Solved

list group members when looking at folder permissions

Posted on 2014-11-17
Last Modified: 2015-01-12

Hi,  

I need to do a permissions audit on some file servers, going through each shared folder and reporting on which users or groups have access.  

I found the following script which does a pretty good job of going through all the folders and listing which users and groups have access,

function Get-PathPermissions {
 
param ( [Parameter(Mandatory=$true)] [System.String]${Path} )
 
    begin {
    # Root folder: report every ACE (inherited or not), tagged with its path
    $root = Get-Item $Path
    ($root | Get-Acl).Access | Add-Member -MemberType NoteProperty -Name "Path" -Value $($root.FullName).ToString() -PassThru
    }
    process {
    # Subfolders: only explicit (non-inherited) ACEs are reported, so inherited
    # permissions are listed once, at the folder that defines them
    $containers = Get-ChildItem -Path $Path -Recurse | ? {$_.PSIsContainer -eq $true}
    # 'break' here is not inside a loop, so it would abort the whole pipeline;
    # 'return' just ends this function's output. $null on the left avoids
    # array-filtering semantics when $containers holds several items.
    if ($null -eq $containers) {return}
        foreach ($container in $containers)
        {
        (Get-Acl $container.FullName).Access | ? { $_.IsInherited -eq $false } | Add-Member -MemberType NoteProperty -Name "Path" -Value $($container.FullName).ToString() -PassThru
        }
    }
}
Get-PathPermissions $args[0]

I can then output the result of this script to a CSV file by running the following command:

Get-PathPermissions C:\Temp | Export-Csv "C:\my folder\mycsv.csv"

What I would also like to do is list all the members of groups found and add this as a column to the csv file.  Ideally I'd like to skip listing users of the "Domain Admins" group as this group is always present and doesn't need the users listing out each time.
Question by:carbonbase

Expert Comment

by:footech
ID: 40457972
I don't have the time to do all this, but I think what would be required is:
 - for every result, you would need to look at the IdentityReference and see if it matches a group name, and if so then list all the members (recursively).  It'd probably be best to query both the local machine and AD for all group names and determine their members, storing the results.  Then when you check the IdentityReference, you would compare it against those stored results.  It's the only efficient way I can think of doing what you ask.

But I have to be honest, I don't see any value in the question.  Managing group membership and using those groups with NTFS permissions relieves you of the burden of having to examine permissions down to this level.

Author Comment

by:carbonbase
ID: 40461950
Thanks for your comment, I think it should be possible to access the IdentityReference from the "(Get-ACL $container.fullname).Access" in the script?

The script returns the IdentityReference which is the name of a group, as in the output below, now I think I just need to work out how to parse the group name from the IdentityReference to something like "Get-ADGroupMember".  I'm just struggling to work out how to parse IdentityReference in a format "Get-ADGroupMember" can handle.

Path              : c:\temp
FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : my domain\domain group
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

Not sure I understand your comment about the question having no value.  Basically I have a bunch of users in one domain who are going to be logging in with brand new accounts in a different domain and their old accounts will be deleted; however most of their data will stay on the file server in their old domain, so I'll need to add permission for their new domain account to access the data.

The existing permissions on the file server are a bit of a mess so what I'm trying to do is see which users and groups have access to which folders, the script does a great job of listing out the users and groups, just need to list the group members as well so we can start to build a new permissions structure for when the users start logging in with new domain credentials.  If I'm going about this in the wrong way and there is a more efficient way to get the job done I'd be happy to hear it.  Thanks.
Accepted Solution

by:footech (earned 500 total points)
ID: 40463486
Yes.

If you do a split of the IdentityReference value then you can just get the group name portion which could be submitted to Get-ADGroupMember.
However, if you try to submit every value in IdentityReference from each object in Access, you're going to be querying for the same name a lot.  That's why I suggest just querying for all groups and their members beforehand and storing the results.  Maybe something like
# -Identity is given the group's DistinguishedName: Get-ADGroupMember accepts DN, GUID, SID
# or samAccountName, and a group's Name (CN) is not guaranteed to match any of those
$a = get-adgroup -filter * | select samAccountName,@{n="members";e={,@(Get-ADGroupMember -Identity $_.DistinguishedName -Recursive | Select -expand samAccountName)}}


From the Access property, pipe to ForEach-Object, then you can look at each IdentityReference property and compare (probably use the -contains operator) to the previously stored group results.

It seems like by managing group membership you should be able to avoid all of this.  You might also check out ADMT.  I don't have any personal experience with the tool, but I think with SID history you could avoid having to mess with permissions.  Maybe I'm wrong.  You might want to actually ask a new question that describes your situation and ask how others would solve the problem.  Perhaps it'll turn out that the scripting approach is the best after all.

Author Comment

by:carbonbase
ID: 40464728
Good suggestion regarding ADMT, I can look into how easy it would be to create a mapping file between the user account in the old domain and the accounts in the new domain as they were created before my time and the user names don't match.

I think the script is still useful from a permissions audit perspective, as the permissions that exist at the moment are not optimal and there is a desire to create a new permissions structure in the new domain.  I'll try your coding suggestion above.

Author Comment

by:carbonbase
ID: 40493604
I think I'm almost there with the script, your code above:

# -Identity is given the group's DistinguishedName: Get-ADGroupMember accepts DN, GUID, SID
# or samAccountName, and a group's Name (CN) is not guaranteed to match any of those
$a = get-adgroup -filter * | select samAccountName,@{n="members";e={,@(Get-ADGroupMember -Identity $_.DistinguishedName -Recursive | Select -expand samAccountName)}}

Returns group members (samAccountName) as a list separated by a space, is it possible to return a list of group members separated by commas?
Assisted Solution

by:footech (earned 500 total points)
ID: 40496480
Actually it returns an object array.  Each element of the array has two properties: samAccountName (of the group, which is a string), and members (which is an array of strings).  You can use the -join operator with a string array if you want to combine all the elements.  However, a string array is great to use with -contains.  For example:
$a = "joe","bob","john"
($a -contains "joe")

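Putting the two answers above together (the pre-built group table and split of IdentityReference from the accepted solution, and the -join / -contains point from the follow-up), here is a complete script as an added example. It is editor-supplied code, not code from carbonbase or footech, and it assumes the ActiveDirectory module (RSAT) is installed and a domain controller is reachable. The output path, the Members column name and the SkipGroups parameter are my own choices; it uses a hashtable keyed by samAccountName in place of the -contains scan, which gives the same result with one lookup per ACE. Members of groups from a trusted domain appear as foreign security principals and are not expanded, which matters in the cross-domain scenario described in the question.

```powershell
# Added example: folder permission audit with a comma-joined Members column
# for any trustee that is an AD group. Domain Admins is not expanded, as the
# question asked. Assumes RSAT ActiveDirectory module and a reachable DC.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$OutCsv = "C:\Temp\permissions-audit.csv",   # placeholder output path
    [string[]]$SkipGroups = @('Domain Admins')           # groups reported but not expanded
)

Import-Module ActiveDirectory

# 1. Query every group and its (recursive) membership once, as footech suggested.
#    A PowerShell hashtable is case-insensitive by default, so "domain admins"
#    and "Domain Admins" resolve to the same entry.
$groupMembers = @{}
Get-ADGroup -Filter * | ForEach-Object {
    try {
        # DistinguishedName is an identity form Get-ADGroupMember always accepts
        $members = @(Get-ADGroupMember -Identity $_.DistinguishedName -Recursive -ErrorAction Stop |
                     Select-Object -ExpandProperty SamAccountName)
    } catch {
        # Very large groups or foreign security principals can make this fail;
        # record the group with an empty list rather than stopping the audit.
        Write-Warning "Could not enumerate members of $($_.SamAccountName): $_"
        $members = @()
    }
    $groupMembers[$_.SamAccountName] = $members
}

function Get-PathPermissions {
    param([Parameter(Mandatory = $true)][string]$Path)

    $root = Get-Item -LiteralPath $Path
    $folders = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse |
                            Where-Object { $_.PSIsContainer })

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            # Same rule as the original script: every ACE on the root,
            # only explicit (non-inherited) ACEs on subfolders.
            if ($folder.FullName -ne $root.FullName -and $ace.IsInherited) { continue }

            # IdentityReference is "DOMAIN\name" (or "BUILTIN\name"); keep the name part.
            $name = ($ace.IdentityReference.Value -split '\\')[-1]

            $kind    = 'NotADGroup'   # users, local groups, well-known SIDs
            $members = ''
            if ($groupMembers.ContainsKey($name)) {
                $kind = 'Group'
                if ($SkipGroups -notcontains $name) {
                    # -join turns the string array into the comma-separated list
                    $members = $groupMembers[$name] -join ','
                } else {
                    $members = '(not expanded)'
                }
            }

            [PSCustomObject]@{
                Path              = $folder.FullName
                IdentityReference = $ace.IdentityReference.Value
                Type              = $kind
                FileSystemRights  = $ace.FileSystemRights
                AccessControlType = $ace.AccessControlType
                IsInherited       = $ace.IsInherited
                Members           = $members
            }
        }
    }
}

Get-PathPermissions -Path $Path | Export-Csv -Path $OutCsv -NoTypeInformation
```

Run it as `.\Audit-Permissions.ps1 -Path D:\Shares\Finance` (script name is a placeholder); a trustee whose name is not an AD group samAccountName is still reported, just with Type set to NotADGroup and an empty Members cell, so nothing from the ACL is silently dropped.
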

Author Closing Comment

by:carbonbase
ID: 40543953
Thanks for your help on this.