【Question title】: Retrieving security descriptor and getting number for FileSystemRights
【Posted】: 2015-01-19 17:00:29
【Question】:

Using Get-Acl I'm trying to get the access rights of a folder. The problem is that for some groups I get a number instead of the access type. Example below:

get-acl "C:\TestFolder" | % {$_.access}
FileSystemRights  : -536805376
AccessControlType : Allow
IdentityReference : TestDomain\Support
IsInherited       : False
InheritanceFlags  : ObjectInherit
PropagationFlags  : InheritOnly

Is there a way to translate this number back into its name?

【Question discussion】:

    Tags: powershell acl


    【Solution 1】:

    The value of the FileSystemRights property is an unsigned 32-bit integer in which each bit represents a particular access right. Most of the rights are listed in the Win32_ACE class documentation, with the exception of the "generic" rights (bits 28-31) and the right to access the SACL (bit 23). For more details see here and here.

    If you want to break an ACE access mask down into its particular access rights (the "extended rights"), you can do something like this:

    $accessMask = [ordered]@{
      [uint32]'0x80000000' = 'GenericRead'
      [uint32]'0x40000000' = 'GenericWrite'
      [uint32]'0x20000000' = 'GenericExecute'
      [uint32]'0x10000000' = 'GenericAll'
      [uint32]'0x02000000' = 'MaximumAllowed'
      [uint32]'0x01000000' = 'AccessSystemSecurity'
      [uint32]'0x00100000' = 'Synchronize'
      [uint32]'0x00080000' = 'WriteOwner'
      [uint32]'0x00040000' = 'WriteDAC'
      [uint32]'0x00020000' = 'ReadControl'
      [uint32]'0x00010000' = 'Delete'
      [uint32]'0x00000100' = 'WriteAttributes'
      [uint32]'0x00000080' = 'ReadAttributes'
      [uint32]'0x00000040' = 'DeleteChild'
      [uint32]'0x00000020' = 'Execute/Traverse'
      [uint32]'0x00000010' = 'WriteExtendedAttributes'
      [uint32]'0x00000008' = 'ReadExtendedAttributes'
      [uint32]'0x00000004' = 'AppendData/AddSubdirectory'
      [uint32]'0x00000002' = 'WriteData/AddFile'
      [uint32]'0x00000001' = 'ReadData/ListDirectory'
    }
    
    $fileSystemRights = Get-Acl -LiteralPath 'C:\some\folder_or_file' |
                        Select-Object -Expand Access |
                        Select-Object -Expand FileSystemRights -First 1
    
    $permissions = $accessMask.Keys |
                   Where-Object { $fileSystemRights.value__ -band $_ } |
                   ForEach-Object { $accessMask[$_] }
    

    The simple rights FullControl, Modify, ReadAndExecute etc. are just particular combinations of these extended rights. For example, ReadAndExecute is the combination of the following extended rights:

    • ReadData/ListDirectory
    • Execute/Traverse
    • ReadAttributes
    • ReadExtendedAttributes
    • ReadControl

    So the access mask for ReadAndExecute has the value 131241.

    If you want the result to be a combination of simple rights plus the remaining extended rights, you can do something like this:

    $accessMask = [ordered]@{
      ...
    }
    
    $simplePermissions = [ordered]@{
      [uint32]'0x1f01ff' = 'FullControl'
      [uint32]'0x0301bf' = 'Modify'
      [uint32]'0x0200a9' = 'ReadAndExecute'
      [uint32]'0x02019f' = 'ReadAndWrite'
      [uint32]'0x020089' = 'Read'
      [uint32]'0x000116' = 'Write'
    }
    
    $fileSystemRights = Get-Acl -LiteralPath 'C:\some\folder_or_file' |
                        Select-Object -Expand Access |
                        Select-Object -Expand FileSystemRights -First 1
    
    $fsr = $fileSystemRights.value__
    
    $permissions = @()
    
    # get simple permission
    $permissions += $simplePermissions.Keys | ForEach-Object {
                      if (($fsr -band $_) -eq $_) {
                        $simplePermissions[$_]
                        $fsr = $fsr -band (-bnot $_)
                      }
                    }
    
    # get remaining extended permissions
    $permissions += $accessMask.Keys |
                    Where-Object { $fsr -band $_ } |
                    ForEach-Object { $accessMask[$_] }
    

    【Discussion】:

    • Nice answer, although there is a typo in $fsr = $fsr -band (-bNOT $_). Note the binary -bNOT rather than the logical -not.
    • @JosefZ Thanks for the heads-up. Fixed.
    【Solution 2】:
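
The two snippets above are both fragments of one procedure, so here is the whole thing as one runnable function. This is an added example, not the answer's own code: the two lookup tables are copied from the answer, the function name ConvertTo-RightsName and the sample masks are my own, and the masks are fed in as literals so the example runs without Get-Acl or a real folder. The one thing it adds beyond the answer is the handling of negative numbers: Get-Acl exposes FileSystemRights as a signed 32-bit enum, so any ACE with a generic bit (bit 31 set) prints as a negative integer such as the -536805376 in the question, and that value must be reinterpreted as unsigned before the bit tests.

```powershell
# Added example (not from the answer): decompose a FileSystemRights integer into the
# answer's simple + extended right names. Tables are the answer's; names are my own.

$extendedRights = [ordered]@{
  [uint32]'0x80000000' = 'GenericRead'
  [uint32]'0x40000000' = 'GenericWrite'
  [uint32]'0x20000000' = 'GenericExecute'
  [uint32]'0x10000000' = 'GenericAll'
  [uint32]'0x02000000' = 'MaximumAllowed'
  [uint32]'0x01000000' = 'AccessSystemSecurity'
  [uint32]'0x00100000' = 'Synchronize'
  [uint32]'0x00080000' = 'WriteOwner'
  [uint32]'0x00040000' = 'WriteDAC'
  [uint32]'0x00020000' = 'ReadControl'
  [uint32]'0x00010000' = 'Delete'
  [uint32]'0x00000100' = 'WriteAttributes'
  [uint32]'0x00000080' = 'ReadAttributes'
  [uint32]'0x00000040' = 'DeleteChild'
  [uint32]'0x00000020' = 'Execute/Traverse'
  [uint32]'0x00000010' = 'WriteExtendedAttributes'
  [uint32]'0x00000008' = 'ReadExtendedAttributes'
  [uint32]'0x00000004' = 'AppendData/AddSubdirectory'
  [uint32]'0x00000002' = 'WriteData/AddFile'
  [uint32]'0x00000001' = 'ReadData/ListDirectory'
}

$simpleRights = [ordered]@{
  [uint32]'0x1f01ff' = 'FullControl'
  [uint32]'0x0301bf' = 'Modify'
  [uint32]'0x0200a9' = 'ReadAndExecute'
  [uint32]'0x02019f' = 'ReadAndWrite'
  [uint32]'0x020089' = 'Read'
  [uint32]'0x000116' = 'Write'
}

function ConvertTo-RightsName {
  param([Parameter(Mandatory)][int64]$Mask)

  # FileSystemRights is a signed 32-bit enum, so a generic ACE shows up as a
  # negative number. Keep only the low 32 bits and treat them as unsigned.
  $fsr = [uint32]($Mask -band [uint32]::MaxValue)
  $names = [System.Collections.Generic.List[string]]::new()

  # Simple rights first: one applies only when every bit of it is set.
  # Clear its bits so they are not reported a second time below.
  foreach ($bits in $simpleRights.Keys) {
    if (($fsr -band $bits) -eq $bits) {
      $names.Add($simpleRights[$bits])
      $fsr = [uint32]($fsr -band ([uint32]::MaxValue -bxor $bits))
    }
  }

  # Whatever is left over is reported bit by bit as an extended right.
  foreach ($bit in $extendedRights.Keys) {
    if ($fsr -band $bit) { $names.Add($extendedRights[$bit]) }
  }

  [pscustomobject]@{
    Mask     = ('0x{0:X8}' -f [uint32]($Mask -band [uint32]::MaxValue))
    Rights   = ($names -join ', ')
    # What PowerShell's own enum conversion makes of the same number, for comparison:
    # it only yields names when every set bit is a defined FileSystemRights member.
    EnumView = [string][System.Security.AccessControl.FileSystemRights][int32]$Mask
  }
}

# Constructed sample masks: the value from the question, then FullControl (0x1F01FF)
# and ReadAndExecute (131241 = 0x0200A9) from the answer.
-536805376, 2032127, 131241 |
  ForEach-Object { ConvertTo-RightsName $_ } |
  Format-Table -AutoSize
```

For the question's value the function reports GenericRead, GenericWrite, GenericExecute, Delete and no simple right at all: -536805376 is 0xE0010000, an ACE built from generic rights (typical for an ObjectInherit/InheritOnly entry), which is exactly why the enum cast falls back to printing the raw number. To run it against a real object replace the literal list with `(Get-Acl -LiteralPath 'C:\TestFolder').Access | ForEach-Object { ConvertTo-RightsName $_.FileSystemRights.value__ }`.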

    Quick and dirty translation:

    268435456 - Full Control

    -536805376 - Modify, Synchronize

    -1610612736 - Read and Execute, Synchronize

    If you want to understand the translation process, this is the best I've been able to find so far: Link

    【Discussion】:
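
The three numbers in this answer are not arbitrary: each is a mask made only of generic rights, and Windows resolves generic rights against the object type's generic mapping when it evaluates a file ACE. Below is an added example (not part of the answer) that performs that resolution with the file-object mapping constants from winnt.h (FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS) and then lets the FileSystemRights enum name the result; the function name Resolve-GenericFileRights is my own. It reproduces all three translations and shows where the trailing "Synchronize" comes from.

```powershell
# Added example (not from the answer): map generic rights to specific file rights
# using the file generic mapping from winnt.h, then name the result via the enum.

# Generic right bit  ->  specific file rights it expands to (winnt.h constants).
# Each FILE_GENERIC_* value already includes the matching STANDARD_RIGHTS_* bits
# and SYNCHRONIZE, which is why "Synchronize" shows up in the resolved names.
$fileGenericMap = [ordered]@{
  [uint32]'0x80000000' = [uint32]'0x00120089'   # GenericRead    -> FILE_GENERIC_READ
  [uint32]'0x40000000' = [uint32]'0x00120116'   # GenericWrite   -> FILE_GENERIC_WRITE
  [uint32]'0x20000000' = [uint32]'0x001200A0'   # GenericExecute -> FILE_GENERIC_EXECUTE
  [uint32]'0x10000000' = [uint32]'0x001F01FF'   # GenericAll     -> FILE_ALL_ACCESS
}

function Resolve-GenericFileRights {
  param([Parameter(Mandatory)][int64]$Mask)

  # Reinterpret the signed enum value as an unsigned 32-bit access mask.
  $specific = [uint32]($Mask -band [uint32]::MaxValue)

  foreach ($generic in $fileGenericMap.Keys) {
    if ($specific -band $generic) {
      # Drop the generic bit and OR in the specific rights it stands for.
      $cleared  = $specific -band ([uint32]::MaxValue -bxor $generic)
      $specific = [uint32]($cleared -bor $fileGenericMap[$generic])
    }
  }

  [pscustomobject]@{
    Input    = $Mask
    Resolved = ('0x{0:X8}' -f $specific)
    # No generic bits remain, so the enum can now name every bit that is set.
    Names    = [string][System.Security.AccessControl.FileSystemRights][int32]$specific
  }
}

# The three masks from this answer, as constructed input.
268435456, -536805376, -1610612736 |
  ForEach-Object { Resolve-GenericFileRights $_ } |
  Format-Table -AutoSize
```

Worked through by hand for the middle value: -536805376 is 0xE0010000, i.e. GenericRead | GenericWrite | GenericExecute | Delete. Expanding gives 0x120089 | 0x120116 | 0x1200A0 | 0x10000 = 0x1301BF, which is Modify (0x0301BF) plus Synchronize (0x100000), matching the "Modify, Synchronize" line above. Likewise -1610612736 (0xA0000000) resolves to 0x1200A9 = ReadAndExecute | Synchronize, and 268435456 (GenericAll) to 0x1F01FF = FullControl.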
