raandree / ntfssecurity Goto Github PK

Hello,

First thanks for the NTFSecurity module.
A small question, Is it always necessary to remove inheritance from files and folders before one can remove-access from internal OS groups like for example the "Authenticated users"? And if you need to remove inheritance, do you enable inheritance again after the changes has been made?

As example.
FolderA - on creation it has "Administrators","System","Users" and Authenticated users",, the problem is that Authenticated users" have modify permission, I want to remove these permission, but am only able when I disable inheritance?

Hope you can explain more what would be the best way. This is on windows 10 OS.
thanks in advance.
johan

Hi team,
Could you kindly give us info about possibility to update library using the last version AlphaFS and the possibility to use it with new PS versions.

I'm trying to alter the default permissions on a Windows RDSH server for multi-user environments. To automate that task I took a look at your project. For some strange reason the results from the command line are different to what I see in the properties of the c:\ drive.

Does someone know what this might be about?

(I know the text is in German, but it should be clear, that I'm missing "Authenticated User" ond the command line for example)

Get-NTFSAccess -Path c:\

    Path: C:\ (Inheritance enabled)

Account                             Access Rights                                        Applies to                Type                                                 IsInherited                                         InheritedFrom
-------                             -------------                                        ----------                ----                                                 -----------                                         -------------
Jeder                               Traverse, ReadAttributes, ReadPermissions, Synchr... ThisFolderOnly            Allow                                                False
NT-AUTORITÄT\EINGESCHRÄNKTER ZUG... Traverse, ReadAttributes, ReadPermissions, Synchr... ThisFolderOnly            Allow                                                False
NT-AUTORITÄT\SYSTEM                 FullControl                                          ThisFolderOnly            Allow                                                False
VORDEFINIERT\Administratoren        FullControl                                          ThisFolderOnly            Allow                                                False

Is it possible to apply multiple permissionchanges at once?
For example remove one group and add an other in one run?
Actually it first performs the remove and then it adds the group because this are two independent cmdlet calls.

Friends, help write a script to transfer the ACL from .wim to the current system.
Required:
– clear the current access rights of the current system
– transfer permissions to files and folders for all users from .wim
– inheritance rules for folders from .wim
– the final step to transfer the owner of the folders (including the system folders: TrustedInstaller)
What I have at the moment:

$wPath = Read-Host “Enter original location for reading ACL (D: \ wim \) ” # mounted image .wim
$ACLPath = Read-Host “Enter the full name of the file in which to save the ACL (D: \ ACL_file) ”

function Recurse($path) {

    $fc = new-object -com scripting.filesystemobject
    $folder = $fc.getfolder($path)

    foreach ($i in $folder.files) {$i}

    foreach ($i in $folder.subfolders) {
        Write-Host $i.path
        $i
        if ( (get-item -Force $i.path).Attributes.ToString().Contains(“ReparsePoint”) -eq $false)
            {
                Recurse($i.path)
            }
        }
}

Recurse($wPath) | Get-NTFSAccess -ExcludeInherited | Export-Clixml $ACLPath”.xml”
$oldACL = Import-Clixml $ACLPath”.xml”
foreach ($p in $oldACL) {
       $p.Path | Clear-NTFSAccess
       }
$oldACL | Add-NTFSAccess

Help seemed to me not complete (Add-NTFSAccess -? and Clear-NTFSAccess -?), could not understand how to apply the rules from .xml to files and folders in the root of the path C: , at the moment I manually edit the path in .xml

It would be good if your how to install page linked off, or included to directions for installing from the Powershell gallery.

• https://www.powershellgallery.com/packages/NTFSSecurity/

You might want to include some documentation on the site as to how to actually download your work now that it's on GitHub. I wanted to get from GitHub, but I gave up and just got the ZIP from CodePlex.

Executing Get-NTFSAccess against $env:SystemDrive (or C:) returns access for System32 directory. Adding a backslash to either seems to work fine.

Doesn't work
PS C:\> $env:SystemDrive
C:

PS C:\> Get-NTFSAccess -Path "$env:SystemDrive"

Path: C:\Windows\system32 (Inheritance disabled)
'`

Works
Get-NTFSAccess -Path "$env:SystemDrive\"

I appear to have memory issues when combining get-childitem2 and get-ntfsaccess. It is holding over 2gb ram when running it against 22gb of data, 1,200 folders and 15,000 files. I tried exporting the data to csv first but it made no difference. Is there anything else I can do or is this a bug?

https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85/file/107400/19/NTFSSecurity.zip

Any idea how to address this?

`PS C:\Scripts\Powershell> Import-Module NTFSSecurity
Add-Type : Could not load file or assembly 'file:///C:\Users\Administrator\Documents\WindowsPowerShell\Modules\NTFSSecurity\Security2.dll' or
one of its dependencies. Operation is not supported. (Exception from HRESULT: 0x80131515)
At C:\Users\Administrator\Documents\WindowsPowerShell\Modules\NTFSSecurity\NTFSSecurity.Init.ps1:75 char:1

• Add-Type -Path $PSScriptRoot\Security2.dll

•   + CategoryInfo          : NotSpecified: (:) [Add-Type], FileLoadException
    + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.AddTypeCommand
  
  

Add-Type : Could not load file or assembly
'file:///C:\Users\Administrator\Documents\WindowsPowerShell\Modules\NTFSSecurity\PrivilegeControl.dll' or one of its dependencies. Operation
is not supported. (Exception from HRESULT: 0x80131515)
At C:\Users\Administrator\Documents\WindowsPowerShell\Modules\NTFSSecurity\NTFSSecurity.Init.ps1:76 char:1

• Add-Type -Path $PSScriptRoot\PrivilegeControl.dll -ReferencedAssembli ...

