How can I return a list of folders with only a specific security group using PowerShell?

Posted on 2011-10-24
Last Modified: 2012-06-27
Recently in our company there has been a revamp in Windows security groups which is causing a nightmare with our File Server.  I need a script that I can run at the top folder that searches recursively based on a security group and returns me a list of the affected folders.  Basically if I search for Operations I need every folder accessible to the Operations Group to be returned.  That way before removing a user from a group I can notify the Department Head which directories the user will no longer have access to.
Question by:chrisjmccrum
    LVL 17

    Expert Comment

    Firstly, Powershell does not have any ACL commands for file systems.  Secondly, you can NEVER find the permissions a Group has by querying the group - you will always have to search the whole file subsystem.  Permissions are stored on files and folders as ACLs (Access Control Lists), which in turn return SIDs which equate to AD Objects.  AD does not backlink to the filesystem.

    What you're going to have to do is recursively output the ACLs of every subfolder, and then filter out the specific group.  It's going to be a right pain, but this is the only way.  Something like this:

    icacls * /T > acls.txt


    Then, open acls.txt with a powerful notepad program - like Notepad++ and then search for the desired group(s).

    Unfortunately, you will have to do this on all file servers where permissions may have been granted.  Run the command from the root of the data volumes, so that it captures everything.
    LVL 17

    Expert Comment

    You can shorten your query time by using the /findsid option.

    ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
        finds all matching names that contain an ACL
        explicitly mentioning Sid.

    Where Sid is the Sid of the Group in question.
    LVL 17

    Accepted Solution

    Sorry for half answers here :D  Very late, and tired.

    Use ADSI Edit to find the SID of the group and then run

    ICACLS * /findsid {Your-Sid-Goes-Here-With-Curly-Brackets} /T

    LVL 8

    Expert Comment

    If your interest is simply on the presence of the group on the ACL, rather than the specific access granted, the filter function listed here:
    checks for names on the ACLs.

    If you pass in a collection of objects (dir -recurse) for example, to the filter and provide the name you are looking for, the collection that comes out the other side should be ones with the name you specify as either the owner or the name is on the discretionary ACLs.

    The script should also work for registry keys.
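    An added example (not code posted in this thread) that does in PowerShell what the first comment describes with icacls and what the last comment's filter does: walk the tree, read each folder's ACL and keep the folders where the group is the owner or is named on the DACL. It matches on SID, as /findsid does, so a renamed group or an orphaned SID still matches. DOMAIN\Group, D:\Shares and the function name are placeholders, and the caller is assumed to be able to read each folder's security descriptor.

```powershell
# Added example, not code from the thread. Lists every folder under $Path whose
# DACL names the given group (or which the group owns), comparing on SID the way
# icacls /findsid does. Assumes the caller can read each folder's security
# descriptor; the group and path values used below are placeholders.
function Find-FoldersGrantedToGroup {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $Group,   # 'DOMAIN\Group' or an 'S-1-5-...' SID string
        [switch] $IncludeInherited                      # also report ACEs inherited from a parent
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    if ($Group -match '^S-1-') {
        $targetSid = New-Object System.Security.Principal.SecurityIdentifier($Group)
    } else {
        # Resolve DOMAIN\Group to its SID once instead of resolving every ACE by name.
        $targetSid = (New-Object System.Security.Principal.NTAccount($Group)).Translate($sidType)
    }

    # PSIsContainer filter keeps this working on PowerShell 2.0 (no -Directory switch yet).
    Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $folder = $_
            try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
            catch { Write-Warning "Cannot read ACL on $($folder.FullName): $_"; return }

            # Owner is reported too: an owner can always rewrite the DACL.
            if ($acl.GetOwner($sidType).Value -eq $targetSid.Value) {
                New-Object PSObject -Property @{ Folder = $folder.FullName; Rights = '(Owner)'; Type = 'Owner'; Inherited = $false }
            }
            # GetAccessRules(includeExplicit, includeInherited, identityType) hands back
            # ACEs with SID identities, so no per-ACE name lookup is needed.
            foreach ($ace in $acl.GetAccessRules($true, [bool]$IncludeInherited, $sidType)) {
                if ($ace.IdentityReference.Value -ne $targetSid.Value) { continue }
                New-Object PSObject -Property @{
                    Folder    = $folder.FullName
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType   # Allow or Deny: a Deny entry is not access
                    Inherited = $ace.IsInherited
                }
            }
        }
}

# Usage with placeholder values:
# Find-FoldersGrantedToGroup -Path 'D:\Shares' -Group 'CONTOSO\Operations' |
#     Sort-Object Folder | Format-Table Folder, Rights, Type, Inherited -AutoSize
```

    Only entries that name the group itself are reported: access the group gets through a nested group, Everyone or Authenticated Users will not show up, so read the output as "explicitly granted" rather than "effective access". Deny entries come back with Type = Deny and should be read as the opposite of access.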
