PowerShell ACL Rights on Extraction of Creator Owner
Hello Guys.
Any help would be appreciated.
I've been assigned a task to extract the creator owner of shared folders on a window server 2003 platform.
For days , i've been searching through the web cluelessly without any fruitful result.
I've located some scripts that enables me to only extract only in the below format.
I've managed to salvage this piece of script which lies somewhere around the net.
However this script could only extract
Folder Directory . System Rights . Control Type . IdentityReference . Inherited (T/F) . Inhertiance Flags . Propagation Flag.
With the below script.
##ACL Rights Execution PowerShell Script##
$OutFile = "C:\Users\All User\Desktop\logfile.csv" ##indicates where to input your logfile##
$Header = "Folder Path,IdentityReference,AccessControlType,AccessRights,IsInherited,InheritanceFlags,PropagationFlags"
Del $OutFile
Add-Content -Value $Header -Path $OutFile
$RootPath = "\\Servername\folder" ##which directory/folder you would like to extract the acl permissions##
$Folders = dir $RootPath -recurse | where {$_.psiscontainer -eq $true}
foreach ($Folder in $Folders){
$ACLs = get-acl $Folder.fullname | ForEach-Object { $_.Access }
Foreach ($ACL in $ACLs){
$OutInfo = $Folder.Fullname + "," + $ACL.IdentityReference + "," + $ACL.AccessControlType + "," + $ACL.FileSystemRights + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
Add-Content -Value $OutInfo -Path $OutFile
I've tried to change some of the values but it would not allow me to extract the value of the creator owner.
*Due to my poor understanding to powershell scripting because i'm not a programmer*
To define creator owner specifically as in the user who originally create the folder. Not users who are assigned full rights .
Hi,
As SenneVL said, we can get owner from the cmdlet "get-acl", please also try the script below, just a little modification:
$OutFile = "C:\Users\All User\Desktop\logfile.csv" ##indicates where to input your logfile##
$Header = "Folder Path,owner,IdentityReference,AccessControlType,AccessRights,IsInherited,InheritanceFlags,PropagationFlags"
Del $OutFile
Add-Content -Value $Header -Path $OutFile
$RootPath = "\\Servername\folder" ##which directory/folder you would like to extract the acl permissions##
$Folders = dir $RootPath -recurse | where {$_.psiscontainer -eq $true}
foreach ($Folder in $Folders){
$owner = (get-acl $Folder.fullname).owner
$ACLs = get-acl $Folder.fullname | ForEach-Object { $_.Access }
Foreach ($ACL in $ACLs){
$OutInfo = $Folder.Fullname + "," + $owner + "," + $ACL.IdentityReference + "," + $ACL.AccessControlType + "," + $ACL.FileSystemRights + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
Add-Content -Value $OutInfo -Path $OutFile
Best Regards,
Anna
Similar Messages
-
Hi all,
The LDAP ACL Rights are visible or only available in the Directory Server but it is not reflected when connected to the portal. And the Roles are mainly reflected from the portal. More specifically when admin rights are assigned in the portal, that overrides the acl rights provided in the Directory server. Can anyone clarify this how and why admin rights assigned in portal overrides the acl rights assigned in the directory server?
Thanks in advance.
Vijayhi
please go through this link
http://help.sap.com/saphelp_nw04/helpdata/en/eb/00954081efb90ee10000000a155106/content.htm
please don,t forget to give points
with regards
subrato kundu -
ACL rights assignment in new user script
I've been tasked with converting an old new-user script that runs at least once a day written in VB to PowerShell. This script takes as input a CSV file we get from HR that has all necessary info and creates a user, adds them to specific groups based on
the info in the CSV, enables their Exchange mailbox, and creates their home directory. I'm having a bit of trouble planning out the rights assignment part on the user home directory; I need to be able to add the specific user (set by variable at the beginning
of the script) and three static groups. What is the best way to do that? I can easily grab outside modules if needed (a section of my script checks for and if necessary installs modules and adds snap-ins), but I'd rather keep this 100% PowerShell - no icacls
or outside commands.
Any suggestions?
Thank you in advance.
[email protected]Here's what I came up with for the File System Stuff:
foreach ($user in $userlist)
$samaccountname = $user.empid
$FQN = "domain\" + $samaccountname
$homedirpath = "\\fileserver\users\$samaccountname"
new-item -ItemType directory -path $homedirpath -force
#Set ACLs for user and required groups
$homedir_acl = get-acl $homedirpath
$acl_access1 = 'domain\HomeDirectory Admins'
$acl_access2 = "domain\$samaccountname"
$fullrights = "Fullcontrol"
$modifyrights = "Modify"
$inheritrights = "ContainerInherit,ObjectInherit"
$rule1 = new-object system.security.accesscontrol.filesystemaccessrule ($acl_access1, $fullrights, $inheritrights, "none", "Allow")
$rule2 = new-object system.security.accesscontrol.filesystemaccessrule ($acl_access2, $modifyrights, $inheritrights, "none", "Allow")
$homedir_acl.addAccessRule($rule1)
set-acl $homedirpath $homedir_acl
$homedir_acl.addAccessRule($rule2)
set-acl $homedirpath $homedir_acl
#Set owner on home directory
$owner = New-Object System.Security.Principal.NTAccount($FQN)
$homedir_acl.setowner($owner)
set-acl $homedirpath $homedir_acl
[email protected] -
So, not sure if this is actually a PowerShell issue or a simple lack of understanding of permissions on my part. So, when you look at permissions manually you have some base permissions; Modify, Read & Execute, Read, Write, etc. You also have Special
Permissions, like Full Control and Read Attributes.
I have a script that is pushing out changed permissions, and
Get-ACL $Target | Format-List
gives me what looks to be correct permissions. But if, for example, I do
$ACRights = [System.Security.AccessControl.FileSystemRights]"Read, Write"
I would expect to see Read and Write in the basic permissions via the UI, and what I get in Special permissions only, and some that I didn't expect, but that are related, like Read Attributes. So, am I actually getting the results I should, and because I
am applying this via ACL it's all Special permissions? Or is there some other mechanism for setting simple Read & Write permissions?
Also, my need here is to make just a few files and folders available to users in ProgramData in an office where IT has generally locked down ProgramData (which then breaks functionality of some Autodesk products this year). Autodesk suggested manually setting
the required permissions for All Users on the files and folders, but my sense is that using Authenticated Users would be better, because it limits the permissions a bit. Or is the Authenticated Users group an old concept, and there is a better practice here?