•   + CategoryInfo          : NotSpecified: (:) [Add-Type], FileLoadException
    + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.AddTypeCommand
  
  

Add-Type : Could not load file or assembly
'file:///C:\Users\Administrator\Documents\WindowsPowerShell\Modules\NTFSSecurity\ProcessPrivileges.dll' or one of its dependencies. Operation
is not supported. (Exception from HRESULT: 0x80131515)
At C:\Users\Administrator\Documents\WindowsPowerShell\Modules\NTFSSecurity\NTFSSecurity.Init.ps1:77 char:1

• Add-Type -Path $PSScriptRoot\ProcessPrivileges.dll

•   + CategoryInfo          : NotSpecified: (:) [Add-Type], FileLoadException
    + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.AddTypeCommand
  
  

Import-Module : Could not load file or assembly
'file:///C:\Users\Administrator\Documents\WindowsPowerShell\Modules\NTFSSecurity\NTFSSecurity.dll' or one of its dependencies. Operation is
not supported. (Exception from HRESULT: 0x80131515)
At line:1 char:1

• Import-Module NTFSSecurity

•   + CategoryInfo          : NotSpecified: (:) [Import-Module], FileLoadException
    + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.ImportModuleCommand`
  

This issue was imported from CodePlex

LaurentDardenne wrote 2016-08-22 at 18:25
Hi,

the parameters 'Account' and 'AccessRights' use the same position value (2) :

        [Parameter(Mandatory = true, Position = 2, ValueFromPipelineByPropertyName = true)]
        [Alias("IdentityReference, ID")]
        public IdentityReference2[] Account
        {
            get { return account; }
            set { account = value; }
        }

        [Parameter(Mandatory = true, Position = 2, ValueFromPipelineByPropertyName = true)]
        [Alias("FileSystemRights")]
        public FileSystemRights2 AccessRights
        {
            get { return accessRights; }
            set { accessRights = value; }
        }

This issue was imported from CodePlex

addilapi wrote 2015-02-27 at 17:57
Observe the results of:

Get-ChildItem -Recurse | ForEach-Object {$_; Continue}

Get-ChildItem2 -Recurse | ForEach-Object {$_; Continue}

Get-ChildItem2 has an unhandled error. This particular code snippet is useful with a where clause to return a first result without having to wait for the entire pipeline to process.

raandree wrote 2015-02-28 at 10:38
Fixed now in Changeset 38597. However the BreakException and ContinueException is not accessible in PowerShell V2 and it seems as it cannot be caught directly.

I have never tested this and used "Select-Object -First 1" instead. This gives you the same behavior in PowerShell V3 and higher.

wrote 2015-02-28 at 10:40

ALIENQuake wrote 2015-06-04 at 00:12
I have different relults even if I use "Select-Object -First 1"

raandree wrote 2015-06-04 at 06:44
This is because Get-ChildItem2 sort files and folder alphabetically. The built-in cmdlet Get-ChildItem displays folders first and then files. Get-ChildItem2 sorts like the old cmd.exe dir command.

ALIENQuake wrote 2015-06-04 at 15:34
Well, I think that it's very wrong to change such fundamental behavior. I'm sure that you see a lot of possible problems and
potentially deleting of the wrong files/folders. Can you please change it for the next release?

P.S. I don't want to start another topic so I just mention that Get-ChildItem2 should be renamed to Get-NTFSChildItem as the rest of you module commands. It was a good decision to include prefix.

wrote 2016-01-03 at 13:55

ALIENQuake wrote 2016-01-03 at 18:11
Hi, I still get wrong object when i use Get-ChildItem2 -r | select-object -First 1

Windows 10, PS 5, ntfssecurity 4.1

raandree wrote 2016-01-03 at 20:21
Hi,

the feedback I got from other people was that the old DOS style listing was more comfortable. Directories first and then files, both in an alphabetical order. This is why I haven’t changed the behavior.

How about making this configurable and letting the user decide?

-Raimund

raandree wrote 2016-01-03 at 20:21
** Closed by raandree 03.01.2016 05:55

wrote 2016-01-03 at 20:21

wrote 2016-01-03 at 20:21

ALIENQuake wrote 2016-01-04 at 12:34
Hi,

Indeed, old DOS style listing might be more comfortable BUT! it should be only listing, not different object inside pipeline. The best approach would be to leave the listing "view" intact and match object order as core PS. But I think that it is not
possible or it would require too much work. I such case, I'm in favor to make this configurable and letting the user decide only when default behavior will match core PS - because it is one of the most important PS module and people started to use it everyday,
you cannot expect that they have to remember about different object sorting. I don't even want to think what damage could happen when Powershell newcomer will write some copy/delete script using Get-ChildItem, face 256 path limit, install you module, replace
Get-ChildItem with Get-ChildItem2 - goodbye files...

