effective permissions for domain group always return 'None'

Jun 11, 2014 at 11:19 AM
Hello,
I use FSS module to collect permissions on a series of directories.
For local objects and domain users it works great.
But when passing domain group it always returns 'None' even when ACE is applied directly without inheritance.
Image
Coordinator
Oct 23, 2014 at 9:13 AM
Hi,

I have just tested this with version 3 of NTFSSecurity. It does works:
PS C:\> Get-Item .\inetpub | Get-EffectiveAccess -Account Contoso\Dev


    Path: C:\inetpub (Inheritance disabled)


Account                             Access Rights                 Applies to                Type                          IsInherited                  InheritedFrom
-------                             -------------                 ----------                ----                          -----------                  -------------
CONTOSO\dev                         ReadAndExecute, Synchronize   ThisFolderOnly            Allow                         False


PS C:\> Get-Item .\inetpub | Get-EffectiveAccess -Account Child\a877777


    Path: C:\inetpub (Inheritance disabled)


Account                             Access Rights                 Applies to                Type                          IsInherited                  InheritedFrom
-------                             -------------                 ----------                ----                          -----------                  -------------
CHILD\a877777                       None                          ThisFolderOnly            Allow                         False


PS C:\> Get-Item .\inetpub | Add-Access -Account child\a877777 -AccessRights ReadAndExecute
PS C:\> Get-Item .\inetpub | Get-EffectiveAccess -Account Child\a877777


    Path: C:\inetpub (Inheritance disabled)


Account                             Access Rights                 Applies to                Type                          IsInherited                  InheritedFrom
-------                             -------------                 ----------                ----                          -----------                  -------------
CHILD\a877777                       ReadAndExecute, Synchronize   ThisFolderOnly            Allow                         False
Can you please try to test it again with version 3?

Thanks,
Raimund
Oct 23, 2014 at 12:55 PM
Hello,
I still get the same output:
Image
Coordinator
Oct 23, 2014 at 12:57 PM
Thanks for the update. Are the machine you are running the command on and the account IT-GLB-SOE-IIS in the same domain?
Oct 23, 2014 at 1:18 PM
Confirm
Nov 3, 2014 at 10:09 AM
Hello, here's little update to the topic

Scenario
Permission directly applied to directory (like in the picture form previous message)

Get-EffetctiveAccess ... - returns None access rights
Get-ACE ... - returns correct value
Coordinator
Nov 4, 2014 at 9:37 AM
Hi,

I have just uploaded version 3.1. Can you please try reading the effective again? Now the cmdlet uses AuthzAccessCheck instead of GetEffectiveRightsFromAcl. The AuthzAccessCheck function also supports calculating the effective permissions on a remote machine. Use the ServerName parameter for that.

Thanks,
Raimund
Marked as answer by raandree on 11/4/2014 at 2:58 AM
Nov 4, 2014 at 10:11 AM
Looks like we have a winner :)
Thanks
Jan 8, 2015 at 7:55 AM
Hi again, I thinkg something is broken again with effective permissions. I'm not sure what is this warning pointing to
Image