Unable to determine effective permissions

Sep 17, 2014 at 1:14 PM
Very handy code but I am unable to obtain effective permissions on remote file systems. I have tried using URL and mapped drives but it always returns no permission.
Works great on local drives
Coordinator
Oct 23, 2014 at 9:16 AM
Edited Oct 23, 2014 at 9:16 AM
Hi,

Getting the effective access on a remote system works in my case, however with limitations:
PS C:\Users\Administrator> Get-Item '\\contosodc1\c$\ClassicShell.exe' | Get-EffectiveAccess -Account contoso\dev

    Path: \\contosodc1\c$\ClassicShell.exe (Inheritance disabled)


Account                             Access Rights  Applies to                Type           IsInherited   InheritedFrom
-------                             -------------  ----------                ----           -----------   -------------
CONTOSO\dev                         ReadAndExec... ThisFolderOnly            Allow          False
I am working on a machine in the Contoso domain and requesting the effective access from a DC in a child domain. However this does not work when specifying an account of another domain.

There seem to be some limitations with the GetEffectiveRightsFromAcl function. GetEffectiveRightsFromAcl states:
A trustee's group rights are enumerated by GetEffectiveRightsFromAcl on the local computer, even if the trustee is accessing objects on a remote computer. This function does not evaluate group rights on remote computers.
I am going to rewrite the stuff using the AuthZ API. That would be part of the next release.

Thanks,
Raimund
Marked as answer by raandree on 11/13/2014 at 6:48 AM