
Have script that pulls the ACL of all of the folders in network shares on my server (minus admin shares). Seems to work but the output is giving me some numbers rather than the permissions and I don't understand what the number means and better yet how do I translate them to regular permissions (FC, RO, etc.)

```powershell
# All SMB shares except the admin/hidden ones (names ending in "$")
$shares = Get-SmbShare | Where-Object Name -notlike "*$" | Select-Object Name

$Report = @()
foreach ($share in $shares){
   # UNC path of the share on this host
   $path = "\\$env:COMPUTERNAME\" + $share.Name.ToString()
   # Every sub-folder of the share, including hidden ones
   $FolderPath = dir -Directory -Path $path -Recurse -Force
   Foreach ($Folder in $FolderPath) {
      $Acl = Get-Acl -Path $Folder.FullName
      # One report row per ACE on the folder
      foreach ($Access in $acl.Access)
      {
         $Properties = [ordered]@{
            'FolderName'=$Folder.FullName;
            'ADGroup or User'=$Access.IdentityReference;
            'Permissions'=$Access.FileSystemRights;
            'Inherited'=$Access.IsInherited}
         $Report += New-Object -TypeName PSObject -Property $Properties
      }
   }
}
$Report | Export-Csv -path "C:\temp\FolderPermissions.csv"
```

Here is some of the output that I get (trimmed a bit to keep it short)

```
"FolderName","ADGroup or User","Permissions","Inherited"
"\\WIN-RPK9O6GR3JM\foobar\STE","NT AUTHORITY\SYSTEM","FullControl","True"
...
"\\WIN-RPK9O6GR3JM\foobar\STE","CREATOR OWNER","268435456","True"
"\\WIN-RPK9O6GR3JM\foobar\STE\LOG","BUILTIN\Users","CreateFiles","True"
"\\WIN-RPK9O6GR3JM\foobar\STE\LOG","CREATOR OWNER","268435456","True"
...
"\\WIN-RPK9O6GR3JM\foobar\STE\TMP","BUILTIN\Users","CreateFiles","True"
"\\WIN-RPK9O6GR3JM\foobar\STE\TMP","CREATOR OWNER","268435456","True"
...
"\\WIN-RPK9O6GR3JM\SYSVOL\foobar.net","NT AUTHORITY\Authenticated Users","-1610612736","True"
...
"\\WIN-RPK9O6GR3JM\SYSVOL\foobar.net","BUILTIN\Administrators","-536084480","True"
```

If anyone can explain or point me in the right direction on what these values are and how I translate them I would be most grateful.

TIA!

  • These are all built in super users in particular to specific authorization. For example: NT AUTHORITY is the most powerful account on a Windows local instance (More powerful than any admin account). – Ranadip Dutta May 16 '19 at 04:54
  • I know that. The question is what do the numbers in the permissions actually mean (I think I figured that 268435456 is 'Full Control' but -1610612736 and -536084480 are still a mystery. Also I am sure that these are not the only ones so if there is a way to translate those numeric masks into words I would love to do it to make my script better. – Jose Cintron May 16 '19 at 05:03
  • Modify, Delete and Full Control I think... Just check [THIS Link](https://social.technet.microsoft.com/Forums/Azure/en-US/cb822c55-9f96-48e6-9c60-ca64ed13ef94/what-is-the-diference-between-acl-access-rule-quot268435456quot-and-quotfullcontrolquot?forum=winserverpowershell). See if this helps – Ranadip Dutta May 16 '19 at 05:06
  • 268435456 - FullControl; -536805376 - Modify, Synchronize; -1610612736 - ReadAndExecute, Synchronize – Ranadip Dutta May 16 '19 at 05:19
  • Thanks @RanadipDutta that does answer the question. Based on the [Access Control Mask](https://learn.microsoft.com/en-us/windows/desktop/SecAuthZ/access-mask-format) -536805376 is more than Mod, Sync. It is Generic_ALL + Access_SACL + ALL_STD_AccessRights. In any case many, many thanks for the help. – Jose Cintron May 16 '19 at 05:44

1 Answer


This is so far I have gotten to help you out:

268435456 - FullControl

-536805376 - Modify, Synchronize

-1610612736 - ReadAndExecute, Synchronize

But go through the links to relate all of them:

Link 1

Link 2

Link 3

Hope it helps you.

Ranadip Dutta
  • Factually wrong, even though the _meaning_ of the access masks (the numeric values) corresponds to the enum members. Tell me, if 0x10000000 == 268435456, but `FullControl` is defined as 0x1F01FF, how comes? The answer: the `FileSystemRights` enum only cares about the standard access mask and ignores the generic access mask. But 0x10000000 (== `GENERIC_ALL`) is a perfectly valid value, too. Use `MapGenericMask` to convert from generic to standard access mask. But don't pretend they're the same. They aren't! – 0xC0000022L Jun 16 '21 at 16:16
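The comment above is the key point: the integers come from GENERIC_* bits that the `FileSystemRights` enum has no names for. The following is an added example, not code from the question or the answer: a helper that expands those generic bits into the file-specific rights they stand for (the `FILE_GENERIC_READ` / `FILE_GENERIC_WRITE` / `FILE_GENERIC_EXECUTE` / `FILE_ALL_ACCESS` values from winnt.h, which is what the kernel's generic mapping does for files) and then casts the result to `FileSystemRights`. The function name and the report-row usage at the end are my own.

```powershell
# Added example (not part of the original question or answer): translate a raw
# access mask, including GENERIC_* bits, into named FileSystemRights.
function ConvertTo-FileSystemRights {
    param([Parameter(Mandatory)][int64]$Mask)

    # Get-Acl stores the mask as a signed Int32, so GENERIC_READ (bit 31) makes it
    # negative; recover the unsigned 32-bit view before testing individual bits.
    $m = [int64]($Mask -band 4294967295)          # 0xFFFFFFFF, written in decimal
                                                  # because a bare 0xFFFFFFFF literal
                                                  # is parsed as Int32 -1 in PowerShell

    # Generic right (winnt.h) -> the file-specific rights it expands to for files.
    $generic = @(
        @{ Bit = 2147483648; Rights = 0x120089 },  # GENERIC_READ    (0x80000000) -> FILE_GENERIC_READ
        @{ Bit = 1073741824; Rights = 0x120116 },  # GENERIC_WRITE   (0x40000000) -> FILE_GENERIC_WRITE
        @{ Bit =  536870912; Rights = 0x1200A0 },  # GENERIC_EXECUTE (0x20000000) -> FILE_GENERIC_EXECUTE
        @{ Bit =  268435456; Rights = 0x1F01FF }   # GENERIC_ALL     (0x10000000) -> FILE_ALL_ACCESS
    )

    # Keep every non-generic bit (standard + specific rights) exactly as it is ...
    $specific = $m -band 0x0FFFFFFF
    # ... and OR in the expansion of each generic bit that is set.
    foreach ($g in $generic) {
        if (($m -band $g.Bit) -ne 0) { $specific = $specific -bor $g.Rights }
    }
    return [System.Security.AccessControl.FileSystemRights][int]$specific
}

# The three masks from the question's CSV output, with their generic bits decoded:
#   268435456  = 0x10000000 = GENERIC_ALL
#  -1610612736 = 0xA0000000 = GENERIC_READ | GENERIC_EXECUTE
#  -536084480  = 0xE00C0000 = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE
#                             | WRITE_DAC (0x40000) | WRITE_OWNER (0x80000)
foreach ($raw in 268435456, -1610612736, -536084480) {
    '{0,12} -> {1}' -f $raw, (ConvertTo-FileSystemRights $raw)
}

# Drop-in for the report row in the question's script (hypothetical usage):
#   'Permissions' = ConvertTo-FileSystemRights ([int]$Access.FileSystemRights)
```

Note that an ACE carrying GENERIC_ALL and one carrying the explicit FullControl mask grant the same effective access on a file, but they are different ACEs; the conversion above is for reporting, and the generic form is what you will keep seeing on CREATOR OWNER and other inherit-only entries.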