I wouldn't be surprised if the same technique needs to be used on some Program Files folders, as Autodesk basically works form the assumption that everyone is a Local Admin, which is just insanity in my book and I would rather target specific files for access
rather than throwing the gates open as Autodesk wants.
Thanks!
GordonIt's probably showing up as "Special" because the access control entry isn't set to apply to sub folders and files. Container objects (folders, registry keys, AD objects, and WMI namespaces) need their ACEs to apply to their children as well in order for
them to not show up as "special". Here's how to create an ACE that gives Read and Write permissions that apply to a folder, its sub folders (ContainerInherit), and sub files (ObjectInherit):
New-Object System.Security.AccessControl.FileSystemAccessRule (
"Authenticated Users",
"Read, Write", # Access enumeration string/numeric value
"ContainerInherit, ObjectInherit", # InheritanceFlags (apply to sub folders and files)
"None", # PropagationFlags (None simply means that this will apply to the object)
"Allow" # ACE type
The reason you're seeing more rights than you expect is because "Read" is actually multiple specific access rights being combined (specifically list directory, read extended attributes, read attributes, and read permissions). To see that it translates
to more than one right, you can convert it to binary:
[convert]::ToString([System.Security.AccessControl.FileSystemRights]::Read.value__, 2)
Notice that more than one bit is set. If you want to see what each of those bits means, you can use this function:
function TranslateRights {
param(
$Rights = "Read",
[Type] $Enumeration = [System.Security.AccessControl.FileSystemRights],
[switch] $ListAll
# Files/folders use the same enumeration, and the numeric access masks can mean slightly different things, e.g.,
# bit 0 set means list directory for a folder or read data for a file. For that reason, it helps to have a collection
# of the different meanings:
$GroupedRights = @{}
[enum]::GetNames($Enumeration) | ForEach-Object {
$IntValue = [int] ($_ -as $Enumeration)
# Only interested in numbers that are powers of 2
if ($IntValue -band ($IntValue - 1)) { return }
if ($GroupedRights.ContainsKey($IntValue)) {
$GroupedRights.$IntValue += $_
else {
$GroupedRights.$IntValue = @($_)
$GroupedRights.GetEnumerator() | sort Name | ForEach-Object {
if ($_.Name -band ($Rights -as $Enumeration)) {
$Granted = $true
else {
$Granted = $false
$RightsString = $_.Value -join " / "
if ($ListAll) {
[PSCustomObject] @{
Bit = [System.Math]::Log($_.Name, 2)
Rights = $RightsString
Granted = $Granted
elseif ($Granted) {
$RightsString
And you could use it like this:
TranslateRights -Rights Modify
TranslateRights -Rights Modify -ListAll
TranslateRights -Rights ReadKey -Enumeration ([System.Security.AccessControl.RegistryRights]) -ListAll -
Are page creators / owners affected by approval process
I have a user who has created a page. The approval process for a page is setup so a content administrator approves content. However when the page creater adds an item to the page, it does not seem to go through the approval process. Is this a bug?
Orlando Kelly
Cayman Islands GovernmentWell, the user has to be hiding in there somewhere. How did the user have the access rights to create the page in the first place? They either have to be in a top level portal administration group or have manage rights on the page group level. Both of these will have to be removed
1) Check what groups the user is in by editing the user and scrolling down to the Exisiting Group membership section towards the bottom. Check for membership in DBA, PORTAL_ADMINISTRATION, etc. If any of those are listed, edit the corresponding group and remove that user from the group
2) Edit the page group properties and check what access rights the user has on the page group level. If listed with anything higher than view, remove the user
3) Check the page properties on the specific page in question and verify what access the user has on the page. It should be MANAGE ITEMS WITH APPROVAL
Rgds/Mark M. -
Greetings all,
I am needing assistance in how to lockdown access to Local Computer Management and Windows Backup via Group Policy for users that access RDS service. I have followed this awesome guide - h t t p://w w w.it.ltsoy.com/windows/lock-down-remote-desktop-services-server-2012/
- but it is missing two important resources that I would like to lock down.Currently, I have successfully locked down Control Panel for users via Group Policy, but I cannot find any group policy or guide on how to restrict user access
to Computer Management (different to Server Manager). When using Win-X shortcut to open the 'Administrator's shortcuts' near the windows icon, I have locked down everything except Computer Management. Computer Management gives direct access to Disk Management,
Shares etc, which are locked down for users. But Windows Server Backup is still accessible. Can someone please guide me on how to restrict access to both Computer Management and Windows Server Backup.
Thanks in advance.
Terry.Prevent running of Windows Server Backup
Computer Configuration\Policies\Windows Settings\Security Settings\File System
Right click on File System - Add File - Drill down to \System32\wbadmin.msc
On the Database Security ACL that pops up - Remove Creator Owner, Remove Users and check Adminstrators have Full Access.
On the Object window - choose Propagate inheritable permissions to all... (Default) -
Could you pls explain the "Get-Acl C:/Windows | fl" output?
Could you pls explain the "Get-Acl C:/Windows | fl" output? There are some nos. what are those indicate?
PS C:\> Get-Acl C:/Windows | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Windows
Owner : NT SERVICE\TrustedInstaller
Group : NT SERVICE\TrustedInstaller
Access : CREATOR OWNER Allow 268435456
NT AUTHORITY\SYSTEM Allow 268435456
NT AUTHORITY\SYSTEM Allow Modify, Synchronize
BUILTIN\Administrators Allow 268435456
BUILTIN\Administrators Allow Modify, Synchronize
BUILTIN\Users Allow -1610612736
BUILTIN\Users Allow ReadAndExecute, Synchronize
NT SERVICE\TrustedInstaller Allow 268435456
NT SERVICE\TrustedInstaller Allow FullControl
Audit :
Sddl : O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-185
3292631-2271478464D:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1301bf;;;
BA)(A;OICIIO;GXGR;;;BU)(A;;0x1200a9;;;BU)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271
478464)(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
AliahMurfyThose numbers are
generic access rights.
The string representation of the access rights come from the FileSystemRights enumeration. Generic rights aren't included in that enumeration, so they show up as the numeric value. You can look up the generic mappings for lots of different objects on MSDN.
