I need to test whether a specific user has read or write access on a DFS folder (to validate my DFS).

I am Admin on the domain and I have the credentials of this user in $Credentials, but Test-Path, Get-Item and New-Item do not accept the credential.

Alban
  • Hello, check the NTFS permissions with the Get-Acl command: Get-Item must have the "list folder content" permission, New-Item must have the "modify" permission. – Soheil Mar 23 '15 at 11:35
  • I need a real test, not just a check of the rights at the end level (file), because the right permissions are needed on each parent directory. – Alban Mar 23 '15 at 17:08
  • Dude, check this: `get-childitem "C:\windows\temp" -recurse | get-acl | Format-List`. This simple code recursively gives you the permissions. If you need something like this, tell me and I will clarify it for you. – Soheil Mar 23 '15 at 17:13

2 Answers

2

Use Invoke-Command for running commands in the context of a different user:

```powershell
$computer = 'localhost'
$cred     = Get-Credential

Invoke-Command -Computer $computer -Credential $cred -ScriptBlock {
  Param($path)

  if (Test-Path -LiteralPath $path) {
    New-Item -ItemType File "$path\your.txt"
  }
} -ArgumentList 'C:\some\folder'
```

You could also use Start-Job, but that would run the scriptblock in the background, so it'd mean more management overhead.

Another option, if everything else fails, might be runas.exe, although it may require some creative quoting:

```powershell
& runas /user:DOM\username "powershell -Command \`"&{ New-Item 'C:\some\folder\your.txt' }`"\"
```

If you just need to check the permissions on a given folder without performing an action, you'd use Get-Acl:

```powershell
Get-Acl 'C:\some\folder' |
  select -Expand Access |
  ? { $_.IdentityReference -like '*\username' }
```
Ansgar Wiechers
  • My user is not authorized to use Invoke-Command (it is just a domain user). – Alban Mar 23 '15 at 16:09
  • @Alban Without admin privileges you cannot impersonate other users. – Ansgar Wiechers Mar 23 '15 at 17:26
  • My personal user account is Admin, but the user in $credential is just a simple user on a domain. – Alban Mar 24 '15 at 10:14
  • I have good results with Start-Job, but PS displays many errors on the running process ([localhost] error on running process in background. Error : username or password incorrect. + CategoryInfo : OpenError: (localhost:String) [], PSRemotingTransportException + FullyQualifiedErrorId : -2147467259,PSSessionStateBroken) – Alban Mar 24 '15 at 10:17
  • @Alban If `Invoke-Command` fails you could try `runas` instead (see updated answer). As for the error you got from the job: that indicates an authentication failure (username or password incorrect). Check your credentials. For further debugging you'd need to show the actual code causing the error and provide more information about how the DFS folder is connected to the host where the code is run. – Ansgar Wiechers Mar 24 '15 at 11:59
  • runas is an alias of Start-Process and it works, thanks: `Start-Process -Credential $cred -FilePath "powershell.exe" -ArgumentList 'whoami | out-file d:\your.txt'` – Alban Mar 24 '15 at 12:44
1

Instead of checking the ACL recursively, I test real write access with Start-Process and a specific credential (Start-Process is an alias of runas). The process writes a new file with the $(whoami) content; after the process ends, check whether the file exists and check its content.

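```powershell
function test-Write ($folder) {
    # Prompt for the password of the account whose access is being tested.
    $WinCredential = Get-Credential -UserName "Domain\User" -Message "Login"
    # Run a child PowerShell as that user; it writes its own identity into the folder.
    Start-Process -WindowStyle Hidden -Wait -Credential $WinCredential -FilePath "powershell.exe" -ArgumentList "whoami | out-file '$folder\test.txt'"
    # The file holds the expected account name only if the write succeeded.
    if ((get-content "$folder\test.txt") -like "Domain\User") {
       return 'OK'
    }
    return 'Erreur NTFS Access'
}
```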
Alban
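An added example, not part of either answer above: a variant of the Start-Process approach that reports read and write access separately through the child process's exit code and cleans up its probe file. The function name `Test-FolderAccessAs`, the probe file name and the UNC path in the usage comment are hypothetical.

```powershell
# Added example (not from the answers). Test-FolderAccessAs and the probe file
# name are hypothetical; powershell.exe must be available to the tested user.
function Test-FolderAccessAs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $Folder,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # Script run by the child process under the tested account.
    # Its exit code is a bit mask: 1 = folder can be listed, 2 = file can be created.
    $probe = @'
$ErrorActionPreference = 'Stop'
$folder = '__FOLDER__'
$code = 0
try { Get-ChildItem -LiteralPath $folder | Out-Null; $code += 1 } catch { }
$file = Join-Path $folder ('access-probe-' + [guid]::NewGuid() + '.tmp')
try {
    Set-Content -LiteralPath $file -Value (whoami)
    $code += 2
    # Create and delete are separate rights; a leftover file means "no delete".
    Remove-Item -LiteralPath $file -ErrorAction SilentlyContinue
} catch { }
exit $code
'@
    # Insert the path as a single-quoted literal (embedded quotes doubled).
    $probe = $probe.Replace('__FOLDER__', $Folder.Replace("'", "''"))

    # -EncodedCommand (Base64 of UTF-16LE) sidesteps quoting issues in the path.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($probe))

    # -WorkingDirectory: the caller's current directory may be unreadable for the
    # tested user, which makes Start-Process fail before the probe runs.
    # -ErrorAction Stop: bad credentials raise an error instead of reading as "no access".
    $proc = Start-Process -FilePath 'powershell.exe' -Credential $Credential `
        -ArgumentList '-NoProfile', '-NonInteractive', '-EncodedCommand', $encoded `
        -WorkingDirectory $env:SystemRoot -WindowStyle Hidden -Wait -PassThru `
        -ErrorAction Stop

    [pscustomobject]@{
        User     = $Credential.UserName
        Folder   = $Folder
        CanRead  = [bool]($proc.ExitCode -band 1)
        CanWrite = [bool]($proc.ExitCode -band 2)
    }
}
# Usage (constructed path):
# Test-FolderAccessAs -Folder '\\example.local\dfs\share' -Credential (Get-Credential)
```

Because the probe exercises the full path as the tested account, it reflects share permissions and the ACLs of every parent folder, which a `Get-Acl` check on the final folder alone does not.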