Useful WMI(C) commands

Sometimes you need to run WMI queries on older Windows machines or in Preinstallation Environment (WinPE) environments. So with powershell its really easy, Get-WMIObject -Class win32_WhatYouWant. So now you are stuck without Powershell, lets use the old WMIC command instead. WMIC has been available from Windows 2003. [Read more…]

Incorrectly ordered NTFS ACEs?

I got a question today about a strange permissions problem one of their users was having. Even more strange when the checked the permissions on the folder they got the following:

The permissions on Sub_Directory are incorrectly ordered, which may cause some entries to be ineffective.

Well what is this? Microsoft has a few articles about things like this.

But since this was a users homedirectory we decided just to reset all the permissions on the users folder. [Read more…]

Playing with NTFS permissions

So if you need to see what the different parts mean look at my earlier post about icacls rights.

What is needed for

Allow users to create folders but not see all if Access Based Enumeration is enabled. Good for home folders.

Remove all rights for the SID for Authenticated users below and on all files / Folders below.

Grant the Creator fullcontrol of new folders

Icacls rights

These are the simple rights

Short form Long Name Explorer Checkboxes
Short form Long Name Explorer Checkboxes
N No Access None
F Full access Full Control
M Modify access Modify/ Read & Execute/ List folder contents/ Read
RX Read and execute access Read & Execute/ List folder contents/ Read
R Read-only access Read
W Write-only access Write
D Delete access Hidden under Special permissions

These are the specific rights

Short form Long Name Explorer Checkboxes
Short form Long Name Explorer Checkboxes
DE Delete Delete
RC Read control Read permissions
WDAC Write DAC Change permissions
WO Write owner Take ownership
S Synchronize ?
AS Access system security ?
MA Maximum allowed ?
GR Generic read List folder / Read data / List folder / Read data / Read extended attributs / Read permissions
GW Generic write Create files / Write data / Create folders / Append data / Write Attributes / Write extended attributes / Read Permissions
GE Generic execute Traverse folder / Execute file / Read Permissions
GA Generic all All Checked (Full control)
RD Read data/ List directory List Folder / Read data
WD Write data / Add file Create files / Write data
AD Append data / Add subdirectory Create folders / Append data
REA Read extended attributes Read extended attributes
WEA Write extended attributes Write extended attributes
X Execute / Traverse Traverse folder / Execute file
DC Delete child Delete subfolders and files
RA Read attributes Read attributes
WA Write attributes Write attributes

Inheritance

Short form Long Name
Short form Long Name
OI Object inherit
CI Container inherit
IO Inherit only
NP Dont propagate inherit
I permission inherited from parent container

So when you do simple rights in explorer it will select both OI and CI. Which means all files and folders and the current folder.

 

Moving a fileshare on the same server

So I saw a question on Social Technet and decided to answer it. So how do I move a server share from one drive to another in the same computer.

First we need to have the data on the new location. I prefer to use robocopy with a minimum of /E /COPYALL.

To make sure nobody changes the data during the final copy I suggest stopping the server service. So now the data is migrated, what about the share then. Since we know that to migrate shares between servers by dumping the registry, just changing the path is simple.

[Read more…]

Dumping shares from the registry

Most people know that dump all shares on a server to a .reg file to be able to add them to another server.

Where do Windows store all the shares?

Windows stores the share information in the registry.

Registry LanmanServer Shares

So how can I easily export the shares to a file

Im a powersheller, isnt there a cmdlet?

If you are fortunate enough to run Windows 2012 or later you have Get-SMBShare and Get-SmbShareAccess.

Get the shares back now then

If you have exported the share to a registry file. Well just reimport the regfile. And restart the Server service.

Well if you are running 2012 or later on both the origin and destination server you could build a simple script with New-CIMSession, Get-SMBShare, Get-SMBShareAccess and New-SMBShare.

UAC modified groups

So I was searching for which groups that User Access Control (UAC) removes from the default kerberos ticket. After alot of googling, and even reading the old UAC blog. So I decided to make the list myself. And not finding it I decided to build the list.

But first what is UAC?

UAC helps secure a system by removing some groups from the kerberos ticket used by Explorer.exe. When you run a program as Administrator it will run with the full kerberos ticket.

Which windows groups are removed from the default kerberos ticket? [Read more…]

Remove NTFS rights inheritance using Powershell

So I needed to remove the inheritance of a folder. Yes its easy to do with icacls, just icacls /inheritance:e|d|r. Where E is enable, D is copy all ACEs and R removes all inherited rights.
But this is about doing it with powershell. [Read more…]

Getting the MD5 or SHA1 of a file?

If you are running the latest version of windows you can use the new Cmdlet Get-FileHash. For all others Microsoft has a tool called Microsoft File Checksum Integrity Verifier or FCIV for short.

The cmdlet supports the following hashes.. SHA1,SHA256,SHA384,SHA512,MACTripleDES,MD5,RIPEMD160
The FCIV supports SHA1 and MD5.

Examples:

[Read more…]

Excel and Delete / Create file rights

So the regular reasons I get involved with excel are due to the fact I have a customer that one of the following:

  • The users should be able to edit but not delete any excel file.
  • The users should be able to edit but not create new excel files.
  • A report of something.

The last seems like the hardest, but neither of the first are possible at all. Both of these seem quite simple, just deny create file or the delete rights. But it’s not that simple. It has been tried more than once and been asked 1000 times on forums around the world. So what does really happen and why?

Excel will create a temporary file to make sure that the contents is ALWAYS on disk even if your computer fails during the save. Below is a more complete version of what happens. [Read more…]