Checking owner of SQL files

  • Shawn Melton

    SSC-Insane

    Points: 24675

    For those that work with miltary or any government agency you have to deal with DoD STIGs (basic security hardening of SQL Server installations). One of those checks is the ownership of all the DBMS and dependent application software and configuration files. Which it pretty much wants to see the installation account and/or the service account running SQL to own the files.

    I thought I could do it with PowerShell. Which I have gotten to a point where I'm stuck.

    This gives me the path and filename that I need in order to use this command to get the Owner:

    $path = 'T:\MSSQL'

    dir $path -Recurse | ft FullName

    This gets the owner:

    (Get-Acl 'T:\MSSQL\log\ERRORLOG').Owner

    Which I though something like this would work but it don't:

    dir $path -Recurse | ft FullName | ForEach-Object {(Get-Acl $_).Owner}

    I would also like to do something like this as well:

    dir $path -Recurse | ft FullName | ForEach-Object {(Get-Acl $_).Access | `

    ft FileSystemRights, AccessControlType, IdentityReference -AutoSize}

    According to help for Get-Acl it accepts System.String as an input.

    How can I go about changing the object returned in the "ft Fullname" to a string so that the ForEach-Object cmdlet will accept it?

    Or is there another way of doing it?

    Shawn Melton
    Twitter: @wsmelton
    Blog: wsmelton.github.com
    Github: wsmelton

  • Joie Andrew

    One Orange Chip

    Points: 27295

    dir $path -Recurse | ft FullName | ForEach-Object {(Get-Acl $_).Owner}

    I think this may not be working because foreach-object needs to reference an array object to work like foreach-object {<$object> in <$array>}

    I would also like to do something like this as well:

    dir $path -Recurse | ft FullName | ForEach-Object {(Get-Acl $_).Access | `ft FileSystemRights, AccessControlType, IdentityReference -AutoSize}

    According to help for Get-Acl it accepts System.String as an input.

    How can I go about changing the object returned in the "ft Fullname" to a string so that the ForEach-Object cmdlet will accept it?

    Or is there another way of doing it?

    Not sure if you're going to be able to do this with one command. You may have to run through every object in the foreach loop extracting the string property you need in a step of the loop and then pass that to get-acl.

    Joie Andrew
    "Since 1982"

  • Jeffrey Williams

    SSC Guru

    Points: 88545

    For the owner:

    PS> $path = 'T:\MSSQL'

    PS> Get-ChildItem $path -Recurse | % {(Get-Acl $_)} | Format-Table

    By default, that will get you the Path, Owner and Access. Not sure about the other values you are looking for. I am not sure where those would be coming from.

    Jeffrey Williams
    Problems are opportunities brilliantly disguised as insurmountable obstacles.

    How to post questions to get better answers faster
    Managing Transaction Logs

  • Jeffrey Williams

    SSC Guru

    Points: 88545

    Another option is:

    PS> Get-ChildItem $path -Recurse | % {$_.GetAccessControl()}

    Or, you can use an expression:

    PS> Get-ChildItem $path -Recurse | Format-Table FullName, @{Label="Owner";Expression={$_.GetAccessControl().Owner}}

    Jeffrey Williams
    Problems are opportunities brilliantly disguised as insurmountable obstacles.

    How to post questions to get better answers faster
    Managing Transaction Logs

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply