Indented! » permissions

Reading share security with PowerShell

Chris — Fri, 20 Feb 2009 17:31:23 +0000

The cmdlet Get-ACL is very capable when it comes to NTFS permissions, but it cannot read share permissions. This function makes an effort to provide a simple way to return share security (and other information) from a share.

The function makes use of two WMI Classes, Win32_Share and Win32_LogicalShareSecuritySetting. To simplify enumeration each Access Control Entry found within the shares Discretionary Access Control List is converted to a FileSystemAccessRule before being added to the Access object, allowing the access to be displayed in a similar way to Access from Get-ACL.

Security information is only returned for shares of type 0, standard shared folders. Security for automatically generated administrative shares will not show. Access is added to the remainder of the information returned by Win32_Share. The Control Flags for the security descriptor are available, but not interesting as they are set to DiscretionaryAclPresent and SelfRelative.

The function accepts two parameters, the name of the share, and optionally the name of a computer. With no parameters, information for all shares on the computer is returned. WQL wildcards are supported (% and _) within the share name.

Get-ShareACL

Function Get-ShareACL {
  Param(
    [String]$Name = "%",
    [String]$Computer = $Env:ComputerName
  )

  $Shares = @()
  Get-WMIObject Win32_Share `
    -Computer $Computer -Filter "Name LIKE '$Name'" | `
    %{
      $Access = @();
      If ($_.Type -eq 0) {
        $SD = (Get-WMIObject -Class Win32_LogicalShareSecuritySetting `
          -Computer $Computer `
          -Filter "Name='$($_.Name)'").GetSecurityDescriptor().Descriptor
        $SD.DACL | %{
          $Trustee = $_.Trustee.Name
          If ($_.Trustee.Domain -ne $Null) {
            $Trustee = "$($_.Trustee.Domain)\$Trustee"
          }
          $Access += New-Object Security.AccessControl.FileSystemAccessRule( `
            $Trustee, $_.AccessMask, $_.AceType)
        }
      }
      $_ | Select-Object Name, Path, Description, Caption, `
        @{n='Type';e={ Switch ($_.Type) {
          0 { "Disk Drive" }
          1 { "Print Queue" }
          2 { "Device" }
          2147483648 { "Disk Drive Admin" }
          2147483649 { "Print Queue Admin" }
          2147483650 { "Device Admin" }
          2147483651 { "IPC Admin" } }} }, `
        MaximumAllowed, AllowMaximum, Status, InstallDate, `
        @{n='Access';e={ $Access }}
  }
}

Example

PS C:\> Get-ShareACL Test

Name           : Test
Path           : C:\Test
Description    :
Caption        : Test
Type           : Disk Drive
MaximumAllowed :
AllowMaximum   : True
Status         : OK
InstallDate    :
Access         : {System.Security.AccessControl.FileSystemAccessRule}

PS C:\> (Get-ShareACL Test).Access

FileSystemRights  : ReadAndExecute
AccessControlType : Allow
IdentityReference : somedomain\chrisdent
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

Get-DsAcl The goal of this PowerShell function is to create a...

Related posts brought to you by Yet Another Related Posts Plugin.

Reading NTFS and Share security with VbScript

Chris — Thu, 19 Feb 2009 17:25:25 +0000

NTFS (File System) and Share security can be enumerated using the Win32_LogicalFileSecuritySetting and Win32_LogicalShareSecuritySetting WMI classes. This post demonstrates how to use each class to read the security descriptors.

In each case the WMI class contains a GetSecurityDescriptor method used to retrieve the Security Descriptor (as a Win32_SecurityDescriptor).

The references section at the bottom of this article include details of sources for all constants. A little PowerShell creeps in to show how the numeric values were retrieved and checked.

DACLs and SACLs

A DACL or Discretionary Access Control List is the most heavily used, it contains Access Control Entries that define who can, and who cannot, access a resource or object. These are seen when viewing the Security tab of an object.

An SACL or System Access Control List defines which actions will be audited when accessing an a resource or object. Seen by accessing the Audit tab through Security and Advanced.

NTFS security vs Share security

Both the NTFS and the Share security descriptor can be read in exactly the same way. However, there are important differences between them.