When trying move a folder Move-Item2 tells me it can't find the folder. Like so:

Move-Item2 -Path 'C:\StoragePoolMounts\home\shared\dallen' -Force -Confirm:$False -Destination 'C:\StoragePoolMounts\home\shared\ArchivedUsers\dallen\U-drive'

Move-Item2 : (3) The system cannot find the path specified: [\?\C:\StoragePoolMounts\home\shared\dallen]
+ CategoryInfo : InvalidData: (C:\StoragePoolMounts\home\shared\dallen:String) [Move-Item2], DirectoryNot
FoundException
+ FullyQualifiedErrorId : MoveError,NTFSSecurity.MoveItem2

I've confirmed the folder is there and that permissions are fine. Get-Item2 can get the object fine. I'm confused what the issue is.

The only thing that isn't plain vanilla on it is that the "home" folder is a mount point. Could that cause the issue?

Recently started getting 1307 error
Add-NTFSAccess : (1307) This security ID may not be assigned as the owner of this object:
When trying to add BUILTIN\Administrators group permissions on a NetApp Folder.

The folder is owned by BUILTIN\Administrators and my AD user account is a member of the group.

I was able to use ICACLS to grant BUILTIN\Administrators permissions to the folder.

Remove-NTFSAudit does not remove the auditing if the AccessMask to remove is a subset.

Clear-NTFSAudit -Path D:\Test -DisableInheritance

Add-NTFSAudit -Path D:\Test -Account randr -AccessRights FullControl -AuditFlags Success -AppliesTo ThisFolderSubfoldersAndFiles
Add-NTFSAudit -Path D:\Test -Account Everyone -AccessRights FullControl -AuditFlags Success -AppliesTo ThisFolderSubfoldersAndFiles

Remove-NTFSAudit -Path D:\Test -Account randr -AccessRights Read -AuditFlags Success -AppliesTo ThisFolderSubfoldersAndFiles

Get-NTFSAudit -Path D:\Test

The result is that the account rand still has FullControl.

Account                             Access Rights                       Applies to                Type                                IsInherited                         InheritedFrom                      
-------                             -------------                       ----------                ----                                -----------                         -------------                      
Everyone                            FullControl                         ThisFolderSubfoldersAn... Success                             False                                                                  
RAANDREE1\randr                     FullControl                         ThisFolderSubfoldersAn... Success                             False                                      

This was reported in https://www.reddit.com/r/PowerShell/comments/90o5r0/problem_with_ntfssecurity_module/.

Im kind of surprised why Set-NTFSOwner does not have a Recurse parameter.

Hello!

I am running version 4.2.4 of NTFSSecurity on PSv5 (5.1.17763.134). For some reason, NTFSSecurity is not recognising inherited permissions. I have attached screenshots which show this behaviour:

I would expect Get-NTFSSimpleAccess and Get-NTFSAccess to both implement the ExcludeInherited parameter the same way, but I get different results:

PS C:\scripts\ExplodedNTFS>  Get-NTFSSimpleAccess c:\temp -ExcludeInherited | ft

AccessControlType FullName Name Identity                      AccessRights
----------------- -------- ---- --------                      ------------
            Allow c:\           CREATOR OWNER          Read, Write, Delete
            Allow c:\           NT AUTHORITY\SYSTEM    Read, Write, Delete
            Allow c:\           BUILTIN\Administrators Read, Write, Delete
            Allow c:\           BUILTIN\Users                        Write
            Allow c:\           BUILTIN\Users                        Write
            Allow c:\           BUILTIN\Users                         Read


PS C:\scripts\ExplodedNTFS> Get-NTFSAccess c:\temp -ExcludeInherited | ft
PS C:\scripts\ExplodedNTFS>

Hi, if i want to fix ownership and permissions off whole drive recursively and i have good and bad snapshot of them. What commands should would it be?
something like:

owneship:
PS C:> dir -Recurse | Get-NTFSOwner | Export-Csv C:\ownership.csv

in favorite editor replace C: with G: in C:\ownership.csv

PS G:> Import-Csv C:\ownership.csv | Set-NTFSOwner - doesn't work

permissions:
PS C:> dir -Recurse | Get-NTFSAccess -ExcludeInherited | Export-Csv C:\permissions.csv

in favorite editor replace C: with G: in C:\permissions.csv

PS G:> Import-Csv C:\permissions.csv | Add-NTFSAccess - doesn't work

and what about using privileges ? backup restore roles...maybe through that account;
Thank you..

Steps to reproduce:

• Set deny ACE on folder
• Get object Security2.FileSystemAccessRule2 using Get-NTFSAccess
• Call method ToSimpleFileSystemAccessRule2() on objects which Type is "Deny"
• The method returns Security2.SimpleFileSystemAccessRule object with wrong property Type="Allow", but should be "Deny"

https://www.powershellgallery.com/packages/NTFSSecurity/4.2.4 says Minimum PowerShell version = 2.0, but "Import-Module NTFSSecurity" fails for v4.2.4 in PowerShell 2.0 (Windows 7 x64). Works ok in PowerShell 3.0 (.Net Framework 4.0).

