Get-Acl without inheritance

Todas as Respostas

• sexta-feira, 23 de janeiro de 2009 19:20Marco ShawMVP, Moderador

   
  

  0

  Entrar para Votar
  I think you can get this by looking at the SDDL value for a folder.  There may be easier ways, but I think this will work for you:

  1	$no_inh=get-acl .|foreach{$_.sddl}
  2	gci . -rec|where{$_.psiscontainer}|foreach{if(($_|get-acl|foreach{$_.sddl}) -eq $no_inh){$_.fullname}}

  On line 1, I move to a directory where I know inheritance has been removed.  I save the SDDL string to a variable.

  On line 2, I get the ACLs and SDDL for every directory, then compare the SDDL against my variable, if the SDDLs match, I have a directory without inheritance, and I print out the full directory name.

  [EDIT: I reread your post.  I think I've missed the point.  Please provide feedback.]
  

  • EditadoMarco ShawMVP, Moderadorsábado, 24 de janeiro de 2009 1:39feedback needed
  • Sugerido como RespostaMervyn ZhangMSFT, Moderadorsegunda-feira, 26 de janeiro de 2009 6:38
  • Marcado como RespostaMervyn ZhangMSFT, Moderadorquinta-feira, 29 de janeiro de 2009 3:43
  • Não Sugerido como RespostaMervyn ZhangMSFT, Moderadorsegunda-feira, 26 de janeiro de 2009 6:38
  • Sugerido como RespostaMarco ShawMVP, Moderadorsexta-feira, 23 de janeiro de 2009 19:21
  •  
  • Responder
  • Citação

   
• domingo, 1 de fevereiro de 2009 18:38dmdamen

   
  

  0

  Entrar para Votar
  The line of code below will show you all file names that have explicit security set.
  
  get-childitem -recurse | where-object {$_.mode -match "d"} | %{$file=$_;get-acl $($_.FullName)} | %{$_.GetAccessRules($True,$False,[Security.Principal.SecurityIdentifier]) | %{write-host "$($file.FullName) has explicit security set"}}
  

  • Sugerido como Respostadmdamen domingo, 1 de fevereiro de 2009 18:39
  •  
  • Responder
  • Citação

   
• sexta-feira, 19 de junho de 2009 18:14Scott Meilicke

   
  

  0

  Entrar para Votar
  I know this thread is quite old, but here is how I did this. Keep in mind I am quite new to powershell, so I like to spell things out. I would be interested in techniques to speed this up. if ($args.length -ne 2) { "This script takes exactly two arguments, in this order: file for output, a path to analyze" } else { $path = $args[1] $outPutFile = $args[0] $startDate = Get-Date #Build information for the header of the output file. `r`n is a carrage return/line feed. $header = "Start: " + $startDate + "`r`n" + "Output file: " + $outPutFile + "`r`n" + "Path analyzed: " + $path + "`r`n" out-file -encoding ASCII -filePath $outPutFile -append -InputObject $header # Get all directories, not files, get their ACLs, and stuff them into a variable ($dirs). $dirs = Get-ChildItem $path -Recurse -Force | ? { $_.GetType() -like 'System.IO.DirectoryInfo'} | get-ACL Foreach ($dir in $dirs) { Foreach ($Access in $dir.Access) { $Inherited = [string]$Access.IsInherited if ($Inherited -eq "False") { $pathPieces = $dir.Path.split(":") $output = $PathPieces[2] + ":" + $pathPieces[3] + ", " + $Access.IdentityReference + ", " + $Access.FileSystemRights out-file -encoding ASCII -filePath $outPutFile -append -InputObject $output } } } $endDate = Get-Date $elapsedTime = $endDate - $startDate $footer = "`r`nRun completed at: " + $endDate + "`r`n" + "Elapsed Time:`r`n" + $elapsedTime + "`r`n" out-file -encoding ASCII -filePath $outPutFile -append -InputObject $footer } -Scott

  
  

  EDIT - shoot, sorry for the crappy word wrapping.
  • Responder
  • Citação

   
• quinta-feira, 15 de outubro de 2009 14:34cbreaker

   
  

  0

  Entrar para Votar
  Hi Scott,
  
  I can't seem to get your example to work.    I'm really no powershell programmer and I think I have the wrapping all wrong.  Since powershell uses CRLF's to seperate commands (against say Bash) when it's all on one big line it won't run.
  
  Any help?
  
  • Responder
  • Citação

   
• quinta-feira, 15 de outubro de 2009 14:35cbreaker

   
  

  0

  Entrar para Votar
  Replying to myself to enable e-mail notification..
  • Responder
  • Citação

   
• quinta-feira, 15 de outubro de 2009 14:51Marco ShawMVP, Moderador

   
  

  0

  Entrar para Votar
  I'll fix up the code in the next 24 hours and post it as a script, and that should help...
  
  • Responder
  • Citação

   
• sexta-feira, 16 de outubro de 2009 10:07Marco ShawMVP, Moderador

   
  

  0

  Entrar para Votar
  I think this is fixed up properly.  I haven't tested it yet:
  
  

  if ($args.length -ne 2) { 
    "This script takes exactly two arguments, in this order: file for output, a path to analyze" 
  } 
  else { 
    $path = $args[1] 
    $outPutFile = $args[0] 
    $startDate = Get-Date 
    #Build information for the header of the output file. `r`n is a carrage return/line feed. 
    $header = "Start: " + $startDate + "`r`n" + "Output file: " + $outPutFile + "`r`n" + "Path analyzed: " + $path + "`r`n" 
    out-file -encoding ASCII -filePath $outPutFile -append -InputObject $header 
    # Get all directories, not files, get their ACLs, and stuff them into a variable ($dirs). 
    $dirs = Get-ChildItem $path -Recurse -Force | ? { $_.GetType() -like 'System.IO.DirectoryInfo'} | get-ACL 
    Foreach ($dir in $dirs) { 
      Foreach ($Access in $dir.Access) { 
        $Inherited = [string]$Access.IsInherited 
        if ($Inherited -eq "False") { 
          $pathPieces = $dir.Path.split(":") 
          $output = $PathPieces[2] + ":" + $pathPieces[3] + ", " + $Access.IdentityReference + ", " + $Access.FileSystemRights 
          out-file -encoding ASCII -filePath $outPutFile -append -InputObject $output 
        } 
      } 
    } 
    $endDate = Get-Date 
    $elapsedTime = $endDate - $startDate 
    $footer = "`r`nRun completed at: " + $endDate + "`r`n" + "Elapsed Time:`r`n" + $elapsedTime + "`r`n" 
    out-file -encoding ASCII -filePath $outPutFile -append -InputObject $footer 
  }
  

  • Responder
  • Citação