NTFS security descriptor

Supports inheritance on descriptor and on individual Access Control Entries
Can hold a Discretionary Access Control List and an System Access Control List

Share security descriptor

Has no owner or Primary Group
Control flags will be set (and usually limited) to SelfRelative and DiscretionaryACLPresent
Access Control Entry (ACE) Flags will not be set
Can hold a Discretionary Access Control List only
Supports a sub-set of Access Masks (rights) on each ACE

Getting the security descriptor

NTFS

Dim strComputer : strComputer = "."
' Connect to WMI on strComputer
Dim objWMI : Set objWMI = GetObject("winmgmts://" & strComputer & "/root/cimv2")
' Get an instance of LogicalFileSecuritySetting for C:\
Dim objSecuritySettings : Set objSecuritySettings = _
  objWMI.Get("Win32_LogicalFileSecuritySetting='C:\'")
Dim intReturnValue : Dim objSD
' Request the Security Descriptor as objSD
intReturnValue = objSecuritySettings.GetSecurityDescriptor objSD

Dim strComputer : strComputer = "."
' Connect to WMI on strComputer
Dim objWMI : Set objWMI = GetObject("winmgmts://" & strComputer & "/root/cimv2")
' Get an instance of LogicalShareSecuritySetting for ShareName
Dim objSecuritySettings : Set objSecuritySettings = _
  objWMI.Get("Win32_LogicalShareSecuritySetting='ShareName'")
Dim intReturnValue : Dim objSD
' Request the Security Descriptor as objSD
intReturnValue = objSecuritySettings.GetSecurityDescriptor objSD

Error handling

The GetSecurityDescriptor method of each WMI class (Win32_LogicalFileSecuritySetting and Win32_LogicalShareSecuritySetting) has a return value to allow errors to be handled. The return codes are represented by the constants below.

Const SUCCESS = 0
Const ACCESS_DENIED = 2
Const UNKNOWN_FAILURE = 8
Const PRIVILEGE_MISSING = 9
Const INVALID_PARAMETER = 21

Values in the security descriptor

The security descriptor contains three fields in addition to the DACL and SACL which are described later.

Control flags

Each security descriptor has a ControlFlags field which dictates how the descriptor behaves. This includes settings such as DACLProtected which indicates that the DACL cannot inherit values from a parent.

The script loads the values above into a Scripting.Dictionary object to simplify enumeration.

Dim objControlFlags : Set objControlFlags = CreateObject("Scripting.Dictionary")
objControlFlags.Add 32768, "SelfRelative"
objControlFlags.Add 16384, "RMControlValid"
objControlFlags.Add 8192, "SystemAclProtected"
objControlFlags.Add 4096, "DiscretionaryAclProtected"
objControlFlags.Add 2048, "SystemAclAutoInherited"
objControlFlags.Add 1024, "DiscretionaryAclAutoInherited"
objControlFlags.Add 512, "SystemAclAutoInheritRequired"
objControlFlags.Add 256, "DiscretionaryAclAutoInheritRequired"
objControlFlags.Add 32, "SystemAclDefaulted"
objControlFlags.Add 16, "SystemAclPresent"
objControlFlags.Add 8, "DiscretionaryAclDefaulted"
objControlFlags.Add 4, "DiscretionaryAclPresent"
objControlFlags.Add 2, "GroupDefaulted"
objControlFlags.Add 1, "OwnerDefaulted"

Note that they are intentionally entered in order from highest to lowest. A For Each loop will start with the highest value (because it was added first), then compare it to the ControlFlags value. In bitwise comparison, if the integer value can be there, then it must be there, that would all go wrong unless it starts with the highest possible value.

The values and names were taken from the .NET Framework, they can be displayed in PowerShell with the following command.

[Enum]::GetValues([System.Security.AccessControl.ControlFlags]) | `
  Select-Object @{ n='Name';e={[String]$_} }, @{ n='Value';e={$_.value__} }

That logic is applied within the code as follows.

' Read the value of Control Flags from the descriptor
dblControlFlags = objSD.ControlFlags
WScript.Echo "Control Flags:"
' For each possible flag
For Each dblFlag in objControlFlags
  ' If it is possible for the flag to be there, then it must be there
  ' Something like bitwise AND
  If dblControlFlags >= dblFlag Then
    ' Echo the flag, indicating it is present
    WScript.Echo "  " & objControlFlags(dblFlag)
    ' Remove this value from the control flag value,
    ' already found this flag
    dblControlFlags = dblControlFlags - dblFlag
  End If
Next

Primary group

The Primary Group is not very interesting unless Services for Unix is in use. In many cases it will be blank.