The 3.0 beta of
my access control module will translate generic access rights for lots of different objects, including files and folders. Here is a screenshot showing the generic rights being translated for a registry key (HKLM:\SOFTWARE) and a folder (C:\Windows):
The helper function that does the translation is temporarily accessible in the beta version. It is called New-AdaptedAcl. You can play around with it to get a better idea of what's going on (but this command will be private before the final 3.0 version is
released). Here's a screenshot of the helper function in action (the first command does no translation, it just gives a string representation of the numeric access mask; the second command does translation, but it doesn't merge similar ACEs with each other): -
How to Parse this XML File and require below mentioned value as output using powershell script
Need values for below as an output for below xml file so help me with the script:
Under Criteria Tag-
TimeStamp Display Value
OID corresponding to display value for nodes "Criterion"
Under Report Body Tag--
name in Report Section and OID value
<?xml version="1.0" encoding="UTF-8"?>
<ReportOutput>
<ReportHead>
<Report name="Execution Action" type="detailedchanges_rpt">
<Description></Description>
</Report>
<Criteria>
<TimestampCriterion name="date" displayvalue="08/10/14 23:08">
<Timestamp displayvalue="08/10/14 23:08">1412780929000</Timestamp>
</TimestampCriterion>
<MatchCriterion name="approvalId" displayvalue="Not applied" operator="contains" />
<MatchCriterion name="promotionComment" displayvalue="Not applied" operator="contains" />
<SelectCriterion name="changeWindow" displayvalue="Not applied" />
<SelectCriterion name="auditEvents" displayvalue="(Any)">
<String>auditEventAny</String>
</SelectCriterion>
<SelectCriterion name="attributeDisplay" displayvalue="Changed attributes">
<String>changed</String>
</SelectCriterion>
<SelectCriterion name="versionCompare" displayvalue="Version with current baseline">
<String>disabled</String>
</SelectCriterion>
<BooleanCriterion name="showContentDiff" displayvalue="No">
<Boolean value="false" />
</BooleanCriterion>
<BooleanCriterion name="displayUsers" displayvalue="No">
<Boolean value="false" />
</BooleanCriterion>
<BooleanCriterion name="displayPackages" displayvalue="No">
<Boolean value="false" />
</BooleanCriterion>
<BooleanCriterion name="displayCustomProperties" displayvalue="No">
<Boolean value="false" />
</BooleanCriterion>
<BooleanCriterion name="strictPackageMatch" displayvalue="No">
<Boolean value="false" />
</BooleanCriterion>
<BooleanCriterion name="displayCriteriaAtEnd" displayvalue="No">
<Boolean value="false" />
</BooleanCriterion>
<SelectCriterion name="elementExists" displayvalue="Not applied" />
<IntegerCriterion name="maxLinesPerBlock" displayvalue="10">
<Integer>10</Integer>
</IntegerCriterion>
<NodesCriterion name="nodes" displayvalue="TripwireENT.demo.net">
<OID>-1y2p0ij32e8bw:-1y2p0ij32e7cu</OID>
</NodesCriterion>
<MatchCriterion name="nodeName" displayvalue="Not applied" operator="contains" />
<CustomPropertiesCriterion name="nodeProps" displayvalue="Not applied" />
<RulesCriterion name="rules" displayvalue="Critical System Files">
<OID>-1y2p0ij32e7q2:-1y2p0ij31snh6</OID>
</RulesCriterion>
<MatchCriterion name="ruleName" displayvalue="Not applied" operator="contains" />
<MatchCriterion name="elementName" displayvalue="Not applied" operator="contains" />
<CustomPropertiesCriterion name="elementProps" displayvalue="Not applied" />
<CustomPropertiesCriterion name="versionProps" displayvalue="Not applied" />
<AttributesCriterion name="attributes" displayvalue="Not applied">
<Integer name=".missingImpliesFailure">1</Integer>
</AttributesCriterion>
<ContentCriterion name="content" displayvalue="Not applied" />
<MatchCriterion name="auditEventUserName" displayvalue="Not applied" operator="contains" />
<IntegerCriterion name="changeType" displayvalue="Added, Modified, Removed">
<Integer>7</Integer>
</IntegerCriterion>
<SeverityRangeCriterion name="severity" displayvalue="1 - 10000">
<Integer name="min">1</Integer>
<Integer name="max">10000</Integer>
</SeverityRangeCriterion>
<BooleanCriterion name="currentVersionsOnly" displayvalue="Yes">
<Boolean value="true" />
</BooleanCriterion>
<TimeRangeCriterion name="timeRange" displayvalue="All time" />
<PackagesCriterion name="packages" displayvalue="Not applied" />
<SortCriterion name="sortNodes" displayvalue="Name, ascending" isascending="true">
<String>name</String>
</SortCriterion>
<SortCriterion name="sortRules" displayvalue="Name, ascending" isascending="true">
<String>name</String>
</SortCriterion>
<SortCriterion name="sortElements" displayvalue="Name, ascending" isascending="true">
<String>name</String>
</SortCriterion>
<SortCriterion name="sortVersions" displayvalue="Date, descending" isascending="false">
<String>date</String>
</SortCriterion>
</Criteria>
</ReportHead>
<ReportBody>
<ReportSection name="TripwireENT.demo.net" category="node">
<OID>-1y2p0ij32e8bw:-1y2p0ij32e7cu</OID>
<String name="typeName">Windows Server</String>
<ReportSection name="Critical System Files" category="rule">
<OID>-1y2p0ij32e7q2:-1y2p0ij31snh6</OID>
<String name="typeName">Windows File System Rule</String>
<ReportSection name="C:\Temp" category="element">
<OID>-1y2p0ij32e8dr:-1y2p0ij32e586</OID>
<ReportSection name="08/10/14 22:48" category="version">
<OID>-1y2p0ij32e8du:-1y2p0ij32e3ho</OID>
<Integer name="changeType">1</Integer>
<String name="changeTypeName">Added</String>
<Integer name="severity">10000</Integer>
<String name="severityName">High</String>
<Timestamp name="changeTime" displayvalue="08/10/14 22:48">1412779682000</Timestamp>
<String name="approvalId"></String>
<ReportSection name="attributes" category="attributes">
<ReportSection name="DACL" category="added">
<String name="observed">Inherits Entries: true
NT AUTHORITY\SYSTEM, Access Allowed:
Standard rights:
Full Control
Modify
Read & Execute
List Folder Contents
Read
Write
Delete
Read Control
Write DAC
Write Owner
Synchronize
Specific rights:
Full Control
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Directory Delete Child
Read Permissions
Change Permissions
Take Ownership
Header flags:
Object Inherit
Container Inherit
Inherited
BUILTIN\Administrators, Access Allowed:
Standard rights:
