使用Get-Acl我试图获取文件夹的访问权限.问题是,对于某些组,我得到一个数字而不是访问类型.示例如下:
get-acl "C:\TestFolder" | % {$_.access}
FileSystemRights : -536805376
AccessControlType : Allow
IdentityReference : TestDomain\Support
IsInherited : False
InheritanceFlags : ObjectInherit
PropagationFlags : InheritOnly
有没有办法将这个号码翻译成它的名字?
Ans*_*ers 12
该FileSystemRights属性的值是无符号的32位整数,其中每个位表示特定的访问权限.除了"通用"权限(位28-31)和访问SACL(位23)的权限之外,大多数权限都列在Win32_ACE类文档中.更多细节可以在这里和这里找到.
如果要将ACE访问掩码分解为其特定的访问权限(vulgo"扩展权限"),您可以执行以下操作:
$accessMask = [ordered]@{
[uint32]'0x80000000' = 'GenericRead'
[uint32]'0x40000000' = 'GenericWrite'
[uint32]'0x20000000' = 'GenericExecute'
[uint32]'0x10000000' = 'GenericAll'
[uint32]'0x02000000' = 'MaximumAllowed'
[uint32]'0x01000000' = 'AccessSystemSecurity'
[uint32]'0x00100000' = 'Synchronize'
[uint32]'0x00080000' = 'WriteOwner'
[uint32]'0x00040000' = 'WriteDAC'
[uint32]'0x00020000' = 'ReadControl'
[uint32]'0x00010000' = 'Delete'
[uint32]'0x00000100' = 'WriteAttributes'
[uint32]'0x00000080' = 'ReadAttributes'
[uint32]'0x00000040' = 'DeleteChild'
[uint32]'0x00000020' = 'Execute/Traverse'
[uint32]'0x00000010' = 'WriteExtendedAttributes'
[uint32]'0x00000008' = 'ReadExtendedAttributes'
[uint32]'0x00000004' = 'AppendData/AddSubdirectory'
[uint32]'0x00000002' = 'WriteData/AddFile'
[uint32]'0x00000001' = 'ReadData/ListDirectory'
}
$fileSystemRights = Get-Acl -LiteralPath 'C:\some\folder_or_file' |
Select-Object -Expand Access |
Select-Object -Expand FileSystemRights -First 1
$permissions = $accessMask.Keys |
Where-Object { $fileSystemRights.value__ -band $_ } |
ForEach-Object { $accessMask[$_] }
简单的权限FullControl,Modify,ReadAndExecute等都是这些扩展权限只是特定组合.ReadAndExecute例如,是以下扩展权限的组合:
ReadData/ListDirectoryExecute/TraverseReadAttributesReadExtendedAttributesReadControl所以访问掩码ReadAndExecute的值为131241.
如果您希望结果是简单权限和剩余扩展权限的组合,您可以执行以下操作:
$accessMask = [ordered]@{
...
}
$simplePermissions = [ordered]@{
[uint32]'0x1f01ff' = 'FullControl'
[uint32]'0x0301bf' = 'Modify'
[uint32]'0x0200a9' = 'ReadAndExecute'
[uint32]'0x02019f' = 'ReadAndWrite'
[uint32]'0x020089' = 'Read'
[uint32]'0x000116' = 'Write'
}
$fileSystemRights = Get-Acl -LiteralPath 'C:\some\folder_or_file' |
Select-Object -Expand Access |
Select-Object -Expand FileSystemRights -First 1
$fsr = $fileSystemRights.value__
$permissions = @()
# get simple permission
$permissions += $simplePermissions.Keys | ForEach-Object {
if (($fsr -band $_) -eq $_) {
$simplePermissions[$_]
$fsr = $fsr -band (-bnot $_)
}
}
# get remaining extended permissions
$permissions += $accessMask.Keys |
Where-Object { $fsr -band $_ } |
ForEach-Object { $accessMask[$_] }
| 归档时间: |
|
| 查看次数: |
6305 次 |
| 最近记录: |