
We're trying to compare NTFS permissions for files or folders using the SDDL attribute. The only thing we're interested in is whether the ACL is equal or not, by using the SDDL and not other methods like AccessToString or just comparing two plain ACL objects. This is because we had issues in the past with the standard way of doing this.

So we now run into an issue where File1 and File2 have exactly the same permissions when checking the Advanced Permissions tab in Windows. However, the SDDL says it's not equal, although we take away the Owner O: part from the SDDL string as indicated here, as the owner doesn't interest us.

The code:

Function Test-ACLequal {
    # CmdletBinding is needed so that -Verbose reaches the Write-Verbose calls below
    [CmdletBinding()]
    Param (
        $Source,
        $Target
    )

    $CompParams = @{
        ReferenceObject  = Get-Acl -LiteralPath $Source
        PassThru         = $True
    }

    $CompParams.DifferenceObject = Get-Acl -LiteralPath $Target

    # Keep only what follows the 'G:' group section, dropping 'O:<owner>' from both SDDL strings
    $AccessParams = @{
        ReferenceObject  = ($CompParams.ReferenceObject.sddl -split 'G:', 2 | Select -Last 1)
        DifferenceObject = ($CompParams.DifferenceObject.sddl -split 'G:', 2 | Select -Last 1)
        PassThru         = $True
    }

    if (Compare-Object @AccessParams) {
        Write-Verbose 'Test-ACLequal: Not equal'
        $false
    }
    else {
        Write-Verbose 'Test-ACLequal: Equal'
        $True
    }
}

Test-ACLequal -Source $File1 -Target $File2

You can clearly see there is a difference between both files:

$AccessParams.ReferenceObject
DUD:(A;ID;FA;;;BA)(A;ID;0x1200a9;;;S-1-5-21-1078081533-261478967-839522115-243052)(A;ID;0x1301ff;;;S-1-5-21-1078081533-261478967-839522115-280880)(A;ID;0x1301ff;;;S-1-5-21-1078081533-261478967-839522115-696733)(A;ID;0x1301ff;;;S-1-5-21-1078081533-261478967-839522115-696745)

$AccessParams.DifferenceObject
DUD:AI(A;ID;FA;;;BA)(A;ID;0x1200a9;;;S-1-5-21-1078081533-261478967-839522115-243052)(A;ID;0x1301ff;;;S-1-5-21-1078081533-261478967-839522115-280880)(A;ID;0x1301ff;;;S-1-5-21-1078081533-261478967-839522115-696733)(A;ID;0x1301ff;;;S-1-5-21-1078081533-261478967-839522115-696745)

Is there a way to compare files by using the SDDL without running into this issue?

DarkLite1

1 Answer

Does using .Equals work for you here?

$sourceAcl = Get-Acl $source
$targetAcl = Get-Acl $target

# Full-string comparison of both SDDLs, owner and group included
if ($sourceAcl.sddl.Equals($targetAcl.sddl)) {
  # Do something
}

This includes the owner however. In your example where you're removing it, you're also converting the object to a string, so using Compare-Object isn't really necessary. I'm also not sure how safe the split you're using is. You could also do:

$sourceAcl = Get-Acl $source
$targetAcl = Get-Acl $target
# Strip only the 'O:<owner>' component; the lazy quantifier stops at the 'G:' that starts the group section
$s = $sourceAcl.sddl -replace "^O:[^:]+?(?=G:)",""
$t = $targetAcl.sddl -replace "^O:[^:]+?(?=G:)",""

if ($s -eq $t) {
  # Do something
}
arco444
  • I was considering using this `$CompParams.ReferenceObject.sddl -split '\(', 2 | Select -Last 1` – DarkLite1 Jul 03 '17 at 10:06
  • Actually using a split isn't the right thing to do at all, you need to strip that bit of the string altogether. I've updated the answer – arco444 Jul 03 '17 at 10:11
  • Modifying the sddl before checking it in general doesn't look like a sensible thing to do, it doesn't look like it's meant to be analysed with string processing. It would be a lot safer to leave the object intact and compare with the `.Equals()` method – arco444 Jul 03 '17 at 10:17
  • Then we compare the owner also, which we don't want. Tried your updated `replace` but it still reports a difference as the `DUD:AI` part is still there. – DarkLite1 Jul 03 '17 at 10:19
  • How have you determined that's not correct? Personally I would trust the response coming from the object over what is displayed in the GUI – arco444 Jul 03 '17 at 10:20
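The `AI` that differs in the question's output is the DACL's auto-inherited control flag (SE_DACL_AUTO_INHERITED), not an ACE, which is why the Advanced Security dialog shows identical permissions. The following is an added example, not code from the question or answer, that compares the ACE sets of the DACL section while ignoring owner, group, SACL and control flags; the function names and the shortened sample SDDL strings are constructed.

```powershell
function Get-DaclAceSet {
    param([Parameter(Mandatory)][string]$Sddl)

    # Isolate the D: section; a trailing S: (SACL) section, if present, is cut off.
    # The first 'D:' in an SDDL string always starts the DACL (O: and G: hold no 'D:').
    if (-not ($Sddl -match 'D:(?<dacl>.*?)(?:S:|$)')) {
        throw "No DACL section found in SDDL: $Sddl"
    }
    $dacl = $Matches['dacl']

    # Control flags are the letters before the first ACE, e.g. 'AI', 'P', 'PAI', 'AR'.
    $flags = $dacl -replace '\(.*$', ''

    # Each ACE sits in parentheses; collect them as a sorted, de-duplicated set.
    $aces = [regex]::Matches($dacl, '\([^)]*\)') |
        ForEach-Object { $_.Value.ToUpperInvariant() } |
        Sort-Object -Unique

    [pscustomobject]@{ Flags = $flags; Aces = @($aces) }
}

function Test-DaclEqual {
    param(
        [Parameter(Mandatory)][string]$ReferenceSddl,
        [Parameter(Mandatory)][string]$DifferenceSddl,
        [switch]$IncludeControlFlags   # also require P/AI/AR flags to match
    )
    $ref = Get-DaclAceSet -Sddl $ReferenceSddl
    $dif = Get-DaclAceSet -Sddl $DifferenceSddl

    if ($IncludeControlFlags -and $ref.Flags -ne $dif.Flags) { return $false }
    if ($ref.Aces.Count -ne $dif.Aces.Count) { return $false }
    # Both lists are sorted and unique, so element-wise equality is set equality.
    for ($i = 0; $i -lt $ref.Aces.Count; $i++) {
        if ($ref.Aces[$i] -ne $dif.Aces[$i]) { return $false }
    }
    return $true
}

# Constructed sample SDDL strings: same ACEs, different owner, order and AI flag.
$file1 = 'O:BAG:DUD:(A;ID;FA;;;BA)(A;ID;0x1200a9;;;S-1-5-21-1-2-3-1001)'
$file2 = 'O:SYG:DUD:AI(A;ID;0x1200a9;;;S-1-5-21-1-2-3-1001)(A;ID;FA;;;BA)'

Test-DaclEqual -ReferenceSddl $file1 -DifferenceSddl $file2
Test-DaclEqual -ReferenceSddl $file1 -DifferenceSddl $file2 -IncludeControlFlags
```

On a live system pass `(Get-Acl -LiteralPath $path).Sddl` for each side; the first call reports the two constructed strings as equal, the second does not because only one DACL carries the AI flag.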