Full Control
Modify
Read & Execute
List Folder Contents
Read
Write
Delete
Read Control
Write DAC
Write Owner
Synchronize
Specific rights:
Full Control
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Directory Delete Child
Read Permissions
Change Permissions
Take Ownership
Header flags:
Object Inherit
Container Inherit
Inherited
BUILTIN\Users, Access Allowed:
Standard rights:
Read & Execute
List Folder Contents
Read
Read Control
Synchronize
Specific rights:
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions
Header flags:
Object Inherit
Container Inherit
Inherited
BUILTIN\Users, Access Allowed:
Specific rights:
Create Folders / Append Data
Header flags:
Container Inherit
Inherited
BUILTIN\Users, Access Allowed:
Specific rights:
Create Files / Write Data
Header flags:
Container Inherit
Inherited
CREATOR OWNER, Access Allowed:
Generic rights:
Generic All
Specific rights:
Full Control
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Directory Delete Child
Read Permissions
Change Permissions
Take Ownership
Header flags:
Object Inherit
Container Inherit
Inherit Only
Inherited
</String>
</ReportSection>
<ReportSection name="Group" category="added">
<String name="observed">TRIPWIREENT\None</String>
</ReportSection>
<ReportSection name="Owner" category="added">
<String name="observed">BUILTIN\Administrators</String>
</ReportSection>
<ReportSection name="Read-Only" category="added">
<String name="observed">false</String>
</ReportSection>
<ReportSection name="SACL" category="added">
<String name="observed">(null)</String>
</ReportSection>
<ReportSection name="Type" category="added">
<String name="observed">Directory</String>
</ReportSection>
</ReportSection>
</ReportSection>
</ReportSection>
<ReportSection name="C:\Windows\System32\drivers\etc\hosts" category="element">
<OID>-1y2p0ij32e8dr:-1y2p0ij32e4kp</OID>
<ReportSection name="08/10/14 23:08" category="version">
<OID>-1y2p0ij32e8du:-1y2p0ij32e3hk</OID>
<Integer name="changeType">2</Integer>
<String name="changeTypeName">Modified</String>
<Integer name="severity">10000</Integer>
<String name="severityName">High</String>
<Timestamp name="changeTime" displayvalue="08/10/14 23:08">1412780929000</Timestamp>
<String name="approvalId"></String>
<ReportSection name="attributes" category="attributes">
<ReportSection name="SHA-1" category="modified">
<String name="expected">de375d8a456a7345323babee88975ca567a2d5c4</String>
<String name="observed">3c5520382f91cb1cd898fee2da4eba3fa338d982</String>
</ReportSection>
<ReportSection name="Size" category="modified">
<String name="expected">829</String>
<String name="observed">854</String>
</ReportSection>
</ReportSection>
</ReportSection>
</ReportSection>
</ReportSection>
</ReportSection>
<ReportSection name="reportTotals" category="reportTotals">
<Integer name="summary.nodeCount">1</Integer>
<Integer name="summary.ruleCount">1</Integer>
<Integer name="summary.elementCount">2</Integer>
</ReportSection>
</ReportBody>
</ReportOutput>Hi Ritehere,
I know this is simple but am beginner in Powershell Script so I was looking for logic to go through however the output you provided is not what i am looking for and your script is too complicated, as under timestamp i wanted display value and correspoding
to display value the OID name and then name value correspoding to that OID. May be u got it wrong.
Thanks anyways. -
Access rights , privileges on XML DB
Hello,
I would like to know where can I find information about implementing security and access rights. I have 5 folders under SCOTT/TIGER schema and would like to asign access rights to different user , ie user A can access folder A only, user B can see folder A & Folder B , so on so .
I will appreciate your help.
Thanks
Syed.I did and here is the result
1 select r.res.getClobVal()
2 from resource_view r
3* where equals_path(res,'/home/SCOTT')=1
SQL> /
R.RES.GETCLOBVAL()
<Resource xmlns="http://xmlns.oracle.com/xdb/XDBResource.xsd" Hidden="false" Inv
alid="false" Container="true" CustomRslv="false" VersionHistory="false" StickyRe
f="true">
<CreationDate>2003-09-11T15:53:42.672000</CreationDate>
<ModificationDate>2003-10-01T09:08:15.456000</ModificationDate>
<DisplayName>SCOTT</DisplayName>
<Language>en-US</Language>
<CharacterSet>UTF-8</CharacterSet>
<ContentType>text/plain</ContentType>
<RefCount>1</RefCount>
<ACL>
R.RES.GETCLOBVAL()
<acl description="Protected:Readable by PUBLIC and all privileges to OWNER"
xmlns="http://xmlns.oracle.com/xdb/acl.xsd" xmlns:dav="DAV:" xmlns:xsi="http://w
ww.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/x
db/acl.xsd http://xmlns.oracle.com/xdb/acl.xsd">
<ace>
<principal>dav:owner</principal>
<grant>true</grant>
<privilege>
<all/>
</privilege>
</ace>
R.RES.GETCLOBVAL()
<ace>
<principal>XDBADMIN</principal>
<grant>true</grant>
<privilege>
<all/>
</privilege>
</ace>
<ace>
<principal>PUBLIC</principal>
<grant>true</grant>
<privilege>
R.RES.GETCLOBVAL()
<read-properties/>
<read-contents/>
<read-acl/>
<resolve/>
</privilege>
</ace>
</acl>
</ACL>
<Owner>SCOTT</Owner>
<Creator>SYS</Creator>
<LastModifier>SCOTT</LastModifier>
R.RES.GETCLOBVAL()
</Resource>
and for /home/SCOTT/1999
SQL> select r.res.getClobVal()
2 from resource_view r
3 where equals_path(res,'/home/SCOTT/1999')=1;
R.RES.GETCLOBVAL()
<Resource xmlns="http://xmlns.oracle.com/xdb/XDBResource.xsd" Hidden="false" Inv
alid="false" Container="true" CustomRslv="false" VersionHistory="false" StickyRe
f="true">
<CreationDate>2003-09-25T11:56:18.910000</CreationDate>
<ModificationDate>2003-09-25T11:56:21.023000</ModificationDate>
<DisplayName>1999</DisplayName>
<Language>en-US</Language>
<CharacterSet>WINDOWS-1252</CharacterSet>
<ContentType>application/octet-stream</ContentType>
<RefCount>1</RefCount>
<ACL>
R.RES.GETCLOBVAL()
<acl description="Private:All privileges to OWNER only and not accessible to
others" xmlns="http://xmlns.oracle.com/xdb/acl.xsd" xmlns:dav="DAV:" xmlns:xsi=
"http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.ora
cle.com/xdb/acl.xsd http://xmlns.oracle.com/xdb/acl.xs
d">
<ace>
<principal>dav:owner</principal>
<grant>true</grant>
<privilege>
<all/>
</privilege>
R.RES.GETCLOBVAL()
</ace>
</acl>
</ACL>
<Owner>SCOTT</Owner>
<Creator>SCOTT</Creator>
<LastModifier>SCOTT</LastModifier>
</Resource>
===========================End====================
Hope this helped.
