Tag Archives: ACL

Users being disconnected randomly

Some users reported that their sessions were being disconnected. The warning shown was that the peer disconnected, and the XenApp servers reported error 4105. The Terminal Server License server was a member of the group Terminal Server License Servers. There is a KB article for this problem.

If you want to export the users that could experience this problem you can run the script below. To select the right group you need the well-known SID of this built-in group, which is "S-1-5-32-561". The ObjectType GUID that the user's ACE for that group must carry is "5805bc62-bdc9-4428-a5e2-856a0f4c185e"; the script exports every user that has ACEs for the group but none with that GUID.

Import-Module ActiveDirectory
$File   = ".\Export.csv"
$Header = "DN;ActiveDirectoryRights;InheritanceType;ObjectType;InheritedObjectType;ObjectFlags;AccessControlType;IdentityReference;IsInherited;InheritanceFlags;PropagationFlags"
Add-Content -Value $Header -Path $File

# Well-known SID of BUILTIN\Terminal Server License Servers and the ObjectType GUID its ACE must carry
$LicenseServerSid = "S-1-5-32-561"
$RequiredGuid     = "5805bc62-bdc9-4428-a5e2-856a0f4c185e"

# Distinguished names of every user object in the domain
$List2 = Get-ADUser -Filter * | Select-Object -ExpandProperty DistinguishedName
foreach ($item in $List2) {
    # IdentityReference is usually already resolved to a name (BUILTIN\...), so compare by SID instead of by string
    $ACLs = @((Get-Acl "AD:\$item").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $LicenseServerSid })
    if ($ACLs.Count -gt 0) {
        [int]$Count = 0
        foreach ($ACL in $ACLs) { if ($ACL.ObjectType -match $RequiredGuid) { $Count++ } }
        # The group has ACEs on this user but none with the required GUID: export them
        if ($Count -eq 0) {
            foreach ($ACL in $ACLs) {
                $OutInfo = $item + ";" + $ACL.ActiveDirectoryRights + ";" + $ACL.InheritanceType + ";" + $ACL.ObjectType + ";" + $ACL.InheritedObjectType + ";" + $ACL.ObjectFlags + ";" + $ACL.AccessControlType + ";" + $ACL.IdentityReference + ";" + $ACL.IsInherited + ";" + $ACL.InheritanceFlags + ";" + $ACL.PropagationFlags
                Add-Content -Value $OutInfo -Path $File
            }
        }
    }
}
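Once the export shows which user objects lack the ACE, the obvious follow-up is to add it. The function below is an added example and not part of the original post: it grants the license server group an ACE for the property set GUID on one user object, skipping objects that already have it. The rights granted (ReadProperty and WriteProperty on that GUID) are an assumption here, since the post only names the SID and GUID to check for; the function name Add-LicenseServerAce is also mine.

```powershell
# Added example: add the missing ACE for BUILTIN\Terminal Server License Servers on one user object.
# Assumption: the ACE should Allow ReadProperty and WriteProperty for the property set GUID
# 5805bc62-bdc9-4428-a5e2-856a0f4c185e (the post names the GUID, not the rights).
Import-Module ActiveDirectory

function Add-LicenseServerAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [switch]$WhatIf
    )
    $sid  = New-Object System.Security.Principal.SecurityIdentifier "S-1-5-32-561"
    $guid = [Guid]"5805bc62-bdc9-4428-a5e2-856a0f4c185e"
    $path = "AD:\$DistinguishedName"

    $acl = Get-Acl -Path $path

    # Idempotency check: an ACE for this SID with this ObjectType is already there
    $present = $acl.Access | Where-Object {
        try {
            $_.ObjectType -eq $guid -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
        } catch { $false }
    }
    if ($present) { return "Already present: $DistinguishedName" }

    $rights = [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty"
    $type   = [System.Security.AccessControl.AccessControlType]::Allow
    # Constructor overload (identity, rights, type, objectType) limits the ACE to the given property set GUID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $type, $guid)
    $acl.AddAccessRule($ace)

    if ($WhatIf) { return "Would add ACE on $DistinguishedName" }
    Set-Acl -Path $path -AclObject $acl
    return "Added ACE on $DistinguishedName"
}

# Usage: feed the DNs from Export.csv (first column), dry run first
# Import-Csv .\Export.csv -Delimiter ';' | Select-Object -ExpandProperty DN -Unique |
#     ForEach-Object { Add-LicenseServerAce -DistinguishedName $_ -WhatIf }
```

Run it with -WhatIf against the exported list first; writing to user object DACLs needs rights on those objects, and the function deliberately adds rather than replaces so any other ACEs the group already holds stay intact.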

Get Inherited Permission

The script reads a DFS location and an AD user from the console and checks that both exist. It then determines through which group membership the user has access to the folder and which NTFS rights the user has there.

PS1:

#Load Active Directory module and Windows Forms (needed for the message box)
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Windows.Forms
Clear-Host

# Ask for the DFS location; one retry, then the script stops
$Prompt  = "Voer de DFS Locatie in in UNC Format bijvoorbeeld: \\gemeentenet.local\dfs\deelnemer\folder"
$Locatie = Read-Host $Prompt
if (-not (Test-Path $Locatie)) {
    Write-Host "De opgegeven locatie bestaat niet. Voer opnieuw in" -b Black -f Red
    $Locatie = Read-Host $Prompt
    if (-not (Test-Path $Locatie)) {
        [System.Windows.Forms.MessageBox]::Show("ERROR: $Locatie bestaat niet. Het script is beëindigd!")
        Write-Host "De $Locatie bestaat niet. Voer het script opnieuw uit!" -f Red
        if (!($psISE)) { "Press any key to continue..."; [void][System.Console]::ReadKey($true) }
        exit 1
    }
}

# Ask for the user (sAMAccountName); Get-ADUser throws on an unknown name, so suppress that and test for $null
$Prompt = "Voer de User in in sAMaccountname Format bijvoorbeeld: othsbe02"
$User = Read-Host $Prompt
$testresult = Get-ADUser $User -ErrorAction SilentlyContinue
if ($testresult -eq $null) {
    Write-Host "De opgegeven User bestaat niet. Voer opnieuw in" -b Black -f Red
    $User = Read-Host $Prompt
    $testresult = Get-ADUser $User -ErrorAction SilentlyContinue
    if ($testresult -eq $null) {
        [System.Windows.Forms.MessageBox]::Show("ERROR: $User bestaat niet. Het script is beëindigd!")
        Write-Host "De $User bestaat niet. Voer het script opnieuw uit!" -f Red
        if (!($psISE)) { "Press any key to continue..."; [void][System.Console]::ReadKey($true) }
        exit 1
    }
}

# Export the ACL of the folder itself to a temporary CSV
$Folders = Get-Item $Locatie | Where-Object { $_.PSIsContainer -eq $true }
$OutFile = ".\temp.csv"
$Header  = "Folder Path;IdentityReference;AccessControlType;IsInherited;InheritanceFlags;PropagationFlags;FileSystemRights"
Add-Content -Value $Header -Path $OutFile
foreach ($Folder in $Folders) {
    $ACLs = Get-Acl $Folder.FullName | ForEach-Object { $_.Access }
    foreach ($ACL in $ACLs) {
        $OutInfo = $Folder.FullName + ";" + $ACL.IdentityReference + ";" + $ACL.AccessControlType + ";" + $ACL.IsInherited + ";" + $ACL.InheritanceFlags + ";" + $ACL.PropagationFlags + ";" + $ACL.FileSystemRights
        Add-Content -Value $OutInfo -Path $OutFile
    }
}

# Expand the identity of every ACE to its (recursive) members and record member;group;rights
$CSVImport = Import-Csv $OutFile -Delimiter ";"
$list1 = @()
foreach ($item in $CSVImport) {
    $identity = $item.IdentityReference.Replace("GEMEENTENET\", "")
    $temp1 = @()
    if ($item.IdentityReference -match "BUILTIN" -and $item.IdentityReference -match "Users") {
        # BUILTIN\Users on a domain member contains Domain Users, so expand that group
        $identity = $item.IdentityReference
        $temp1 = Get-ADGroupMember -Identity "Domain Users" -Recursive | ForEach-Object { $_.sAMAccountName }
    }
    elseif ($item.IdentityReference -match "BUILTIN\\Administrators") {
        $identity = $item.IdentityReference.Replace("BUILTIN\", "")
        $temp1 = Get-ADGroupMember $identity -Recursive | ForEach-Object { $_.sAMAccountName }
    }
    elseif ($item.IdentityReference -notmatch "BUILTIN" -and $item.IdentityReference -notmatch "NT AUTHORITY" -and $item.IdentityReference -notmatch "CREATOR") {
        # Domain groups; an ACE granted directly to a user is not a group and is skipped with an error suppressed
        $temp1 = Get-ADGroupMember $identity -Recursive -ErrorAction SilentlyContinue | ForEach-Object { $_.sAMAccountName }
    }
    foreach ($line in $temp1) { $list1 += $line + ";" + $identity + ";" + $item.FileSystemRights }
}

# Print only the lines of the requested user (anchored, so "jan" does not also match "jannie") and clean up
$print = $list1 -match "^$([regex]::Escape($User));"
$print | Sort-Object -Unique
Remove-Item $OutFile
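The script above works group by group: it enumerates the members of every group in the ACL and then filters for the user, which is slow on large groups, ignores Deny entries and misses access through the user's primary group. As an added example that is not part of the original post, the function below turns this around: it collects the user's transitive group SIDs with one LDAP_MATCHING_RULE_IN_CHAIN query, adds the well-known principals every domain user matches, and compares those with each ACE identity translated to a SID, reporting Allow and Deny entries. The function name Get-UserFolderAccess, the sample share path and the account name in the usage line are assumptions.

```powershell
# Added example: effective NTFS ACEs for one AD user on one folder, resolved by SID.
# Assumed names: Get-UserFolderAccess, the path and account in the usage line.
Import-Module ActiveDirectory

function Get-UserFolderAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup

    # Transitive (nested) group membership in one query; the DN is used as-is,
    # so DNs containing ( ) * or \ would need RFC 4515 escaping first
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"

    # The user's own SID plus the well-known principals a domain user always matches in an ACE
    $sids = [System.Collections.Generic.HashSet[string]]::new([string[]]@(
        $user.SID.Value,
        "S-1-1-0",        # Everyone
        "S-1-5-11",       # Authenticated Users
        "S-1-5-32-545"    # BUILTIN\Users (domain users are members on domain-joined hosts)
    ))
    foreach ($g in $groups) { [void]$sids.Add($g.SID.Value) }
    # The primary group is not listed in the member attribute, so add it separately
    if ($user.PrimaryGroup) { [void]$sids.Add((Get-ADGroup $user.PrimaryGroup).SID.Value) }

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable identity (orphaned SID in name form, local-only account)
        if ($sids.Contains($aceSid)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType   # Deny entries matter: they win over Allow
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (assumed path and account)
Get-UserFolderAccess -Path '\\gemeentenet.local\dfs\deelnemer\folder' -SamAccountName 'othsbe02' |
    Sort-Object Type, Identity | Format-Table -AutoSize
```

Local groups on the file server (other than BUILTIN\Users and BUILTIN\Administrators, which appear by well-known SID) are not expanded, since their membership lives on that server rather than in AD; an ACE for such a group shows up only if the script is extended to read it from the server.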

NTFS Security Inheritance Export Script

# Requires the NTFSSecurity module (Get-Inheritance comes from that module, not from Windows)
Import-Module NTFSSecurity
$lokatie = "\\Domain.local\dfs"
$header  = "Fullname;InheritanceEnabled"
$CSV     = "C:\file.csv"
Add-Content -Value $header -Path $CSV
# Every folder below the DFS root; the inheritance state is recorded per folder
$list = Get-ChildItem $lokatie -Recurse | Where-Object { $_.PSIsContainer -eq $true }
foreach ($Item in $list) {
    $export = Get-Inheritance -Path $Item.FullName
    foreach ($object in $export) {
        $outinfo = $Item.FullName + ";" + $object.InheritanceEnabled
        Add-Content -Value $outinfo -Path $CSV
    }
}

The script depends on the NTFSSecurity PowerShell module.

User ACL Permission Script

$Users = Get-Content "C:\user1.txt"
ForEach ($user in $Users) {
    # One folder per user under the test location
    $newPath = Join-Path "c:\testlocation" -ChildPath $user
    New-Item $newPath -Type Directory

    # Domain-qualified account name; "gandalf" is the domain used in this example
    $nuser   = "gandalf\" + $user
    $Access  = [System.Security.AccessControl.AccessControlType]"Allow"
    $Rights  = [System.Security.AccessControl.FileSystemRights]"FullControl"
    # ContainerInherit, ObjectInherit with NoPropagateInherit: applies to this folder and its direct children only
    $Prop    = [System.Security.AccessControl.PropagationFlags]"NoPropagateInherit"
    $Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($nuser, $Rights, $Inherit, $Prop, $Access)
    $acl = Get-Acl $newPath
    $acl.AddAccessRule($accessRule)
    Set-Acl $newPath -AclObject $acl
}

Restore exported ACL on folder

Import-Module ActiveDirectory

# Every CSV in .\CSVFiles, ';' separated with a FileSystemRights column, as produced by the export script on this page
$csv  = Get-ChildItem .\CSVFiles\* -Include *.csv
$list = @()
$list += Import-Csv $csv -Delimiter ';'
foreach ($entry in $list) {
    $Folderpath        = $entry.'Folder Path'
    $Identity          = $entry.IdentityReference
    $AccessControlType = $entry.AccessControlType
    $IsInherited       = $entry.IsInherited
    $Inheritanceflags  = $entry.InheritanceFlags
    $PropagationFlags  = $entry.PropagationFlags
    $FileSystemRights  = $entry.FileSystemRights

    # Inherited ACEs come back from the parent folder by themselves; re-adding them as explicit ACEs only clutters the DACL
    if ($IsInherited -eq 'True') { continue }

    $OldACL = Get-Acl $Folderpath
    # Constructor order: identity, rights, inheritance flags, propagation flags, access type
    $Newpermission = ($Identity, $FileSystemRights, $Inheritanceflags, $PropagationFlags, $AccessControlType)
    Write-Host $Newpermission
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $NewPermission
    $OldACL.SetAccessRule($AccessRule)
    $OldACL | Set-Acl $Folderpath
}

Export permissions to CSV file

$OutFile = "C:\Permissions.csv"
# FileSystemRights is exported too, because the restore script needs it to rebuild each ACE.
# ';' is used as separator: rights values such as "Modify, Synchronize" contain a comma.
$Header = "Folder Path;IdentityReference;AccessControlType;IsInherited;InheritanceFlags;PropagationFlags;FileSystemRights"
Remove-Item $OutFile -ErrorAction SilentlyContinue
Add-Content -Value $Header -Path $OutFile

$RootPath = "C:\Test"

$Folders = Get-ChildItem $RootPath -Recurse | Where-Object { $_.PSIsContainer -eq $true }

foreach ($Folder in $Folders) {
    $ACLs = Get-Acl $Folder.FullName | ForEach-Object { $_.Access }
    foreach ($ACL in $ACLs) {
        $OutInfo = $Folder.FullName + ";" + $ACL.IdentityReference + ";" + $ACL.AccessControlType + ";" + $ACL.IsInherited + ";" + $ACL.InheritanceFlags + ";" + $ACL.PropagationFlags + ";" + $ACL.FileSystemRights
        Add-Content -Value $OutInfo -Path $OutFile
    }
}
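The restore and export scripts above hand-build CSV lines and have to agree on column order and separator. As an added example covering both (not the blog's own code), the pair of functions below does the same round trip with Export-Csv and Import-Csv, exports only explicit ACEs together with the folder's inheritance state, and restores that state as well. The function names Export-FolderAces and Restore-FolderAces and the paths in the usage lines are assumptions.

```powershell
# Added example: export explicit NTFS ACEs of a folder tree to CSV and restore them from it.
# Assumed names: Export-FolderAces, Restore-FolderAces, C:\Test and C:\Permissions.csv.

function Export-FolderAces {
    param(
        [Parameter(Mandatory)][string]$RootPath,
        [Parameter(Mandatory)][string]$OutFile
    )
    $folders = @(Get-Item -LiteralPath $RootPath) +
               @(Get-ChildItem -LiteralPath $RootPath -Recurse | Where-Object { $_.PSIsContainer })
    $rows = foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            # Inherited ACEs are recreated by inheritance; only explicit ones are worth restoring
            if ($ace.IsInherited) { continue }
            [pscustomobject]@{
                'Folder Path'      = $folder.FullName
                IdentityReference  = $ace.IdentityReference.Value
                AccessControlType  = $ace.AccessControlType.ToString()
                FileSystemRights   = $ace.FileSystemRights.ToString()
                InheritanceFlags   = $ace.InheritanceFlags.ToString()
                PropagationFlags   = $ace.PropagationFlags.ToString()
                InheritanceEnabled = -not $acl.AreAccessRulesProtected
            }
        }
    }
    # Export-Csv quotes fields, so "Modify, Synchronize" survives regardless of delimiter
    $rows | Export-Csv -Path $OutFile -Delimiter ';' -NoTypeInformation -Encoding UTF8
    return @($rows).Count
}

function Restore-FolderAces {
    param(
        [Parameter(Mandatory)][string]$InFile,
        [switch]$WhatIf
    )
    $rows = Import-Csv -Path $InFile -Delimiter ';'
    foreach ($group in ($rows | Group-Object 'Folder Path')) {
        $path = $group.Name
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Missing folder, skipped: $path"; continue }
        $acl = Get-Acl -LiteralPath $path
        foreach ($row in $group.Group) {
            # Strings from the CSV are cast back to the enum types the constructor expects
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $row.IdentityReference,
                [System.Security.AccessControl.FileSystemRights]$row.FileSystemRights,
                [System.Security.AccessControl.InheritanceFlags]$row.InheritanceFlags,
                [System.Security.AccessControl.PropagationFlags]$row.PropagationFlags,
                [System.Security.AccessControl.AccessControlType]$row.AccessControlType)
            # AddAccessRule merges with existing ACEs for the same identity; SetAccessRule would replace them
            $acl.AddAccessRule($rule)
        }
        # Inheritance state recorded at export time (identical for all rows of one folder)
        $protected = $group.Group[0].InheritanceEnabled -eq 'False'
        $acl.SetAccessRuleProtection($protected, $true)
        if ($WhatIf) { Write-Host "Would apply $($group.Count) ACE(s) to $path" }
        else { Set-Acl -LiteralPath $path -AclObject $acl }
    }
}

# Usage (assumed paths); dry run the restore first
# Export-FolderAces -RootPath 'C:\Test' -OutFile 'C:\Permissions.csv'
# Restore-FolderAces -InFile 'C:\Permissions.csv' -WhatIf
```

Because only explicit ACEs are exported, restoring onto a tree whose parent permissions have changed gives a different effective result than the original; compare a fresh export against the old file before trusting a restore.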

Assign permissions to a new folder

# Create the folder; the ACL is then set through the DFS path, so give DFS a moment before changing it
New-Item -Path h: -Name Folder1\Folder2 -Type Directory
# $deelnemer and $samaccountname must be set beforehand; adjust the path to your environment
$locatie = "\\Domain.local\dfs\$deelnemer\users\$samaccountname\Folder1"
Sleep -s 30

# $Domain and $Groepsnaam hold the domain and the group name; the ACE is granted to DOMAIN\Group
$Account = "$Domain\$Groepsnaam"
$NewACL = Get-Acl $locatie
# Constructor order: identity, rights, inheritance flags, propagation flags, access type
$Newpermission = ($Account, "Modify, Synchronize", "ContainerInherit, ObjectInherit", "None", "Allow")
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $NewPermission
$NewACL.SetAccessRule($AccessRule)
$NewACL | Set-Acl $locatie