2
votes

This is a simple question, yet I could not find an answer on Google or here:

Using PowerShell or cmd (no third-party stuff), how can I retrieve folder permissions in a way that allows me to differentiate between "List Folder Contents" and "ReadAndExecute"?

Right now, when I execute Get-Acl on a folder, it returns the same permission level whether a group grants only list access or read and execute. If I right-click and go to the Security tab, one group has "List folder contents" checked and another has "Read & Execute" checked, but both return "ReadAndExecute" with Get-Acl.

Pictures below:

[screenshot: group 1]
[screenshot: group 2]

PowerShell just returns "ReadAndExecute" for both:

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : group1
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : group2
IsInherited       : False
InheritanceFlags  : ContainerInherit
PropagationFlags  : None

3

Still haven't found a solution to this. YuriW

3 Answers

1
votes

Your answer is great but has just a little mistake. You're getting the wrong parameter in the $inheritanceFlags variable at line 3. The below is correct:

foreach ($access in (Get-Acl 'C:\Test').Access) {
    $filerights = $access.FileSystemRights.ToString()
    # The rights mask is the same for both GUI entries; the inheritance flags are what differ
    $inheritanceFlg = $access.InheritanceFlags.ToString()
    # "List folder contents" is ReadAndExecute applied to this folder and subfolders only
    # (ContainerInherit without ObjectInherit)
    if ($inheritanceFlg -eq 'ContainerInherit') {
        $filerights = $filerights.replace('ReadAndExecute', 'ListDirectory')
    }
    $output = $access.IdentityReference.ToString() + ';' + $filerights
    $output
}

0
votes

(Get-Acl 'C:\Temp').Access

returns a collection of System.Security.AccessControl.FileSystemAccessRule objects.

Each has a FileSystemRights property of type System.Security.AccessControl.FileSystemRights. This is a flags enumeration, and it can be checked for individual rights. For example (checking the first access rule below):

$rights = (Get-Acl 'C:\Temp').Access[0].FileSystemRights
# True when the ExecuteFile bit is set in the rule's rights mask
($rights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -eq [System.Security.AccessControl.FileSystemRights]::ExecuteFile

ListDirectory, ExecuteFile and Read are what you may check to catch the difference in permissions.

More info: https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights(v=vs.110).aspx
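To show concretely what the -band test in this answer does, here is an added example (my code, not part of the answer above) that expands a FileSystemRights value into its single-bit members. The two rules are constructed in memory to mirror the question's group1 and group2 entries, so it runs without touching the disk; `Get-FileSystemRightFlags` and `$singleBitRights` are names chosen for this example. Because both entries carry the same ReadAndExecute mask, the expansion is identical for group1 and group2: the rights bits alone do not separate "List folder contents" from "Read & execute", only the inheritance flags do.

```powershell
using namespace System.Security.AccessControl

# Single-bit members of FileSystemRights. Composite names such as Read,
# ReadAndExecute, Modify and FullControl are left out so each bit is reported once.
$singleBitRights = @(
    'ListDirectory', 'CreateFiles', 'CreateDirectories',
    'ReadExtendedAttributes', 'WriteExtendedAttributes', 'ExecuteFile',
    'DeleteSubdirectoriesAndFiles', 'ReadAttributes', 'WriteAttributes',
    'Delete', 'ReadPermissions', 'ChangePermissions', 'TakeOwnership',
    'Synchronize'
)

# Return the names of the individual bits set in a FileSystemRights value,
# using the same -band test as the answer above for each bit.
function Get-FileSystemRightFlags {
    param([Parameter(Mandatory)][FileSystemRights]$Rights)
    foreach ($name in $singleBitRights) {
        $bit = [FileSystemRights]$name
        if (($Rights -band $bit) -eq $bit) { $name }
    }
}

# Constructed sample rules mirroring the question's two entries (in-memory, no Get-Acl needed).
$sampleRules = @(
    [FileSystemAccessRule]::new('group1', 'ReadAndExecute, Synchronize', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    [FileSystemAccessRule]::new('group2', 'ReadAndExecute, Synchronize', 'ContainerInherit', 'None', 'Allow')
)
foreach ($rule in $sampleRules) {
    '{0}: {1}' -f $rule.IdentityReference, ((Get-FileSystemRightFlags $rule.FileSystemRights) -join ', ')
}

# The same expansion against a real folder:
# (Get-Acl 'C:\Temp').Access | ForEach-Object {
#     '{0}: {1}' -f $_.IdentityReference, ((Get-FileSystemRightFlags $_.FileSystemRights) -join ', ')
# }
```

Run it in PowerShell 5 or later (the `::new()` constructor syntax and `using namespace` need it). Seeing both rules print the same bit list is the quickest way to convince yourself that ReadAndExecute already contains the ListDirectory bit and that a bitwise check cannot tell the two GUI entries apart.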

0
votes

I was able to find a viable solution to this by myself after a while.

Even though PowerShell (or CMD or C#) always returns "ReadAndExecute" for both ListDirectory and actual ReadAndExecute permissions, the "InheritanceFlags" will always be "ContainerInherit" only when the permission is "ListDirectory". As such, by checking this flag you can find out which group grants only list permissions instead of read and execute.

I have implemented this check in PowerShell, and it has worked for all test cases so far:

foreach ($access in (Get-Acl 'C:\test').Access) {
    $filerights = $access.FileSystemRights.ToString()
    # The rights mask is identical for both GUI entries; only the inheritance flags differ
    $inheritanceFlg = $access.InheritanceFlags.ToString()
    # "List folder contents" is ReadAndExecute applied to this folder and subfolders only
    # (ContainerInherit without ObjectInherit), so relabel that case
    if ($inheritanceFlg -eq 'ContainerInherit') {
        $filerights = $filerights.replace('ReadAndExecute', 'ListDirectory')
    }
    $output = $access.IdentityReference.ToString() + ';' + $filerights
    $output
}
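The approach in this answer generalizes beyond the one ReadAndExecute case: every basic permission the Security tab shows (Full control, Modify, Read & execute, List folder contents, Read, Write) is a fixed rights mask, and "List folder contents" is the only one that is distinguished by inheritance scope rather than by mask. The following is an added example, not the answer's own code, of a helper that maps an access rule to the basic permission name the GUI would display. `Get-BasicPermissionName` and `Remove-SyncBit` are names chosen here; the sample rules are constructed in memory to mirror the question's group1 and group2 entries, so the helper reports group2's ContainerInherit-only rule as "List folder contents" and group1's as "Read & execute".

```powershell
using namespace System.Security.AccessControl

# Synchronize is present on some rules and not others depending on how they were
# written; strip it before comparing masks so both forms match the GUI presets.
function Remove-SyncBit([int]$Mask) {
    $Mask -band (-bnot [int][FileSystemRights]::Synchronize)
}

# Map one FileSystemAccessRule to the basic permission name the Security tab shows.
# Hypothetical helper written for this example.
function Get-BasicPermissionName {
    param([Parameter(Mandatory)][FileSystemAccessRule]$Rule)

    $mask = Remove-SyncBit ([int]$Rule.FileSystemRights)
    $ci = $Rule.InheritanceFlags.HasFlag([InheritanceFlags]::ContainerInherit)
    $oi = $Rule.InheritanceFlags.HasFlag([InheritanceFlags]::ObjectInherit)

    $name = if ($mask -eq (Remove-SyncBit ([int][FileSystemRights]::FullControl))) {
        'Full control'
    } elseif ($mask -eq (Remove-SyncBit ([int][FileSystemRights]::Modify))) {
        'Modify'
    } elseif ($mask -eq (Remove-SyncBit ([int][FileSystemRights]::ReadAndExecute))) {
        # Same mask for both GUI entries; only the inheritance scope tells them apart.
        # "List folder contents" applies to this folder and subfolders (CI without OI).
        if ($ci -and -not $oi) { 'List folder contents' } else { 'Read & execute' }
    } elseif ($mask -eq (Remove-SyncBit ([int][FileSystemRights]::Read))) {
        'Read'
    } elseif ($mask -eq (Remove-SyncBit ([int][FileSystemRights]::Write))) {
        'Write'
    } else {
        # Any other combination is shown as "Special permissions" in the basic view
        'Special permissions'
    }

    if ($Rule.AccessControlType -eq [AccessControlType]::Deny) { "Deny: $name" } else { $name }
}

# Constructed sample rules mirroring the question's two entries (in-memory, no Get-Acl needed).
$sampleRules = @(
    [FileSystemAccessRule]::new('group1', 'ReadAndExecute, Synchronize', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    [FileSystemAccessRule]::new('group2', 'ReadAndExecute, Synchronize', 'ContainerInherit', 'None', 'Allow')
)
foreach ($rule in $sampleRules) {
    '{0};{1}' -f $rule.IdentityReference, (Get-BasicPermissionName $rule)
}

# Against a real folder, in the same identity;permission format as the answer above:
# (Get-Acl 'C:\test').Access | ForEach-Object {
#     '{0};{1}' -f $_.IdentityReference, (Get-BasicPermissionName $_)
# }
```

Two caveats when using this on real ACLs: the inheritance test only carries meaning on folders (on a file there is no "List folder contents" entry, and a ReadAndExecute mask is just Read & execute), and a rule whose PropagationFlags include InheritOnly applies to children only, which the Security tab shows in the "Applies to" column rather than in the permission name, so the helper deliberately ignores PropagationFlags.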