Virtual Geek

PowerShell convert shared folder permissions SDDL to readable format

While working with shared folder permissions, I wanted to document folder access in a readable form and automate that with PowerShell. Get-Acl shows the permissions of a folder, as in the command below, but its Sddl property is in SDDL format, which is not user friendly: it contains SIDs instead of account names and writes the permissions in short form.

The Security Descriptor Definition Language (SDDL) is the text-string representation of a Windows security descriptor. It defines string tokens for each component of the descriptor: the owner (O:), the primary group (G:), the DACL (D:) and the SACL (S:). Within an ACL, each ACE is written as (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid), with well-known SIDs abbreviated (BA for BUILTIN\Administrators, SY for SYSTEM, BU for BUILTIN\Users, CO for CREATOR OWNER) and rights either as two-letter codes (FA, GA, GR, GW, GX) or as a hex access mask.

$acl = Get-Acl -Path C:\Windows

$acl.Sddl
O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1301bf;;;BA)(A;OICIIO;GXGR;;;BU)(A;;0x1200a9;;;BU)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)(A;;0x1200a9;;;S-1-15-2-2)(A;OICIIO;GXGR;;;S-1-15-2-2)

To convert this SDDL string to a readable format, use the ConvertFrom-SddlString cmdlet (available from PowerShell 5.0).

ConvertFrom-SddlString -Sddl $acl.Sddl

Owner            : NT SERVICE\TrustedInstaller
Group            : NT SERVICE\TrustedInstaller
DiscretionaryAcl : {NT AUTHORITY\SYSTEM: AccessAllowed (AppendData, Delete, ExecuteFile, ExecuteKey, GenericExecute,
                   GenericRead, GenericWrite, Modify, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes,
                   ReadPermissions, Synchronize, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey),
                   BUILTIN\Administrators: AccessAllowed (AppendData, Delete, ExecuteFile, ExecuteKey, GenericExecute,
                   GenericRead, GenericWrite, Modify, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes,
                   ReadPermissions, Synchronize, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey),
                   BUILTIN\Users: AccessAllowed (ExecuteFile, GenericWrite, Read, ReadAndExecute, ReadAttributes, ReadData,
                   ReadExtendedAttributes, ReadPermissions, Synchronize), NT SERVICE\TrustedInstaller: AccessAllowed
                   (AppendData, ChangePermissions, Delete, DeleteSubdirectoriesAndFiles, ExecuteFile, ExecuteKey,
                   FullControl, FullControl, FullControl, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite,
                   Modify, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions,
                   Synchronize, TakeOwnership, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)…}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor


Although all the readable information is in the DiscretionaryAcl property, it is still hard to read as one long line. Two things in that output need explaining. First, ConvertFrom-SddlString translates each access mask against several rights enumerations at once, which is why a folder ACE lists registry names such as ExecuteKey and WriteKey and why FullControl is repeated; passing -Type FileSystemRights restricts the translation to file system rights. Second, SystemAcl is empty because Get-Acl only reads the SACL when called with -Audit (which requires the SeSecurityPrivilege, so an elevated session), which is also why the SDDL above has no S: part. To print each DACL entry on its own line I am using the command below.

(ConvertFrom-SddlString -Sddl $acl.Sddl).DiscretionaryAcl | foreach {$_ ; '-'*40}

NT AUTHORITY\SYSTEM: AccessAllowed (AppendData, Delete, ExecuteFile, ExecuteKey, GenericExecute, GenericRead, GenericWrite, Modify, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Synchronize, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
----------------------------------------
BUILTIN\Administrators: AccessAllowed (AppendData, Delete, ExecuteFile, ExecuteKey, GenericExecute, GenericRead, GenericWrite, Modify, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Synchronize, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
----------------------------------------
BUILTIN\Users: AccessAllowed (ExecuteFile, GenericWrite, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Synchronize)
----------------------------------------
NT SERVICE\TrustedInstaller: AccessAllowed (AppendData, ChangePermissions, Delete, DeleteSubdirectoriesAndFiles, ExecuteFile, ExecuteKey, FullControl, FullControl, FullControl, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, Modify, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Synchronize, TakeOwnership, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
----------------------------------------
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES: AccessAllowed (ExecuteFile, GenericWrite, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Synchronize)
----------------------------------------
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES: AccessAllowed (ExecuteFile, GenericWrite, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Synchronize)
----------------------------------------
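Compare this listing with the raw SDDL string: ConvertFrom-SddlString merges all ACEs for one principal into a single line and drops the ACE flags, so it does not show that the TrustedInstaller GenericAll entry is inherit-only (CIIO), that the DACL is protected (the P in D:PAI), or the CREATOR OWNER entry at all; it also shows no Allow/Deny ordering. For documenting or auditing permissions you usually want exactly that detail. The function below is an added example, not code from the original post; it parses the string with the .NET RawSecurityDescriptor class, reports each ACE separately, translates the generic rights (GA, GR, GW, GX) to the NTFS rights they map to (the FILE_GENERIC_* and FILE_ALL_ACCESS values from winnt.h), and keeps unresolvable SIDs as SIDs instead of failing. The sample SDDL at the end is constructed for illustration; the domain SID in it is made up and will not resolve, which exercises that fallback.

```powershell
# Added example (not part of the original post): expand an SDDL string ACE by ACE.
# Unlike ConvertFrom-SddlString it keeps Allow/Deny, inheritance and propagation flags,
# inherit-only ACEs and the Protected flag, and maps generic rights to NTFS rights.
function ConvertTo-NtfsAceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Sddl
    )
    begin {
        # Generic rights and the file-specific masks they expand to (winnt.h)
        $GENERIC_READ    = [uint32]2147483648   # 0x80000000 -> FILE_GENERIC_READ    0x120089
        $GENERIC_WRITE   = [uint32]1073741824   # 0x40000000 -> FILE_GENERIC_WRITE   0x120116
        $GENERIC_EXECUTE = [uint32]536870912    # 0x20000000 -> FILE_GENERIC_EXECUTE 0x1200A0
        $GENERIC_ALL     = [uint32]268435456    # 0x10000000 -> FILE_ALL_ACCESS      0x1F01FF

        function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
            try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $Sid.Value }   # deleted account or untrusted domain: keep the raw SID
        }
    }
    process {
        # RawSecurityDescriptor keeps exactly what the string says. CommonSecurityDescriptor
        # would replace a NULL DACL (no D: part) with an Everyone:FullControl ACE and hide it.
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
        if ($null -eq $sd.DiscretionaryAcl) {
            Write-Warning 'NULL DACL: no access restrictions at all (everyone has full access)'
            return
        }
        $protected = ($sd.ControlFlags -band [System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected) -ne 0

        foreach ($ace in $sd.DiscretionaryAcl) {
            # Object ACEs (AD) and custom ACEs do not occur on NTFS; skip anything else
            if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }

            # AccessMask is a signed Int32 and GENERIC_READ sets the sign bit, so widen before masking
            $mask     = [uint32]([int64]$ace.AccessMask -band 4294967295)
            $specific = [int64]($mask -band 268435455)          # everything except the generic bits
            if ($mask -band $GENERIC_ALL)     { $specific = $specific -bor 0x1F01FF }
            if ($mask -band $GENERIC_READ)    { $specific = $specific -bor 0x120089 }
            if ($mask -band $GENERIC_WRITE)   { $specific = $specific -bor 0x120116 }
            if ($mask -band $GENERIC_EXECUTE) { $specific = $specific -bor 0x1200A0 }
            $rights = [System.Security.AccessControl.FileSystemRights][int]$specific

            # Where the ACE applies: the folder itself unless it is inherit-only (IO), plus children per CI/OI
            $inheritOnly = ($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::InheritOnly) -ne 0
            $scope = @()
            if (-not $inheritOnly) { $scope += 'this folder' }
            if ($ace.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit) { $scope += 'subfolders' }
            if ($ace.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ObjectInherit)    { $scope += 'files' }

            [pscustomobject]@{
                Principal     = Resolve-Sid $ace.SecurityIdentifier
                Type          = $ace.AceType            # AccessAllowed / AccessDenied, in DACL order (Deny first if canonical)
                Rights        = $rights
                AppliesTo     = $scope -join ', '
                Inherited     = $ace.IsInherited        # came from the parent folder (ID flag)
                DaclProtected = $protected              # inheritance from the parent is disabled (P in D:PAI)
                RawMask       = '0x{0:X8}' -f $mask
            }
        }
    }
}

# Constructed sample (not from a real system): a share root that denies Modify to one
# made-up domain user, gives Users read, and gives CREATOR OWNER full control on children only.
$sampleSddl = 'O:BAG:SYD:PAI(D;OICI;0x1301bf;;;S-1-5-21-1111111111-2222222222-3333333333-1001)' +
              '(A;OICI;FA;;;BA)(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;BU)(A;CIIO;GW;;;BU)'

$sampleSddl | ConvertTo-NtfsAceReport | Format-Table -AutoSize

# Real folder, using the same Get-Acl call as above:
# (Get-Acl -Path C:\Windows).Sddl | ConvertTo-NtfsAceReport | Format-Table -AutoSize
```

On the sample, the Deny ACE comes out first with Rights of Modify, Synchronize and the principal printed as the raw SID; the CREATOR OWNER entry shows FullControl with AppliesTo of subfolders, files (no "this folder", because it is inherit-only); and the GW entry for Users expands to Write, ReadPermissions, Synchronize on subfolders only. Deny entries listed after Allow entries for the same principal would indicate a non-canonical DACL, which is worth flagging in an audit because Windows evaluates ACEs in order.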

Another way is to use the .NET security classes directly. In the example below I read an event from the Security log (event ID 4907, "Auditing settings on object were changed", whose EventData carries the old and new security descriptor of the object as SDDL strings), load the SDDL into a DirectorySecurity object and list the access rules it contains. Reading the Security log requires administrator rights or membership in the Event Log Readers group.

# Newest 4907 event; Properties[] is positional, so the index depends on the event's template
$eventSDDL = (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4907} -MaxEvents 1).Properties[-3].Value

# Load the SDDL into an empty DirectorySecurity object and read the access rules back
$sddlObj = New-Object -TypeName System.Security.AccessControl.DirectorySecurity
$sddlObj.SetSecurityDescriptorSddlForm($eventSDDL)
$sddlObj.Access

# The reverse direction takes an AccessControlSections value, not an SDDL string:
# $sddlObj.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::All)
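The reason to pull the SDDL out of an event is normally to see what changed, so the natural next step with the DirectorySecurity class is to diff the old and new descriptor. Event 4670 ("Permissions on an object were changed") and event 4907 both carry OldSd and NewSd fields. The function below is an added example, not code from the original post: it loads both strings into DirectorySecurity objects, keys the rules by SID rather than account name (so a deleted or foreign-domain SID is compared instead of throwing on translation) and reports which rules were added or removed. The before/after SDDL strings at the end are constructed for illustration and the domain SID in them is made up. One caveat that the output makes visible: DirectorySecurity does not translate generic rights, so an ACE written as GA shows up in FileSystemRights as the raw number 268435456.

```powershell
# Added example (not part of the original post): diff the access rules of two SDDL strings,
# e.g. the OldSd/NewSd fields of Security event 4670 or 4907.
function Compare-SddlAccess {
    param(
        [Parameter(Mandatory)][string]$OldSddl,
        [Parameter(Mandatory)][string]$NewSddl
    )

    function Get-RuleTable([string]$Sddl) {
        $sec = New-Object System.Security.AccessControl.DirectorySecurity
        $sec.SetSecurityDescriptorSddlForm($Sddl)
        $table = @{}
        # Ask for SIDs, not NTAccount names: an orphaned SID would otherwise fail to translate
        foreach ($rule in $sec.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            $key = '{0}|{1}|{2}|{3}|{4}' -f $rule.IdentityReference.Value, $rule.AccessControlType,
                                           [int]$rule.FileSystemRights, $rule.InheritanceFlags, $rule.PropagationFlags
            $table[$key] = $rule
        }
        return $table
    }

    function Resolve-Name([System.Security.Principal.IdentityReference]$Id) {
        try   { $Id.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $Id.Value }   # keep the SID when it cannot be resolved
    }

    $old = Get-RuleTable $OldSddl
    $new = Get-RuleTable $NewSddl

    foreach ($key in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        if ($old.ContainsKey($key) -and $new.ContainsKey($key)) { continue }   # unchanged rule
        if ($new.ContainsKey($key)) { $change = 'Added';   $rule = $new[$key] }
        else                        { $change = 'Removed'; $rule = $old[$key] }
        [pscustomobject]@{
            Change    = $change
            Principal = Resolve-Name $rule.IdentityReference
            Type      = $rule.AccessControlType
            Rights    = $rule.FileSystemRights   # generic rights such as GA appear as raw numbers (268435456)
            Inherit   = $rule.InheritanceFlags
        }
    }
}

# Constructed sample (not from a real event): Users were raised from read to Modify and an
# unknown (made-up) domain account was granted Full Control.
$before = 'O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)'
$after  = 'O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;BU)' +
          '(A;OICI;FA;;;S-1-5-21-1111111111-2222222222-3333333333-1001)'
Compare-SddlAccess -OldSddl $before -NewSddl $after | Format-Table -AutoSize

# Live use (Windows, elevated): take OldSd/NewSd by field name instead of a positional index
# $e = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4670} -MaxEvents 1
# $d = ([xml]$e.ToXml()).Event.EventData.Data
# Compare-SddlAccess -OldSddl ($d | Where-Object Name -eq 'OldSd').'#text' -NewSddl ($d | Where-Object Name -eq 'NewSd').'#text'
```

On the sample the report shows three rows: the BUILTIN\Users ReadAndExecute, Synchronize rule removed, a BUILTIN\Users Modify, Synchronize rule added, and a FullControl rule added for the unresolvable SID. Selecting the SDDL fields by name from the event XML, as in the commented lines, is more robust than Properties[-3], which silently points at a different field if the event template differs.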