If set, it can be enumerated as a Win32_Trustee, an object containing a Domain, Username, SID array, SID length and SIDString.

Owner

As with the Primary Group, the owner is stored as a Win32_Trustee object. It can be read from the descriptor as follows.

WScript.Echo "Domain: " & objSD.Owner.Domain
WScript.Echo "Username: " & objSD.Owner.Name
WScript.Echo "SID: " & objSD.Owner.SIDString

Access control entries in the DACL and SACL

Both the DACL and SACL, if present, consist of one or more Access Control Entries (ACE). The ACE, like the security descriptor, breaks down into a number of different fields.

Access Mask

The access mask defines which rights should be used by the Access Control Entry. In the case of System ACL it defines which actions should be audited.

A number of the right names are omitted from the list below as they carry the same numeric value (mask the same bit), the meaning only changes in the context the right is applied.

Dim objAccessRights : Set objAccessRights = CreateObject("Scripting.Dictionary")
objAccessRights.Add 2032127, "FullControl"
objAccessRights.Add 1048576, "Synchronize"
objAccessRights.Add 524288, "TakeOwnership"
objAccessRights.Add 262144, "ChangePermissions"
objAccessRights.Add 197055, "Modify"
objAccessRights.Add 131241, "ReadAndExecute"
objAccessRights.Add 131209, "Read"
objAccessRights.Add 131072, "ReadPermissions"
objAccessRights.Add 65536, "Delete"
objAccessRights.Add 278, "Write"
objAccessRights.Add 256, "WriteAttributes"
objAccessRights.Add 128, "ReadAttributes"
objAccessRights.Add 64, "DeleteSubdirectoriesAndFiles"
objAccessRights.Add 32, "ExecuteFile"
objAccessRights.Add 16, "WriteExtendedAttributes"
objAccessRights.Add 8, "ReadExtendedAttributes"
objAccessRights.Add 4, "AppendData"
objAccessRights.Add 2, "CreateFiles"
objAccessRights.Add 1, "ReadData"

Note that a number of the rights in the list are composites of simpler rights, including Read, FullControl, Write and Modify.

The list can be retrieved, using PowerShell again, with the following command:

[Enum]::GetValues([System.Security.AccessControl.FileSystemRights]) | `
  Select-Object @{n='Name';e={[String]$_} }, @{n='Value';e={$_.value__} }

Holding the flags in this fashion allows the Access Mask to be converted to a friendly form in the same way as the Control Flags were displayed.

' For each access control entry in the discretionary access control list
For Each objACE in objSD.DACL
  WScript.Echo "Access Mask:"
  ' Read the value of the access mask from the Access Control Entry
  dblAccessMask = objACE.AccessMask
  ' For each possible Right
  For Each dblAccess in objAccessRights
    ' If the right can be there then it must...
    If dblAccessMask >= dblAccess Then
      ' Echo the right name
      WScript.Echo "  " & objAccessRights(dblAccess)
      ' Remove the value from the access mask,
      ' already found this right.
      dblAccessMask = dblAccessMask - dblAccess
    End If
  Next
Next

Flags

The flags on an Access Control Entry defines whether the entry applies to Leaf or Container objects, how it behaves when inheritance is calculated, and whether or not the ACE is inherited or explicit.

Dim objAceFlags : Set objAceFlags = CreateObject("Scripting.Dictionary")
objAceFlags.Add 128, "FailedAccess"
objAceFlags.Add 64, "SuccessfulAccess"
objAceFlags.Add 16, "Inherited"
objAceFlags.Add 8, "InheritOnly"
objAceFlags.Add 4, "NoPropagateInherit"
objAceFlags.Add 2, "ContainerInherit"
objAceFlags.Add 1, "ObjectInherit"

Heading back to PowerShell again we can find the the names and values for these.

[Enum]::GetValues([System.Security.AccessControl.AceFlags]) | `
  Select-Object @{n='Name';e={[String]$_} }, @{n='Value';e={$_.value__} }

A few are intentionally left out as they are composites of values more interesting to display separately.

