Home > PowerShell > Validating folder permissions

Validating folder permissions


After a short discussion with my excellent IT guys here in the office we came up with a requirement for a script which would allow us to check a set of folders for certain permissions. Specifically we needed to check if a certain account had explicit permissions set on a series of shared folders.

After I wrote the script I realized that – with some small tweaks – this script could be fairly flexible and quite useful. I wrote the script as Test-FolderACL.ps1 and the code is below:

param
(
   $path,
   $checkType = "",
   $recurse = $false
)

dir $path -Recurse:$recurse | ? {$_.PSIsContainer} | % {
   $folderName = $_.FullName

   try
   {
      $acl = Get-Acl $folderName -ErrorAction SilentlyContinue

      $acl.Access | % {
         if (($checkType -eq "") -or ($checkType -eq $_.IdentityReference))
         {
            "'$folderName' has $($_.IdentityReference) access at level: $($_.FileSystemRights)"
         }
      }
   }
   catch
   {
   }
}

The script takes three parameters: a path where it should start to look for folders, an optional account to look for in the permissions and an optional flag to allow for folder recursion. Have a play with it – it only reports what it finds, so there is no chance that it could damage your machine. As always, here are a couple of hints based on the code in the script:

Filtering collections

To ensure the selection only uses folders, I use a Where-Object command (shortened to it’s “?” alias) to filter the results so it only returns objects which have PowerShell’s PSIsContainer flag set. This flag is available in most, if not all, PowerShell providers such as file system and registry to indicate that the current item can contain subitems.

Getting security rights

Get-ACL is a command which allows you to see the Access Control List on the current file or folder, in the form of a .Net v3.5 System.Security.AccessControl.DirectorySecurity object. It contains a lot of useful information, but the data I particularly required for this script is in the Access property which allows me to see which accounts have specifically been given and denied access. This property returns a list of System.Security.AccessControl.FileSystemAccessRule objects, where the IdentityReference property gives you the account name, and the FileSystemRights property lists all the set security rights.

Boolean operators and “short-circuiting”

Remember that PowerShell, like some other languages, “short-circuits” boolean tests. Basically this means that once it can guarantee that the result of a comparison test is known, it stops evaluating the rest of the test. I use this feature to ensure that the script returns the output if you haven’t passed in an account to test for, as well as when the actual account matches one you have passed in. To see short-circuiting at work, try the following snippet of code:

$true -or $(Write-Host "foo";$false)
$false -or $(Write-Host "foo";$false)

You’ll see that if the -or operator receives a true it has to continue checking and “foo” is printed. If the first variable is false however, it stops as the output of the -or can now only be false.

Enjoy!
Chris.

Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: