• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 435

How can I return a list of folders with only a specific security group using PowerShell?

Recently in our company there has been a revamp in Windows security groups which is causing a nightmare with our File Server.  I need a script that I can run at the top folder that searches recursively based on a security group and returns me a list of the affected folders.  Basically, if I search for Operations I need every folder accessible to the Operations Group to be returned.  That way, before removing a user from a group I can notify the Department Head which directories the user will no longer have access to.
1 Solution
Firstly, PowerShell does not have any ACL commands for file systems.  Secondly, you can NEVER find the permissions a Group has by querying the group - you will always have to search the whole file subsystem.  Permissions are stored on files and folders as ACLs (Access Control Lists), which in turn contain SIDs which equate to AD objects.  AD does not backlink to the filesystem.

What you're going to have to do is recursively output the ACLs of every subfolder, and then filter out the specific group.  It's going to be a right pain, but this is the only way.  Something like this:

icacls * /T > acls.txt


Then, open acls.txt with a powerful notepad program - like Notepad++ and then search for the desired group(s).

Unfortunately, you will have to do this on all file servers where permissions may have been granted.  Run the command from the root of the data volumes, so that it captures everything.
You can shorten your query time by using the /findsid option.

ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
    finds all matching names that contain an ACL
    explicitly mentioning Sid.

Where Sid is the Sid of the Group in question.
Sorry for half answers here :D  Very late, and tired.

Use ADSI Edit to find the SID of the group and then run

ICACLS * /findsid *S-1-5-21-<rest-of-group-SID> /T
REM icacls wants a numeric SID prefixed with "*"; a friendly name works too: /findsid DOMAIN\Operations

Brent Challis, Principal: IT, commented:
If your interest is simply in the presence of the group on the ACL, rather than the specific access granted, the filter function listed here: checks for names on the ACLs.

If you pass a collection of objects (dir -recurse, for example) to the filter and provide the name you are looking for, the collection that comes out the other side should be the ones that have the name you specify either as the owner or in the discretionary ACL.

The script should also work for registry keys.
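Both the icacls dump above and the Get-Acl filter Brent describes boil down to the same task: walk every folder under the share root and keep the ones whose ACL explicitly mentions the group, as an owner or as an access rule. The script below is an added example, not code from either answer or from any product; it uses Get-Acl (Microsoft.PowerShell.Security, the cmdlet that does exist for file-system and registry ACLs) and compares SIDs rather than names, so it keeps working after the group has been renamed. The script name, the CONTOSO domain, the group name and the share path in the usage line are placeholders; -Group accepts either "DOMAIN\Name" or a SID string.

```powershell
<#
Find-GroupFolders.ps1  (added example, not from the original posts)
Lists every folder under -Path whose ACL explicitly mentions -Group, either as
the owner or as an Allow/Deny access rule. Assumes the account running it can
read permissions on the tree; folders it cannot read are reported, not skipped
silently.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Path,
    [Parameter(Mandatory)] [string] $Group,     # "CONTOSO\Operations" or "S-1-5-21-..."
    [switch] $IncludeInherited,                 # also report ACEs inherited from a parent
    [string] $OutCsv                            # optional CSV report for the department head
)

$sidType = [System.Security.Principal.SecurityIdentifier]

function ConvertTo-Sid {
    param([string] $Account)
    if ($Account -match '^S-1-\d+(-\d+)+$') {
        return [System.Security.Principal.SecurityIdentifier] $Account
    }
    # Resolve DOMAIN\Name once, up front, instead of translating every ACE.
    return ([System.Security.Principal.NTAccount] $Account).Translate($sidType)
}

$targetSid = (ConvertTo-Sid $Group).Value

# The root plus every subfolder. Access-denied folders go into $scanErrors
# instead of aborting the scan (-Force includes hidden folders).
$folders = @(Get-Item -LiteralPath $Path) +
           @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force `
                 -ErrorAction SilentlyContinue -ErrorVariable scanErrors)

$hits = foreach ($folder in $folders) {
    try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
    catch { $scanErrors += $_; continue }

    # Owner check: asking for SecurityIdentifier avoids a name lookup per folder.
    if ($acl.GetOwner($sidType).Value -eq $targetSid) {
        [pscustomobject]@{ Path = $folder.FullName; Entry = 'Owner'
                           Rights = ''; Type = ''; Inherited = $false }
    }

    # Access rules: explicit ACEs only unless -IncludeInherited was given, which
    # matches what icacls /findsid reports ("explicitly mentioning Sid").
    foreach ($rule in $acl.GetAccessRules($true, $IncludeInherited.IsPresent, $sidType)) {
        if ($rule.IdentityReference.Value -ne $targetSid) { continue }
        [pscustomobject]@{
            Path      = $folder.FullName
            Entry     = 'ACE'
            Rights    = $rule.FileSystemRights.ToString()   # e.g. Modify, ReadAndExecute
            Type      = $rule.AccessControlType.ToString()  # Allow or Deny
            Inherited = $rule.IsInherited
        }
    }
}

if ($scanErrors.Count -gt 0) {
    Write-Warning "$($scanErrors.Count) folder(s) could not be read; an unreadable subtree is not a clean one."
}
if ($OutCsv) { $hits | Export-Csv -LiteralPath $OutCsv -NoTypeInformation }
$hits

# Usage (placeholder names):
#   .\Find-GroupFolders.ps1 -Path D:\Shares -Group 'CONTOSO\Operations' -OutCsv .\operations-folders.csv
```

Two caveats worth keeping in mind when handing the CSV to a department head. First, as the answer says, this only finds folders whose ACL names the group itself: access the group gets through a nested group, or through broad principals such as Authenticated Users, will not show up, so the report is a lower bound on what the user loses. Second, Deny entries are listed too; removing a user from a group can grant access rather than remove it if the group carried a Deny. On a very large tree, Get-Acl per folder is noticeably slower than icacls /findsid; the trade is the structured Rights/Type/Inherited output you get here.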