如何使用Powershell与FileSystemRights进行比较? [英] How can I compare against FileSystemRights using Powershell?

问题描述

我想检查给定用户是否有权访问给定文件夹-通过检查用户是否具有分配给他们的修改"访问权限.

I want to check whether a given user has access to a given folder - by checking if they have "Modify" access assigned to them.

我认为那的PS是:

(Get-Acl .\myfolder).Access | ?{$_.IdentityReference -eq "BUILTIN\Users"} |?{$_.filesystemrights.value -contains "Modify"} 

但是最后的那部分是行不通的-我没有得到任何结果.但我知道他们具有修改"访问权限-如果我输入:

But the final part of that isn't working - I get back no result. But I know that they have Modify access - if I put in:

(Get-Acl .\myfolder).Access | ?{$_.IdentityReference -eq "BUILTIN\Users"} | select -ExpandProperty filesystemrights

然后我回来:

Modify, Synchronize
ReadAndExecute, Synchronize

这是因为FileSystemRights属性是一个枚举吗?如果是这样，我该如何对此进行测试?

Is this because the FileSystemRights property is an enumeration? And if so, how do I test against it?

推荐答案

这是类型问题.(Get-Acl.\ myfolder).Access [].FileSystemRights 的类型为 System.Security.AccessControl.FileSystemRights .它不是真正显示字符串.要使其成为字符串，只需使用 ToString()方法:

It's a type problem. (Get-Acl .\myfolder).Access[].FileSystemRights is of type System.Security.AccessControl.FileSystemRights. It's not really displaying a string. To make it a string, just use the ToString() method:

(Get-Acl .\myfolder).Access | ?{$_.IdentityReference -eq "BUILTIN\Users"} |?{$_.filesystemrights.ToString() -contains "Modify"} 

或者您可以使用按位比较方法.但是，当您要使用此功能时，很容易混淆:

Or you can use the bitwise comparison method. However, it's very easy to confuse when you want to use this:

($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Modify) -eq [System.Security.AccessControl.FileSystemRights]::Modify

当您要使用此功能时:

($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Modify) -eq $_.FileSystemRights

它们的含义截然不同.例如，如果您具有完全控制"，则前一个测试仍然适用.那是你要的吗?还是您想知道 FileSystemRights 是字面意义还是 Modify ?

They have very different meanings. For example, if you have Full Control, the former test is still true. Is that what you want? Or do you want to know when the FileSystemRights are literally just Modify?

此外， [System.Security.AccessControl.FileSystemRights] 是不完整的枚举.在我的环境中，我发现需要此表:

Also, [System.Security.AccessControl.FileSystemRights] is an incomplete enumeration. In my environment, I found I needed this table:

+-------------+------------------------------+------------------------------+
|    Value    |             Name             |            Alias             |
+-------------+------------------------------+------------------------------+
| -2147483648 | GENERIC_READ                 | GENERIC_READ                 |
|           1 | ReadData                     | ListDirectory                |
|           1 | ReadData                     | ReadData                     |
|           2 | CreateFiles                  | CreateFiles                  |
|           2 | CreateFiles                  | WriteData                    |
|           4 | AppendData                   | AppendData                   |
|           4 | AppendData                   | CreateDirectories            |
|           8 | ReadExtendedAttributes       | ReadExtendedAttributes       |
|          16 | WriteExtendedAttributes      | WriteExtendedAttributes      |
|          32 | ExecuteFile                  | ExecuteFile                  |
|          32 | ExecuteFile                  | Traverse                     |
|          64 | DeleteSubdirectoriesAndFiles | DeleteSubdirectoriesAndFiles |
|         128 | ReadAttributes               | ReadAttributes               |
|         256 | WriteAttributes              | WriteAttributes              |
|         278 | Write                        | Write                        |
|       65536 | Delete                       | Delete                       |
|      131072 | ReadPermissions              | ReadPermissions              |
|      131209 | Read                         | Read                         |
|      131241 | ReadAndExecute               | ReadAndExecute               |
|      197055 | Modify                       | Modify                       |
|      262144 | ChangePermissions            | ChangePermissions            |
|      524288 | TakeOwnership                | TakeOwnership                |
|     1048576 | Synchronize                  | Synchronize                  |
|     2032127 | FullControl                  | FullControl                  |
|   268435456 | GENERIC_ALL                  | GENERIC_ALL                  |
|   536870912 | GENERIC_EXECUTE              | GENERIC_EXECUTE              |
|  1073741824 | GENERIC_WRITE                | GENERIC_WRITE                |
+-------------+------------------------------+------------------------------+

比较这些输出很有趣:

[System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights]);
[System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights]) | % { "$($_.ToString())`t`t$([System.Security.AccessControl.FileSystemRights]$_.ToString())`t`t$(([System.Security.AccessControl.FileSystemRights]$_).value__)";}
[System.Enum]::GetValues([System.Security.AccessControl.FileSystemRights]) | % { "$($_.ToString())`t`t$(($_).value__)";}

.net类中没有枚举 GENERIC 权限，但是如果枚举了足够的文件，您将看到该数值.

The GENERIC rights are not enumerated in the .Net class, but you will see that numeric value if you enumerate enough files.

祝你好运！

这篇关于如何使用Powershell与FileSystemRights进行比较?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！