Retrieving a List of ACLs in a Folder Tree

  • Question

  • Hello,

    I need the help of PowerShell experts.

    It is required to get an access control list (ACL) for the folder tree, excluding some accounts such as BUILTIN\Administrators, NT AUTHORITY\SYSTEM, CREATOR OWNER, etc. The task is complicated by the fact that the path length for some folders exceeds 256 characters. I found 2 scripts that completely solve this problem, but could not combine them into one.

    1. Getting ACLs from the folder tree (does not work with long paths)

    $AllFolders = Get-ChildItem -Directory -Path "d:\tmp" -Recurse -Force
    $Results = @()
    Foreach ($Folder in $AllFolders) {
        $Acl = Get-Acl -Path $Folder.FullName
        foreach ($Access in $acl.Access) {
            if ($Access.IdentityReference -notlike "BUILTIN\Администраторы" -and $Access.IdentityReference -notlike "domain\Domain Admins" -and $Access.IdentityReference -notlike "CREATOR OWNER" -and $access.IdentityReference -notlike "NT AUTHORITY\СИСТЕМА") {
                $Properties = [ordered]@{'FolderName'=$Folder.FullName;'AD Group'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
                $Results += New-Object -TypeName PSObject -Property $Properties
            }
        }
    }
    
    $Results  | Export-Csv -path "d:\Permissions - $(Get-Date -format MMyy).csv"
    
    

    2. Obtaining ACLs from the folder tree (includes file information and garbage records)

    #Define Source Path
    $SourcePath = "D:\tmp"
    
    #$LogFile = "C:\Temp\Logs\ACLInfo_Source_$((Get-Date).ToString("yyyy-MM-dd ddd_hhmm")).csv"
    $LogFile = "d:\ACLInfo_Source_.csv"
    
    function GetAcls
    {
    param ( [String]$Path, [string]$FPath=$null )
    $JPath = "c:\Temp\SL"
    #
    $JPath = $Env:temp + "\SL"
    $Results = @()
    
    if ( $FPath.length -eq 0 ) { $FPath = $Path }
    if ( $path.toLower().StartsWith($JPath.toLower() ) ) { $Jpath = ([System.IO.DirectoryInfo]$path).parent.fullname }
    
    $JPath = $JPath + '1'
    #
    Write-Host ">Creating Link  $jpath <==> $path"
    cmd /c "mklink /d `"$Jpath`" `"$Path`"" > $null
    
    if (Test-Path $JPath ) {
    
    ForEach ($folder in (dir $JPath | Where { $_.PSIsContainer })) {
        ForEach ($acl in (Get-Acl $folder.fullname )) {
            ForEach ( $ace in $acl.access ) {
                $Results += New-Object PSObject -Property @{
                    Path              = $Fpath + "\" + $folder.name
                    Owner             = $acl.Owner
                    FileSystemRights  = $ace.FileSystemRights
                    AccessControlType = $ace.AccessControlType
                    IdentityReference = $ace.IdentityReference
                    IsInherited       = $ace.IsInherited
                    InheritanceFlags  = $ace.InheritanceFlags
                    PropagationFlags  = $ace.PropagationFlags
                } # Properties for result PSO
            } # ForEach ace
        } # ForEach acl
    } # ForEach Folder
    
    $Results
    } # Test-path
    
    dir $Jpath | where { $_.PsIsContainer } | % { GetAcls -Path $($_.FullName) -FPath ($FPath +"\" + $_.name) }
    #
    Write-Host "<Removing       $jPath"
    # Quote the link path so removal also works when %TEMP% contains spaces
    cmd /c "rd `"$jPath`""
    }
    
    GetAcls -Path $SourcePath| Select Path, Owner, IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags, PropagationFlags | Export-Csv $LogFile -NoTypeInformation -Encoding unicode


    I would be grateful for the help.


    • Edited by Gleb666 Monday, February 10, 2020 8:47 AM
    Friday, February 7, 2020 12:59 PM

Answers

  • This module is really well done: https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85

    I tested it and it really does what it needs to.

    • Marked as answer by Gleb666 Monday, February 10, 2020 12:00 PM
    Friday, February 7, 2020 1:04 PM
  • The following is the correct way to solve your problem:

    https://betanews.com/2016/05/29/long-paths-windows-10/


    \_(ツ)_/


    • Edited by jrv Friday, February 7, 2020 1:10 PM
    • Marked as answer by Gleb666 Monday, February 10, 2020 8:50 AM
    Friday, February 7, 2020 1:10 PM
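
The folder-only ACL report the question asks for, as an added example that is not part of the original thread: it matches the excluded accounts by well-known SID instead of by name, so the filter does not depend on localized names such as `BUILTIN\Администраторы` in the first script. It assumes long-path support is already enabled as described in the link from the second answer (or that PowerShell 7+ is used); `$OutFile` is a hypothetical output path.

```powershell
# Added example, not code from the thread.
# Assumption: long paths are enabled on the host (see the second answer) or PowerShell 7+.
param(
    [string]$Root    = 'D:\tmp',               # root folder used in the question
    [string]$OutFile = 'D:\Permissions.csv'    # hypothetical output path
)

# Well-known SIDs are identical on every Windows locale, unlike account names.
$ExcludedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-3-0'         # CREATOR OWNER
)
# Domain Admins is always <domain SID>-512, whatever the domain is called.
$DomainAdminsPattern = '^S-1-5-21-\d+-\d+-\d+-512$'

$SidType  = [System.Security.Principal.SecurityIdentifier]
$NameType = [System.Security.Principal.NTAccount]

$Results = foreach ($Folder in Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force) {
    try {
        $Acl = Get-Acl -LiteralPath $Folder.FullName -ErrorAction Stop
    } catch {
        # Report unreadable folders instead of silently dropping them from the audit.
        Write-Warning "Cannot read ACL: $($Folder.FullName): $($_.Exception.Message)"
        continue
    }

    # Ask for explicit and inherited rules with identities expressed as SIDs.
    foreach ($Rule in $Acl.GetAccessRules($true, $true, $SidType)) {
        $Sid = $Rule.IdentityReference.Value
        if ($ExcludedSids -contains $Sid -or $Sid -match $DomainAdminsPattern) { continue }

        # Orphaned SIDs (deleted accounts) cannot be translated; keep the raw SID.
        try   { $Name = $Rule.IdentityReference.Translate($NameType).Value }
        catch { $Name = $Sid }

        [pscustomobject]@{
            FolderName  = $Folder.FullName
            Identity    = $Name
            Sid         = $Sid
            Permissions = $Rule.FileSystemRights
            AccessType  = $Rule.AccessControlType
            Inherited   = $Rule.IsInherited
        }
    }
}

$Results | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8
```

Rows whose `Identity` column still shows a raw SID are entries for accounts that no longer resolve and are worth reviewing.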

All replies