Solved

list group members when looking at folder permissions

Posted on 2014-11-17
8
212 Views
Last Modified: 2015-01-12
Hi,  

I need to do a permissions audit on some file servers, going through each shared folder and reporting on which users or groups have access.  

I found the following script, which does a pretty good job of going through all the folders and listing which users and groups have access:

function Get-PathPermissions {

# Lists every ACE on $Path itself, then only the explicit (non-inherited) ACEs
# on each subfolder beneath it. Each ACE is tagged with the folder it came from.
param ( [Parameter(Mandatory=$true)] [System.String]${Path} )

    begin {
    # -LiteralPath so folder names containing [ ] are not treated as wildcards
    $root = Get-Item -LiteralPath $Path
    # Root folder: report all ACEs, inherited or not
    ($root | Get-Acl).Access | Add-Member -MemberType NoteProperty -Name "Path" -Value $root.FullName -PassThru
    }
    process {
    # Subfolders only (PSIsContainer); files are not audited
    $containers = Get-ChildItem -LiteralPath $Path -Recurse | ? {$_.PSIsContainer -eq $true}
    # 'break' here would abort the caller's pipeline; 'return' just ends this function
    if ($containers -eq $null) {return}
        foreach ($container in $containers)
        {
        # Only ACEs set directly on the subfolder, so inherited entries are not repeated for every level
        (Get-Acl -LiteralPath $container.FullName).Access | ? { $_.IsInherited -eq $false } | Add-Member -MemberType NoteProperty -Name "Path" -Value $container.FullName -PassThru
        }
    }
}
# The folder to audit is the first script argument, e.g. .\Get-PathPermissions.ps1 C:\Temp
Get-PathPermissions $args[0]




I can then output the result of this script to a CSV file by running the following command:

Get-PathPermissions C:\Temp | Export-Csv "C:\my folder\mycsv.csv"

What I would also like to do is list all the members of groups found and add this as a column to the csv file.  Ideally I'd like to skip listing users of the "Domain Admins" group as this group is always present and doesn't need the users listing out each time.
Question by:carbonbase
8 Comments
 
LVL 39

Expert Comment

by:footech
ID: 40457972
I don't have the time to do all this, but I think what would be required is:
 - for every result, you would need to look at the IdentityReference and see if it matches a group name, and if so then list all the members (recursively).  It'd probably be best to query both the local machine and AD for all group names and determine their members, storing the results.  Then when you check the IdentityReference, you would compare it against those stored results.  It's the only efficient way I can think of doing what you ask.

But I have to be honest, I don't see any value in the question.  Managing group membership and using those groups with NTFS permissions relieves you of the burden of having to examine permissions down to this level.
 

Author Comment

by:carbonbase
ID: 40461950
Thanks for your comment. I think it should be possible to access the IdentityReference from the "(Get-ACL $container.fullname).Access" in the script?

The script returns the IdentityReference, which is the name of a group, as in the output below. Now I think I just need to work out how to parse the group name from the IdentityReference into something like "Get-ADGroupMember". I'm just struggling to work out how to parse IdentityReference into a format "Get-ADGroupMember" can handle.

Path              : c:\temp
FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : my domain\domain group
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

Not sure I understand your comment about the question having no value.  Basically I have a bunch of users in one domain who are going to be logging in with brand new accounts in a different domain and their old accounts will be deleted; however most of their data will stay on the file server in their old domain, so I'll need to add permission for their new domain account to access the data.  

The existing permissions on the file server are a bit of a mess, so what I'm trying to do is see which users and groups have access to which folders. The script does a great job of listing out the users and groups; I just need to list the group members as well so we can start to build a new permissions structure for when the users start logging in with new domain credentials.  If I'm going about this in the wrong way and there is a more efficient way to get the job done I'd be happy to hear it.  Thanks.
 
LVL 39

Accepted Solution

by: footech (earned 500 total points)
ID: 40463486
Yes.

If you do a split of the IdentityReference value then you can just get the group name portion which could be submitted to Get-ADGroupMember.
However, if you try to submit every value in IdentityReference from each object in Access, you're going to be querying for the same name a lot.  That's why I suggest just querying for all groups and their members beforehand and storing the results.  Maybe something like
# Get-ADGroupMember -Identity accepts a DN, GUID, SID or samAccountName (not the Name attribute), so pass the DN.
# The leading comma keeps "members" an array even when the group has a single member.
$a = Get-ADGroup -Filter * | Select-Object samAccountName,@{n="members";e={,@(Get-ADGroupMember $_.DistinguishedName -Recursive | Select-Object -ExpandProperty samAccountName)}}


From the Access property, pipe to ForEach-Object, then you can look at each IdentityReference property and compare (probably use the -contains operator) to the previously stored group results.

It seems like by managing group membership you should be able to avoid all of this.  You might also check out ADMT.  I don't have any personal experience with the tool, but I think with SID history you could avoid having to mess with permissions.  Maybe I'm wrong.  You might want to actually ask a new question that describes your situation and ask how others would solve the problem.  Perhaps it'll turn out that the scripting approach is the best after all.
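The approach footech outlines (query all groups once, split the IdentityReference, look the name part up, join the members into one column, and skip Domain Admins), put together as one script. This is an added example for this thread, not footech's or carbonbase's code. It assumes a domain-joined host with the ActiveDirectory (RSAT) module and PowerShell 3.0 or later; the function names `Get-GroupMemberTable`, `Split-IdentityReference` and `Get-PathPermissionsWithMembers` and the paths `C:\Temp` and `C:\my folder\mycsv.csv` are ours.

```powershell
# Added example for this thread (not footech's or carbonbase's code).
# Assumes: domain-joined host, ActiveDirectory (RSAT) module, PowerShell 3.0+
# (for Get-ChildItem -Directory and [Parameter(Mandatory)]). Function names are ours.
Import-Module ActiveDirectory

# Query every domain group once and cache its flattened membership, keyed by
# samAccountName. PowerShell hashtable keys are case-insensitive, so the lookup
# works whatever case the ACE's IdentityReference happens to use.
function Get-GroupMemberTable {
    param([string[]]$SkipGroups = @('Domain Admins'))
    $table = @{}
    foreach ($g in Get-ADGroup -Filter *) {
        if ($SkipGroups -contains $g.SamAccountName) {
            # Still recorded as a group, but its members are deliberately not listed
            $table[$g.SamAccountName] = @('<members not listed>')
            continue
        }
        # -Identity takes a DN/GUID/SID/samAccountName, so use the DN, not Name.
        # -Recursive expands nested groups down to their user objects.
        $members = @(Get-ADGroupMember -Identity $g.DistinguishedName -Recursive -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty SamAccountName)
        $table[$g.SamAccountName] = $members
    }
    return $table
}

# IdentityReference is a string such as "MYDOMAIN\Finance" or "BUILTIN\Users".
# Split on the first backslash only; an orphaned SID (S-1-5-21-...) has no
# prefix and comes back with an empty Domain part.
function Split-IdentityReference {
    param([string]$Identity)
    $parts = $Identity -split '\\', 2
    if ($parts.Count -eq 2) { return [pscustomobject]@{ Domain = $parts[0]; Name = $parts[1] } }
    return [pscustomobject]@{ Domain = ''; Name = $Identity }
}

# Same walk as the original script (all ACEs on the root, explicit ACEs only on
# subfolders) plus a Members column filled from the cached group table.
function Get-PathPermissionsWithMembers {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$GroupTable,
        # Only entries from our own domain are looked up; BUILTIN\Administrators
        # must not be confused with the domain's Administrators group.
        [string]$DomainNetBIOSName = (Get-ADDomain).NetBIOSName
    )
    $root = Get-Item -LiteralPath $Path
    $subfolders = @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue -ErrorVariable walkErr)
    # An audit must not silently skip folders it could not enumerate
    foreach ($e in $walkErr) { Write-Warning "Skipped: $($e.TargetObject) ($($e.Exception.Message))" }

    foreach ($item in (@($root) + $subfolders)) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue -ErrorVariable aclErr
        if ($aclErr) { Write-Warning "No ACL read for $($item.FullName): $($aclErr[0].Exception.Message)"; continue }
        foreach ($ace in $acl.Access) {
            if ($item.FullName -ne $root.FullName -and $ace.IsInherited) { continue }
            $id = Split-IdentityReference -Identity $ace.IdentityReference.Value
            $isGroup = ($id.Domain -eq $DomainNetBIOSName) -and $GroupTable.ContainsKey($id.Name)
            # -join turns the member array into one comma-separated CSV cell
            $members = if ($isGroup) { $GroupTable[$id.Name] -join ',' } else { '' }
            [pscustomobject]@{
                Path              = $item.FullName
                IdentityReference = $ace.IdentityReference.Value
                IsDomainGroup     = $isGroup
                FileSystemRights  = $ace.FileSystemRights
                AccessControlType = $ace.AccessControlType
                IsInherited       = $ace.IsInherited
                Members           = $members
            }
        }
    }
}

$groups = Get-GroupMemberTable -SkipGroups 'Domain Admins'
Get-PathPermissionsWithMembers -Path 'C:\Temp' -GroupTable $groups |
    Export-Csv -Path 'C:\my folder\mycsv.csv' -NoTypeInformation
```

Two caveats for an audit like this. Get-ADGroupMember -Recursive only expands objects in the queried domain; members that are foreign security principals from a trusted domain (exactly the cross-domain case in this thread) are returned as their SID or dropped, so groups whose membership comes from the other domain need to be checked there. And the Write-Warning lines matter: a folder the auditing account cannot read is a finding in its own right, not something to leave out of the CSV quietly.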

 

Author Comment

by:carbonbase
ID: 40464728
Good suggestion regarding ADMT; I can look into how easy it would be to create a mapping file between the user accounts in the old domain and the accounts in the new domain, as they were created before my time and the user names don't match.

I think the script is still useful from a permissions audit perspective, as the permissions that exist at the moment are not optimal and there is a desire to create a new permissions structure in the new domain.  I'll try your coding suggestion above.
 

Author Comment

by:carbonbase
ID: 40493604
I think I'm almost there with the script, your code above:

# Get-ADGroupMember -Identity accepts a DN, GUID, SID or samAccountName (not the Name attribute), so pass the DN.
$a = Get-ADGroup -Filter * | Select-Object samAccountName,@{n="members";e={,@(Get-ADGroupMember $_.DistinguishedName -Recursive | Select-Object -ExpandProperty samAccountName)}}




Returns group members (samAccountName) as a list separated by spaces. Is it possible to return a list of group members separated by commas?
 
LVL 39

Assisted Solution

by: footech (earned 500 total points)
ID: 40496480
Actually it returns an object array.  Each element of the array has two properties: samAccountName (of the group, which is a string), and members (which is an array of strings).  You can use the -join operator with a string array if you want to combine all the elements.  However, a string array is great to use with -contains.  For example:
# -contains tests whether a collection holds the value; it is case-insensitive
$a = "joe","bob","john"
($a -contains "joe")
# -join combines the elements into one string using the given separator
($a -join ",")

 

Author Closing Comment

by:carbonbase
ID: 40543953
Thanks for your help on this.