-
Notifications
You must be signed in to change notification settings - Fork 204
/
Copy pathGet-FilMObjectPermissions.ps1
119 lines (105 loc) · 3.72 KB
/
Get-FilMObjectPermissions.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
#Requires -Version 5.0
<#
.SYNOPSIS
Retrieves the permissions of a folder or file
.DESCRIPTION
.NOTES
This PowerShell script was developed and optimized for ScriptRunner. The use of the scripts requires ScriptRunner.
The customer or user is authorized to copy the script from the repository and use them in ScriptRunner.
The terms of use for ScriptRunner do not apply to this script. In particular, ScriptRunner Software GmbH assumes no liability for the function,
the use and the consequences of the use of this freely available script.
PowerShell is a product of Microsoft Corporation. ScriptRunner is a product of ScriptRunner Software GmbH.
© ScriptRunner Software GmbH
.COMPONENT
.LINK
https://github.com/scriptrunner/ActionPacks/tree/master/WinFileManagement/FolderAndFiles
.Parameter ObjectName
[sr-en] Folder or file name with the path
.Parameter ObjectClass
[sr-en] Type of the accounts
#>
[CmdLetBinding()]
Param(
[Parameter(Mandatory = $true)]
[string]$ObjectName,
[Parameter(Mandatory = $true)]
[ValidateSet("All","Groups","Users")]
[string]$ObjectClass="All"
)
[System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices.AccountManagement')
try{
$Script:output=@()
[bool]$Script:IsGroup = $false
[bool]$Script:IsUser = $false
function CheckIdentity([string] $Name){
if($ObjectClass -eq "All"){
$Script:IsGroup=$true
$Script:IsUser=$true
return
}
$Script:IsGroup=$false
$Script:IsUser=$false
$tmp = New-Object System.Security.Principal.NTAccount($Name)
try{
$sid = $tmp.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
catch
{
return
}
if($sid -eq "S-1-1-0") # Everyone
{
$Script:IsGroup=$true
}
elseif($sid -eq "S-1-5-18") # System
{
$Script:IsGroup=$true
}
elseif($sid -eq "S-1-5-32-544") # Administrators
{
$Script:IsGroup=$true
}
elseif($sid -eq "S-1-5-11") # Authenticated Users
{
$Script:IsGroup=$true
}
elseif($sid -eq "S-1-5-4") # Interactive
{
$Script:IsGroup=$true
}
elseif($sid -eq "S-1-5-32-545") # Users
{
$Script:IsGroup=$true
}
else{
$tmp = New-Object System.Security.Principal.SecurityIdentifier ($sid)
$tmp=$tmp.Translate([System.Security.Principal.NTAccount]).Value
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain, $tmp.Split("\")[0])
$chk=[System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, [System.DirectoryServices.AccountManagement.IdentityType]::SID, $sid)
$Script:IsGroup = ($null -ne $chk)
$chk=[System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, [System.DirectoryServices.AccountManagement.IdentityType]::Sid, $sid)
$Script:IsUser = ($null -ne $chk)
}
}
$Script:acl = Get-Acl -Path $ObjectName -ErrorAction Stop
foreach($item in $Script:acl.Access){
CheckIdentity $item.IdentityReference
if($Script:IsGroup -eq $true -and $ObjectClass -ne "Users"){
$Script:output += $item
}
if($Script:IsUser -eq $true -and $ObjectClass -ne "Groups"){
$Script:output += $item
}
}
if($SRXEnv) {
$SRXEnv.ResultMessage = $Script:output
}
else{
Write-Output $Script:output
}
}
catch{
throw
}
finally{
}