Syed -
Solved - How to take ownership and change permissions for blocked files and folders in Powershell
Hello,
I was trying to take ownership & fix permissions on Home Folder/My Documents structures, I ran into the common problem in PowerShell where Set-Acl & Get-Acl return access denied errors. The error occurs because the Administrators have been removed from
file permissions and do not have ownership of the files,folders/directories. (Assuming all other permissions like SeTakeOwnershipPrivilege have been enabled.
I was not able to find any information about someone successfully using native PS to resolve the issue. As I was able to solve the issues surrounding Get-Acl & Set-Acl, I wanted to share the result for those still looking for an answer.
Question: How do you use only Powershell take ownership and reset permissions for files or folders you do not have permissions or ownership of?
Problem:
Using the default function calls to the object fail for a folder that the administrative account does not have permissions or file ownership. You get the following error for Get-Acl:
PS C:\> Get-Acl -path F:\testpath\locked
Get-Acl : Attempted to perform an unauthorized operation.
+ get-acl <<<< -path F:\testpath\locked
+ CategoryInfo : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
If you create a new ACL and attempt to apply it using Set-Acl, you get:
PS C:\> Set-Acl -path F:\testpath\locked -AclObject $DirAcl
Set-Acl : Attempted to perform an unauthorized operation.
At line:1 char:8
+ Set-Acl <<<< -path "F:\testpath\locked" -AclObject $DirAcl
+ CategoryInfo : PermissionDenied: (F:\testpath\locked:String) [Set-Acl], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
Use of other functions like .GetAccessControl will result in a similar error: "Attempted to perform an unauthorized operation."
How do you replace owner on all subcontainers and objects in Powershell with resorting to external applications like takeown, icacls, Windows Explorer GUI, etc.?
TonyHello,
Last, here is the script I used to reset permissions on the "My Documents" tree structure that admins did not have access to:
Example: Powershell script to parse a directory of User-owned "My Document" redirection folders and reset permissions.
#Script to Reset MyDocuments Folder permissions
$domainName = ([ADSI]'').name
Import-Module "PSCX" -ErrorAction Stop
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true) #Necessary to set Owner Permissions
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true) #Necessary to bypass Traverse Checking
#Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeSecurityPrivilege", $true) #Optional if you want to manage auditing (SACL) on the objects
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) #Necessary to override FilePermissions & take Ownership
$Directorypath = "F:\Userpath" #locked user folders exist under here
$LockedDirs = Get-ChildItem $Directorypath -force #get all of the locked directories.
Foreach ($Locked in $LockedDirs) {
Write-Host "Resetting Permissions for "$Locked.Fullname
#######Take Ownership of the root directory
$blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
$blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
$Locked.SetAccessControl($blankdirAcl)
###################### Setup & apply correct folder permissions to the root user folder
#Using recommendation from Ned Pyle's Ask Directory Services blog:
#Automatic creation of user folders for home, roaming profile and redirected folders.
$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$fullrights = [System.Security.AccessControl.FileSystemRights]"FullControl"
$allowrights = [System.Security.AccessControl.AccessControlType]"Allow"
$DirACL = New-Object System.Security.AccessControl.DirectorySecurity
#Administrators: Full Control
$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators",$fullrights, $inherit, $propagation, "Allow")))
#System: Full Control
$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM",$fullrights, $inherit, $propagation, "Allow")))
#Creator Owner: Full Control
$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("CREATOR OWNER",$fullrights, $inherit, $propagation, "Allow")))
#Useraccount: Full Control (ideally I would error check the existance of the user account in AD)
#$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked.name",$fullrights, $inherit, $propagation, "Allow")))
$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked",$fullrights, $inherit, $propagation, "Allow")))
#Remove Inheritance from the root user folder
$DirACL.SetAccessRuleProtection($True, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
#Set permissions on User Directory
Set-Acl -aclObject $DirACL -path $Locked.Fullname
Write-Host "commencer" -NoNewLine
##############Restore admin access & then restore file/folder inheritance on all subitems
#create a template ACL with inheritance re-enabled; this will be stamped on each subitem to re-establish the file structure with inherited ACLs only.
#$NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked.name") #ideally I would error check this.
$NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked") #ideally I would error check this.
$subFileACL = New-Object System.Security.AccessControl.FileSecurity
$subDirACL = New-Object System.Security.AccessControl.DirectorySecurity
$subFileACL.SetOwner($NewOwner)
$subDirACL.SetOwner($NewOwner)
######## Enable inheritance ($False) and not copy of parent ACLs ($False)
$subFileACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
$subDirACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
#####loop through subitems
$subdirs = Get-ChildItem -path $Locked.Fullname -force -recurse #force is necessary to get hidden files/folders
foreach ($subitem in $subdirs) {
#take ownership to insure ability to change permissions
#Then set desired ACL
if ($subitem.Attributes -match "Directory") {
# New, blank Directory ACL with only Owner set
$blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
$blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
#Use SetAccessControl to reset Owner; Set-Acl will not work.
$subitem.SetAccessControl($blankdirAcl)
#At this point, Administrators have the ability to change the directory permissions
Set-Acl -aclObject $subDirACL -path $subitem.Fullname -ErrorAction Stop
} Else {
# New, blank File ACL with only Owner set
$blankfileAcl = New-Object System.Security.AccessControl.FileSecurity
$blankfileAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
#Use SetAccessControl to reset Owner; Set-Acl will not work.
$subitem.SetAccessControl($blankfileAcl)
#At this point, Administrators have the ability to change the file permissions
Set-Acl -aclObject $subFileACL -path $subitem.Fullname -ErrorAction Stop
Write-Host "." -NoNewline
Write-Host "fin."
Write-Host "Script Complete."
I hope you find this useful.
Thank you,
Tony
Final Thought: There are great non-PS tools like
Set-Acl and takeown which are external to PS & can also do the job wonderfully. It may be much simpler to call those tools than recreate the wheel in pure
code. Feel free to use whatever best suits your time, scope & cost. -
Read Only for all but creator of original file
I need to accomplish the following:
The goal is for us all to have access to read all the files associated with the audit. Only person posting the file should be able to modify it.
