Asked by:
Powershell - Get-ACL

Question
-
I've been poking around the web trying to put everything I think I understand together. Good resources out there; shout out to awesomeoman, because I'm attempting to change a bit of his PowerShell to work for my needs.
For quick auditing purposes, I'm trying to figure out folder permissions on specific directories and list users and groups. I got that far, but now, as I guessed, they also want the users in the groups. Here is what I have so far:
$Paths = Get-Content -Path "C:\Users\tango\Documents\listofdirectories.txt"
$Output = @()
foreach ($path in $paths)
{
    write-host "Processing $path"
    Get-ACL "$Path" | Format-List -Property Path
    If ($? -eq $false)
        {write-host "FOUND ERROR for $Path"}
    Else
    {
        $ACLs = get-acl -path $path | select -expand access | where-object{$_.identityreference -notlike "*S-1-5-21-*"} | select IdentityReference,FileSystemRights
        foreach ($ACL in $ACLs)
        {
            $strObject = ($ACL.IdentityReference).ToString().split("\")[1]
            $objResults = New-Object System.Object
            $ACLobjectType = get-aduser $strObject | select -expand objectclass
            if($ACLobjectType -eq "user")
            {
                $user = get-aduser $strObject -Properties * | Select SamAccountName,Displayname
                $objResults | Add-Member -MemberType NoteProperty -Name "Name" -Value $user.samaccountname
                $objResults | Add-Member -MemberType NoteProperty -Name "Display Name" -Value $user.displayname
                $objResults | Add-Member -MemberType NoteProperty -Name "Type" -Value $ACLobjectType
                $objResults | Add-Member -MemberType NoteProperty -Name "Permission" -Value $ACL.FileSystemRights
                $objResults | Add-Member -MemberType NoteProperty -Name "Path" -Value $path
                $Output += $objResults
            }
            if($ACLobjectType -eq "group")
            {
                $member = Get-ADGroup $strObject -Properties * | Select SamAccountName
                $objResults | Add-Member -MemberType NoteProperty -Name "Name" -Value $member.samaccountname
                $objResults | Add-Member -MemberType NoteProperty -Name "Group" -Value $member.displayname
                $objResults | Add-Member -MemberType NoteProperty -Name "Type" -Value $ACLobjectType
                $objResults | Add-Member -MemberType NoteProperty -Name "Permission" -Value $ACL.FileSystemRights
                $objResults | Add-Member -MemberType NoteProperty -Name "Path" -Value $path
                $Output += $objResults
            }
        }
    }
}
$output | export-csv .\list.csv -notype
My question is: why is my if statement $ACLobjectType -eq "user" still listing groups as a user when I run this? And when it does this, it lists the previous user and their name and displayname. Total beginner at this, so any help would be appreciated.
Sunday, August 20, 2017 4:50 AM
All replies
-
Please do not post colorized code. Use the code posting tool.
Is this what you are trying to do?
$Paths = Get-Content C:\Users\tango\Documents\listofdirectories.txt
$results = foreach ($path in $paths) {
    write-host "Processing $path"
    if(Test-Path $path){
        $acl = get-acl -path $path
        foreach ($ace in $acl.Access) {
            # "DOMAIN\name".Split('\')[1] is the account name after the domain prefix
            $obj = Get-ADUser $ace.IdentityReference.Value.Split('\')[1] -Properties DisplayName,objectClass #'
            $obj | Add-Member -MemberType NoteProperty -Name Path -Value $path
            $obj | Add-Member -MemberType NoteProperty -Name FileSystemRights -Value $ace.FileSystemRights -PassThru
        }
    }
}
$results | export-csv .\list.csv -NoTypeInformation
\_(ツ)_/
- Edited by jrv Sunday, August 20, 2017 5:16 AM
Sunday, August 20, 2017 5:12 AM -
Here is how to quickly determine what type of account you have
$sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
if('user' -in ([adsi]"LDAP://<SID=$sid>").objectClass){
    # code
}elseif ('group' -in ([adsi]"LDAP://<SID=$sid>").objectClass){
    # code
}else{
    # none of the above
}
\_(ツ)_/
- Proposed as answer by Albert Ling (Microsoft contingent staff) Tuesday, September 12, 2017 6:12 AM
Sunday, August 20, 2017 5:34 AM -
Sorry about the colors. I'll be sure to use the posting tool next time. I'll poke around your example. Thanks for the help. I was trying to figure out why I couldn't separate the users from the groups.
Sunday, August 20, 2017 5:47 AM
-
Simple answer ... "objectClass" is an array.
\_(ツ)_/
Sunday, August 20, 2017 5:55 AM -
Thanks for your help. It got me going again. If I'm grasping all of this correctly, should I be using another array for the group membership results?
$Paths = Get-Content C:\Users\tango\Documents\listofdirectories.txt
$Output = @()
ForEach($Path in $Paths) {
    Write-Host "Processing $Path"
    If(Test-Path $Path) {
        $ACL = Get-ACL -Path $Path
        ForEach($ACE in $ACL.Access) {
            $SID = $ACE.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            # "DOMAIN\name".Split("\")[1] is the account name; index 2 is out of range
            $Name = $ACE.IdentityReference.Value.Split("\")[1]
            If('user' -in ([adsi]"LDAP://<SID=$SID>").objectclass) {
                $objResults = New-Object System.Object
                $Results = Get-ADUser $Name -Properties * | Select DisplayName, SamAccountName
                $objResults | Add-Member -MemberType NoteProperty -Name "Name" -Value $Results.samaccountname
                $objResults | Add-Member -MemberType NoteProperty -Name "Display Name" -Value $Results.displayname
                $objResults | Add-Member -MemberType NoteProperty -Name "Permission" -Value $ACE.FileSystemRights
                $objResults | Add-Member -MemberType NoteProperty -Name "Path" -Value $Path
                $Output += $objResults
            }
            Elseif('group' -in ([adsi]"LDAP://<SID=$SID>").objectclass) {
                $Group = Get-ADGroupMember $Name
                ForEach($Member in $Group) {
                    # a fresh object per member: Add-Member refuses to add a property
                    # that already exists on a reused object
                    $objResults = New-Object System.Object
                    $Results = Get-ADUser $Member -Properties * | Select Displayname, Samaccountname
                    $objResults | Add-Member -MemberType NoteProperty -Name "Name" -Value $Results.samaccountname
                    $objResults | Add-Member -MemberType NoteProperty -Name "Display Name" -Value $Results.displayname
                    $objResults | Add-Member -MemberType NoteProperty -Name "Group" -Value $Name
                    $objResults | Add-Member -MemberType NoteProperty -Name "Permission" -Value $ACE.FileSystemRights
                    $objResults | Add-Member -MemberType NoteProperty -Name "Path" -Value $Path
                    $Output += $objResults
                }
            }
            Else {}
        }
    }
}
$Output | Export-Csv .\list.csv -NoTypeInformation
$Output
Monday, August 21, 2017 2:46 AM -
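The SID-to-objectClass classification jrv describes above, combined with the group-membership expansion the follow-up script is reaching for, as one complete audit script. This is an added example, not code posted in the thread. It assumes the ActiveDirectory module is installed, the host is domain-joined, the running account can read AD, and the path list (`$Paths`) is a constructed sample standing in for `Get-Content` on the real listofdirectories.txt.

```powershell
# Added example: one CSV row per effective principal (user, group, expanded group member)
# for each audited directory. Not from the thread; assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed sample input; in practice use
# $Paths = Get-Content C:\Users\tango\Documents\listofdirectories.txt
$Paths = @('C:\Shares\Finance', 'C:\Shares\HR')

function Get-PrincipalClass {
    # Classify an ACE identity as 'user', 'group', 'computer', 'builtin' or 'unknown'.
    # objectClass is an array (top, person, ..., user), so membership is tested with -in.
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return 'unknown'                      # orphaned SID: unresolvable principal
    }
    # Well-known and local principals (Everyone, BUILTIN\Administrators, SYSTEM) are not in AD
    if ($sid -notlike 'S-1-5-21-*') { return 'builtin' }
    try {
        $classes = @(([adsi]"LDAP://<SID=$sid>").objectClass)
        if ('computer' -in $classes) { return 'computer' }   # computers also carry 'user'
        if ('user'     -in $classes) { return 'user' }
        if ('group'    -in $classes) { return 'group' }
    } catch { }
    return 'unknown'
}

function New-AuditRow {
    # One new object per row; a reused object cannot take the same NoteProperty twice.
    param($Path, $Ace, $Name, $DisplayName, $Type, $ViaGroup)
    [pscustomobject]@{
        Path        = $Path
        Identity    = $Ace.IdentityReference.Value
        Type        = $Type
        Name        = $Name
        DisplayName = $DisplayName
        ViaGroup    = $ViaGroup               # non-empty when the right comes through a group
        Access      = $Ace.AccessControlType  # Allow or Deny
        Rights      = $Ace.FileSystemRights
        Inherited   = $Ace.IsInherited
    }
}

$Output = foreach ($Path in $Paths) {
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Path not found or not accessible: $Path"
        continue
    }
    $Acl = Get-Acl -Path $Path
    foreach ($Ace in $Acl.Access) {
        $type = Get-PrincipalClass -Identity $Ace.IdentityReference
        $sam  = $Ace.IdentityReference.Value.Split('\')[-1]   # strip the DOMAIN\ prefix
        switch ($type) {
            'user' {
                $u = Get-ADUser -Identity $sam -Properties DisplayName
                New-AuditRow -Path $Path -Ace $Ace -Name $u.SamAccountName `
                    -DisplayName $u.DisplayName -Type 'user' -ViaGroup ''
            }
            'group' {
                # The group itself gets a row, then every recursively resolved user member.
                New-AuditRow -Path $Path -Ace $Ace -Name $sam -DisplayName '' -Type 'group' -ViaGroup ''
                Get-ADGroupMember -Identity $sam -Recursive |
                    Where-Object { $_.objectClass -eq 'user' } |
                    ForEach-Object {
                        $u = Get-ADUser -Identity $_.SamAccountName -Properties DisplayName
                        New-AuditRow -Path $Path -Ace $Ace -Name $u.SamAccountName `
                            -DisplayName $u.DisplayName -Type 'user' -ViaGroup $sam
                    }
            }
            default {
                # builtin, computer or unknown: still record it, the reviewer decides
                New-AuditRow -Path $Path -Ace $Ace -Name $sam -DisplayName '' -Type $type -ViaGroup ''
            }
        }
    }
}

$Output | Export-Csv -Path .\list.csv -NoTypeInformation
$Output | Format-Table -AutoSize
```

When reviewing the CSV, sort on Access first: a Deny entry on a group changes what every expanded member can do, and the 'builtin' rows (Everyone, Authenticated Users, Users) are the ones most often granting more than intended. Rows marked Inherited point at the parent directory whose ACL actually needs fixing.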
Hi,
Was your issue resolved?
And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.
Appreciate for your feedback.
Best Regards,
Albert Ling
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Friday, August 25, 2017 12:23 PM