How do I compare against FileSystemRights in PowerShell?

Time: 2023-02-08 12:01:58

I want to check whether a given user has access to a given folder - by checking if they have "Modify" access assigned to them.

I thought that the PS for that would be:

(Get-Acl .\myfolder).Access | ?{$_.IdentityReference -eq "BUILTIN\Users"} |?{$_.filesystemrights.value -contains "Modify"} 

But the final part of that isn't working - I get back no result. But I know that they have Modify access - if I put in:

(Get-Acl .\myfolder).Access | ?{$_.IdentityReference -eq "BUILTIN\Users"} | select -ExpandProperty filesystemrights

then I get back:

Modify, Synchronize
ReadAndExecute, Synchronize

Is this because the FileSystemRights property is an enumeration? And if so, how do I test against it?

3 solutions

#1


3  

It's a type problem. (Get-Acl .\myfolder).Access[].FileSystemRights is of type System.Security.AccessControl.FileSystemRights. It's not really displaying a string. To make it a string, just use the ToString() method:

(Get-Acl .\myfolder).Access | ?{$_.IdentityReference -eq "BUILTIN\Users"} | ?{$_.FileSystemRights.ToString() -match "Modify"}   # -contains tests collection membership, not substrings; -match (or -like "*Modify*") is the string test

Or you can use the bitwise comparison method. However, it's very easy to confuse when you want to use this:

($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Modify) -eq [System.Security.AccessControl.FileSystemRights]::Modify

With when you want to use this:

($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Modify) -eq $_.FileSystemRights

They have very different meanings. For example, if you have Full Control, the former test is still true. Is that what you want? Or do you want to know when the FileSystemRights are literally just Modify?

Also, [System.Security.AccessControl.FileSystemRights] is an incomplete enumeration. In my environment, I found I needed this table:

+-------------+------------------------------+------------------------------+
|    Value    |             Name             |            Alias             |
+-------------+------------------------------+------------------------------+
| -2147483648 | GENERIC_READ                 | GENERIC_READ                 |
|           1 | ReadData                     | ListDirectory                |
|           1 | ReadData                     | ReadData                     |
|           2 | CreateFiles                  | CreateFiles                  |
|           2 | CreateFiles                  | WriteData                    |
|           4 | AppendData                   | AppendData                   |
|           4 | AppendData                   | CreateDirectories            |
|           8 | ReadExtendedAttributes       | ReadExtendedAttributes       |
|          16 | WriteExtendedAttributes      | WriteExtendedAttributes      |
|          32 | ExecuteFile                  | ExecuteFile                  |
|          32 | ExecuteFile                  | Traverse                     |
|          64 | DeleteSubdirectoriesAndFiles | DeleteSubdirectoriesAndFiles |
|         128 | ReadAttributes               | ReadAttributes               |
|         256 | WriteAttributes              | WriteAttributes              |
|         278 | Write                        | Write                        |
|       65536 | Delete                       | Delete                       |
|      131072 | ReadPermissions              | ReadPermissions              |
|      131209 | Read                         | Read                         |
|      131241 | ReadAndExecute               | ReadAndExecute               |
|      197055 | Modify                       | Modify                       |
|      262144 | ChangePermissions            | ChangePermissions            |
|      524288 | TakeOwnership                | TakeOwnership                |
|     1048576 | Synchronize                  | Synchronize                  |
|     2032127 | FullControl                  | FullControl                  |
|   268435456 | GENERIC_ALL                  | GENERIC_ALL                  |
|   536870912 | GENERIC_EXECUTE              | GENERIC_EXECUTE              |
|  1073741824 | GENERIC_WRITE                | GENERIC_WRITE                |
+-------------+------------------------------+------------------------------+

It's interesting to compare the output of these:

[System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights]);
[System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights]) | % { "$($_.ToString())`t`t$([System.Security.AccessControl.FileSystemRights]$_.ToString())`t`t$(([System.Security.AccessControl.FileSystemRights]$_).value__)";}
[System.Enum]::GetValues([System.Security.AccessControl.FileSystemRights]) | % { "$($_.ToString())`t`t$(($_).value__)";}

The GENERIC rights are not enumerated in the .Net class, but you will see that numeric value if you enumerate enough files.

Good luck!

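As an added example (not code from the question or any of the answers above), here is a function that combines the points made so far: it uses the bitwise subset test rather than an exact match, folds the GENERIC_* bits from the table above into the specific file rights they stand for, and fails if a Deny ACE covers any requested bit. Test-AceRight, its parameters and the winnt.h mapping constants are this example's own; it only looks at ACEs that name the identity literally and does not expand group membership, so it is not a full effective-access calculation.

```powershell
# Added example: does the named identity's ACEs on $Path grant EVERY bit of $Right?
# Only ACEs whose IdentityReference equals $Identity are considered (no group expansion).
function Test-AceRight {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,           # e.g. "BUILTIN\Users"
        [System.Security.AccessControl.FileSystemRights]$Right = 'Modify'
    )
    # GENERIC_* bits are not in the .NET enum; winnt.h defines what they expand to
    # for files (FILE_GENERIC_READ/WRITE/EXECUTE and FILE_ALL_ACCESS). Keys are the
    # raw GENERIC bit values from the table (decimal, so they stay positive Int64).
    $generic = @{
        [int64]2147483648 = 0x120089   # GENERIC_READ    -> FILE_GENERIC_READ
        [int64]1073741824 = 0x120116   # GENERIC_WRITE   -> FILE_GENERIC_WRITE
        [int64]536870912  = 0x1200A0   # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
        [int64]268435456  = 0x1F01FF   # GENERIC_ALL     -> FILE_ALL_ACCESS
    }
    $wanted = [int64]$Right.value__
    $allow = [int64]0
    $deny  = [int64]0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        # value__ is a signed Int32, so GENERIC_READ (bit 31) shows up as a negative
        # number; mask to 32 bits before doing arithmetic on it.
        $mask = [int64]$ace.FileSystemRights.value__ -band [int64][uint32]::MaxValue
        foreach ($g in $generic.Keys) {
            if ($mask -band $g) { $mask = ($mask -band (-bnot $g)) -bor $generic[$g] }
        }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask }
        else                                    { $deny  = $deny  -bor $mask }
    }
    # Subset test: every requested bit allowed, none of them denied. A bare
    # "-band" would also be truthy for Read, which shares bits with Modify.
    return (($allow -band $wanted) -eq $wanted) -and (($deny -band $wanted) -eq 0)
}

Test-AceRight -Path .\myfolder -Identity 'BUILTIN\Users' -Right Modify
```

Because FullControl is a superset of Modify, the function returns $true for a FullControl ACE as well; pass -Right FullControl if that is the distinction you need.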
#2


2  

Got it:

(get-acl .\myfolder).Access | ?{$_.IdentityReference -eq "BUILTIN\Users"} | ?{($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Modify) -eq [System.Security.AccessControl.FileSystemRights]::Modify}

It's a bitwise comparison, and therefore you need to use "-band".

But "-band" will return true if any of the same bits are set in both enumerations. And as even "Read" has several bits set (it's 100000000010001001) - some of which will match with "Modify", you need to also compare the result with "Modify" to make sure that the result is actually the same.

(Thanks to the comments below for getting me pointed in the right direction.)

#3


0  

Updated new version.

Clarified version from Arco's comment.

With this version we're checking if the Modify bit is set.

(Get-Acl .\myfolder).Access | ?{$_.IdentityReference -eq "BUILTIN\Users"} |?{ $_.FileSystemRights -band [Security.AccessControl.FileSystemRights]::Modify}

The value__ property is the numeric bit set version.
