?
Solved

powershell script to get list of user have acces to folder and sub folder

Posted on 2016-10-14
4
Medium Priority
?
41 Views
Last Modified: 2016-11-06
Hi,

i need to get list off users have an acces to files under folder and subfolders
i have many different access and each of my folders have different security group
i need to get all the users of all groups with the folder name

presently i use this script but i cant get the member of each groups in same time

$OutFile = "C:\temp\Permissions.csv"
$Header = "Folder Path,IdentityReference,AccessControlType,IsInherited,InheritanceFlags,PropagationFlags"
Add-Content -Value $Header -Path $OutFile

$RootPath = "\\my root folder\"

$Folders = dir $RootPath -recurse | where {$_.psiscontainer -eq $true}

foreach ($Folder in $Folders){
      $ACLs = get-acl $Folder.fullname | ForEach-Object { $_.Access  }
      Foreach ($ACL in $ACLs){
      $OutInfo = $Folder.Fullname + "," + $ACL.IdentityReference  + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
      Add-Content -Value $OutInfo -Path $OutFile
      }
}
0
Comment
Question by:Stéphane Boisvert
  • 2
4 Comments
 
LVL 2

Expert Comment

by:amodeo
ID: 41844147
If it doesn't absolutely have to be a powershell script, netwrix makes a completely free tool that does this.  I know it doesn't directly answer your question but I have found it very helpful for this info.

https://www.netwrix.com/netwrix_effective_permissions_reporting_tool.html

-Joe
0
 
LVL 14

Accepted Solution

by:
Dustin Saunders earned 2000 total points (awarded by participants)
ID: 41844169
You could just add a recursive group check into each ACL check.

$OutFile = "C:\test\Permissions.csv"
$Header = "Folder Path,IdentityReference,AccessControlType,IsInherited,InheritanceFlags,PropagationFlags"
Add-Content -Value $Header -Path $OutFile 

$RootPath = "C:\test\"

$Folders = dir $RootPath -recurse | where {$_.psiscontainer -eq $true}

foreach ($Folder in $Folders){
      $ACLs = get-acl $Folder.fullname | ForEach-Object { $_.Access  }
      Foreach ($ACL in $ACLs)
      {
          $OutInfo = $Folder.Fullname + "," + $ACL.IdentityReference  + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
          Add-Content -Value $OutInfo -Path $OutFile

            $groupName = $acl.IdentityReference.ToString()
            $groupNameA = $groupName.Split('\')
            $groupName = $groupNameA[1]
            try 
            {
                $members = Get-ADGroupMember $groupName -Recursive
                foreach ($member in $members)
                {
                    $OutInfo = $Folder.Fullname + "," + $groupNameA[0] + "\" + $member.samaccountname  + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
                    Add-Content -Value $OutInfo -Path $OutFile
                }
            }
            catch {}

          
      }
}

Open in new window

2
 

Author Comment

by:Stéphane Boisvert
ID: 41847110
Thank you Dustin for your comment
it work perfectly
0
 
LVL 14

Expert Comment

by:Dustin Saunders
ID: 41875991
Asker confirmed solution works for them.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Screencast - Getting to Know the Pipeline

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question