Would this be:
Everyone: Read/Write/Create
Owner: Modify/Delete
As right now they all can read/write/delete any document they would like.Ah, I see. I'll clarify: you're supposed to set these permissions on the topmost folder
where your users are supposed to create files:
This folder and subfolders:
Everyone - Read and Execute, Create files
Files only:
Everyone - Read and Execute
CREATOR OWNER - Modify
The end result is that users can create files in that folder and all its subfolders - they cannot create folders, but they can read everything. Now, when a user creates a
file in this folder structure, that user and that user only will automatically get Modify on that particular file (the CREATOR OWNER permission is translated to that user account in the ACL).
An example:
Let's say your topmost folder is D:\Data\Users. You apply the above permissions to
this folder. Then, a user with the account name YOURDOMAIN\User1 comes along and creates the file "MyTasks.txt" in this folder. That file will then have the following permissions:
Everyone - Read & Execute
YOURDOMAIN\User1 - Modify
As you can see, there is no need for any special groups. Try it out! -
Access Denied for User with Contribute Rights to a SP list
I have two users that I have given Contribute Rights on a SharePoint 2010 site - the SP list in question is inheriting permissions from the Parent site, as well as other lists in the site. These two users can edit items in the all other lists on the
site except for this one in question.
It is only one list that they cannot view or edit list items. They can view the items in the list, but when they try to open an item in display or edit form, it gives the access denied.
Other users on the site are NOT having these issues - with the same permissions.
I researched this problem and have tried various solutions with no luck. I have checked to see that there are NO item level permissions set up; I have deleted the user from the site collection, then added them back, with no luck.
I am at a loss on what to do.
Please helpTimestamp Process
TID Area Category
EventID Level Message Correlation
03/11/2014 10:41:06.17 OWSTIMER.EXE (0x01E4) 0x0AD0 SharePoint Server Search Administration
dmg4 Verbose Groups for process identity 'DOMAIN\spadmin': 'DOMAIN\Domain Users', 'Everyone', 'SHAREPOINT\WSS_ADMIN_WPG', 'SHAREPOINT\WSS_RESTRICTED_WPG_V4', 'SHAREPOINT\WSS_WPG', 'BUILTIN\IIS_IUSRS', 'BUILTIN\Performance Monitor Users', 'BUILTIN\Users',
'BUILTIN\Administrators', 'NT AUTHORITY\SERVICE', 'CONSOLE LOGON', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\This Organization', 'NT SERVICE\SPTimerV4', 'LOCAL', 'DOMAIN\Group Policy Creator Owners', 'DOMAIN\Department_Schedules_ReadWrite', 'DOMAIN\Sage50_ReadWrite',
'DOMAIN\GrainCleaners_ReadWrite', 'DOMAIN\Domain Admins', 'DOMAIN\IT Department', 'DOMAIN\RDP_Users', 'DOMAIN\Engineering_ReadWrite', 'DOMAIN\Inventory_ReadWrite', 'DOMAIN\Schema Admins', 'DOMAIN\FabTrol', 'DOMAIN\Enterprise Admins', 'DOMAIN\Software', 'DOMAIN\Denied
RODC Password Replication Group', 17e8c7b4-fa35-4040-ac83-fe55f721590d
03/11/2014 10:41:06.17 OWSTIMER.EXE (0x01E4) 0x0AD0 SharePoint Server Search Administration
dmg1 High Group WSS_WPG... 17e8c7b4-fa35-4040-ac83-fe55f721590d
03/11/2014 10:41:06.17 OWSTIMER.EXE (0x01E4) 0x0AD0 SharePoint Server Search Administration
dmg2 High Group WSS_WPG: DOMAIN\spadmin 17e8c7b4-fa35-4040-ac83-fe55f721590d
03/11/2014 10:41:06.17 OWSTIMER.EXE (0x01E4) 0x0AD0 SharePoint Server Search Administration
dmg2 High Group WSS_WPG: NT AUTHORITY\LOCAL SERVICE 17e8c7b4-fa35-4040-ac83-fe55f721590d
03/11/2014 10:41:06.17 OWSTIMER.EXE (0x01E4) 0x0AD0 SharePoint Server Search Administration
dmg2 High Group WSS_WPG: DOMAIN\spservice 17e8c7b4-fa35-4040-ac83-fe55f721590d
03/11/2014 10:41:06.17 OWSTIMER.EXE (0x01E4) 0x0AD0 SharePoint Server Search Administration
dmg2 High Group WSS_WPG: DOMAIN\SearchSvc 17e8c7b4-fa35-4040-ac83-fe55f721590d
03/11/2014 10:41:06.17 OWSTIMER.EXE (0x01E4) 0x0AD0 SharePoint Server Search Administration
dmg2 High Group WSS_WPG: DOMAIN\spContent 17e8c7b4-fa35-4040-ac83-fe55f721590d
03/11/2014 10:41:06.17 OWSTIMER.EXE (0x01E4) 0x0AD0 SharePoint Server Search Administration
dmg2 High Group WSS_WPG: DOMAIN\WebAnalProcessSvc 17e8c7b4-fa35-4040-ac83-fe55f721590d
03/11/2014 10:41:06.17 OWSTIMER.EXE (0x01E4) 0x0AD0 SharePoint Server Search Administration
dmg2 High Group WSS_WPG: DOMAIN\svcAppPoolSecure 17e8c7b4-fa35-4040-ac83-fe55f721590d
03/11/2014 10:41:06.17 OWSTIMER.EXE (0x01E4) 0x0AD0 SharePoint Server Search Administration
dmg2 High Group WSS_WPG: NT AUTHORITY\SYSTEM 17e8c7b4-fa35-4040-ac83-fe55f721590d
03/11/2014 10:41:06.17 OWSTIMER.EXE (0x01E4) 0x0AD0 SharePoint Server Search Administration
dmg1 High Group WSS_ADMIN_WPG... 17e8c7b4-fa35-4040-ac83-fe55f721590d
03/11/2014 10:41:06.17 OWSTIMER.EXE (0x01E4) 0x0AD0 SharePoint Server Search Administration
dmg2 High Group WSS_ADMIN_WPG: BUILTIN\Administrators 17e8c7b4-fa35-4040-ac83-fe55f721590d
03/11/2014 10:41:06.17 OWSTIMER.EXE (0x01E4) 0x0AD0 SharePoint Server Search Administration
dmg2 High Group WSS_ADMIN_WPG: DOMAIN\spadmin 17e8c7b4-fa35-4040-ac83-fe55f721590d
03/11/2014 10:41:06.17 OWSTIMER.EXE (0x01E4) 0x0AD0 SharePoint Server Search Administration
dmg2 High Group WSS_ADMIN_WPG: DOMAIN\rawtecadmin 17e8c7b4-fa35-4040-ac83-fe55f721590d
03/11/2014 10:50:15.56 w3wp.exe (0x0098) 0x19B8 SharePoint Foundation
Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:https://portal.emw.ca:443/ehs/Lists/InvestigationReports/DispForm.aspx?ID=40&Source=https%3A%2F%2Fportal%2Eemw%2Eca%2Fehs%2FLists%2FInvestigationReports%2FMyInvestigations%2Easpx&ContentTypeId=0x0100E352DB580E29424FB1C52A1D93E09345&IsDlg=1)).
