Closed RobinBeismann closed 1 month ago
This looks like a PS7 bug when run inside a runspace
You can do this as workaround and I suggest to open a bug to Powershell
Add-PodeSchedule -Name 'ACLGroups' -Cron '@hourly' -OnStart -ScriptBlock {
# Define the C# code
$csCode = @"
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Collections.Generic;
public class AclHelper
{
public static string GetAcl(string path)
{
try
{
FileSystemSecurity security = null;
if (File.Exists(path))
{
FileInfo fileInfo = new FileInfo(path);
security = fileInfo.GetAccessControl();
}
else if (Directory.Exists(path))
{
DirectoryInfo directoryInfo = new DirectoryInfo(path);
security = directoryInfo.GetAccessControl();
}
else
{
return "Path not found.";
}
var owner = security.GetOwner(typeof(NTAccount)).ToString();
var rules = security.GetAccessRules(true, true, typeof(NTAccount));
List<string> aclDetails = new List<string>();
aclDetails.Add("Owner: " + owner);
foreach (FileSystemAccessRule rule in rules)
{
aclDetails.Add($"{rule.IdentityReference.Value} {rule.AccessControlType} {rule.FileSystemRights}");
}
return string.Join("\n", aclDetails);
}
catch (Exception ex)
{
return "Error: " + ex.Message;
}
}
}
"@
# Add the C# code to the PowerShell session
Add-Type -TypeDefinition $csCode -Language CSharp
# Get the ACL information
$aclInfo = [AclHelper]::GetAcl($path)
Write-PodeHost -Object $aclInfo -Explode -ShowType -Label "Acl"
}
Thanks, I'll have to rewrite that for DirectoryServices ACLs but that should do. I'll prepare an example for runspaces and ACLs and open a bug over at the PowerShell.
Question
I'm trying to build a frontend for AD Group Management and for that I want to parse the AD ACLs on a schedule. I've already done this outside Pode and it works fine. However in Pode (on PS7), I do get an empty ACL object for whatever I try to query. Interesting enough, if I run the
Get-Acl
in PS7 outside Pode, it works fine.Reproduce
Outside Pode:
Inside Pode:
Test Code: Result:
Additional information
I found this issue which sounds related, but even loading it doesn't solve it: https://github.com/PowerShell/PowerShell/issues/18896 I tried calling the
DirectoryServices
Class to use its'objectSecurity
property, but that is also empty in Pode while it works outside:$DSObject = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://$($ADGroup.DistinguishedName)")
Any idea what's going out there?