Permissions on folder and sub-folders

  • Question

    I created a script for an NTFS permissions report for a required folder and sub-folders, and it works OK.

    I'm getting a result with all identities with permissions on the folder. But ....

    When I get an IdentityReference object, is there some simple way (flag, attribute) to identify whether it is:

    1. local or domain identity
    2. type of user or group

    Thanks in advance

    I forgot to say, if someone needs it, no problem .....



    • Edited by zlocic Monday, March 7, 2016 12:51 PM
    Friday, March 4, 2016 9:29 AM

Answers

  • if(($identity -split '\\')[0] -eq 'MyDomain'){ 'its a domain account'}

    \_(ツ)_/

    • Marked as answer by zlocic Monday, March 7, 2016 4:28 PM
    Monday, March 7, 2016 1:08 PM

All replies

  • Why?

    -- Bill Stewart [Bill_Stewart]

    Friday, March 4, 2016 3:37 PM
    Moderator
  • Why what ?

    Friday, March 4, 2016 3:57 PM
  • Why do you need the information of whether the identity is local or domain or type of user or group?

    If you really need to know, you can search a domain using [ADSISearcher] to find out if account is a domain account and, if it is a group, the group type.


    -- Bill Stewart [Bill_Stewart]

    Friday, March 4, 2016 3:58 PM
    Moderator
    $domain,$name=$identityreference -split '\\'
    Get-WmiObject Win32_Account -Filter "Name='$name' AND Domain='$domain'"

    Get the SID and test against machine or query a DC by adding computer name.  If it is not a domain account the query will be null.


    \_(ツ)_/

    Friday, March 4, 2016 6:45 PM
  • Thanks Bill...

    There are two reasons.

    1. If it's a local group or account, I don't want to waste time and resources on a server connection to the DC and resolving the sAMAccount to a person's name.
    2. If it is a domain group then I'll get the members and resolve them to persons.

    As I said, it is a permissions "Report" and the customer has no idea who "domain\x430a521" is, who has modify permission on some resources. The customer wants a real person. First name, last name etc .....

    So, I want to filter out local groups and accounts and put the AD module in a job just for domain ......


    • Edited by zlocic Monday, March 7, 2016 12:27 PM
    Monday, March 7, 2016 12:19 PM
    Thanks jrv,

    but as I already said to Bill, I don't want to ping the DC for every identity found in the ACLs.
    I have to say that it is a recursive task and the folder structure can be really deep. Pinging the DC for each identity could be expensive ....

    Monday, March 7, 2016 12:33 PM
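
One way to combine the suggestions in this thread, as an added example that is not code from any poster: classify each identity by its name prefix first, so only domain identities reach a DC, and cache the result so each unique identity is looked up once. `Get-IdentityInfo`, `$IdentityCache` and the `$DomainName` default (the logon domain of a domain-joined machine) are assumptions made for the example.

```powershell
# Added example, not code from the thread. $DomainName is an assumption:
# the NetBIOS name of the AD domain (defaults to the logon domain).
$script:IdentityCache = @{}   # one lookup per unique identity, however deep the tree is

function Get-IdentityInfo {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # e.g. $ace.IdentityReference.Value
        [string] $DomainName = $env:USERDOMAIN
    )
    if ($script:IdentityCache.ContainsKey($Identity)) { return $script:IdentityCache[$Identity] }

    $info = [pscustomobject]@{ Identity = $Identity; Scope = 'Unknown'; Type = 'Unknown'; DisplayName = $null }
    $prefix, $name = $Identity -split '\\', 2

    if ($null -eq $name) {
        # No "DOMAIN\" prefix: an orphaned SID that Get-Acl could not resolve, or a bare name such as Everyone
        $info.Scope = if ($Identity -match '^S-1-') { 'UnresolvedSid' } else { 'WellKnown' }
    }
    elseif ($prefix -in 'BUILTIN', 'NT AUTHORITY', 'NT SERVICE') {
        $info.Scope = 'WellKnown'          # no lookup needed at all
    }
    elseif ($prefix -eq $env:COMPUTERNAME) {
        $info.Scope = 'Local'
        # Win32_Account query as posted in the thread; escape \ and ' for the WQL string literal
        $wmiName = $name.Replace('\', '\\').Replace("'", "\'")
        $acct = Get-WmiObject Win32_Account -Filter "Name='$wmiName' AND Domain='$prefix'" | Select-Object -First 1
        if ($acct) { $info.Type = if ($acct.SIDType -eq 1) { 'User' } else { 'Group' } }
    }
    elseif ($prefix -eq $DomainName) {
        $info.Scope = 'Domain'
        # [ADSISearcher] as suggested in the thread; escape LDAP filter metacharacters first
        $ldapName = $name.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
        $hit = ([ADSISearcher]"(sAMAccountName=$ldapName)").FindOne()
        if ($hit) {
            $info.Type        = @($hit.Properties['objectclass'])[-1]   # most specific class is listed last
            $info.DisplayName = @($hit.Properties['displayname'])[0]
        }
    }
    $script:IdentityCache[$Identity] = $info
    $info
}

# Usage on the current folder; a recursive report would call this for every ACE it finds
(Get-Acl -Path .).Access | ForEach-Object { Get-IdentityInfo $_.IdentityReference.Value } | Sort-Object Identity -Unique
```

Identities from trusted domains or other prefixes stay at Scope `Unknown` here, which makes them easy to list separately in the report.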