Enumeration of the Access Control Entry flags is performed as follows.

' For each access control entry in the discretionary access control list
For Each objACE in objSD.DACL
  WScript.Echo "ACE Flags:"
    ' Read the value of ACE Flags from the Access Control Entry
  dblAceFlags = objAce.AceFlags
  ' For each possible flag
  For Each dblFlag in objAceFlags
    ' If the flag can be there then it must...
    If dblAceFlags >= dblFlag Then
      ' Echo the name of the flag
      WScript.Echo "  " & objAceFlags(dblFlag)
      ' Found it, remove it to note that it has been found.
      dblAceFlags = dblAceFlags - dblFlag
    End If
  Next
Next

Trustee

The value for the trustee (Win32_Trustee), the security principal (user, group, computer, etc) the right applies to is enumerated in the same way as the Owner above.

For Each objACE in objDACL
  WScript.Echo "Domain: " & objACE.Trustee.Domain
  WScript.Echo "User: " & objACE.Trustee.Name
  WScript.Echo "SID: " & objACE.Trustee.SIDString
Next

Type

Finally, the ACEType consists of three values which define whether the ACE permits access, denies access or is an audit control.

Dim objAceTypes : Set objAceTypes = CreateObject("Scripting.Dictionary")
objAceTypes.Add 0, "Allow"
objAceTypes.Add 1, "Deny"
objAceTypes.Add 2, "Audit"

Once again, we can discover all of the possible values for AceFlags using PowerShell.

[Enum]::GetValues([System.Security.AccessControl.AceType]) | `
  Select-Object @{n='Name';e={[String]$_} }, @{n='Value';e={$_.value__} }

However, this time the only values that are used in the script are 0 (Allow), 1 (Deny), and 2 (Audit).

' For each access control entry in the discretionary access control list
For Each objACE in objDACL
  ' Echo the type: Allow, Deny or Audit.
  WScript.Echo "ACE Type: " & objAceTypes(objAce.AceType)
Next

Listing permissions for all Shares

Time to put all of that together. This sample lists the NTFS and Share permissions for each share configured on strComputer.

Option Explicit

' WMI Constants

Const WBEM_RETURN_IMMEDIATELY = &h10
Const WBEM_FORWARD_ONLY = &h20

' Constants and storage arrays for security settings

' GetSecurityDescriptor Return values

Dim objReturnCodes : Set objReturnCodes = CreateObject("Scripting.Dictionary")
Const SUCCESS = 0
Const ACCESS_DENIED = 2
Const UNKNOWN_FAILURE = 8
Const PRIVILEGE_MISSING = 9
Const INVALID_PARAMETER = 21

' Security Descriptor Control Flags

Dim objControlFlags : Set objControlFlags = CreateObject("Scripting.Dictionary")
objControlFlags.Add 32768, "SelfRelative"
objControlFlags.Add 16384, "RMControlValid"
objControlFlags.Add 8192, "SystemAclProtected"
objControlFlags.Add 4096, "DiscretionaryAclProtected"
objControlFlags.Add 2048, "SystemAclAutoInherited"
objControlFlags.Add 1024, "DiscretionaryAclAutoInherited"
objControlFlags.Add 512, "SystemAclAutoInheritRequired"
objControlFlags.Add 256, "DiscretionaryAclAutoInheritRequired"
objControlFlags.Add 32, "SystemAclDefaulted"
objControlFlags.Add 16, "SystemAclPresent"
objControlFlags.Add 8, "DiscretionaryAclDefaulted"
objControlFlags.Add 4, "DiscretionaryAclPresent"
objControlFlags.Add 2, "GroupDefaulted"
objControlFlags.Add 1, "OwnerDefaulted"