`Add-Type : Could not load file or assembly 'file:///C:\Users\Username\Documents\WindowsPowerShell\Modules\NTFSSecurity\Sec
urity2.dll' or one of its dependencies. This assembly is built by a runtime newer than the currently loaded runtime and
cannot be loaded.
At C:\Users\Username\Documents\WindowsPowerShell\Modules\NTFSSecurity\NTFSSecurity.Init.ps1:75 char:9

• Add-Type <<<< -Path $PSScriptRoot\Security2.dll
  • CategoryInfo : NotSpecified: (:) [Add-Type], BadImageFormatException
  • FullyQualifiedErrorId : System.BadImageFormatException,Microsoft.PowerShell.Commands.AddTypeCommand

Add-Type : Could not load file or assembly 'file:///C:\Users\Username\Documents\WindowsPowerShell\Modules\NTFSSecurity\Pri
vilegeControl.dll' or one of its dependencies. This assembly is built by a runtime newer than the currently loaded runt
ime and cannot be loaded.
At C:\Users\Username\Documents\WindowsPowerShell\Modules\NTFSSecurity\NTFSSecurity.Init.ps1:76 char:9

• Add-Type <<<< -Path $PSScriptRoot\PrivilegeControl.dll -ReferencedAssemblies $PSScriptRoot\ProcessPrivileges.dll
  • CategoryInfo : NotSpecified: (:) [Add-Type], BadImageFormatException
  • FullyQualifiedErrorId : System.BadImageFormatException,Microsoft.PowerShell.Commands.AddTypeCommand

Add-Type : Could not load file or assembly 'file:///C:\Users\Username\Documents\WindowsPowerShell\Modules\NTFSSecurity\Pro
cessPrivileges.dll' or one of its dependencies. This assembly is built by a runtime newer than the currently loaded run
time and cannot be loaded.
At C:\Users\Username\Documents\WindowsPowerShell\Modules\NTFSSecurity\NTFSSecurity.Init.ps1:77 char:9

• Add-Type <<<< -Path $PSScriptRoot\ProcessPrivileges.dll
  • CategoryInfo : NotSpecified: (:) [Add-Type], BadImageFormatException
  • FullyQualifiedErrorId : System.BadImageFormatException,Microsoft.PowerShell.Commands.AddTypeCommand

Import-Module : Could not load file or assembly 'file:///C:\Users\Username\Documents\WindowsPowerShell\Modules\NTFSSecurit
y\NTFSSecurity.dll' or one of its dependencies. This assembly is built by a runtime newer than the currently loaded run
time and cannot be loaded.
At line:1 char:14

• import-module <<<< NTFSSecurity
  • CategoryInfo : NotSpecified: (:) [Import-Module], BadImageFormatException
  • FullyQualifiedErrorId : System.BadImageFormatException,Microsoft.PowerShell.Commands.ImportModuleCommand
    `

Documentation needs to be updated.

Curious if this is fully compatible with PS Core as it uses several other libraries instead of the .NET Framework libraries to get done what it is doing :). If it is fully compatible, it's probably worth noting that explicitly, and tagging it appropriately on PS Gallery.

Thank you for the useful module!

Hi Raimund,

I try to backup and restore NTFS permission but it seems that it does not work properly.
I took your example:
#to backup permissions just pipe what Get-NTFSAccess returns to Export-Csv
dir | Get-NTFSAccess -ExcludeInherited | Export-Csv permissions.csv

#to retore the permissions pipe the imported data to Get-NTFSAccess
#As the imported data also contains the path you do not need to specify the item
Import-Csv .\permissions.csv | Get-NTFSAccess

1st, I have created a backup but modified the dir command a bit:
dir -Recurse -directory | Get-NTFSAccess -ExcludeInherited | Export-CSV ....

The csv looks fine.
Now the following: I have removed a user group "G-Whatever" from a folder and ran the "resttore command"
The thing is: the removed group does not appear, it is still missing.
I have no clue why this is happening.
Since I have to adjust a few more NTFS rights it would be great if I can restore the oridinal NTFS rights if something goes wrong.

Or different idea: getting a backup, copy the csv, edit the copy and adjust the information there to set new permissions afterwards (this was Jan-Hendriks idea).

Regards
Dirk

I got the following error when trying to get the permissions for the whole drive.

Command used:

PS C:\> Get-ChildItem -recurse | Get-NTFSAccess -ExcludeInherited | Export-Csv permissions.csv

Error Received:
Get-NTFSAccess : Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
At line:1 char:26
+ Get-ChildItem -recurse | Get-NTFSAccess -ExcludeInherited | Export-Csv permissio ...
+                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (C:\Data\Temp\wbxtra_11152016_142541.wbt:String) [Get-NTFSAccess], ArgumentOutOfRangeException
    + FullyQualifiedErrorId : ReadSecurityError,NTFSSecurity.GetAccess
 
Get-NTFSAccess : Unable to find the specified file.
At line:1 char:26
+ Get-ChildItem -recurse | Get-NTFSAccess -ExcludeInherited | Export-Csv permissio ...
+                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (C:\Data\Temp\OI...9D2.0\A271AFDA.:String) [Get-NTFSAccess], FileNotFoundException
   \ + FullyQualifiedErrorId : ReadFileError,NTFSSecurity.GetAccess

This issue was imported from CodePlex

MichaelZoellner wrote 2016-09-12 at 16:18
First of all, NTFSSecurity is GREAT!

