(imported topic written by SystemAdmin)
I am trying to develop relevance to be able to check permissions of certain files/folders to ensure only authorized users have elevated access. I’d like to stick to comparing “effective access mode,” instead of querying each permission separately. I’d like to have it output each entry on the DACL that has access mode greater than what is specified. Here’s an example:
Folder: C:\test
Access Mode: 1179817
Here’s what I came up with, it outputs the access modes, but without the account names associated with them:
effective access modes for ((account names of trustees of entries of dacls of security descriptors of folder “c:\test”) as string) of dacls of security descriptors of folder “c:\test”
How can I do an if
access mode > 1179817
then
account name,access mode
else
compliant
?