Error while auditing folder permissions

I am trying to audit the permissions on a file server as a domain administrator and am getting an error for 'unauthorized operation' on some uses. When I use D:\Share\IT, I am able to get the command to run; when I use \Prod I cannot.

I am using the following in PowerShell:
Get-ChildItem D:\Share\Prod -Directory -Recurse | Get-Acl | Select-Object path,accesstostring,owner| Export-Csv C:\Temp\file.csv

I am receiving the following error:
Get-Acl : Attempted to perform an unauthorized operation.
At line:1 char:51
+ Get-ChildItem D:\Share\Prod -Directory -Recurse | Get-Acl |Select-Object  ...
    + CategoryInfo          : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand

I am logged in as a domain administrator, with PowerShell using Run As Administrator.
jjwolvenAsked:

Daniel_PLDB Expert/ArchitectCommented:
Hi,

This is the case where permissions are given to only Installer or other account, not administrators.
Please find the following code, which works fine. Please note that I'm wrapping Get-ChildItem in its own try/catch. That's because System.DirUnauthorizedAccessException is generated before this cmdlet gets its data from an item. If you want to, you can later review the errors generated by reviewing the $gciErr variable. However, they should match those caught inside with Get-Acl :)

try {
	$rootDir="D:\Share\Prod";
	#for test
	#$rootDir="C:\Windows\System32";
	$dirs=Get-ChildItem $rootDir -Directory -Recurse -ErrorAction silentlycontinue -ErrorVariable +gciErr;
} catch {
	$ErrorMessage = $_.Exception.Message
	$FailedItem = $_.Exception.ItemName
	Write-Output "[ERROR] $FailedItem :: `r`n`t`t$ErrorMessage"
	return;
}

[array]$results=$null;
foreach ($dir in $dirs)
{
	try {
		$acl=$dir | Get-Acl 
		$aclIn=$acl.Access | % {$_ | select @{Name="Path";Expression={$dir.FullName}},IdentityReference, FileSystemRights}
		$results+=$aclIn;
	} catch [System.UnauthorizedAccessException] {
		Write-Output "[WARNING] Unauthorized Access Exception::$($dir.FullName)"
	} catch {
		$ErrorMessage = $_.Exception.Message
		$FailedItem = $_.Exception.ItemName
		Write-Output "[ERROR] $FailedItem :: `r`n`t`t$ErrorMessage"
		return;
	}	
}  
$results | Export-Csv C:\Temp\file.csv -NoTypeInformation -Delimiter ";";

Edit: I've adjusted your idea to get the Access data. Since the string returned by the native method is impossible to cut easily, I read this information from the Access method. Because you're getting all data into CSV, I'm putting a row for each permission for each directory, so you can work on the results as a working set :)
Please note that the Path property has the type in its name and you implicitly defined the child items as directories, therefore I found it unusable and decided to take the FullName property of the outer object, which is a directory, not an ACL.

Regards,
Daniel
Ajit SinghCommented:
Have you followed the above suggestion?

Regarding the error, it seems like a permission issue. You can see who has which permissions on your files and folders by using this solution.

Maybe I am wrong, but in PowerShell the solution is to use a bare AccessControl object with only the Owner set and then use SetAccessControl to apply the change. Once this change has taken effect, you can then use Get-Acl & Set-Acl as normal.

Same process as using the GUI: change the ownership only, then modify as desired.

Get more details here:

https://blogs.technet.microsoft.com/josebda/2010/11/12/how-to-handle-ntfs-folder-permissions-security-descriptors-and-acls-in-powershell/

https://blogs.technet.microsoft.com/zarkatech/2012/01/14/audit-file-server-permissions-using-powershell/

https://social.technet.microsoft.com/Forums/lync/en-US/87679d43-04d5-4894-b35b-f37a6f5558cb/solved-how-to-take-ownership-and-change-permissions-for-blocked-files-and-folders-in-powershell?forum=winserverpowershell

Hope this helps!
jjwolvenAuthor Commented:
Error when I tried to run (in PowerShell As Administrator):

Export-Csv : Cannot bind argument to parameter 'InputObject' because it is null.
At C:\temp\Get-PermissionList.ps1:29 char:12
+ $results | Export-Csv C:\Temp\file.csv -NoTypeInformation -Delimiter ";";
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Export-Csv], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ExportCsvCommand
Daniel_PLDB Expert/ArchitectCommented:
Sorry, formatting went off:

try {
	$rootDir="D:\Share\Prod";
	#for test
	#$rootDir="C:\Windows\System32";
	$dirs=Get-ChildItem $rootDir -Directory -Recurse -ErrorAction silentlycontinue -ErrorVariable +gciErr;
} catch {
	$ErrorMessage = $_.Exception.Message
	$FailedItem = $_.Exception.ItemName
	Write-Output "[ERROR] $FailedItem :: `r`n`t`t$ErrorMessage"
	return;
}
[array]$results=$null;
foreach ($dir in $dirs) {
	try {
		$acl=$dir | Get-Acl 
		$aclIn=$acl.Access | % {$_ | select @{Name="Path";Expression={$dir.FullName}},IdentityReference, FileSystemRights}
		$results+=$aclIn;
	} catch [System.UnauthorizedAccessException] {
		Write-Output "[WARNING] Unauthorized Access Exception::$($dir.FullName)"
	} catch {
		$ErrorMessage = $_.Exception.Message
		$FailedItem = $_.Exception.ItemName
		Write-Output "[ERROR] $FailedItem :: `r`n`t`t$ErrorMessage"
		return;
	}	
}  
$results | Export-Csv C:\Temp\file.csv -NoTypeInformation -Delimiter ";";

jjwolvenAuthor Commented:
I am still receiving the same error.
Daniel_PLDB Expert/ArchitectCommented:
That's weird, I don't.

Permissions.jpg
jjwolvenAuthor Commented:
Ok, looks like it is showing everything but the permissions at the top level.

To just show the top level, can I go up one level (D:\Shared), then run this after removing "-Recurse"?

Is there anything else that would need to be removed?
Daniel_PLDB Expert/ArchitectCommented:
Hi,

Just include Get-Acl for rootdir before getting into subfolders.

try {
	$rootDir="D:\Share\Prod";
	#for test
	#$rootDir="C:\Windows\System32";
	#enumeration errors are suppressed here and collected in $gciErr
	$dirs=Get-ChildItem $rootDir -Directory -Recurse -ErrorAction silentlycontinue -ErrorVariable +gciErr;
} catch {
	$ErrorMessage = $_.Exception.Message
	$FailedItem = $_.Exception.ItemName
	Write-Output "[ERROR] $FailedItem :: `r`n`t`t$ErrorMessage"
	return;
}
#start with an empty array so Export-Csv is not handed $null when nothing could be read
[array]$results=@();
#get root
try {
	$acl=$rootDir | Get-Acl 
	#one row per access rule on the root folder
	$aclIn=$acl.Access | % {$_ | select @{Name="Path";Expression={$rootDir}},IdentityReference, FileSystemRights}
	$results+=$aclIn;
} catch [System.UnauthorizedAccessException] {
	Write-Output "[WARNING] Unauthorized Access Exception::$rootDir"
} catch {
	$ErrorMessage = $_.Exception.Message
	$FailedItem = $_.Exception.ItemName
	Write-Output "[ERROR] $FailedItem :: `r`n`t`t$ErrorMessage"
	return;
}
#then every subfolder that could be enumerated
foreach ($dir in $dirs) {
	try {
		$acl=$dir | Get-Acl 
		#one row per access rule, keyed by the folder's full path
		$aclIn=$acl.Access | % {$_ | select @{Name="Path";Expression={$dir.FullName}},IdentityReference, FileSystemRights}
		$results+=$aclIn;
	} catch [System.UnauthorizedAccessException] {
		#folders whose ACL cannot be read are reported and skipped
		Write-Output "[WARNING] Unauthorized Access Exception::$($dir.FullName)"
	} catch {
		$ErrorMessage = $_.Exception.Message
		$FailedItem = $_.Exception.ItemName
		Write-Output "[ERROR] $FailedItem :: `r`n`t`t$ErrorMessage"
		return;
	}	
}  
$results | Export-Csv C:\Temp\file.csv -NoTypeInformation -Delimiter ";";

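An added example, not part of the original thread or any poster's code: a variant of the audit above that writes unreadable folders into the CSV as their own rows instead of only printing a warning, so the report shows exactly which paths an administrator could not inspect. The function names (Get-FolderAclAudit, New-AclAuditRow) and the Status/Detail columns are hypothetical; the paths in the usage comment are the ones from the question.

```powershell
# Added example. Every row has the same columns so Export-Csv keeps them all,
# whichever kind of row happens to come first.
function New-AclAuditRow {
    param($Path, $Status, $Owner, $Ace, $Detail)
    [pscustomobject]@{
        Path              = $Path
        Status            = $Status          # OK | NoAces | EnumerationFailed | exception type name
        Owner             = $Owner
        IdentityReference = $Ace.IdentityReference
        AccessControlType = $Ace.AccessControlType
        FileSystemRights  = $Ace.FileSystemRights
        IsInherited       = $Ace.IsInherited
        Detail            = $Detail
    }
}

function Get-FolderAclAudit {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$RootDir)

    # Root first, then every subfolder that can be listed. Listing failures are
    # non-terminating, so they are collected in $enumErrors rather than caught.
    $enumErrors = @()
    $dirs = @(Get-Item -LiteralPath $RootDir) +
            @(Get-ChildItem -LiteralPath $RootDir -Directory -Recurse `
                -ErrorAction SilentlyContinue -ErrorVariable +enumErrors)

    foreach ($dir in $dirs) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            if (@($acl.Access).Count -eq 0) {
                # A folder with no access rules must still appear in the report.
                New-AclAuditRow -Path $dir.FullName -Status 'NoAces' -Owner $acl.Owner
            }
            foreach ($ace in $acl.Access) {
                New-AclAuditRow -Path $dir.FullName -Status 'OK' -Owner $acl.Owner -Ace $ace
            }
        } catch {
            # Typically UnauthorizedAccessException: the ACL itself is unreadable.
            New-AclAuditRow -Path $dir.FullName -Status $_.Exception.GetType().Name `
                -Detail $_.Exception.Message
        }
    }
    # Folders whose children could not even be listed.
    foreach ($e in $enumErrors) {
        New-AclAuditRow -Path $e.TargetObject -Status 'EnumerationFailed' `
            -Detail $e.Exception.Message
    }
}

# Usage:
# Get-FolderAclAudit -RootDir 'D:\Share\Prod' | Export-Csv C:\Temp\file.csv -NoTypeInformation -Delimiter ';'
```

Filtering the CSV on Status other than OK lists the folders where the audit has a gap and ownership or permissions need a closer look.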

Question has a verified solution.