My name is Rohn Edwards, and I’m a system administrator and PowerShell enthusiast.

  1. Serge says:

    Thanks a million Rohn for building that module. Saves so much time and effort. I’m trying out the Get-SecurityDescriptor functionality on Powershell 2.0 and so far so good – but ! ( there’s always one 😉 ) some SIDs aren’t recognized by the function. I’m trying it out remotely on a SQL server and the SQLServer..$… account SIDs aren’t translated. You can do a quick check with part of a script I presently use just to get the trustee list and compare with your function.
    gwmi win32_share -cn $sqlserver -filter “type=0” |select -exp name | %{gwmi -class win32_logicalsharesecuritysetting -computername $sqlserver -filter “name=’$_'”} |
    %{$shareName = $_.name ; $_.getsecuritydescriptor().descriptor.DACL }| %{$_.trustee.name}
    It might simply be a parameter that I’m not using or a filtering out of specific local accounts.
    Let me know.

    • Rohn Edwards says:

      Name translations for local accounts on remote systems do not currently work. I am working on this, though. The latest version has functions that will do SID->Account and Account->SID translations against remote computers. The account to SID works really well because you can put the account in the COMPUTERNAME\USERNAME form, and it works without having to change any other module internals. I’ve got some ideas that should fix what you’re describing, too (I’m guessing that it just shows the SID, correct)?

      I appreciate you using the module, and also letting me know that this issue is affecting you. Hopefully within the next few days I’ll have the next version posted, and hopefully I will have added the SID->Account translation for remote systems. I can tell you that the features that have already been implemented (I’m still testing) are pretty cool.

  2. Serge says:

    I realy do appreciate the process flow you’ve used in having taken the object types as a key element in parsing through the hex conversion and various other similar ‘handles’. It’s something I’ve never done (yet) and once you decipher it, it’s a satisfying ‘ha ha moment’. Yes just the “Account unknown SID” is shown. Thanks for the workaround and will surely check the updates.

  3. Geert says:

    Dear Rohn,

    What a fantastic tool you have created… Great for ntfs auditing!

    I only have one request… would it be possible to add another noteproperty: “inherited” to the get-effectiveaccess cmd-let?

    Kind regards,


    • Geert says:

      And to make it even more useable, a “-noinherited permissions” filter would make it the absolute best thing…

      • Rohn Edwards says:

        Get-EffectiveAccess isn’t really meant to show where access comes from. Its main purpose is to show what the true access is for a given user, after all group memberships and allow/deny ACEs have been taken into account.

        I think you might be looking for the functionality provided by the Get-AccessControlEntry function. It already has -Inherited and -NotInherited switch parameters, along with other parameters that allow filtering (you can filter on pretty much any ACE component).

        If you’ve already looked at the Get-AccessControlEntry and it’s not doing what you need, can you briefly describe what functionality you’re looking for.

        Thanks for using the module and providing feedback!

  4. AK says:

    Hello Rohn. I’m looking for sample code from your PS Summit 2016 presentation on PS Modules using Metaprogramming. Please let me know if it is available anywhere. Thank you!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s