Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 465
  • Last Modified:

list group members when looking at folder permissions

Hi,  

I need to do a permissions audit on some file servers, going through each shared folder and reporting on which users or groups have access.  

I found the following script which does a pretty good job of going through all the folders and listing which users and groups have access,

function Get-PathPermissions {
 
param ( [Parameter(Mandatory=$true)] [System.String]${Path} )
 
    begin {
    $root = Get-Item $Path
    ($root | get-acl).Access | Add-Member -MemberType NoteProperty -Name "Path" -Value $($root.fullname).ToString() -PassThru
    }
    process {
    $containers = Get-ChildItem -path $Path -recurse | ? {$_.psIscontainer -eq $true}
    if ($containers -eq $null) {break}
        foreach ($container in $containers)
        {
        (Get-ACL $container.fullname).Access | ? { $_.IsInherited -eq $false } | Add-Member -MemberType NoteProperty -Name "Path" -Value $($container.fullname).ToString() -PassThru
        }
    }
}
Get-PathPermissions $args[0]

Open in new window



I can then output the result of this script to a CSV file by running the following command:

Get-PathPermissions C:\Temp | Export-Csv "C:\my folder\mycsv.csv"

What I would also like to do is list all the members of groups found and add this as a column to the csv file.  Ideally I'd like to skip listing users of the "Domain Admins" group as this group is always present and doesn't need the users listing out each time.
0
carbonbase
Asked:
carbonbase
  • 4
  • 3
2 Solutions
 
footechCommented:
I don't have the time to do all this, but I think what would be required is:
 - for every result, you would need to look at the IdentityReference and see if it matches a group name, and if so then list all the members (recursively).  It'd probably be best to query both the local machine and AD for all group names and determine their members, storing the results.  Then when you check the IdentityReference, you would compare it against those stored results.  It's the only efficient way I can think of doing what you ask.

But I have to be honest, I don't see any value in the question.  Managing group membership and using those groups with NTFS permissions relieves you of the burden of having to examine permissions down to this level.
0
 
carbonbaseAuthor Commented:
Thanks for your comment, I think it should be possible to access the IdentityReference  from the "(Get-ACL $container.fullname).Access" in the script?

The script returns the IdentityReference which is the name of a group, as in the output below, now I think I just need to work out how to parse the group name from the IdentityReference to something like "Get-ADGroupMember".  I'm just struggling to work out how to parse IdentityReference in a format "Get-ADGroupMember" can handle.

Path              : c:\temp
FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : my domain\domain group
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

Not sure I understand your comment about the question having no value.  Basically I have a bunch of users in one domain who are going to be logging in with brand new accounts in a different domain and their old accounts will be deleted; however most of their data will stay on the file server in their old domain, so I'll need to add permission for their new domain account to access the the data.  

The existing permissions on the file server are a bit of a mess so what I'm trying to do is see which users and group groups have access to which folders, the script does a great job of listing out the users and groups, just need to list the group members as well so we can start to build a new permissions structure for when the users start logging in with new domain credentials.  If i'm going about this in the wrong way and their is a more efficient way to get the job done I'd be happy to here it.  Thanks.
0
 
footechCommented:
Yes.

If you do a split of the IdentityReference value then you can just get the group name portion which could be submitted to Get-ADGroupMember.
However, if you try to submit every value in IdentityReference from each object in Access, you're going to be querying for the same name a lot.  That's why I suggest just querying for all groups and their members beforehand and storing the results.  Maybe something like
$a = get-adgroup -filter * | select samAccountName,@{n="members";e={,@(Get-ADGroupMember $_.name -Recursive | Select -expand samAccountName)}}

Open in new window

From the Access property, pipe to ForEach-Object, then you can look at each IdentityReference property and compare (probably use the -contains operator) to the previously stored group results.

It seems like by managing group membership you should be able to avoid all of this.  You might also check out ADMT.  I don't have any personal experience with the tool, but I think with SID history you could avoid having to mess with permissions.  Maybe I'm wrong.  You might want to actually ask a new question that describes your situation and ask how others would solve the problem.  Perhaps it'll turn out that the scripting approach is the best after all.
0
Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

 
carbonbaseAuthor Commented:
Good suggestion regarding ADMT, I can look into how easy it would be to create a mapping file between the user account in the old domain and the accounts in the new domain as they were created before my time and the user names don't match.

I think the script is still useful from a permissions audit perspective, as the permissions that exist at the moment are not optimal and there is a desire to create a new permissions structure in the new domain.  I'll try your coding suggestion above.
0
 
carbonbaseAuthor Commented:
I think I'm almost there with the script, your code above:

$a = get-adgroup -filter * | select samAccountName,@{n="members";e={,@(Get-ADGroupMember $_.name -Recursive | Select -expand samAccountName)}}

Open in new window



Returns group members (samAccountName) as list separated by a space, is it possible to return a list of group members separated by comma's?
0
 
footechCommented:
Actually it returns an object array.  Each element of the array has two properties; samAccountName (of the group which is a string), and members (which is an array of strings).  You can use the -join operator with a string array if you want to combine all the elements.  However, an string array is great to use with -contains.  For example:
$a = "joe","bob","john"
($a -contains "joe")

Open in new window

0
 
carbonbaseAuthor Commented:
Thanks for your help on this.
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now