How can I return a list of folders with only a specific security group using PowerShell?

Posted on 2011-10-24
Medium Priority
Last Modified: 2012-06-27
Recently in our company there has been a revamp in Windows security groups which is causing a nightmare with our File Server.  I need a script that I can run at the top folder that searches recursively based on a security group and returns me a list of the affected folders.  Basically if I search for Operations I need every folder accessible to the Operations Group to be returned.  That way before removing a user from a group I can notify the Department Head which directories the user will no longer have access to.
Question by:chrisjmccrum
LVL 18

Expert Comment

ID: 37021670
Firstly, Powershell does not have any ACL commands for file systems.  Secondly, you can NEVER find the permissions a Group has by querying the group - you will always have to search the whole file subsystem.  Permissions are stored on files and folders as ACLs (Access Control Lists), which in turn return SIDs which equate to AD Objects.  AD does not backlink to the filesystem.

What you're going to have to do is recursively output the ACLs of every subfolder, and then filter out the specific group.  It's going to be a right pain, but this is the only way.  Something like this:

icacls * /T > acls.txt


Then, open acls.txt with a powerful notepad program - like Notepad++ and then search for the desired group(s).

Unfortunately, you will have to do this on all file servers where permissions may have been granted.  Run the command from the root of the data volumes, so that it captures everything.
LVL 18

Expert Comment

ID: 37021691
You can shorten your query time by using the /findsid option.

ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
    finds all matching names that contain an ACL
    explicitly mentioning Sid.

Where Sid is the Sid of the Group in question.
LVL 18

Accepted Solution

LesterClayton earned 2000 total points
ID: 37021696
Sorry for half answers here :D  Very late, and tired.

Use ADSI Edit to find the SID of the group and then run

ICACLS * /findsid {Your-Sid-Goes-Here-With-Curly-Brackets} /T


Expert Comment

by:Brent Challis
ID: 37054495
If your interest is simply on the presence of the group on the ACL, rather than the specific access granted, the filter function listed here:
checks for names on the ACLs.

If you pass in a collection of objects (dir -recurse) for example, to the filter and provide the name you are looking for, the collection that comes out the other side should be ones with the name you specify as either the owner or the name is on the discretionary ACLs.

The script should also work for registry keys.
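A PowerShell implementation of the approach discussed in this thread (an added example, not code from any of the posters): it walks the folder tree, reads each folder's DACL with Get-Acl, and reports folders where the group appears as owner or in an explicit ACE, matching by SID so renamed accounts still hit. The function name, the CONTOSO\Operations group and the D:\Data path are placeholders.

```powershell
# Added example (not from the thread). Lists folders under $Path whose DACL
# explicitly names $Group (account name or SID string). Needs PowerShell 3+.
function Find-FolderByGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Group,   # 'CONTOSO\Operations' or 'S-1-5-21-...'
        [switch] $IncludeInherited                # default: explicit ACEs only, like icacls /findsid
    )

    # Resolve the group to a SID once; comparing SIDs avoids name/alias mismatches.
    try {
        $target = if ($Group -match '^S-1-') {
            New-Object System.Security.Principal.SecurityIdentifier($Group)
        } else {
            (New-Object System.Security.Principal.NTAccount($Group)).Translate(
                [System.Security.Principal.SecurityIdentifier])
        }
    } catch {
        throw "Cannot resolve '$Group' to a SID: $_"
    }

    Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # access denied on this folder; skip it

            # Report ownership separately; an owner can always re-grant itself access.
            if ($acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value -eq $target.Value) {
                [pscustomobject]@{ Folder = $_.FullName; Type = 'Owner'; Rights = 'N/A'; Inherited = $false }
            }

            # GetAccessRules(includeExplicit, includeInherited, targetType)
            $rules = $acl.GetAccessRules($true, $IncludeInherited.IsPresent,
                         [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                if ($ace.IdentityReference.Value -eq $target.Value) {
                    [pscustomobject]@{
                        Folder    = $_.FullName
                        Type      = $ace.AccessControlType   # Allow or Deny
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# Placeholder usage: Find-FolderByGroup -Path 'D:\Data' -Group 'CONTOSO\Operations' |
#   Export-Csv .\operations-folders.csv -NoTypeInformation
```

Run it once per file server, from the root of each data volume, as the thread advises; Deny ACEs are listed too, so check the Type column before reporting a folder as "accessible".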