Execution Time=115.2334 0c90a46f-e4ea-46b5-a566-e7a9f404c0aa
03/11/2014 10:50:15.66 w3wp.exe (0x0098) 0x16CC SharePoint Foundation
Monitoring nasq Medium Entering monitored scope (Request (GET:https://portal.emw.ca:443/ehs/_layouts/AccessDenied.aspx?Source=https%3A%2F%2Fportal%2Eemw%2Eca%2Fehs%2FLists%2FInvestigationReports%2FDispForm%2Easpx%3FID%3D40%26Source%3Dhttps%253A%252F%252Fportal%252Eemw%252Eca%252Fehs%252FLists%252FInvestigationReports%252FMyInvestigations%252Easpx%26ContentTypeId%3D0x0100E352DB580E29424FB1C52A1D93E09345%26IsDlg%3D1&Type=list&name=%7BD3F44F01%2DC738%2D409A%2DA491%2DDD0F905CC83B%7D&IsDlg=1))
03/11/2014 10:50:15.66 w3wp.exe (0x0098) 0x16CC SharePoint Foundation
Logging Correlation Data xmnv Medium Name=Request (GET:https://portal.emw.ca:443/ehs/_layouts/AccessDenied.aspx?Source=https%3A%2F%2Fportal%2Eemw%2Eca%2Fehs%2FLists%2FInvestigationReports%2FDispForm%2Easpx%3FID%3D40%26Source%3Dhttps%253A%252F%252Fportal%252Eemw%252Eca%252Fehs%252FLists%252FInvestigationReports%252FMyInvestigations%252Easpx%26ContentTypeId%3D0x0100E352DB580E29424FB1C52A1D93E09345%26IsDlg%3D1&Type=list&name=%7BD3F44F01%2DC738%2D409A%2DA491%2DDD0F905CC83B%7D&IsDlg=1) 9446cae0-8ef5-4ffa-aad8-798d3139a2e7 -
Resource view ACLs not updating [removed: duplicate post]
Removed.
An excellent suggestion and one I was just checking myself: results are NOT positive
SQL> conn TEST/TEST
Connected.
SQL> select extract(res, '/Resource/Owner') owner
from resource_view
where any_path='/home/test/test-doc.xml'; 2 3
OWNER
<Owner xmlns="http://xmlns.oracle.com/xdb/XDBResource.xsd">TEST</Owner>
SQL> select dbms_xdb.getprivileges('/home/test/test-doc.xml').getclobval() granted_privileges from dual;
GRANTED_PRIVILEGES
<privilege xmlns="http://xmlns.oracle.com/xdb/acl.xsd" xmlns:xsi="http://www.w3.
org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/xdb/acl
.xsd http://xmlns.oracle.com/xdb/acl.xsd DAV: http://xmlns.oracle.com/xdb/dav.xs
d" xmlns:xdbacl="http://xmlns.oracle.com/xdb/acl.xsd" xmlns:dav="DAV:">
<read-properties/>
<read-contents/>
<update/>
<link/>
<unlink/>
<read-acl/>
<write-acl-ref/>
<update-acl/>
<resolve/>
<link-to/>
<unlink-from/>
<dav:lock/>
<dav:unlock/>
</privilege>
Everything checks out so far, but here's the really strange one:
SQL> select dbms_xdb.aclcheckprivileges(
2 '/home/test/test-doc.xml',
3 'TEST',
4 xmltype('<privilege xmlns="http://xmlns.oracle.com/xdb/acl.xsd" xmlns:dav="dav:">
5 <read-contents/>
6 <read-properties/>
7 </privilege>'))as has_privileges
8 from dual;
HAS_PRIVILEGES
0
Basically this is saying that the owner, 'TEST', does not have permissions which he most obviously does! WTH?
I'll look into raising a TAR but I have to say that this is SO disappointing. -
Removing modify/sync NTFS permissions using removeaccessruleall in Powershell
Hi,
I've got a script together which removes all non-inherited groups from a user's home folder. It's working fine until I run into groups which have modify/sync permission. Even though I'm using the removeaccessruleall permission, those groups just don't
remove. I've attached the code I'm using below and I can provide the full script if needed.
$objAccessRule1 = New-Object System.Security.AccessControl.FileSystemAccessRule($strAccount,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$objACL.RemoveAccessRuleAll($objAccessRule1)
I'd appreciate any insight anyone can provide.
