I wanted to ask how one would check who has access to subfolders in a certain directory on a server using either the CMD or Powershell?
For NTFS permissions I like to use the NTFSSecurity PowerShell Module as the output is similar to the windows permissions GUI.
It has simple commands for adding and removing permissions, which is an ugly process using the standard acls commands!
To see current NTFS permissions using this module:
Get-NTFSAccess -Path "\\server\share\folder"
Which would give an output like this:
You are looking for icacls. From cmd type icacls directoryname /t replacing directoryname with the actually directory name to display all of the access permissions for the directory and subdirectories. The /t flag specifies to look in subdirectories. For more info just type in icacls into cmd or look at this link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
Related
I'm trying to fix permissions on users folders created with Folder Redirect. I need "Domain Admins" group to have full access. Everything works as long as folder name is not using unicode characters. And there a quite many folders like that :(
For example: ICACLS changes Ł to A, ł to B...
D:\Path\Path>icacls ęóąśłżźćń
icacls ↓ˇ♣[B|zD
↓ˇ♣[B: The filename, directory name, or volume label syntax is incorrect.
'zD' is not recognized as an internal or external command,
operable program or batch file.
D:\Path\Path>icacls ĘÓĄŚŁŻŹĆŃ
icacls ↑Ë♦ZA{y♠C
↑Ë♦ZA{y♠C: Successfully processed 0 files; Failed processing 1 files
The filename, directory name, or volume label syntax is incorrect.
I tried changing chcp to various values, nothing worked (by default my cmd uses 852). Tried changing fonts used by cmd, also didn't help.
Is it possible to make ICACLS understand Polish? :)
EDIT: weird thing is, when i use ICACLS as 'system', it behaves like above. When used with mu user rights, it properly reads unicode characters.
EDIT2:
where icacls ran as user
C:\Users\Administrator.CEO>where icacls
C:\Windows\System32\icacls.exe
where icacls ran as system
C:\Windows\system32>where icacls
C:\Windows\System32\icacls.exe
i try to run icacls commands from cmd window, not as .bat or .cmd files, for example
icacls "D:\FolderRedir\IT\Stanisław Smólski" /grant "Domain Admins":F
output changes ł and ó to other characters, and icacls is unable to locate the file/directory
Not sure what exactly was wrong - we had a problem with one ups today and server was forcefully restarted. After the restart (and unexpected Windows update that used the restart oportunity) i tried icacls again, and... it worked with all the Polish characters.
I guess the problem solved itself.
world !
I'm very new to the scripting world but I'm currently trying to automate a process a work that involves in moving a folder and its contents to the windows directory on C:.
currently, I have this
Copy-Item -Path "C:\Java Config Files*" -Destination "C:\Windows\" -R
it's returning with an error message
Copy-Item : Access to the path 'C:\Windows\Java Config Files' is denied.
any thoughts how I can elevate privileges without having to run the script as admin? or if there is a cmdlet that could achieve this?
fixed by running as admin by adding runAS cmdlet
I'm getting the information I need out of the line, although when I go to export the information, I get an error.
When I run this code:
get-process | Export-csv -Path "C:\export.csv" -NoTypeInformation
I get this error:
Export-csv : Access to the path 'C:\export.csv' is denied.
At line:1 char:14
+ get-process | Export-csv -Path "C:\export.csv" -NoTypeInformation
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How can I export to CSV?
You need to use an admin console or change the location of the csv file to C:\temp or something. The home drive require admin permissions.
EDIT:
The elevation requirement is only with system directories like:
C:\
C:\Windows
C:\Program Files
C:\Program Files (x86)
C:\Users
Notice that you can change C:\Users\<YourUserName> but not any other directories under C:\Users. Windows was built for multiple users even if you may be the only one using it. The above directories are common for all users and changing its contents would effectively change the Windows environment for other users too since windows rely on the integrity of these directories. Allowing a normal user to delete/modify/add files to these could have dangerous results for the OS and other people who use it.
So it tries to makes sure that only an Admin user is authorized to make changes to it. It is also the same reason why you get prompted for admin permissions when installing a software. It is installed to C:\Program Files or C:\Program Files (x86), make changes to the registry and is available to all users of that computer. Same with removing it. If a program does not require to do that, it doesn't require admin privileges. Eg: Portable softwares. Some programs only use the user directory or users temp directory C:\Users\<Username>\AppData\Local\Temp. Such programs are only available to the user that installed it.
If you have a custom directory like C:\myGames, adding files to it wont require elevation. So C:\Temp is just another directory like that. You will also notice that C:\ will let a normal user create a folder but not a file.
SUMMARY: Any changes that affect other user directories or the windows environment will require admin rights. Others don't.
In my case, the error occurred because I failed to specify the file name. The correct syntax is;
Export-Csv -path ".\targetList.csv"
and not -path "."
I am embarrased that I have to ask this, but as the syntax of icacls apparently has changed in powershell, I seem to be unable to assemble a working command.
What I am trying to do:
I want to remove all permissions from a specific folder and then add the "Current logged on user" and "SYSTEM" to have Full Control. But not Admins or anything else.
What I have:
icacls $MyFolder /inheritance:r /grant: $Domain\Env:Username:(OI)(CI)F /T /grant: SYSTEM:(OI)(CI)F /T
But everytime when I execute the command I get an error
(OI)(CI) /T has not been recognized as a cmdlet or command...
I have read some tricks on the internet to use different kind of quotes or backticks for the parameters, but nothing worked for me.
Can anyone please tell my what I am doing wrong here?
As you've hinted at, the issue here isn't that the syntax is icacls has changed in PowerShell but rather that PowerShell can act strangely when executing an external command (executable) that takes arguments.
There's several ways to handle arguments, one of which is to pass them as an array of strings:
$IcaclsArgs = #(
$MyFolder,
"/inheritance:r",
"/grant",
"$Domain\$($Env:Username):(OI)(CI)F",
"/T",
"/grant",
"SYSTEM:(OI)(CI)F",
"/T"
)
& icacls #IcaclsArgs
I have a bunch of user directories on a Unix server not attached to active directory, but, nearly all the directories are named the same thing as their username in AD. I'm migrating my file server over to Windows, which is bound to AD, but the permissions aren't moving over.
What I need to do is somehow chown (takeown) all the directories in that user folder over to their AD user. In *nix, I'd do something like this:
cd /home
find * --max-depth 0 -exec chown -R {} {} \;
But I can't seem to find anything with PowerShell that will do it. I get 90% of the way there, but end up with errors that it can't assign ownership, etc. This MAY be due to the SeRestorePrivilege, etc, but setting those doesn't seem to help either.
Does anyone have a suggestions, a solution, etc?
File ownership doesn't matter as much in Windows as it does in Linux/Unix, because Windows ACLs are far more versatile than traditional Unix permissions. Just pass ownership to the Administrators group and grant full permissions to SYSTEM, the Administrators group, and the user whose directory it is, replacing the existing permissions. Use takeown and icacls to do so.
Get-ChildItem 'D:\home' -Directory | ForEach-Object {
$path = $_.FullName
$user = $_.Name
& takeown /f "$path" /r /a
& icacls "$path" '/grant:r' 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "DOMAIN\${user}:(OI)(CI)F"
}
Add read/execute permissions for other users/groups as you see fit.