I need to generate an ACL Report for NAS Shares, even for folders where the local administrators group has been removed from those files.
Some application can use the privilege to bypass traverse checking and or bypass ntfs permissions, similar to what robocopy does.
Treesize is a tool I used but it does not work in the way I need, it would only get the ntfs acls correctly for the first level of the folder where I do not have access, but if there are other subfolders, it will fail to obtain the information.
Subinacl seems to work fine, but here is my question has anyone share idea how to manipulate data so this can be accomplished using this tool. The report is not showing the permissions directly instead it is showing hex codes representing the actual permissions.
I read that powershell might also be able to do this but I have no idea or I could not find any code related to this.
If you have a good reason to see those permissions, hopefully someone with access can help, or at least grant you the Read permissions permission.
Parsing the text from subinacl will take work, as you've noticed. (Scroll down to the permission element for translations of those codes you're asking about.) I've never used ShareEnum from Sysinternals, but maybe that's a step in the right direction.
PowerShell's Get-Acl returns objects, maybe easier to report from. But before Get-Acl will see those subfolders, you might need to change object ownership. PowerShell can do that, depending on the context, but the admins might prefer a friendly knock before you start picking locks, if you catch my drift. Here is some guidance from Server Fault.
Related
I've tried around a bit, but haven't come up with a good result yet. My powershell skills are also a bit rusty.
What do I have in mind?
I want to read all security groups from a folder. For each security group I search in a domain (Active Directory) for the group and get all users contained in it.
Afterwards I add the user with the same rights again extra to the folder.
Reason: I search for the group or the user in another domain. Both domains are accessible from the same server. The groups will be removed at some point.
How can I do this? I have already tried a bit to read out groups (Get-Acl) etc, but I do not get further.
I do not ask for a complete solution, but just need hints how I could do this. Possibly also how this is then called in Powershell etc.
I'd like to find an automatic way to share OneDrive files with a specific internal user, what's the best approach? My current scripts are using PowerShell, but that's not a hard requirement.
I've tried:
https://learn.microsoft.com/en-us/graph/api/driveitem-invite?view=graph-rest-1.0 - what's the best library to use for this? I've created an AzureAD app with the appropriate delegated permissions. In PowerShell, once I run Connect-MgGraph, what method can I run to call this?
https://learn.microsoft.com/en-us/powershell/module/sharepoint-pnp/set-pnplistitempermission?view=sharepoint-ps - but my OneDrive items aren't part of a list. Could they be? The folder permission works well: https://learn.microsoft.com/en-us/powershell/module/sharepoint-pnp/set-pnpfolderpermission but I don't understand why there isn't a file one just like this folder one
I know the absolute URL of the file, the UPN of the internal user I want to directly share with, and I have owner permissions to the file. How can I do this?
I accomplished writing an application code in Matlab. I create a .mat file and save data into it somewhere in the code. I converted it to a standalone application file.(exe) However, I don't want to give permission to the user to see and modify this .mat file because the application uses that file in the next executions. For this reason, I changed the permission settings by right clicking the folder and:
properties-Security-Advanced-Changed Permission
However, after changing the permission, the code cannot reach that file and fails while executing. How can I handle it?
To my opinion you are approaching this the wong way. To make that concept working, your application would require higher permissions than the user has, especially the user may not modify permissions. For the majority of self-administrated PCs this is impossible, because the primary user has full administrative rights, allowing to modify folder permissions.
For such cases the typical solution is encryption. Assume everyone can access your files, store only encrypted files to the hard drive.
I have been struggling a bit with a cleanup script we have running on user home directories. It is SUPPOSED to delete user folders for employees who no longer work here.
The users are not always smart so I have a large list of potential issues and am looking for the fastest way to delete this users folders.
Issues so far:
ReparsePoints/Junction Points - I need them removed, but not followed... would hate to delete something the user linked to for some stupid reason
Long Path Length - Some users have magically created path lengths that are way too long
Need to be able to perform this delete remotely - The techs that will be running this script do not have permission to log directly onto the server, however they have full admin on the locations in question
Attempts so far:
robocopy "c:\temp\empty" $d.FullName /MIR /R:3 /W:1
remove-item $d.FullName -recurse -force
It should be noted I have tried with both UNC and mounted drive letters.
So all that to say I ask you, the brilliant folks of the web. What is the best way to delete a folder, regardless of its content, length or links?
Thanks for any hints or help you can provide
I've gotten comfortable using icacls to add people to file folders but now I am having trouble figuring out how to do the following:
on a folder with many children, g
get the existing permissions on the folder and store them
Add a bunch of new users, propogating to all children and turning on inheritance, replace and force (already working from previous scripts)
check the top level folder and remove any permissions not placed on in step 2.
now that the parent folder has the correct permissions and all children have inheritance set, set all children to have the same permissions as the parent (recompute acl inheritance?)
thanks for any help you all can provide, I just need a push to get into the right direction.
If you're using PowerShell, you don't need icacls (which returns text instead of objects) since you have have Get-Acl and Set-Acl. However, the help for those two commands is severely lacking, so I recommend supplementing with the .NET framework.
http://technet.microsoft.com/en-us/library/ff730951.aspx is a very good article on ACLs using the .NET framework in PowerShell. If you need more in depth information on System.Security.AccessControl, go to http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.aspx.