Avatar of carbonbase
carbonbase
Flag for United Kingdom of Great Britain and Northern Ireland asked on

list group members when looking at folder permissions

Hi,  

I need to do a permissions audit on some file servers, going through each shared folder and reporting on which users or groups have access.  

I found the following script which does a pretty good job of going through all the folders and listing which users and groups have access,

function Get-PathPermissions {
 
param ( [Parameter(Mandatory=$true)] [System.String]${Path} )
 
    begin {
    $root = Get-Item $Path
    ($root | get-acl).Access | Add-Member -MemberType NoteProperty -Name "Path" -Value $($root.fullname).ToString() -PassThru
    }
    process {
    $containers = Get-ChildItem -path $Path -recurse | ? {$_.psIscontainer -eq $true}
    if ($containers -eq $null) {break}
        foreach ($container in $containers)
        {
        (Get-ACL $container.fullname).Access | ? { $_.IsInherited -eq $false } | Add-Member -MemberType NoteProperty -Name "Path" -Value $($container.fullname).ToString() -PassThru
        }
    }
}
Get-PathPermissions $args[0]

Open in new window



I can then output the result of this script to a CSV file by running the following command:

Get-PathPermissions C:\Temp | Export-Csv "C:\my folder\mycsv.csv"

What I would also like to do is list all the members of groups found and add this as a column to the csv file.  Ideally I'd like to skip listing users of the "Domain Admins" group as this group is always present and doesn't need the users listing out each time.
PowershellScripting LanguagesMicrosoft Server OS

Avatar of undefined
Last Comment
carbonbase

8/22/2022 - Mon
footech

I don't have the time to do all this, but I think what would be required is:
 - for every result, you would need to look at the IdentityReference and see if it matches a group name, and if so then list all the members (recursively).  It'd probably be best to query both the local machine and AD for all group names and determine their members, storing the results.  Then when you check the IdentityReference, you would compare it against those stored results.  It's the only efficient way I can think of doing what you ask.

But I have to be honest, I don't see any value in the question.  Managing group membership and using those groups with NTFS permissions relieves you of the burden of having to examine permissions down to this level.
carbonbase

ASKER
Thanks for your comment, I think it should be possible to access the IdentityReference  from the "(Get-ACL $container.fullname).Access" in the script?

The script returns the IdentityReference which is the name of a group, as in the output below, now I think I just need to work out how to parse the group name from the IdentityReference to something like "Get-ADGroupMember".  I'm just struggling to work out how to parse IdentityReference in a format "Get-ADGroupMember" can handle.

Path              : c:\temp
FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : my domain\domain group
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

Not sure I understand your comment about the question having no value.  Basically I have a bunch of users in one domain who are going to be logging in with brand new accounts in a different domain and their old accounts will be deleted; however most of their data will stay on the file server in their old domain, so I'll need to add permission for their new domain account to access the the data.  

The existing permissions on the file server are a bit of a mess so what I'm trying to do is see which users and group groups have access to which folders, the script does a great job of listing out the users and groups, just need to list the group members as well so we can start to build a new permissions structure for when the users start logging in with new domain credentials.  If i'm going about this in the wrong way and their is a more efficient way to get the job done I'd be happy to here it.  Thanks.
ASKER CERTIFIED SOLUTION
footech

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
carbonbase

ASKER
Good suggestion regarding ADMT, I can look into how easy it would be to create a mapping file between the user account in the old domain and the accounts in the new domain as they were created before my time and the user names don't match.

I think the script is still useful from a permissions audit perspective, as the permissions that exist at the moment are not optimal and there is a desire to create a new permissions structure in the new domain.  I'll try your coding suggestion above.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
carbonbase

ASKER
I think I'm almost there with the script, your code above:

$a = get-adgroup -filter * | select samAccountName,@{n="members";e={,@(Get-ADGroupMember $_.name -Recursive | Select -expand samAccountName)}}

Open in new window



Returns group members (samAccountName) as list separated by a space, is it possible to return a list of group members separated by comma's?
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
carbonbase

ASKER
Thanks for your help on this.