Nevertheless I think I found a glitch in version 4.2.3 in -Attributes. I understood that a list of multiple values separated by comma means an or disjunction:

PS D:\Test> attrib abc.txt
A            D:\Test\abc.txt
PS D:\Test> Get-ChildItem D:\Test -Attributes Archive,System
    Directory: D:\Test
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       12.09.2016     15:55              5 abc.txt

Using NTFSSecurity Get-ChildItem I don't get the result using two values. I only get it when using one correct attribute:

PS D:\Test> Get-ChildItem2 D:\Test -Attributes Archive,System
PS D:\Test> Get-ChildItem2 D:\Test -Attributes Archive
    Directory: D:\Test
Mode    Inherits             LastWriteTime         Size(M) Name
----    --------             -------------         ------- ----
-a---       True      12.09.2016     15:55               0 abc.txt

Probably this could be fixed in a next release? How can presently get multiple objects with different attributes?

Many Greetings

Michael

pdearmen wrote 2016-10-03 at 22:04
Something I did (i'm still testing it out on my own stuff) - i downloaded the source and changed this (around line 262 of getchilditem2.cs) from bitwise and to bitwise or - it seems to work properly now and works with any/all of the attributes provided

• if this works properly I'll upload a patch if I'm allowed. This was the only thing not working for me and it seems to work flawless now for what I use it for (a ransomware restoration script)

if (MyInvocation.BoundParameters.ContainsKey("Attributes"))

            {
                if ((current.Attributes | attributes) != attributes)
                continue;

raandree wrote 2016-10-10 at 11:57
Thanks for participating. I am moving this project to GutHub. Of course you can do a pull request there. If this is too overhead for you, I can implement the change you provided.

Did you face any further issues during your tests?

Hi, I am finishing up a file server migration with permissions and need to delete the local account sid which came from the other server.
Thanks for this module, it's fantastic! It saves me so much time ;)
Thanks!

The following commands fail to import with Import-WinModule because of a bug with the definition of the parameter alias definition:
Add-NTFSAccess
Add-NTFSAudit
Get-NTFSAccess
Get-NTFSAudit
Get-NTFSOrphanedAccess
Get-NTFSOrphanedAudit
Get-NTFSSimpleAccess
Remove-NTFSAccess
Remove-NTFSAudit

The typical error raised is:

Import-Module : Failed to generate proxies for remote module 'NTFSSecurity'. Proxy creation has been skipped for the 'Ad
d-NTFSAudit' command, because PowerShell could not verify the safety of a parameter alias name: 'IdentityReference, ID'.
At C:\Users\jole001\Documents\PowerShell\Modules\WindowsCompatibility\0.0.1\WindowsCompatibility.psm1:479 char:13
+             Import-Module  -Name $ImportNames -NoClobber:$NoClobber @ ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidData: (:) [Import-Module], InvalidOperationException
+ FullyQualifiedErrorId : ErrorSkippedUnsafeAliasName,Microsoft.PowerShell.Commands.ImportModuleCommand

This is further confirmed by @BrucePay in issue 38 of WindowsCompatibility

Thanks for great module. We have ~700 folders in parent folder, half of them had correct auditing permissions. For remaining half, thought that using 'addNTFSaudit' command for every ~350 folder. Each of the folders have data, I thought it will be applied recursively to each/every file and folder. Is there any way to propogate auditing perms OR I need to iterate through loop for every file/folder?

Using Get-ChildItem2 on a network UNC-Path shows error, if the folder contains a .lnk file. Error is:

Get-ChildItem2 : (3) The target directory is a file, not a directory: [\]
In Zeile:1 Zeichen:1

• Get-ChildItem2 -Directory -path \

•   + CategoryInfo          : NotSpecified: (\\<UNC-path>:String) [Get-ChildItem2], DirectoryNotFoundException
    + FullyQualifiedErrorId : DirUnspecifiedError,NTFSSecurity.GetChildItem2
  
  

Using Get-ChildItem runs without problem.

When you try to remove a junction, the following error is returned

remove-item2 : (87) The parameter is incorrect: [\\?\D:\testjunction]
At line:1 char:1
+ remove-item2 -Path .\testjunction\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (.\testjunction\:String) [Remove-Item2], IOException
    + FullyQualifiedErrorId : DeleteError,NTFSSecurity.RemoveItem2

Hi there,

We decided to use your module to try and setup automation within our SMA platform. Unfortunately when we import the module it generates an error as follows:

8/31/2017 11:20:40 AM, Verbose: 93e025b2-f06c-420c-8fb7-a23b6b346168:[localhost]:Dot-sourcing the script file
'C:\Users\SMA\Documents\WindowsPowerShell\Modules\NTFSSecurity\NTFSSecurity.Init.ps1'.