' ACE Access Right

Dim objAccessRights : Set objAccessRights = CreateObject("Scripting.Dictionary")
objAccessRights.Add 2032127, "FullControl"
objAccessRights.Add 1048576, "Synchronize"
objAccessRights.Add 524288, "TakeOwnership"
objAccessRights.Add 262144, "ChangePermissions"
objAccessRights.Add 197055, "Modify"
objAccessRights.Add 131241, "ReadAndExecute"
objAccessRights.Add 131209, "Read"
objAccessRights.Add 131072, "ReadPermissions"
objAccessRights.Add 65536, "Delete"
objAccessRights.Add 278, "Write"
objAccessRights.Add 256, "WriteAttributes"
objAccessRights.Add 128, "ReadAttributes"
objAccessRights.Add 64, "DeleteSubdirectoriesAndFiles"
objAccessRights.Add 32, "ExecuteFile"
objAccessRights.Add 16, "WriteExtendedAttributes"
objAccessRights.Add 8, "ReadExtendedAttributes"
objAccessRights.Add 4, "AppendData"
objAccessRights.Add 2, "CreateFiles"
objAccessRights.Add 1, "ReadData"

' ACE Types

Dim objAceTypes : Set objAceTypes = CreateObject("Scripting.Dictionary")
objAceTypes.Add 0, "Allow"
objAceTypes.Add 1, "Deny"
objAceTypes.Add 2, "Audit"

' ACE Flags

Dim objAceFlags : Set objAceFlags = CreateObject("Scripting.Dictionary")
objAceFlags.Add 128, "FailedAccess"
objAceFlags.Add 64, "SuccessfulAccess"
objAceFlags.Add 16, "Inherited"
objAceFlags.Add 8, "InheritOnly"
objAceFlags.Add 4, "NoPropagateInherit"
objAceFlags.Add 2, "ContainerInherit"
objAceFlags.Add 1, "ObjectInherit"

Sub ReadNTFSSecurity(objWMI, strPath)
  WScript.Echo "  Displaying NTFS Security"

  Dim objSecuritySettings : Set objSecuritySettings = _
    objWMI.Get("Win32_LogicalFileSecuritySetting='" & strPath & "'")
  Dim objSD : objSecuritySettings.GetSecurityDescriptor objSD

  Dim strDomain : strDomain = objSD.Owner.Domain
  If strDomain <> "" Then strDomain = strDomain & "\"
  WScript.Echo "  Owner: " & strDomain & objSD.Owner.Name
  WScript.Echo "  Owner SID: " & objSD.Owner.SIDString

  WScript.Echo "  Basic Control Flags Value: " & objSD.ControlFlags
  WScript.Echo "  Control Flags:"

  DisplayValues objSD.ControlFlags, objControlFlags

  WScript.Echo

  Dim objACE

  ' Display the DACL

  WScript.Echo "  Discretionary Access Control List:"
  For Each objACE in objSD.DACL
    DisplayACE objACE
  Next

  ' Display the SACL (if there is one)

  If Not IsNull(objSD.SACL) Then
    WScript.Echo "  System Access Control List:"
    For Each objACE in objSD.SACL
      DisplayACE objACE
    Next
  End If
End Sub

Sub ReadShareSecurity(objWMI, strName)
  WScript.Echo "  Displaying Share Security"

  Dim objSecuritySettings : Set objSecuritySettings = _
    objWMI.Get("Win32_LogicalShareSecuritySetting='" & strName & "'")

  Dim objSD : objSecuritySettings.GetSecurityDescriptor objSD

  WScript.Echo "  Basic Control Flags Value: " & objSD.ControlFlags
  WScript.Echo "  Control Flags:"

  DisplayValues objSD.ControlFlags, objControlFlags

  WScript.Echo

  Dim objACE

  ' Display the DACL

  WScript.Echo "  Discretionary Access Control List:"
  For Each objACE in objSD.DACL
    DisplayACE objACE
  Next
End Sub

Sub DisplayValues(dblValues, objSecurityEnumeration)

  Dim dblValue
  For Each dblValue in objSecurityEnumeration
    If dblValues >= dblValue Then
      WScript.Echo "      " & objSecurityEnumeration(dblValue)
      dblValues = dblValues - dblValue
    End If
  Next
End Sub

Sub DisplayACE(objACE)

  Dim strDomain : strDomain = objAce.Trustee.Domain
  If strDomain <> "" Then strDomain = strDomain & "\"
  WScript.Echo "    Trustee: " & UCase(strDomain & objAce.Trustee.Name)
  WScript.Echo "    SID: " & objAce.Trustee.SIDString

  WScript.Echo "    Basic Access Mask Value: " & objACE.AccessMask

  WScript.Echo "    Access Rights: "
  DisplayValues objACE.AccessMask, objAccessRights

  WScript.Echo "    Type: " & objAceTypes(objACE.AceType)

  WScript.Echo "    Basic ACE Flags Value: " & objACE.AceFlags

  WScript.Echo "    ACE Flags: "
  DisplayValues objACE.AceFlags, objAceFlags
  WScript.Echo
End Sub

'
' Main Code
'

' The system to execute this script against
Dim strComputer : strComputer = "."

