Starrett2005
asked on
Powershell limits
I'm trying to run a file system security audit on a W2k3 file server with a PowerShell 2.0 script. I've run into a few problems:
1) I can't seem to log Folder permissions if my Domain Admin account doesn't have permission to the folder/file.
2) There appears to be a path limit of 260.
I'm using a script found here: http://jfrmilner.wordpress.com/2011/05/01/audit-ntfs-permissions-powershell-script/#comment-43
Is there a way to run a PowerShell script with "System" level or "Backup" level permissions to get by any directory access problem?
Is there a directory path limit in Powershell?
Thanks
Errors:
Get-ChildItem : The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters,
and the directory name must be less than 248 characters.
At C:\cmd\Get-PathPermissions.ps1:10 char:29
+ $containers = Get-ChildItem <<<< -path $Path -Recurse -Force | ? {$_.psIscontainer -eq $true}
+ CategoryInfo : ReadError: (F:\GroupData…ation work data:String) [Get-ChildItem], PathTooLongException
+ FullyQualifiedErrorId : DirIOError,Microsoft.PowerShell.Commands.GetChildItemCommand
Get-ChildItem : Access to the path 'F:\GroupData\Accounting\Cost Accounting Archives' is denied.
At C:\cmd\Get-PathPermissions.ps1:10 char:29
+ $containers = Get-ChildItem <<<< -path $Path -Recurse -Force | ? {$_.psIscontainer -eq $true}
+ CategoryInfo : PermissionDenied: (F:\GroupData…unting Archives:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
ASKER
MAXPATH:
I will try the \\?\ prefix and see if that works as described in: http://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx
Script access to ACL on Directories/Files:
I already run the script as a Domain Admin (which has the Backup Privilege) and get the posted access errors. I remember that the utility RoboCopy has a switch to run with backup privilege when access is denied. I'm trying to see if Powershell includes something similar.
robocopy will then use VSS to copy the files
ASKER
OK, that makes sense for Robocopy, but all backup software is somehow allowed to backup files even if the account scheduled to run the backup doesn't have access to the files interactively. Example: WindowsNT4.0 "ntbackup" app. There must be some way for the Powershell script to gain this access to pull ACL's off of Folder/File objects.
ASKER
So far I haven't had any luck with the MAXPATH. Is there any other method to pull acl's from directories that have not been granted access to?
No, the security model won't allow this.
ASKER
ve3ofa,
Is there a Microsoft post available that would state this? I need this to present to management before they approve changing permissions on everything to allow an Admin account access so we can query ACL's appropriately.
ASKER
Thanks
This is a known problem; not all Windows APIs support more than the system MAXPATH of 260.
Workarounds
Is there a way to run a PowerShell script with "System" level or "Backup" level permissions to get by any directory access problem?
Is there a directory path limit in Powershell?
You could try starting PowerShell with a runas with a user that is a member of the Backup Operators group.
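An added example, not part of the original thread or the linked script: a PowerShell 2.0-compatible audit pass that records every folder it could not enumerate or read as an explicit gap, classified by the two exception types shown in the question, so the ACL report states what it does not cover. The root path, CSV file names and helper function names are assumptions for illustration.

```powershell
# Added example (not from the thread). $Root and the CSV names are assumed values.
param(
    [string]$Root   = 'F:\GroupData',
    [string]$AclCsv = '.\acl-audit.csv',
    [string]$GapCsv = '.\acl-audit-gaps.csv'
)

function Get-GapReason($ErrorRecord) {
    # Classify the two failures shown in the question; anything else keeps its type name.
    $ex = $ErrorRecord.Exception
    if ($ex -is [System.IO.PathTooLongException])     { return 'PathTooLong' }
    if ($ex -is [System.UnauthorizedAccessException]) { return 'AccessDenied' }
    return $ex.GetType().Name
}

function New-Gap($Path, $Stage, $ErrorRecord) {
    # One row per path the audit could not cover, with the stage that failed.
    New-Object PSObject -Property @{
        Path = [string]$Path; Stage = $Stage
        Reason = (Get-GapReason $ErrorRecord); Message = $ErrorRecord.Exception.Message
    }
}

# Walk the tree without stopping; failures are collected in $walkErrors, not lost.
$folders = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue `
        -ErrorVariable walkErrors | Where-Object { $_.PSIsContainer })

$gaps = @()
foreach ($e in $walkErrors) { $gaps += New-Gap $e.TargetObject 'Enumerate' $e }

# Read each folder's ACL; a folder that can be listed but not read is also a gap.
$aces = @(foreach ($f in $folders) {
    try { $acl = Get-Acl -Path $f.FullName -ErrorAction Stop }
    catch { $gaps += New-Gap $f.FullName 'GetAcl' $_; continue }
    foreach ($ace in $acl.Access) {
        New-Object PSObject -Property @{
            Path = $f.FullName; Owner = $acl.Owner; Identity = $ace.IdentityReference
            Rights = $ace.FileSystemRights; Type = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
})

$aces | Select-Object Path, Owner, Identity, Rights, Type, Inherited |
    Export-Csv -Path $AclCsv -NoTypeInformation
$gaps | Select-Object Path, Stage, Reason, Message |
    Export-Csv -Path $GapCsv -NoTypeInformation
"{0} folders audited, {1} gaps" -f $folders.Count, $gaps.Count
```

A subtree that fails at the Enumerate stage is not descended into, so each gap row marks a whole branch the report does not cover, not just one folder.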