8/31/2017 11:20:40 AM, Error: Update-FormatData : Updating format data is not allowed in this runspace. The 'DisableFormatUpdates' property is set to
True when creating the runspace.
At AUD_Homedir:16 char:16
+

• CategoryInfo : InvalidOperation: (:) [Update-FormatData], PSInvalidOperationException
• FullyQualifiedErrorId : >InvalidOperation,Microsoft.PowerShell.Commands.UpdateFormatDataCommand

It appears to be a problem with the init script. I'm taking a look at this, but it seems to be a common issue with the SMA platform. Another module programmer has experienced this issue:
KirkMunro/ScsmPx#2

I've queried to find out what he did to work around this issue. However if you have any input, I'd appreciate any ideas on how we can fix the issue.

Downloaded NTFSSecurity-master.zip today, "unblocked" the files in the permissions tab, extracted zipped folder, created "NTFSSecurity" folder within C:\Windows\System32\WindowsPowerShell\v1.0\Modules, copied all files extracted from the zipped folder into the NTFSSecurity folder, launched PowerShell x64 as admin, ran "Import-Module NTFSSecurity" and i get the following error: import-module : The specified module 'ntfssecurity' was not loaded because no valid module file was found in any module directory. I replicated this issue on another machine following the same steps. This is running Windows 10 with PowerShell 5.

Cmdlet documentation should be very easy now to add

https://github.com/PowerShell/platyPS

Hi,

Once processed, NTFSSecurity.Init.ps1 should be removed (i.e. Remove-Module NTFSSecurity.Init.ps1) otherwise it keeps up appearing as "Script 0.0 NTFSSecurity.Init" when using Get-Module cmdlet.

Anyway congratulations for your great work.

Hi,

I suggest to (optionally) expand the groups in the output and (resursively) show their members.

Use-case:

On our fileserver all permissions are assigned to AD groups, which are then managed by the servicedesk.
The current output only shows group names. This makes sense, because these are in the ACL on the filesystem.

As a reviewer of permissions I would be helped if the output (optionally) could expand all the groups and list their members with their permissions.

This would allow me to generate one report with all information in it. This will make reviewing it a lot faster. It will also help the different "folder owners" to review the permissions on their folder when I share that section of the report with them.

I have been googling/searching for this, but I can't seem to find an existing solution.

Valentijn

There doesn't seem to be a commandlet to "replace all child object auditing entries...". When a remote folder is set to "Disable Inheritance" it doesn't get the Auditing permissions from parent folder.

Enable-NTFSAuditInheritance doesn't seem to do anything.

Get-Item \\server\share\folder | Add-NTFSAudit -account Everyone -AccessRights FullControl -AppliesTo ThisFolderSubfoldersAndFiles -verbose | Enable-NTFSAuditInheritance

I had an issue where files were moved into folders and the user didn't have permission to change permissions on the files, hence they didn't inherit the folder's inheritable permissions. I fixed the original issue, but need to go back and correct permissions on a couple hundred files. I have a script that finds them just need the proper line to correct this, but having trouble coming up with it, and perhaps this module doesn't do this function?

Basically looking to mimic the "replace all child object permissions with inheritable permission" checkbox you see under the folder properties, but in this case for individual files.

In Explorer, if I manually add the permission (for a group) - it will now appear twice, both as explicit and inherited. I tried this using NTFSSECURITY but that didn't work - it came up only as explicit and and removed when I removed it.

Hi there,

I have just begun using this module, and so far it has been working great, so thanks for putting it together.

The only issue I have run into so far, is that I cannot seem to properly set "List folder contents" as you would via the gui.

For example, if I choose a folder in the gui, and add a new user with only "List folder contents", then it applies via the gui and all seems to work as expected. If when running Get-NTFSAccess I see it shows "ReadAndExecute" + "Synchronize" (below output sanitized).

PS C:\Test> Get-NTFSAccess -Path .\User1\ -Account fileshare-list | fl

Name : User1
FullName : C:\Test\User1
InheritanceEnabled : True
InheritedFrom :
AccessControlType : Allow
AccessRights : ReadAndExecute, Synchronize
Account : Fileshare-List
InheritanceFlags : ContainerInherit
IsInherited : False
PropagationFlags : None
AccountType : group

But if I then go and re-add the same permissions (or delete and re-create), using ReadAndExecute, it gives ReadAndExecute (as expected).

I have tried adding just "ListDirectory" but then in the gui it shows "Special" which will confuse my helpdesk when they see it. I have also tried a number of other combinations of attributes, but nothing seems to get just the "List folder contents" box to be checked.

In case it changes anything, I am running on Windows 10 1703 (or 1704, cannot remember which) Creators Update. I have tried this both on local and network shares, and I get the same result.