Cheers,
Ed Narayan
Hi Rohn,
Still no luck. The modify/sync permission still remains. Here's my code:
import-module activedirectory
$StrInvocation = (Get-Variable MyInvocation).Value
$strRunDir = Split-Path $StrInvocation.MyCommand.Path
$strDate = get-date -format "dd-MMM-yyyy-HHmm"
# Set everyone to list folder contents - this folder only and remove extra groups on folder
function phase1
$strSharePath = $args[0]
$objACL = Get-Acl $strSharePath
# Define permissions
$strPermission1 = "Everyone","ListDirectory","None","None","Allow"
# Attach permissions to access rules
$objAccessRule1 = New-Object System.Security.AccessControl.FileSystemAccessRule $strPermission1
# Attach access rules to ACL object
$objACL.SetAccessRule($objAccessRule1)
$objACL.PurgeAccessRules([System.Security.Principal.NTAccount]"AccountAdmins")
$objACL.PurgeAccessRules([System.Security.Principal.NTAccount]"SHR-MDRIVE")
$objACL.PurgeAccessRules([System.Security.Principal.NTAccount]"SYSTEM")
# Set access rules on ACL object
Set-Acl $strSharePath $objACL
# For each folder processed, turn on inheritance if it's off, remove orphaned acls and non-inherited groups
function phase2
[CmdletBinding()]
Param([Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
[string]$strFolder)
PROCESS{
# Set variables
$strLog = "$strRunDir\Logs\log-$strDate.txt"
$arrGroups = @()
$objACEs = @()
$objACL = get-acl $strFolder
$objACEs = $objACL.Access | Where-Object {!$_.IsInherited} | select-object IdentityReference -unique
[bool]$blnIsInherit = [bool](get-inheritance $strFolder | select-object -expandproperty inheritanceenabled)
[bool]$blnGroupExists = $false
$objChildObjects = Get-ChildItem $strFolder -recurse
write-output "`n" | Out-file $strLog -append
write-output "FOLDER:$strFolder `n" | Out-file $strLog -append
write-output "Inheritance enabled - $blnIsInherit `n" | Out-file $strLog -append
# If inheritance is turned off, enable it
if(!$blnIsInherit)
write-output "Enabling inheritance for $strFolder`n" | Out-file $strLog -append
$objACL.SetAccessRuleProtection($False, $True)
# If non-inherited permissions exist, process each of them
if(($objACEs| Measure-Object).Count -gt 0)
foreach($objACE in $objACEs)
[bool]$blnIsGroup = $false
[string]$strAccount = $objACE.IdentityReference
if($strAccount -like "*\*")
$arrSplit = $strAccount.split("\")
$strAccount= $arrSplit[1]
# Check if permission is for a group
$blnIsGroup = [bool](get-adgroup $strAccount -erroraction silentlycontinue)
# If permission is for a group, create an acl entry for removing it. Multiple remove entries can be created depending on the number of groups found
if($blnIsGroup)
Write-output "Removing:$strAccount`n" | Out-file $strLog -append
$objACL.PurgeAccessRules([System.Security.Principal.NTAccount]$strAccount)
if($strAccount-like "*SYSTEM*" -or $strAccount-like "*CREATOR OWNER*" -or $strAccount-like "*USERS*" -or $strAccount-like "*Administrators*" -or $strAccount-like "*S-1-5-*")
Write-output "Removing:$strAccount`n" | Out-file $strLog -append
$objACL.PurgeAccessRules([System.Security.Principal.NTAccount]$strAccount)
Set-acl $strFolder $objACL
Phase 1 changes the everyone group to list folder contents on this folder only and removes a bunch of groups from the root folder.
Phase 2 removes all orphaned sids and non-inherited groups from the folder and turns on inheritance if it's turned off.
At this stage, this feels like a bug within the ACL cmdlets.
Cheers,
Ed -
How to determine the owner of the current package ?
From a package (that is defined with invoker's rights: AUTHID CURRENT_USER) I want to determine the owner of that package. (We plan to deploy the same code into multiple schemas.)
One approach would be to parse the results of DBMS_UTILITY.format_call_stack . . . any other ideas?
Thanks,
Mikemtefft wrote:
We are using Total Recall aka Flashback Data Archive.
If you have a Flashback Data Archive on a table, you can not drop it without removing the archive, and to do that you need ADMINISTER FLASHBACK ARCHIVE privilege. We want to give users the ability to remove the flashback archive (this is an ALTER TABLE) from their own tables without granting that privilege.
So, we have a utilty schema which has this privilege. We created a definer-rights package to issue the alter, but it does not have ALTER ANY TABLE privilege. So, we added an invoker-rights package that the table-owner can call. This first issues GRANT ALTER ON [input-table-name] TO itself, then calls the definer-rights package, which now has both the system privilege and the object privilege needed. Why not just create a procedure owned by an "admin" user that does the alter table and grant execute on the proc to the utility schema ?
As an example with scott and sys (using sys in a real-world system would be a Bad Idea© but I'm on a playground database on my laptop) :
As Scott :Scott@my11g SQL>!cat createTable.sql
create table mytable (
id integer,
val varchar2(30),
constraint mytable_pk primary key(id)
Scott@my11g SQL>@createTable
Table created.As admin user :Sys@my11g SQL>!cat startFlashback.sql
alter table scott.mytable flashback archive fl_archive;
Sys@my11g SQL>alter table scott.mytable flashback archive fl_archive;
Table altered.
Sys@my11g SQL>select * from dba_flashback_archive_tables;
TABLE_NAME OWNER_NAME FLASHBACK_ARCHIVE_NAME
ARCHIVE_TABLE_NAME STATUS
MYTABLE SCOTT FL_ARCHIVE
SYS_FBA_HIST_79498 ENABLEDAs admin user, I create the procedure and grant execute to scott :Sys@my11g SQL>!cat createProc.sql
create or replace procedure remove_flarch(
p_tabname varchar2
is
l_strcmd varchar2(200);
begin
for cur in (
select owner, table_name from dba_tables where owner=user and table_name=upper(p_tabname)
) loop
l_strcmd := 'alter table '||cur.owner||'.'||cur.table_name||' no flashback archive' ;
execute immediate l_strcmd ;
end loop;
end;
sho err
grant execute on remove_flarch to scott;
Sys@my11g SQL>@createProc.sql
Procedure created.
No errors.
Grant succeeded.As Scott I cannot disable the flashback archive explicitly :Scott@my11g SQL>alter table mytable no flashback archive ;
alter table mytable no flashback archive
ERROR at line 1:
ORA-55620: No privilege to use Flashback ArchiveBut I can do it using the procedure :Scott@my11g SQL>begin
2 sys.remove_flarch('MYTABLE');
3 end;
4 /
PL/SQL procedure successfully completed.Checking from admin point of view :Sys@my11g SQL>select * from dba_flashback_archive_tables;
no rows selected
mtefft wrote:All is well, except for the fact that we want to deploy this under multiple schemas. So we need to know 'to whom should the ALTER TABLE grant be given?'Just grant execute on the procedure to your different users.
Maybe you are looking for
-
Can I have help please?
-
SDK 3.0: Compiler bug with std::deque?
When I call std::deque::assign(), I get all kinds of compile-time errors, including internal compiler errors. Note, however, that this happens only when I compile for the 3.0 device. It does not happen when I compile for the 3.0 simulator, 2.x device
-
Speakers compatible with classic
After reading the discussion about the problems people are having with the camera connector not being compatible with the classic I am now wondering if speakers designed for use with ipods like the logic3 ones are compatible or not. I plugged a £5 se
-
I have been unable to sync my ipad, iPhone or I touch since the iOS update....help!
I have been unable to sync my ipad, iPhone or itouch since iOS update need help!
-
Coverting a 8 x 11 pdf to a 6 x 9 pdf for publishing
I have a EPUB pdf which is 8 x 11. I need to convert it to 6 x 9 so I can use it to publish it on Amazon's CreateSpace and Kindle Demand Print. How do I do this?