Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

list group members when looking at folder permissions

Posted on 2014-11-17
8
Medium Priority
?
367 Views
Last Modified: 2015-01-12
Hi,  

I need to do a permissions audit on some file servers, going through each shared folder and reporting on which users or groups have access.  

I found the following script which does a pretty good job of going through all the folders and listing which users and groups have access,

function Get-PathPermissions {
 
param ( [Parameter(Mandatory=$true)] [System.String]${Path} )
 
    begin {
    $root = Get-Item $Path
    ($root | get-acl).Access | Add-Member -MemberType NoteProperty -Name "Path" -Value $($root.fullname).ToString() -PassThru
    }
    process {
    $containers = Get-ChildItem -path $Path -recurse | ? {$_.psIscontainer -eq $true}
    if ($containers -eq $null) {break}
        foreach ($container in $containers)
        {
        (Get-ACL $container.fullname).Access | ? { $_.IsInherited -eq $false } | Add-Member -MemberType NoteProperty -Name "Path" -Value $($container.fullname).ToString() -PassThru
        }
    }
}
Get-PathPermissions $args[0]

Open in new window



I can then output the result of this script to a CSV file by running the following command:

Get-PathPermissions C:\Temp | Export-Csv "C:\my folder\mycsv.csv"

What I would also like to do is list all the members of groups found and add this as a column to the csv file.  Ideally I'd like to skip listing users of the "Domain Admins" group as this group is always present and doesn't need the users listing out each time.
0
Comment
Question by:carbonbase
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 41

Expert Comment

by:footech
ID: 40457972
I don't have the time to do all this, but I think what would be required is:
 - for every result, you would need to look at the IdentityReference and see if it matches a group name, and if so then list all the members (recursively).  It'd probably be best to query both the local machine and AD for all group names and determine their members, storing the results.  Then when you check the IdentityReference, you would compare it against those stored results.  It's the only efficient way I can think of doing what you ask.

But I have to be honest, I don't see any value in the question.  Managing group membership and using those groups with NTFS permissions relieves you of the burden of having to examine permissions down to this level.
0
 

Author Comment

by:carbonbase
ID: 40461950
Thanks for your comment, I think it should be possible to access the IdentityReference  from the "(Get-ACL $container.fullname).Access" in the script?

The script returns the IdentityReference which is the name of a group, as in the output below, now I think I just need to work out how to parse the group name from the IdentityReference to something like "Get-ADGroupMember".  I'm just struggling to work out how to parse IdentityReference in a format "Get-ADGroupMember" can handle.

Path              : c:\temp
FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : my domain\domain group
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

Not sure I understand your comment about the question having no value.  Basically I have a bunch of users in one domain who are going to be logging in with brand new accounts in a different domain and their old accounts will be deleted; however most of their data will stay on the file server in their old domain, so I'll need to add permission for their new domain account to access the the data.  

The existing permissions on the file server are a bit of a mess so what I'm trying to do is see which users and group groups have access to which folders, the script does a great job of listing out the users and groups, just need to list the group members as well so we can start to build a new permissions structure for when the users start logging in with new domain credentials.  If i'm going about this in the wrong way and their is a more efficient way to get the job done I'd be happy to here it.  Thanks.
0
 
LVL 41

Accepted Solution

by:
footech earned 1500 total points
ID: 40463486
Yes.

If you do a split of the IdentityReference value then you can just get the group name portion which could be submitted to Get-ADGroupMember.
However, if you try to submit every value in IdentityReference from each object in Access, you're going to be querying for the same name a lot.  That's why I suggest just querying for all groups and their members beforehand and storing the results.  Maybe something like
$a = get-adgroup -filter * | select samAccountName,@{n="members";e={,@(Get-ADGroupMember $_.name -Recursive | Select -expand samAccountName)}}

Open in new window

From the Access property, pipe to ForEach-Object, then you can look at each IdentityReference property and compare (probably use the -contains operator) to the previously stored group results.

It seems like by managing group membership you should be able to avoid all of this.  You might also check out ADMT.  I don't have any personal experience with the tool, but I think with SID history you could avoid having to mess with permissions.  Maybe I'm wrong.  You might want to actually ask a new question that describes your situation and ask how others would solve the problem.  Perhaps it'll turn out that the scripting approach is the best after all.
0
Application Discovery Service in AWS

In the era of the cloud, customers migrating away from their existing on-premise infrastructure. This requires lots of planning, strategies, and effort to identify their existing resources and determine how best to migrate.  Datacenter migrations happen in four phases -

 

Author Comment

by:carbonbase
ID: 40464728
Good suggestion regarding ADMT, I can look into how easy it would be to create a mapping file between the user account in the old domain and the accounts in the new domain as they were created before my time and the user names don't match.

I think the script is still useful from a permissions audit perspective, as the permissions that exist at the moment are not optimal and there is a desire to create a new permissions structure in the new domain.  I'll try your coding suggestion above.
0
 

Author Comment

by:carbonbase
ID: 40493604
I think I'm almost there with the script, your code above:

$a = get-adgroup -filter * | select samAccountName,@{n="members";e={,@(Get-ADGroupMember $_.name -Recursive | Select -expand samAccountName)}}

Open in new window



Returns group members (samAccountName) as list separated by a space, is it possible to return a list of group members separated by comma's?
0
 
LVL 41

Assisted Solution

by:footech
footech earned 1500 total points
ID: 40496480
Actually it returns an object array.  Each element of the array has two properties; samAccountName (of the group which is a string), and members (which is an array of strings).  You can use the -join operator with a string array if you want to combine all the elements.  However, an string array is great to use with -contains.  For example:
$a = "joe","bob","john"
($a -contains "joe")

Open in new window

0
 

Author Closing Comment

by:carbonbase
ID: 40543953
Thanks for your help on this.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes.  We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
Learn the basics of strings in Python: declaration, operations, indices, and slicing. Strings are declared with quotations; for example: s = "string": Strings are immutable.: Strings may be concatenated or multiplied using the addition and multiplic…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

661 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question