Thanks again

Copy-Item2 -Force does not overwrite the destination file. The bug is in the following line:

It should be as follows:

if (!force & File.Exists(actualDestination)) 

When I attempt to import the module, I get a number of errors:

PS U:\> import-module ntfssecurity -force
Add-Type : Cannot bind parameter 'Path' to the target. Exception setting "Path": "Cannot find path 'C:\Users\user\Documents\WindowsPowerShell\Modules\ntfssecurity\Security2.dll' because it does not exist."
At C:\Users\user\Documents\WindowsPowerShell\Modules\ntfssecurity\NTFSSecurity.Init.ps1:75 char:16
+ Add-Type -Path $PSScriptRoot\Security2.dll
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (:) [Add-Type], ParameterBindingException
    + FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.PowerShell.Commands.AddTypeCommand

Add-Type : Cannot bind parameter 'Path' to the target. Exception setting "Path": "Cannot find path 'C:\Users\user\Documents\WindowsPowerShell\Modules\ntfssecurity\PrivilegeControl.dll' because it does not exist."
At C:\Users\user\Documents\WindowsPowerShell\Modules\ntfssecurity\NTFSSecurity.Init.ps1:76 char:16
+ Add-Type -Path $PSScriptRoot\PrivilegeControl.dll -ReferencedAssembli ...
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (:) [Add-Type], ParameterBindingException
    + FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.PowerShell.Commands.AddTypeCommand

Add-Type : Cannot bind parameter 'Path' to the target. Exception setting "Path": "Cannot find path 'C:\Users\user\Documents\WindowsPowerShell\Modules\ntfssecurity\ProcessPrivileges.dll' because it does not exist."
At C:\Users\user\Documents\WindowsPowerShell\Modules\ntfssecurity\NTFSSecurity.Init.ps1:77 char:16
+ Add-Type -Path $PSScriptRoot\ProcessPrivileges.dll
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (:) [Add-Type], ParameterBindingException
    + FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.PowerShell.Commands.AddTypeCommand

import-module : The module to process 'NTFSSecurity.dll', listed in field 'NestedModules' of module manifest 'C:\Users\user\Documents\WindowsPowerShell\Modules\ntfssecurity\ntfssecurity.psd1' was not processed because no
valid module was found in any module directory.
At line:1 char:1
+ import-module ntfssecurity -force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (ntfssecurity:String) [Import-Module], PSInvalidOperationException
    + FullyQualifiedErrorId : Modules_ModuleFileNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

When I copy the .dlls from their respective bin folders to the root of the NTFSSecurity folder, that makes the first three errors go away, but I haven't been able to figure out how to fix the 'NestedModules' one.

I placed the NTFSSecurity module folder in the same folder as all my other modules, and that folder is in my $env:PSModulePath. All other modules saved in that directory import just fine.

Hi,

I'm experiencing the following problem. I can successfully install the module via install-module but after that get-module ntfssecurity does not return anything and import-module ntfssecurity shows that only very few cmdlets are beeing loaded.

My powershell version:

> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.17134.165
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17134.165
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

My OS version:

> [System.Environment]::OSVersion.Version

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      17134  0

How i installed the module:

> find-module ntfssecurity | install-module -scope allusers

Nicht vertrauenswürdiges Repository
Sie installieren die Module aus einem nicht vertrauenswürdigen Repository. Wenn Sie diesem Repository vertrauen, ändern
 Sie dessen InstallationPolicy-Wert, indem Sie das Set-PSRepository-Cmdlet ausführen. Möchten Sie die Module von
'https://www.powershellgallery.com/api/v2/' wirklich installieren?
[J] Ja  [A] Ja, alle  [N] Nein  [K] Nein, keine  [H] Anhalten  [?] Hilfe (Standard ist "N"): A

Ouput of import-module:

>  import-module ntfssecurity -Verbose
AUSFÜHRLICH: Modul wird aus Pfad "C:\Program Files\WindowsPowerShell\Modules\ntfssecurity\4.2.3\ntfssecurity.psd1"
geladen.
AUSFÜHRLICH: "TypesToProcess" wird aus Pfad "C:\Program
Files\WindowsPowerShell\Modules\ntfssecurity\4.2.3\NTFSSecurity.types.ps1xml" geladen.
AUSFÜHRLICH: Die RepositorySourceLocation-Eigenschaft für das Modul ntfssecurity wird aufgefüllt.
AUSFÜHRLICH: Modul wird aus Pfad "C:\Program Files\WindowsPowerShell\Modules\ntfssecurity\4.2.3\NTFSSecurity.Init.ps1"
geladen.
AUSFÜHRLICH: DOT-Quellentnahme der Skriptdatei "C:\Program
Files\WindowsPowerShell\Modules\ntfssecurity\4.2.3\NTFSSecurity.Init.ps1".
AUSFÜHRLICH: Modul wird aus Pfad "C:\Program Files\WindowsPowerShell\Modules\ntfssecurity\4.2.3\NTFSSecurity.dll"
geladen.
AUSFÜHRLICH: Modul wird aus Pfad "C:\Program Files\WindowsPowerShell\Modules\ntfssecurity\4.2.3\NTFSSecurity.psm1"
geladen.
AUSFÜHRLICH: Alias "del2" wird importiert.
AUSFÜHRLICH: Alias "dir2" wird importiert.
AUSFÜHRLICH: Alias "gi2" wird importiert.
AUSFÜHRLICH: Alias "rm2" wird importiert.