' Connect to WMI
Dim objWMI : Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

' Return all of the shares (Type = 0 means File Shares only, exclude
' are Administrative, Printer, etc)
Dim colItems : Set colItems = _
  objWMI.ExecQuery("SELECT * FROM Win32_Share WHERE Type='0'", "WQL", _
  WBEM_RETURN_IMMEDIATELY + WBEM_FORWARD_ONLY)

Dim objItem
For Each objItem in colItems
  WScript.Echo
  WScript.Echo "Security for " & objItem.Path & _
    " (Shared as " & objItem.Name & ")"

  ReadNTFSSecurity objWMI, objItem.Path
  ReadShareSecurity objWMI, objItem.Name
Next

References

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Finding a user in Exchange mailbox security

Chris — Tue, 28 Oct 2008 11:33:59 +0000

A script to read the mailbox security descriptor from Active Directory with the intention of finding a particular user or security principal. It will not display the security descriptor, it simply displays whether or not the account is present in the access control list.

The script works best when run with cscript as the script uses WScript.Echo to write back whether or not it finds a match.

It can be used against Exchange 2000 or Exchange 2003. Exchange 2007 can use Get-MailboxPermission to query the same information.

MailboxRights is used to retrieve the mailbox security descriptor. As part of CDOEXM (Collaboration Data Objects for Exchange Management) the Exchange System Tools must be installed on the system executing the script.

Option Explicit

' FindMailboxAccess.vbs
'
' Short Script to Find and Enumerate Mailbox Access for the specified
' security principal. Searches current domain, must be run as an Exchange Admin
' account to invoke MailboxRights method.
'
' This script is slow, it's speed is unavoidable as MailboxRights cannot be
' executed until connected to an individual user. That means we have to connect
' to every user account to determine whether or not the security principal is
' present within the ACL.
'
' Author: Chris Dent
' Modified: 04/01/2008

Sub UsageText
  Dim strMessage

  strMessage = "Usage:" & VbCrLf & VbCrLf
  strMessage = strMessage & "cscript " & WScript.ScriptName & _
    " " & VbCrLf
  strMessage = strmessage & VbCrLf
  strMessage = strMessage & "Note: This script must be executed as Exchange " & _
    "Administrator to enumerate" & VbCrLf
  strMessage = strMessage & "the Mailbox Security Descriptor" & VbCrLf
  WScript.Echo strMessage
  WScript.Quit
End Sub

Sub SortArgv
  Dim objArgv

  Set objArgv = WScript.Arguments
  If objArgv.Count < 1 Then
    UsageText
  End If

  strSearchString = objArgv(0)

  Set objArgv = Nothing
End Sub

Sub SearchAD
  Const ADS_SCOPE_SUBTREE = 2

  Dim objConnection, objCommand, objRootDSE, objRecordSet, objUser
  Dim objMailboxSD, objDACL, objACE

  Set objConnection = CreateObject("ADODB.Connection")
  objConnection.Provider = "ADsDSOObject"
  objConnection.Open "Active Directory Provider"

  Set objCommand = CreateObject("ADODB.Command")
  objCommand.ActiveConnection = objConnection

  Set objRootDSE = GetObject("LDAP://RootDSE")
  objCommand.CommandText = "SELECT distinguishedName, homeMDB " &_
    "FROM 'LDAP://" & objRootDSE.Get("defaultNamingContext") &_
    "' WHERE objectClass='user' AND objectCategory='person'"
  WScript.Echo "Searching: " & objRootDSE.Get("defaultNamingContext")
  Set objRootDSE = Nothing

  objCommand.Properties("Page Size") = 1000
  objCommand.Properties("Timeout") = 600
  objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
  objCommand.Properties("Cache Results") = False

