[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Powershell limits

Posted on 2012-04-03
9
Medium Priority
?
2,162 Views
Last Modified: 2013-03-13
I'm trying to run a file system security audit on a W2k3 file server with a Powershell2.0 script, I've ran into a few problems:
1) I can't seem to log Folder permissions if my Domain Admin account doesn't have permission to the folder/file.
2) There appears to be a path limit of 260.
I'm using a script found here: http://jfrmilner.wordpress.com/2011/05/01/audit-ntfs-permissions-powershell-script/#comment-43

Is there a way to run a powershell script with "System" level or "Backup" level permissions to get by any directory access problem.
Is there a directory path limit in Powershell?
Thanks

Errors:
Get-ChildItem : The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters,
and the directory name must be less than 248 characters.
At C:\cmd\Get-PathPermissions.ps1:10 char:29
+ $containers = Get-ChildItem <<<< -path $Path -Recurse -Force | ? {$_.psIscontainer -eq $true}
+ CategoryInfo : ReadError: (F:\GroupData…ation work data:String) [Get-ChildItem], PathTooLongException
+ FullyQualifiedErrorId : DirIOError,Microsoft.PowerShell.Commands.GetChildItemCommand

Get-ChildItem : Access to the path 'F:\GroupData\Accounting\Cost Accounting Archives' is denied.
At C:\cmd\Get-PathPermissions.ps1:10 char:29
+ $containers = Get-ChildItem <<<< -path $Path -Recurse -Force | ? {$_.psIscontainer -eq $true}
+ CategoryInfo : PermissionDenied: (F:\GroupData…unting Archives:String) [Get-ChildItem], UnauthorizedAccessExcept
ion
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
0
Comment
Question by:Starrett2005
  • 5
  • 4
9 Comments
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 37805327
Maximum path 260
This is a known problem, not all windows api's support more than the system MAXPATH of 260
Work Arounds

Is there a way to run a powershell script with "System" level or "Backup" level permissions to get by any directory access problem.
Is there a directory path limit in Powershell?


you could try starting powershell with a runas with a user that is a member of the backup operators group
0
 

Author Comment

by:Starrett2005
ID: 37806047
MAXPATH:
I will try the \\?\ prefix and see if that works as described in: http://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx

Script access to ACL on Directories/Files:
I already run the script as a Domain Admin (which has the Backup Privilege) and get the posted access errors. I remember that the utility RoboCopy has a switch to run with backup privilege when access is denied.  I'm trying to see if Powershell includes something similar.
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 37806120
robocopy will then use VSS to copy the files
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 

Author Comment

by:Starrett2005
ID: 37806166
OK, that makes sense for Robocopy, but all backup software is somehow allowed to backup files even if the account scheduled to run the backup doesn't have access to the files interactively. Example: WindowsNT4.0 "ntbackup" app.  There must be some way for the Powershell script to gain this access to pull ACL's off of Folder/File objects.
0
 

Author Comment

by:Starrett2005
ID: 37825019
So far I haven't had any luck with the MAXPATH. Is there any other method to pull acl's from directories that have not been granted access to?
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 37825218
no the security model won't allow this
0
 

Author Comment

by:Starrett2005
ID: 37827317
ve3ofa,

Is there a Microsoft post available that would state this.  I need this to present to management before they aprove changing permissions on everything to allow an Admin account access so we can query ACL's appropriately.
0
 
LVL 84

Accepted Solution

by:
David Johnson, CD, MVP earned 2000 total points
ID: 37827928
If you can't access it via explorer then you can't access it via powershell, it is that simple NTFS file permissions. http://technet.microsoft.com/en-us/library/cc785144%28v=ws.10%29.aspx
0
 

Author Closing Comment

by:Starrett2005
ID: 38981444
Thanks
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

My attempt to use PowerShell and other great resources found online to simplify the deployment of Office 365 ProPlus client components to any workstation that needs it, regardless of existing Office components that may be needing attention.
Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes.  We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question