Powershell Filter For Active Directory Groups Only.

  • Question

  • I am trying to automate a network wide (about 2.4 million folders) search for those folders, what Active Directory groups have access to them, and what type of access that is.

    I have code that does the above, but it does it for every item on the folders, except the ones that I filter out with code such as:
        $ACLs = Get-Acl $Folder.FullName |
        ForEach-Object {$_.Access} |
        Where {$_.IdentityReference -notlike "*BUILTIN*" -and $_.IdentityReference -notlike "*NT AUTHORITY*"}

    There are more in my list of "Where" statements, and this works ok, but I would like to only show Groups, and not User accounts.

    Some testing script I've started for checking one folder is as follows:
        (Get-Acl "\\Server\FilePath").Access |
        Select-Object FileSystemRights,AccessControlType,IdentityReference |
        Where {$_.IdentityReference -notlike "*BUILTIN*" -and $_.IdentityReference -notlike "*NT AUTHORITY*"}

    This gives me a list of Users and Groups, along with their access to that folder.

    My question is: How do I filter out for only showing Groups for this kind of folder permission information gathering?

    Sunday, August 10, 2014 11:59 PM

Answers

  • Hi Scott,

    Try this:

    # This lists users and groups:
    (Get-Acl $FileName).Access |
        Where-Object {$_.IdentityReference -notlike "*BUILTIN*" -and $_.IdentityReference -notlike "*NT AUTHORITY*"} |
            Select  FileSystemRights, AccessControlType, IdentityReference |
                FT -AutoSize
    
    #This lists users only:
    (Get-Acl $FileName).Access |
        Where-Object {$_.IdentityReference -notlike "*BUILTIN*" -and $_.IdentityReference -notlike "*NT AUTHORITY*" -and (dsquery user -samid $_.IdentityReference.Value.Split("\")[1])} |
            Select  FileSystemRights, AccessControlType, IdentityReference |
                FT -AutoSize


    Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable)

    Monday, August 11, 2014 1:23 AM
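    An added example (not Sam's code, and not from this thread) that does what the accepted answer does but classifies each distinct identity once and caches the result, so 2.4 million folders do not each trigger a directory query. It assumes the RSAT ActiveDirectory module, and '\\Server\Share' and group-access.csv are placeholder paths:

```powershell
# Added example (not from the thread): keep only ACEs whose identity is an AD group,
# classifying each distinct identity once. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# SID string -> $true/$false. One directory query per distinct identity instead of
# one per folder, which is what makes this usable across millions of folders.
$script:IsGroupCache = @{}

function Test-IsDomainGroup {
    param([System.Security.Principal.IdentityReference]$Identity)
    try { $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $false }    # name that no longer resolves
    if ($script:IsGroupCache.ContainsKey($sid)) { return $script:IsGroupCache[$sid] }
    $isGroup = $false
    # Only S-1-5-21-<domain>-<rid> SIDs can be domain objects; BUILTIN, NT AUTHORITY and
    # other well-known SIDs never match, and machine-local or deleted accounts return nothing.
    if ($sid -like 'S-1-5-21-*') {
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -ErrorAction SilentlyContinue
        $isGroup = ($null -ne $obj -and $obj.ObjectClass -eq 'group')
    }
    $script:IsGroupCache[$sid] = $isGroup
    return $isGroup
}

function Get-GroupAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if (-not (Test-IsDomainGroup $ace.IdentityReference)) { continue }
        [pscustomobject]@{
            Path      = $Path
            Group     = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

# Usage: walk the tree, report group ACEs only, and export for review.
Get-ChildItem -LiteralPath '\\Server\Share' -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-GroupAces -Path $_.FullName } |
    Export-Csv -Path .\group-access.csv -NoTypeInformation
```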

All replies

  • You have to individually test every identity to see if it is a local object, Domain object then retrieve the object and check if it is a group.

    I recommend that you just return the identities to a collection.  When that is done run a filtering pass.  It will be faster and less prone to failure.

    If this is important I recommend obtaining a file audit program which would be much faster and more flexible.


    ¯\_(ツ)_/¯

    Monday, August 11, 2014 12:40 AM
  • For 2.4 million folders, I'd start by collecting the SDDL strings, then build a hash table of the domain group SIDs and start searching the SDDL strings for those SIDs.

    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Monday, August 11, 2014 1:09 AM
    Moderator
  • For 2.4 million folders, I'd start by collecting the SDDL strings, then build a hash table of the domain group SIDs and start searching the SDDL strings for those SIDs.

    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Now that is a good idea except "Access" does not show an SDDL.  You could use ICACLS or WMI to grab the SDDL.


    ¯\_(ツ)_/¯

    Monday, August 11, 2014 1:27 AM
  • Perfect and nice and simple! I was actually after "Groups", but I changed the "dsquery user" to "dsquery group", and out came the groups only.

    Thank you so much, this has had me stuck for 2 days.

    Monday, August 11, 2014 1:28 AM
  • Very cool solution.

    It might be faster to use Get-ADGroup -Filter "SamAccountName -eq '$($_.IdentityReference)'"


    ¯\_(ツ)_/¯

    Monday, August 11, 2014 1:33 AM
  • For 2.4 million folders, I'd start by collecting the SDDL strings, then build a hash table of the domain group SIDs and start searching the SDDL strings for those SIDs.


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Now that is a good idea except "Access" does not show an SDDL.  You could use ICACLS or WMI to grab the SDDL.


    ¯\_(ツ)_/¯

    Ahem.

    $ACLs = Get-Acl $Folder.FullName |
        ForEach-Object {$_.SDDL} 

    All the permission information for the folder is in that string.  

    I'd bet with those strings and a few good regexes you could have those results a lot faster than you can iterate through all the ACEs in those Access lists.


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "


    Monday, August 11, 2014 1:42 AM
    Moderator
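    An added example (not code from this thread or its posters) of the SDDL approach suggested above, combined with the groups-only filter the question asks for: the domain group SID table is built once, then each folder's DACL is scanned with a regex and only ACEs whose SID is in the table are reported. It assumes the RSAT ActiveDirectory module and '\\Server\Share' as a placeholder path, and it does not handle conditional (XA) ACEs:

```powershell
# Added example, not code from the thread: scan SDDL strings for domain group SIDs.
# Assumes the RSAT ActiveDirectory module; Get-ADGroup -Filter * runs once.
Import-Module ActiveDirectory

# SDDL writes well-known domain groups as two-letter aliases (RID -> alias), so a table
# keyed only by full SID strings would silently miss Domain Admins, Domain Users, etc.
$RidAlias = @{ 512='DA'; 513='DU'; 514='DG'; 515='DC'; 516='DD'; 517='CA'; 518='SA'; 519='EA'; 520='PA'; 553='RS' }
$GroupBySid = @{}
foreach ($g in Get-ADGroup -Filter *) {
    $sid = $g.SID.Value
    $GroupBySid[$sid] = $g.SamAccountName
    $rid = [int]($sid -split '-')[-1]
    if ($RidAlias.ContainsKey($rid)) { $GroupBySid[$RidAlias[$rid]] = $g.SamAccountName }
}

# One DACL ACE: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid).
# Conditional ACEs (type XA, which nest parentheses) are not handled by this regex.
$AceRegex = [regex]'\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]+)\)'
# Common SDDL rights aliases, approximated through the file generic mapping.
$RightsAlias = @{ FA='FullControl'; FR='Read'; FW='Write'; FX='ReadAndExecute'
                  GA='FullControl'; GR='Read'; GW='Write'; GX='ReadAndExecute' }

function Get-GroupAcesFromSddl {
    param([string]$Path, [string]$Sddl)
    # Keep only the DACL ("D:" flags followed by ACEs); owner, group and SACL are ignored.
    $dacl = [regex]::Match($Sddl, 'D:[A-Z]*(?<aces>(?:\([^)]*\))*)').Groups['aces'].Value
    foreach ($m in $AceRegex.Matches($dacl)) {
        $sid = $m.Groups['sid'].Value
        if (-not $GroupBySid.ContainsKey($sid)) { continue }   # user, computer, local or well-known SID
        $r = $m.Groups['rights'].Value
        $rights = $RightsAlias[$r]
        if (-not $rights) { $rights = ($r -as [int]) -as [System.Security.AccessControl.FileSystemRights] }
        if (-not $rights) { $rights = $r }   # concatenated or unusual token: keep the raw SDDL form
        $type = if ($m.Groups['type'].Value -eq 'D') { 'Deny' } else { 'Allow' }
        [pscustomobject]@{
            Path      = $Path
            Group     = $GroupBySid[$sid]
            Type      = $type
            Rights    = $rights
            Inherited = $m.Groups['flags'].Value -match 'ID'
        }
    }
}

# Usage: collect the SDDL once per folder; everything after that is string work.
Get-ChildItem -LiteralPath '\\Server\Share' -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-GroupAcesFromSddl -Path $_.FullName -Sddl (Get-Acl -LiteralPath $_.FullName).Sddl }
```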