  Set objRecordSet = objCommand.Execute

  While Not objRecordSet.EOF
    On Error Resume Next
    If Not IsNull(objRecordSet.Fields("homeMDB")) Then
      ' Can't avoid connecting to the user, need to call the MailboxRights method

      Set objUser = _
        GetObject("LDAP://" & objRecordSet.Fields("distinguishedName").Value)

      Err.Clear
      Set objMailboxSD = objUser.MailboxRights
      Set objDACL = objMailboxSD.DiscretionaryAcl
      If Err.Number <> 0 Then
        ' Ignore It
      Else
        For Each objACE in objDACL
          If InStr(1, objACE.Trustee, strSearchString, VbTextCompare) Then
            WScript.Echo "Found In Mailbox ACL: " & objUser.Name
          End If
        Next
      End If
      On Error Goto 0
    End If

    objRecordSet.MoveNext
  Wend
  objConnection.Close

  Set objRecordSet = Nothing
  Set objCommand = Nothing
  Set objConnection = Nothing
End Sub

'
' Main Code
'

Dim strSearchString

SortArgv

WScript.Echo "Search String: " & strSearchString

SearchAD

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

NTFS, WMI, VbScript & listing explicit rights

Chris — Wed, 22 Oct 2008 15:04:02 +0000

This script uses WMI to enumerate each access control entry in an NTFS access control list, looking for explicit entries, that is, entries that are not inherited.

If SECURITY_PRINCIPAL is blank the script will return all explicit rights beneath granted from base path down. The script attempts to provide a summary for common rights.

The PowerShell version of this script is considerably better for granular reporting of rights assigned. This one is more of a demonstration of security descriptor enumeration.

Option Explicit

' Looks for a Trustee containing the SECURITY_PRINCIPAL string on
' the file system. Recurses from BASE_PATH down (file and folders).

' Set these values for the search.

Const BASE_PATH = "C:\"
Const SECURITY_PRINCIPAL = "Chris"

Sub FSRecurse(strPath)
  ' Simple FS recursion

  Dim objFolder, objFile, objSubFolder

  Set objFolder = objFileSystem.GetFolder(strPath)

  For Each objFile in objFolder.Files
    CheckDescriptor objFile.Path
  Next
  For Each objSubFolder in objFolder.SubFolders
    CheckDescriptor objSubFolder.Path

    FSRecurse objSubFolder.Path
  Next

  Set objFolder = Nothing
End Sub

Sub CheckDescriptor(strPath)
  ' Look for the Trustee in the Security Descriptor and filter out
  ' inherited ACEs

  Const ACE_FLAG_INHERITED = &H10 ' 16

  Dim objSecuritySettings, objSecurityDescriptor, objACE, objTrustee

  Set objSecuritySettings = objWMIService.Get _
    ("Win32_LogicalFileSecuritySetting.Path='" & strPath & "'")
  objSecuritySettings.GetSecurityDescriptor objSecurityDescriptor

  For Each objACE in objSecurityDescriptor.dACL
    If InStr(1, objACE.Trustee.Name, _
        SECURITY_PRINCIPAL, VbTextCompare) > 0 Then

      ' ACEFlags is binary. Must perform binary comparison.
      If objACE.ACEFlags And ACE_FLAG_INHERITED Then
        ' Problems with negation of the above.
        ' This is just easier.
      Else
        EnumAccess strPath, objACE
      End If
    End If
  Next
End Sub

Sub EnumAccess(strPath, objACE)
  ' Most access mask values have matching Folder versions. These are not
  ' numerically different, they only differ when interpreted.

  ' ACE Type

  Const ACCESS_ALLOWED_ACE_TYPE = &h0
  Const ACCESS_DENIED_ACE_TYPE  = &h1

  ' Base Access Mask values

  Const FILE_READ_DATA = &h1
  Const FILE_WRITE_DATA = &h2
  Const FILE_APPEND_DATA = &h4
  Const FILE_READ_EA = &h8
  Const FILE_WRITE_EA = &h10
  Const FILE_EXECUTE = &h20
  Const FILE_DELETE_CHILD = &h40
  Const FILE_READ_ATTRIBUTES = &h80
  Const FILE_WRITE_ATTRIBUTES = &h100
  Const FOLDER_DELETE = &h10000
  Const READ_CONTROL = &h20000
  Const WRITE_DAC = &h40000
  Const WRITE_OWNER = &h80000
  Const SYNCHRONIZE = &h100000

