Powershell - Get-ACL

  • Question

  • I've been poking around the web trying to put everything I think I understand together. Good resources out there, shout out to awesomeoman because I'm attempting to change a bit of his powershell to work for my needs.

    For quick auditing purposes, I'm trying to figure out folder permissions on specific directories and list users and groups. I got that far, but now, as I guessed, they also want the users in the groups. Here is what I have so far:

    $Paths = Get-Content -Path "C:\Users\tango\Documents\listofdirectories.txt"
    $Output = @()

    foreach ($path in $paths)
        {
        write-host "Processing $path"

        # Print the path; $? reflects whether Get-ACL succeeded
        Get-ACL "$Path" | Format-List -Property Path
            If ($? -eq $false)
                {write-host "FOUND ERROR for $Path"}
            Else
                {
                # Drop ACEs whose trustee is an unresolved SID, keep identity and rights
                $ACLs = get-acl -path $path | select -expand access | where-object {$_.identityreference -notlike "*S-1-5-21-*"} | select IdentityReference,FileSystemRights

                foreach ($ACL in $ACLs)
                    {
                    # Strip the DOMAIN\ prefix to get the account name
                    $strObject = ($ACL.IdentityReference).ToString().split("\")[1]
                    $objResults = New-Object System.Object

                    # Look up the object class of the trustee in AD
                    $ACLobjectType = get-aduser $strObject | select -expand objectclass
                    if($ACLobjectType -eq "user")
                        {
                        $user = get-aduser $strObject -Properties * | Select SamAccountName,Displayname

                        $objResults | Add-Member -MemberType NoteProperty -Name "Name" -Value $user.samaccountname
                        $objResults | Add-Member -MemberType NoteProperty -Name "Display Name" -Value $user.displayname
                        $objResults | Add-Member -MemberType NoteProperty -Name "Type" -Value $ACLobjectType
                        $objResults | Add-Member -MemberType NoteProperty -Name "Permission" -Value $ACL.FileSystemRights
                        $objResults | Add-Member -MemberType NoteProperty -Name "Path" -Value $path

                        $Output += $objResults
                        }
                    if($ACLobjectType -eq "group")
                        {
                        $member = Get-ADGroup $strObject -Properties * | Select SamAccountName,DisplayName

                        $objResults | Add-Member -MemberType NoteProperty -Name "Name" -Value $member.samaccountname
                        $objResults | Add-Member -MemberType NoteProperty -Name "Group" -Value $member.displayname
                        $objResults | Add-Member -MemberType NoteProperty -Name "Type" -Value $ACLobjectType
                        $objResults | Add-Member -MemberType NoteProperty -Name "Permission" -Value $ACL.FileSystemRights
                        $objResults | Add-Member -MemberType NoteProperty -Name "Path" -Value $path

                        $Output += $objResults
                        }
                    }
                }
        }
    $output | export-csv .\list.csv -notype

    My question is: why is my if statement $ACLobjectType -eq "user" still listing groups as users when I run this? And when it does this, it lists the previous user's name and displayname. Total beginner at this, so any help would be appreciated.

    Sunday, August 20, 2017 4:50 AM

All replies

  • Please do not post colorized code. Use the code posting tool.

    Is this what you are trying to do?

    $Paths = Get-Content C:\Users\tango\Documents\listofdirectories.txt
    $results = foreach ($path in $paths) {
        write-host "Processing $path"
        if(Test-Path $path){
            $acl = get-acl -path $path
            foreach ($ace in $acl.Access) {
                # Look the trustee up once, then tag the AD object with the path and rights
                $obj = Get-ADUser $ace.IdentityReference.Value.Split('\')[1] -Properties DisplayName,objectClass
                $obj | Add-Member -MemberType NoteProperty -Name Path -Value $path
                $obj | Add-Member -MemberType NoteProperty -Name FileSystemRights -Value $ace.FileSystemRights -PassThru
            }
        }
    }

    $results | export-csv .\list.csv -NoTypeInformation


    \_(ツ)_/
    • Edited by jrv Sunday, August 20, 2017 5:16 AM
    Sunday, August 20, 2017 5:12 AM
  • Here is how to quickly determine what type of account you have

    # $ace is one entry of (Get-Acl $path).Access; bind to the AD object by its SID
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $adObject = [adsi]"LDAP://<SID=$sid>"
    if('user' -in $adObject.objectClass){
        # code
    }elseif ('group' -in $adObject.objectClass){
        # code
    }else{
        # none of the above
    }


    \_(ツ)_/

    Sunday, August 20, 2017 5:34 AM
  • Sorry about the colors. I'll be sure to use the posting tool next time. I'll poke around your example. Thanks for the help. I was trying to figure out why I couldn't separate the users from the groups.
    Sunday, August 20, 2017 5:47 AM
  • Simple answer ... "objectClass" is an array.


    \_(ツ)_/

    Sunday, August 20, 2017 5:55 AM
  • Thanks for your help. It got me going again. If I'm grasping all of this correctly, should I be using another array for the group membership results?

    $Paths = Get-Content C:\Users\tango\Documents\listofdirectories.txt
    $Output = @()
    ForEach($Path in $Paths)
        {
        Write-Host "Processing $Path"
        If(Test-Path $Path)
            {
            $ACL = Get-ACL -Path $Path
            ForEach($ACE in $ACL.Access)
                {
                $SID = $ACE.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                # Account name without the DOMAIN\ prefix
                $Name = $ACE.IdentityReference.Value.Split("\")[1]
                If('user' -in ([adsi]"LDAP://<SID=$SID>").objectclass)
                    {
                    $objResults = New-Object System.Object
                    $Results = Get-ADUser $Name -Properties * | Select DisplayName, SamAccountName
                    $objResults | Add-Member -MemberType NoteProperty -Name "Name" -Value $Results.samaccountname
                    $objResults | Add-Member -MemberType NoteProperty -Name "Display Name" -Value $Results.displayname
                    $objResults | Add-Member -MemberType NoteProperty -Name "Permission" -Value $ACE.FileSystemRights
                    $objResults | Add-Member -MemberType NoteProperty -Name "Path" -Value $Path
                    $Output += $objResults
                    }
                Elseif('group' -in ([adsi]"LDAP://<SID=$SID>").objectclass)
                    {
                    # Only user members; Get-ADUser cannot look up nested groups or computers
                    $Group = Get-ADGroupMember $Name | Where-Object {$_.objectClass -eq 'user'}
                    ForEach($Member in $Group)
                        {
                        # One result object per member; reusing one object fails on the second Add-Member
                        $objResults = New-Object System.Object
                        $Results = Get-ADUser $Member -Properties * | Select Displayname, Samaccountname
                        $objResults | Add-Member -MemberType NoteProperty -Name "Name" -Value $Results.samaccountname
                        $objResults | Add-Member -MemberType NoteProperty -Name "Display Name" -Value $Results.displayname
                        $objResults | Add-Member -MemberType NoteProperty -Name "Group" -Value $Name
                        $objResults | Add-Member -MemberType NoteProperty -Name "Permission" -Value $ACE.FileSystemRights
                        $objResults | Add-Member -MemberType NoteProperty -Name "Path" -Value $Path
                        $Output += $objResults
                        }
                    }
                Else {}
                }
            }
        }
    $Output | Export-Csv .\list.csv -NoTypeInformation
    $Output

    Monday, August 21, 2017 2:46 AM
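The following is an added example, not code posted by anyone in this thread. It combines the SID-based classification from jrv's reply with the group expansion the original poster is after, and handles the cases a folder audit usually trips over: ACEs held by built-in or well-known principals that do not exist in AD, orphaned SIDs of deleted accounts, Deny entries, and groups that cannot be expanded. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the folders; the input and output file names are placeholders and the function names (Get-AceSid, Get-PrincipalClass, New-AuditRow) are mine.

```powershell
# Added example, not code from the thread: audit NTFS ACEs on a list of folders,
# classify each trustee by SID (user / group / builtin / orphaned) via the same
# [adsi]"LDAP://<SID=...>" lookup shown above, and expand group members to users.
# Assumes the RSAT ActiveDirectory module, a domain-joined host and read access to
# the folders. File names are placeholders; function names are this example's own.
#Requires -Modules ActiveDirectory
param(
    [string]$PathList = 'C:\Users\tango\Documents\listofdirectories.txt',
    [string]$OutFile  = '.\acl-audit.csv'
)

# Resolve an ACE trustee to a SID string. Orphaned ACEs already carry a raw SID;
# names that no longer translate (dead trust, renamed domain) return $null.
function Get-AceSid {
    param([System.Security.Principal.IdentityReference]$Identity)
    if ($Identity -is [System.Security.Principal.SecurityIdentifier]) { return $Identity.Value }
    try { return $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }
}

# objectClass is an array ('top','person','organizationalPerson','user'), so test
# membership with -in instead of comparing with -eq.
function Get-PrincipalClass {
    param([string]$Sid)
    if (-not $Sid) { return 'unresolved' }
    if ($Sid -notlike 'S-1-5-21-*') { return 'builtin' }   # Everyone, BUILTIN\*, NT AUTHORITY\*, ...
    try {
        $cls = ([adsi]"LDAP://<SID=$Sid>").objectClass
        if ('user'  -in $cls) { return 'user' }
        if ('group' -in $cls) { return 'group' }
        if ($cls)             { return 'other' }             # computer, foreign security principal, ...
    } catch { }
    # Domain-format SID with no AD object: a deleted principal, or a local account
    # of a member server (local account SIDs also start with S-1-5-21).
    return 'orphaned'
}

function New-AuditRow {
    param($Path, $Ace, $Class, $Member = '', $DisplayName = '', $ViaGroup = '')
    [pscustomobject]@{
        Path              = $Path
        Principal         = $Ace.IdentityReference.Value
        Class             = $Class
        AccessType        = $Ace.AccessControlType      # Allow or Deny
        Rights            = $Ace.FileSystemRights
        Inherited         = $Ace.IsInherited            # explicit ACEs are the ones set on this folder
        Member            = $Member
        MemberDisplayName = $DisplayName
        ViaGroup          = $ViaGroup
    }
}

$Results = foreach ($Path in (Get-Content -Path $PathList | Where-Object { $_.Trim() })) {
    Write-Host "Processing $Path"
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Missing: $Path"; continue }
    try   { $Acl = Get-Acl -LiteralPath $Path }
    catch { Write-Warning "Cannot read ACL on ${Path}: $_"; continue }

    foreach ($Ace in $Acl.Access) {
        $Sid   = Get-AceSid $Ace.IdentityReference
        $Class = Get-PrincipalClass $Sid
        switch ($Class) {
            'user' {
                $u = Get-ADUser -Identity $Sid -Properties DisplayName
                New-AuditRow $Path $Ace $Class $u.SamAccountName $u.DisplayName
            }
            'group' {
                # -Recursive flattens nested groups; every member row keeps the granting ACE.
                # Get-ADGroupMember fails on very large groups and on foreign security
                # principals, so the group itself is reported when it cannot be expanded.
                try   { $members = @(Get-ADGroupMember -Identity $Sid -Recursive | Where-Object objectClass -eq 'user') }
                catch { Write-Warning "Cannot expand $($Ace.IdentityReference.Value): $_"; $members = @() }
                if ($members.Count -eq 0) { New-AuditRow $Path $Ace $Class -ViaGroup $Ace.IdentityReference.Value }
                foreach ($m in $members) {
                    $u = Get-ADUser -Identity $m.SID.Value -Properties DisplayName
                    New-AuditRow $Path $Ace $Class $u.SamAccountName $u.DisplayName $Ace.IdentityReference.Value
                }
            }
            default { New-AuditRow $Path $Ace $Class }   # builtin / orphaned / unresolved are still reported
        }
    }
}

$Results | Export-Csv -Path $OutFile -NoTypeInformation
# Quick triage: Deny entries and orphaned SIDs that still sit in the DACL
$Results | Where-Object { $_.AccessType -eq 'Deny' -or $_.Class -eq 'orphaned' } | Format-Table -AutoSize
```

Run it as a script with -PathList pointing at the directory list. Looking up the trustee by SID rather than by the DOMAIN\name part of IdentityReference is what makes the user/group split reliable: Get-ADUser on a group name simply fails and leaves the previous loop iteration's values in place. The output keeps the AccessType and Inherited columns because a Deny ACE or an explicit (non-inherited) grant is usually the finding an audit is looking for, and a row of class orphaned means a deleted account's SID still holds rights. Only the NTFS DACL is read; share permissions on the same folder are a separate check.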
  • Hi,

    Was your issue resolved?

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best Regards,
    Albert Ling

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 25, 2017 12:23 PM