
Monday, June 12, 2006

What Access Rights Do You Have?

A PowerShell script to check User/Group access rights on FileSystem and Registry.

Yesterday, I was reading a post on Mark's Sysinternals Blog: The Power in Power Users. It says "a user that belongs to the Power Users group can easily elevate themselves to fully-privileged administrators". He used a tool called AccessChk to find out what access rights the "Power Users" group has.

If you read my series of posts on access control lists in Monad, you will find that we can get and set access rules in PowerShell directly, without using extra tools. So I wrote a PowerShell script (Check-AccessRights.ps1) that provides functionality similar to AccessChk. It is pretty dirty, but does the job. You may want to try
D:\ps1\Check-AccessRights.ps1 .\
# Check your access rights on current path (could be filesystem or registry)
or
D:\ps1\Check-AccessRights.ps1 HKLM:\system\CurrentControlSet\Services $true "Power Users"
# HKLM:\system\CurrentControlSet\Services is the path to check
# $true gets child object ACLs recursively
# "Power Users" is the user/group
If you use the -Recurse option ($true), be prepared for a lot of output; you may want to redirect the results to a file.
#################################################################
#
# File: Check-AccessRights.ps1
# Author: Tony (http://MSHForFun.blogspot.com/)
# Parameters:
#    $Path:  PowerShell Path (for example, c:\ or HKLM:\)
#    $Recurse: Check child object recursively
#    $Account: User name / Group (for example, "domain\alice",
#               "Power Users")
#
################################################################
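# $(throw ...) makes a missing -Path fail; a {scriptblock} default would only be converted to a string.
param([string] $Path = $(throw "Please specify a path"), [bool] $Recurse = $false, [string] $Account)
if (-not (test-path $Path))
{
    $Path + " does not exist!"
    return
}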
if ([string]::IsNullOrEmpty($Account))
{
    # No account given: use the owner SID of the current process token
    $SID = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).Owner
}
else
{
    $SID = (new-object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    if ($SID -eq $null) {return}
}
"Account: " + $SID.ToString()
"Path: " + $Path
$AccessRules = (get-acl $Path).Access
if ($AccessRules -eq $null)
{
    "Can't get access rules!"
    return
}
$AccessRules|foreach-object {
    $CurrentSID = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    if ($CurrentSID.ToString() -eq $SID.ToString())
    {
        $_
    }
}
if ($Recurse)
{
    Get-ChildItem $Path -Recurse| foreach {
        "========================================"
        "Child Path: " + $_.ToString()
        # Read the ACL of the child item itself, not of the parent $Path
        $AccessRules = (get-acl $_.PSPath).Access
        if ($AccessRules -eq $null)
        {
            "Can't get access rules!"
            return
        }
        $AccessRules|foreach-object {
            $CurrentSID = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            if ($CurrentSID.ToString() -eq $SID.ToString())
            {
              $_
            }
        }
    }
}
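
The following is an added example, not part of the original post or script: it goes beyond the script above by reporting only Allow rules that give the account write-type rights, which is the AccessChk-style question of what an account can modify. The function name Get-WritableAce and the chosen set of write rights are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Added example (hypothetical helper, not part of Check-AccessRights.ps1).
function Get-WritableAce {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Account,
        [switch] $Recurse
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType)

    # Rights treated as "can modify the object" (assumed set; adjust to your policy).
    $fsWrite  = [System.Security.AccessControl.FileSystemRights] 'Write, Delete, ChangePermissions, TakeOwnership'
    $regWrite = [System.Security.AccessControl.RegistryRights] 'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $generic  = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, shown raw on some inherit-only ACEs

    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $items += @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    }

    foreach ($item in $items) {
        try { $rules = (Get-Acl -LiteralPath $item.PSPath -ErrorAction Stop).Access }
        catch { Write-Warning "Cannot read ACL: $($item.PSPath)"; continue }

        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # An orphaned or unmappable identity makes Translate throw; skip that rule.
            try { $ruleSid = $rule.IdentityReference.Translate($sidType) }
            catch { continue }
            if ($ruleSid.Value -ne $sid.Value) { continue }

            if ($rule -is [System.Security.AccessControl.FileSystemAccessRule]) {
                $rights = $rule.FileSystemRights; $mask = [int]$fsWrite -bor $generic
            } elseif ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
                $rights = $rule.RegistryRights; $mask = [int]$regWrite -bor $generic
            } else { continue }

            if (([int]$rights -band $mask) -ne 0) {
                [pscustomobject]@{ Path = $item.PSPath; Account = $Account
                                   Rights = $rights; Inherited = $rule.IsInherited }
            }
        }
    }
}
# Example call: Get-WritableAce -Path HKLM:\system\CurrentControlSet\Services -Account "Power Users" -Recurse
```

Like the script above, this matches only rules that name the account itself; rights the account receives through membership in other groups are not included.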

Have Fun