After importing get-module reports back:

> get-module ntfssecurity

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     4.2.3      ntfssecurity                        {del2, dir2, gi2, rm2}

If I'm trying to use get-ntfsaccess I get the following error:

> get-ntfsaccess
get-ntfsaccess : Die Benennung "get-ntfsaccess" wurde nicht als Name eines Cmdlet, einer Funktion, einer Skriptdatei
oder eines ausführbaren Programms erkannt. Überprüfen Sie die Schreibweise des Namens, oder ob der Pfad korrekt ist
(sofern enthalten), und wiederholen Sie den Vorgang.
In Zeile:1 Zeichen:1
+ get-ntfsaccess
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (get-ntfsaccess:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

This basically means that the cmdlet was not recognized.

The following returns nothing:
> Get-Command -Module NTFSSecurity -Noun NTFSAccess

I am aware of the workaround of starting powershell with the -version parameter. Unfortunately that is not an option for me, as my scripts are depending on the newer version of posh.

Sorry for the german outputs I couldn't figure out how to completely change my powershell language yet.

Please let me know if you need any clarification or how I can help with any testing.
Thanks for looking into this!

Best Regards,
Thomas

NTFSSecurity v4.2.4 is not able to access long paths

Get-Item2 C:\Temp\LongPath\AbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxy\AbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxy\AbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxy.txt
get-item2 : Unable to find the specified file.

Get-ChildItem2 C:\Temp\LongPath\AbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxy\AbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxy
Get-ChildItem2 : Unable to find the specified file.

Test-Path2 C:\Temp\LongPath\AbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxy\AbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxy\AbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxyAbcdefghijklmnopqrstuvwxy.txt
False (but it actually exists)

Works properly with NTFSSecurity v4.2.3

Environment:
v4.2.3: PowerShell 2.0 on Windows 7 x64
v4.2.4: PowerShell 3.0 on Windows 7 x86 (using PowerShell 3.0 due to failure of v4.2.4 to Import-Module in PowerShell 2.0, which is logged as a separate bug).

This issue was imported from CodePlex

duboiso wrote 2016-03-29 at 12:17
Hello,

First time I post here so sorry if I break any rules.

I think Get-childitem2 doesn't handle hidden files and recursion properly.

Non-hidden items contained in hidden folders are not returned.

Please refer to the attached screenshot.

MichaelZoellner wrote 2016-09-12 at 16:34
I think that your example is not a bug but 'it works as designed'. In your last call of Get-ChildItem2 you specify that you only want to get hidden objects. The file test.txt is not hidden so you don't get it listed.

The problem with NTFSSecurity is that multiple attributes are not correctly evaluated (Id #1965). So I think there is no chance to get what you need.

Many Greetings

Michael

When querying effective permissions using the Get-NTFSEffectiveAccess function the results displayed for a particular account differ from those displayed when running the graphical tool in Windows Explorer.

This occurs when checking permissions over a UNC path (have not checked locally), through a DFS namespace, directly to a Windows CIFS share, and to a CIFS share hosted on a NetApp CIFS server.

Running NTFSSecurity 4.2.4

This issue was imported from CodePlex

JBinMN wrote 2016-06-22 at 23:06
When passed directory names containing curly braces of either hand, Get-NTFSOrphanedAccess throws the following error:

Index (zero based) must be greater than or equal to zero and less than the size of the argument list.

+ CategoryInfo          : NotSpecified: (:) [Get-NTFSOrphanedAccess], FormatException
+ FullyQualifiedErrorId : System.FormatException,NTFSSecurity.GetOrphanedAccess

I can work around it by filtering the output of get-childitem (or get-childitem2) :

where {$_.name -notmatch '{|}'}

I do not manage To install the module,
Which files exactly must be placed in the NTFSSecurity Folder.

• All Files and Folders in Zip ?
  ==> get-module -ListAvailable
  OK
  ==> Import-Module NTFSSecurity
  Import-Module : Le module «NTFSSecurity» spécifié n'a pas été chargé, car aucun fichier de module valide n'a été
  trouvé dans un répertoire de module.
  Au caractère Ligne:1 : 1

• Import-Module NTFSSecurity

•   + CategoryInfo          : ResourceUnavailable: (NTFSSecurity:String) [Import-Module], FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
  
  

If I place all the files of the under-folder Zip/NTFSSecurity only
==> get-module -ListAvailable
OK
==> Import-Module NTFSSecurity
error missing DLL files.

When trying to access the array of information from the output. It shows that the "Access Rights", "Applies to" are not actually available but only for view. Upon further investigation I found that the "Access Rights" is actually "AccessRights" but Applies to is not actually within the output. Which makes trying to use the information to correct ntfs problems an issue.

Get-NTFSAccess -Path 'c:\mypath' -Account 'creator owner' | Remove-NTFSAccess

Results in the following error:

Remove-NTFSAccess : The value '269484032' is not valid for this usage of the type FileSystemRights.
Parameter name: fileSystemRights
    + CategoryInfo          : WriteError: (c:\mypath:String) [Remove-NTFSAccess], ArgumentOutO fRangeException
    + FullyQualifiedErrorId : RemoveAceError,NTFSSecurity.RemoveAccess