  ' Constructed Access Masks

  Dim FULL_CONTROL
  FULL_CONTROL = FILE_READ_DATA + FILE_WRITE_DATA + FILE_APPEND_DATA + _
    FILE_READ_EA + FILE_WRITE_EA + FILE_EXECUTE + FILE_DELETE_CHILD + _
    FILE_READ_ATTRIBUTES + FILE_WRITE_ATTRIBUTES + FOLDER_DELETE + _
    READ_CONTROL + WRITE_DAC + WRITE_OWNER + SYNCHRONIZE

  Dim READ_ONLY
  READ_ONLY = FILE_READ_DATA + FILE_READ_EA + FILE_EXECUTE + _
    FILE_READ_ATTRIBUTES + READ_CONTROL + SYNCHRONIZE

  Dim MODIFY
  MODIFY = FILE_READ_DATA + FILE_WRITE_DATA + FILE_APPEND_DATA + _
    FILE_READ_EA + FILE_WRITE_EA + FILE_EXECUTE + _
    FILE_READ_ATTRIBUTES + _
    FILE_WRITE_ATTRIBUTES + FOLDER_DELETE + READ_CONTROL + SYNCHRONIZE

  Dim strRights
  Dim intAccessMask

  WScript.Echo "Path: " & strPath
  WScript.Echo "Username: " & objACE.Trustee.Name
  WScript.Echo "Domain: " & objACE.Trustee.Domain
  WScript.Echo "ACE Flags (Decimal): " & objACE.ACEFlags

  ' ACE Type

  If objACE.ACEType = ACCESS_ALLOWED_ACE_TYPE Then
    WScript.Echo "ACE Type: Allow"
  Else
    WScript.Echo "ACE Type: Deny"
  End If

  ' Attempt to generate a basic summary of access rights

  strRights = ""
  intAccessMask = objACE.AccessMask

  If intAccessMask = FULL_CONTROL Then
    strRights = " (FullControl)"
  ElseIf intAccessMask = MODIFY Then

    strRights = " (Modify)"
  ElseIf intAccessMask = READ_ONLY Then
    strRights = " (ReadOnly)"
  End If

  ' Echo the decimal mask with any summarised rights

  WScript.Echo "Access Mask (Decimal): " & intAccessMask & strRights

  WScript.Echo
End Sub

'
' Main code block
'

Dim objFileSystem, objWMIService

Set objFileSystem = CreateObject("Scripting.FileSystemObject")
' WMI Connection to the local machine
Set objWMIService = GetObject("winmgmts:\\.")

FSRecurse BASE_PATH

Set objWMIService = Nothing
Set objFileSystem = Nothing

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

NTFS, PowerShell, Get-ACL & listing explicit rights

Chris — Wed, 22 Oct 2008 11:50:56 +0000

A short script to list explicit rights assigned to a directory structure. It uses the recursive option of ls (an Alias for Get-ChildItem) to drop down through the directory structure.

There are lots of little programs around that can do exactly the same thing, probably quite a few more efficiently than this.

The match is not case sensitive. If the value for $SecurityPrincipal is left blank the script will return all explicitly assigned rights.

# Uses match, either a specific user / group or blank for all explicit rights
$SecurityPrincipal = "chris"
# The starting point
$BasePath = "C:\"

# An array to hold the data returned
$ExplicitRights = @()
ForEach ($DirEntry in (ls -r $BasePath)) {
  # Add an entry to the report where it matches the criteria set in the ? pipe

  $ExplicitRights += (Get-ACL -Path $DirEntry.FullName).Access `
    | Select-Object @{n="Path";e={($DirEntry.FullName)}}, `
      FileSystemRights,IsInherited,IdentityReference `
    | ?{ ((($_.IdentityReference.Value) -match $SecurityPrincipal) -and `
      ($_.IsInherited -eq $False))}
}
# Write the array to the screen. Piping into Export-CSV should work as well
$ExplicitRights

Get-DsAcl The goal of this PowerShell function is to create a...
Limit recursion depth with Get-ChildItem A PowerShell function that allows directory recursion to a specified...

Related posts brought to you by Yet Another Related Posts Plugin.