PowerShell Remoting Project Home

Monday, December 19, 2005

Play with ACL in MSH

I have a laptop running Windows XP Home Edition. As you know, to force you to pay more money for the Professional edition, Mico$oft disabled the "Security" tab in the file or directory "Properties" dialogue window. To set an ACL, I have to use cacls.exe (which comes with Windows). If you want more functionality, use setacl.exe (under the GPL; you can download it from sourceforge.org).

That is OK if you just need to adjust a few files. It becomes a tedious job if you have a lot of files or directories to modify. So let's give MSH a try.

There are two cmdlets designed for this job:
get-acl : Gets the access control list (ACL) associated with a file or object.
get-acl [[-Path] System.String[]] [[-Filter] System.String] [[-Include]
system.String[]] [[-Exclude] System.String[]] [[-Audit] [System.Boolean]]

set-acl: Set the security Access Control List for an item or items.
set-acl [-ACLObject] aclobject [-Path path]
[-Include include] [-Exclude exclude] [-Filter filter] [-Passthru]

But there is a trick here. In order to set the group or the owner, you need an instance of a [system.security.principal.ntaccount] object in hand.

#######################################
# Let's get acl for file text.txt
$acl=get-acl text.txt
$acl | format-list

#You will get something like
#Path : FileSystem::D:\text.txt
#Owner : Computer\me
#Group : Computer\None
#Access : BUILTIN\Administrators Allow FullControl
# Computer\me Allow FullControl
#Audit :
#Sddl : Bla…Bla…Bla…

#So we can manipulate this acl object now. Let's try to change group to
# BUILTIN\Administrators.
#Get a [system.security.principal.ntaccount] object
$Account = new-object system.security.principal.ntaccount("Administrators")

#To check whether the group is valid
$SID = $Account.translate([system.security.principal.securityidentifier])
$SID

#You will see
#BinaryLength AccountDomainSid Value
#------------ ---------------- -----
# 16 S-1-5-32-544
#If you see an error message here, your $Account is invalid.

#Use setgroup method of acl object
$acl.setgroup($Account)
$acl | format-list

#You will get something like
#Path : FileSystem::D:\text.txt
#Owner : Computer\me
#Group : BUILTIN\Administrators (We made change here!!!!!!!!!!!!!!!)
#Access : BUILTIN\Administrators Allow FullControl
# Computer\me Allow FullControl
#Audit :
#Sddl : Bla…Bla…Bla…

#But this ACL object is only in memory; we need to apply it to the file
set-acl -aclobject $acl -path D:\text.txt

#make sure you pass both -aclobject and -path, otherwise you will get an error.
###############################################

This scheme can easily be adapted to modify a directory ACL or to grant access to any user.
You can use the get-member cmdlet to explore the other methods and properties of $acl. I will leave those exercises to the readers.
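As an added example (not part of the original post), here is the directory and grant-access variant the previous paragraph mentions, written for PowerShell 2 or later rather than the Monad beta. It keeps the post's pattern: resolve the account to a SID first so a typo cannot produce an unresolvable ACE, build the change on the in-memory ACL, and apply it with a single Set-Acl call that gets both -Path and -AclObject. It also adds a small audit function that lists entries giving broad built-in groups Modify or FullControl, which is worth running before granting anything new. The path D:\Shared, the account Computer\alice and the function names are placeholders I chose, not anything from the post.

```powershell
# Added example, not from the original post. Paths and account names are
# placeholders; requires PowerShell 2+ (try/catch, CmdletBinding).
Set-StrictMode -Version 2

# Resolve a name to a SID exactly as the post checks $Account; throw a clear
# error if the account does not exist instead of writing a dangling ACE later.
function Resolve-AccountSid {
    param([Parameter(Mandatory = $true)][string]$Name)
    $account = New-Object System.Security.Principal.NTAccount($Name)
    try {
        return $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Account '$Name' cannot be resolved to a SID; check the spelling."
    }
}

# List every item under $Root whose ACL allows a broad built-in group at least
# Modify rights, so over-permissive entries can be tightened first.
function Find-BroadAccess {
    param([Parameter(Mandatory = $true)][string]$Root)
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    $mask  = [System.Security.AccessControl.FileSystemRights]::Modify
    $items = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broad -notcontains $ace.IdentityReference.Value) { continue }
            # FullControl includes every Modify bit, so this catches both.
            if (($ace.FileSystemRights -band $mask) -eq $mask) {
                New-Object PSObject -Property @{
                    Path      = $item.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Grant $Account ReadAndExecute on $Directory, inherited by files and
# subfolders, optionally set the primary group, then apply once with Set-Acl.
function Grant-ReadAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Directory,
        [Parameter(Mandatory = $true)][string]$Account,
        [string]$Group
    )
    $sid = Resolve-AccountSid -Name $Account          # fail fast on a bad name
    $acl = Get-Acl -Path $Directory
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $sid,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.SetAccessRule($rule)                          # replaces any existing Allow ACE for this SID
    if ($Group) {
        $acl.SetGroup((New-Object System.Security.Principal.NTAccount($Group)))
    }
    if ($PSCmdlet.ShouldProcess($Directory, "Grant ReadAndExecute to $Account")) {
        Set-Acl -Path $Directory -AclObject $acl       # both -Path and -AclObject, as the post notes
    }
    # Re-read from disk so the caller sees what was actually applied.
    return (Get-Acl -Path $Directory).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account }
}

# Usage (placeholder path and accounts; -WhatIf previews without writing):
# Find-BroadAccess -Root 'D:\Shared' | Format-Table -AutoSize
# Grant-ReadAccess -Directory 'D:\Shared' -Account 'Computer\alice' -Group 'BUILTIN\Administrators' -WhatIf
```

SetAccessRule is used instead of AddAccessRule so that re-running the script does not pile up duplicate entries, and the audit function reports inherited entries separately, since those must be fixed at the parent rather than on the item itself.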

Reference
http://mow001.blogspot.com/2005/10/getting-and-using-securityprincipal.html

[Edit: Monad has now been renamed to Windows PowerShell. This script or discussion may require slight adjustments before it applies directly to newer builds.]
