PowerShell script to list ACLs on folders and expand any AD groups to show their members.

    Question

  • Hi, I'm a novice when it comes to PowerShell and was hoping someone would be able to help.

    I'm trying to get a script together to list the ACLs on folders on our network and pipe them out into a CSV. I know the following starting script will show all the ACLs and what permissions are given.

    get-acl c:\temp\test | format-list   

    However, I need to expand any AD groups that have been given access in order to show the users within this AD group. Currently it will show individual users and AD groups that have permission, but it won't expand the AD groups to show which users are members. I've searched about the web for a while but can't find any commands that will do this.

    I suppose I need to know if it is even possible within PowerShell to do this expansion of AD groups?

    Monday, September 26, 2011 2:15 PM

Answers

  • You're asking for recursive AD group member enumeration.  The following bit of code is not recursive, but it will return the first level of results.  I'm leaving it up to you to use it to develop a recursive function.

    FYI, this code assumes that you've imported the Active Directory module.

    # Gets the ACLs for the current working directory
    # Passes the user or group info to the AD cmdlets
    # Enumerates the users with the effective ACL permission
    # Assumes Import-Module ActiveDirectory has already been run
    
    $acls = (Get-Acl $pwd).Access
    foreach ($a in $acls)
    {
       $a
       # IdentityReference looks like DOMAIN\name; entries with no backslash
       # (e.g. CREATOR OWNER) are not domain objects and are skipped
       $name = $a.IdentityReference.ToString().Split("\")[1]
       if (-not $name) { continue }
       try
       {
          # -ErrorAction Stop turns the cmdlet's error into a terminating one so catch runs
          Get-ADGroupMember $name -ErrorAction Stop
       }
       catch
       {
          # Not a group (or not found): try the same name as a user instead
          try { Get-ADUser $name -ErrorAction Stop } catch { continue }
       }
    }
    

     


    I'm the most humble person you've ever met.
    Monday, September 26, 2011 3:36 PM

All replies

  • Hi James

    Thanks for the reply. I will give this a try and let you know how I get on.

    Tuesday, September 27, 2011 11:32 AM
  • If this is going through a very large list of folders, you might want to consider having the script maintain a cache of the members of groups it's already found, or you could end up with it spending a lot of time going back to the DC to retrieve the same group memberships over and over again.
    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
    Tuesday, September 27, 2011 11:47 AM
    Moderator
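
As an added example that is not code from either poster, the script below combines the accepted answer's first-level lookup with the moderator's caching suggestion: it resolves every ACE on each folder to the domain users behind it, walks nested groups with a per-group cache and a loop guard, and writes the result to a CSV. It assumes the ActiveDirectory (RSAT) module on a domain-joined host with read access to the folders; `$Folders` and `$OutCsv` are placeholder values to change.

```powershell
# Added example, not code from the original thread. Assumes the ActiveDirectory
# module on a domain-joined host; $Folders and $OutCsv are placeholder values.
Import-Module ActiveDirectory

$Folders   = @('C:\temp\test')                  # assumption: folders to report on
$OutCsv    = 'C:\temp\folder-acl-members.csv'   # assumption: output location
$DomainSid = (Get-ADDomain).DomainSID.Value      # tells this domain's SIDs from local/built-in ones

# Cache of group SID -> direct members, so each group is fetched from a DC once per run
# even if it appears on hundreds of folders or inside many other groups.
$script:DirectMemberCache = @{}

function Get-DirectMembers {
    param([string]$GroupSid)
    if (-not $script:DirectMemberCache.ContainsKey($GroupSid)) {
        $script:DirectMemberCache[$GroupSid] = @(Get-ADGroupMember -Identity $GroupSid -ErrorAction Stop)
    }
    return $script:DirectMemberCache[$GroupSid]
}

# Breadth-first walk of nested groups. $seen stops loops (A contains B contains A)
# and users reachable through several paths are reported once.
function Expand-GroupToUsers {
    param([string]$GroupSid)
    $users = @{}
    $seen  = @{ $GroupSid = $true }
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($GroupSid)
    while ($queue.Count -gt 0) {
        foreach ($m in Get-DirectMembers -GroupSid $queue.Dequeue()) {
            switch ($m.ObjectClass) {
                'user'  { $users[$m.SID.Value] = $m }
                'group' {
                    if (-not $seen.ContainsKey($m.SID.Value)) {
                        $seen[$m.SID.Value] = $true
                        $queue.Enqueue($m.SID.Value)
                    }
                }
                # computers, gMSAs and contacts are ignored; add cases if the report needs them
            }
        }
    }
    return $users.Values
}

# Maps an ACE's identity to the AD object behind it. Returns $null for anything that is not
# an account in this domain (BUILTIN\*, NT AUTHORITY\*, CREATOR OWNER, local accounts,
# trusted-domain accounts, orphaned SIDs); those ACEs are still reported, just not expanded.
function Resolve-AceIdentity {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    try {
        $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    } catch { return $null }
    if ($null -eq $sid.AccountDomainSid -or $sid.AccountDomainSid.Value -ne $DomainSid) { return $null }
    # Look up by SID rather than splitting DOMAIN\name, which misfires on renamed or foreign principals
    return Get-ADObject -Filter "objectSid -eq '$($sid.Value)'" -Properties objectSid, sAMAccountName
}

function New-ReportRow {
    param($Folder, $Ace, $Member, $Via)
    [pscustomobject][ordered]@{
        Folder      = $Folder
        AceIdentity = $Ace.IdentityReference.Value
        Rights      = $Ace.FileSystemRights.ToString()
        AccessType  = $Ace.AccessControlType.ToString()   # Allow or Deny, kept as its own column
        Inherited   = $Ace.IsInherited
        Member      = $Member
        Via         = $Via
    }
}

$rows = foreach ($folder in $Folders) {
    foreach ($ace in (Get-Acl -LiteralPath $folder).Access) {
        $principal = Resolve-AceIdentity -Ace $ace
        if ($null -eq $principal) {
            New-ReportRow $folder $ace $ace.IdentityReference.Value 'not expanded (local, built-in, foreign or orphaned)'
        } elseif ($principal.ObjectClass -eq 'group') {
            try   { $members = @(Expand-GroupToUsers -GroupSid $principal.objectSid.Value) }
            catch { Write-Warning "Could not expand $($principal.sAMAccountName): $_"; $members = @() }
            if ($members.Count -eq 0) {
                New-ReportRow $folder $ace '(no user members)' "group $($principal.sAMAccountName)"
            }
            foreach ($u in $members) {
                New-ReportRow $folder $ace $u.SamAccountName "group $($principal.sAMAccountName)"
            }
        } else {
            New-ReportRow $folder $ace $principal.sAMAccountName 'direct'
        }
    }
}

$rows | Export-Csv -Path $OutCsv -NoTypeInformation
```

Two caveats when reading the CSV. Get-ADGroupMember returns at most 5000 members by default (the ADWS MaxGroupOrMemberEntries setting), so for very large groups read the group's `member` attribute with `Get-ADGroup -Properties member` instead. The report lists Deny and inherited ACEs in their own columns rather than computing effective access, so a user shown under an Allow ACE may still be blocked by a Deny ACE on the same folder; and BUILTIN\ or SERVER\ groups on a member server are that server's local groups, which this script reports but does not expand.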