raandree / NTFSSecurity

Managing permissions with PowerShell is only a bit easier than in VBS or the command line as there are no cmdlets for most day-to-day tasks like getting a permission report or adding permission to an item. PowerShell only offers Get-Acl and Set-Acl but everything in between getting and setting the ACL is missing. This module closes the gap.
MIT License

List Folder Contents Permissions issue #13

Closed nickalleyne closed 7 years ago

nickalleyne commented 7 years ago

Hi there,

I have just begun using this module, and so far it has been working great, so thanks for putting it together.

The only issue I have run into so far, is that I cannot seem to properly set "List folder contents" as you would via the gui.

For example, if I choose a folder in the GUI, and add a new user with only "List folder contents", then it applies via the GUI and all seems to work as expected. But when running Get-NTFSAccess I see it shows "ReadAndExecute" + "Synchronize" (below output sanitized).

PS C:\Test> Get-NTFSAccess -Path .\User1\ -Account fileshare-list | fl

Name               : User1
FullName           : C:\Test\User1
InheritanceEnabled : True
InheritedFrom      :
AccessControlType  : Allow
AccessRights       : ReadAndExecute, Synchronize
Account            : Fileshare-List
InheritanceFlags   : ContainerInherit
IsInherited        : False
PropagationFlags   : None
AccountType        : group

But if I then go and re-add the same permissions (or delete and re-create), using ReadAndExecute, it gives ReadAndExecute (as expected).

I have tried adding just "ListDirectory" but then in the gui it shows "Special" which will confuse my helpdesk when they see it. I have also tried a number of other combinations of attributes, but nothing seems to get just the "List folder contents" box to be checked.

In case it changes anything, I am running on Windows 10 1703 (or 1704, cannot remember which) Creators Update. I have tried this both on local and network shares, and I get the same result.

Thanks again

raandree commented 7 years ago

The reason is that the enum that contains the access rights definitions has duplicate values:

#region function Get-Enum
# Lists every named member of an enum type with its numeric and binary value,
# which makes duplicate values (two names for the same bit) easy to spot.
function Get-Enum { 
    param (
        [type]$Type
    )

    [enum]::GetNames($Type) | 
    Select-Object -Property `
    @{ Name = 'Name'; Expression={ [string]$_ } },
    @{ Name = 'Value'; Expression={ [uint32](Invoke-Expression "[$($Type.FullName)]'$_'") }},
    @{ Name = 'Binary'; Expression={[Convert]::ToString([uint32](Invoke-Expression "[$($Type.FullName)]'$_'"), 2)}}
}
#endregion

Get-Enum -Type System.Security.AccessControl.FileSystemRights
Name                           Value Binary               
----                           ----- ------               
ListDirectory                      1 1                    
ReadData                           1 1                    
WriteData                          2 10                   
CreateFiles                        2 10                   
CreateDirectories                  4 100                  
AppendData                         4 100                  
ReadExtendedAttributes             8 1000                 
WriteExtendedAttributes           16 10000                
Traverse                          32 100000               
ExecuteFile                       32 100000               
DeleteSubdirectoriesAndFiles      64 1000000              
ReadAttributes                   128 10000000             
WriteAttributes                  256 100000000            
Write                            278 100010110            
Delete                         65536 10000000000000000    
ReadPermissions               131072 100000000000000000   
Read                          131209 100000000010001001   
ReadAndExecute                131241 100000000010101001   
Modify                        197055 110000000110111111   
ChangePermissions             262144 1000000000000000000  
TakeOwnership                 524288 10000000000000000000 
Synchronize                  1048576 100000000000000000000
FullControl                  2032127 111110000000111111111

I will look into this...

raandree commented 7 years ago

I guess the Explorer is cheating on us. I cannot really give just the right "ListDirectory", it always comes with "Read". I have removed everything from the access entry for some user except from "List folder content" (see screenshot).

Get-NTFSAccess returns this:

PS D:\Test> (Get-NTFSAccess -Account install).AccessRights
ReadAndExecute, Synchronize

And this is true if you look up the advanced security settings in the Explorer (see screenshot).

And here it is simply not possible to give someone just "List folder content". It always comes with "Read" and "Read & Execute". And ReadAndExecute (131241) is a combination of:

So, bottom line is, to achieve what the Windows Explorer does, you want to do this:

Add-NTFSAccess -Path D:\Test -Account Install -AccessRights ReadAndExecute

nickalleyne commented 7 years ago

Thanks so much for looking into that. I can't believe I did not notice it when checking advanced and doing it manually via the GUI.

raandree commented 7 years ago

Great I could help. I am closing the issue then.

rodmhgl commented 7 years ago

My understanding is that List Folder Contents was just Read & Execute applied to Folders only.

JimBeam5 commented 3 years ago

My understanding is that List Folder Contents was just Read & Execute applied to Folders only.

This is correct, sorry for resurrecting an old issue but I ran across this problem today. To achieve what you're after you'd use the below...

Add-NTFSAccess "C:\Temp\Test Permissions" -Account "UserAccountOrGroup" -AccessRights "ReadAndExecute" -AppliesTo "ThisFolderAndSubfolders" -AccessType Allow -PassThru
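
Added example, not code from the NTFSSecurity project or from anyone in this thread. It ties raandree's enum table to JimBeam5's answer: it breaks ReadAndExecute (131241) into its single-bit flags, showing the duplicate names and why ListDirectory alone is shown as "Special", and builds the same ACE Explorer writes for "List folder contents" (ReadAndExecute, ContainerInherit only) with plain .NET types, no NTFSSecurity module required. BUILTIN\Users is a stand-in account and the temp folder path is an assumption.

```powershell
# Added example (not from the NTFSSecurity project): decompose FileSystemRights
# into single-bit flags and build the "List folder contents" ACE by hand.
using namespace System.Security.AccessControl

function Get-FileSystemRightsBits {
    param([FileSystemRights]$Rights)
    $value = [uint32]$Rights
    # Keep only single-bit flags (composite names such as Read, Write, Modify are
    # skipped) and group by value so duplicate names (ReadData/ListDirectory,
    # ExecuteFile/Traverse, ...) land on one row.
    [enum]::GetNames([FileSystemRights]) |
        ForEach-Object { [pscustomobject]@{ Name = $_; Value = [uint32][FileSystemRights]$_ } } |
        Where-Object { ($_.Value -band ($_.Value - 1)) -eq 0 -and ($value -band $_.Value) -ne 0 } |
        Group-Object Value |
        ForEach-Object { [pscustomobject]@{ Bit = [uint32]$_.Name; Names = ($_.Group.Name -join '/') } } |
        Sort-Object Bit
}

function New-ListFolderContentsRule {
    param([string]$Account)  # e.g. 'DOMAIN\fileshare-list' (placeholder)
    # What Explorer writes for "List folder contents": Read & Execute restricted
    # to this folder and subfolders (ContainerInherit), not files (no ObjectInherit).
    # .NET adds Synchronize to every Allow rule, hence "ReadAndExecute, Synchronize"
    # when the entry is read back with Get-NTFSAccess or Get-Acl.
    [FileSystemAccessRule]::new(
        $Account,
        [FileSystemRights]::ReadAndExecute,
        [InheritanceFlags]::ContainerInherit,
        [PropagationFlags]::None,
        [AccessControlType]::Allow)
}

# ListDirectory is the single bit 1, which is why the GUI labels it "Special";
# ReadAndExecute is bits 1 + 8 + 32 + 128 + 131072 = 131241.
'ListDirectory alone:'; Get-FileSystemRightsBits -Rights ListDirectory  | Format-Table -AutoSize
'ReadAndExecute:';      Get-FileSystemRightsBits -Rights ReadAndExecute | Format-Table -AutoSize

$rule = New-ListFolderContentsRule -Account 'BUILTIN\Users'   # stand-in account
$rule | Select-Object FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType

# To apply it, uncomment the lines below (creates a throwaway folder under %TEMP%):
# $dir = New-Item -ItemType Directory -Path (Join-Path $env:TEMP 'lfc-demo') -Force
# $acl = Get-Acl $dir; $acl.AddAccessRule($rule); Set-Acl -Path $dir -AclObject $acl
# (Get-Acl $dir).Access | Where-Object IdentityReference -eq 'BUILTIN\Users'
```

The rule object's InheritanceFlags/PropagationFlags match the Get-NTFSAccess output earlier in the thread (ContainerInherit, None), which is the only thing that distinguishes "List folder contents" from a plain "Read & Execute" entry.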