Help with Powershell script to get a report of only builtin groups

Hello,
I need help with this script.

I need to make this script to only get a report of BUILTIN groups like Domain Users, Administrators, Domain Admins because we don't migrate them. The builtin groups look like this “Builtin\<AccountName>”

thank you so much. Currently, the following gets all the groups.


# Include only folders from the root path
Get-ChildItem "C:\installs" -Recurse | ?{ $_.PsIsContainer } | %{
  $Path = $_.FullName

  (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited
} | Export-CSV "Permissions.csv"
creative555Asked:
Who is Participating?
 
rastoiWindows DTS expertCommented:
just put there one more pipe with command, like this:
Get-ChildItem "C:\" -Recurse | ?{ $_.PsIsContainer } | %{
  $Path = $_.FullName

  (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited|
    ? {$_.identityreference.value -like "BUILTIN*"}
}

Open in new window

0
 
rastoiWindows DTS expertCommented:
script you populated shows NTFS permisions on directories and has nothing to do with shares you mention in subject.
So what do you need ?
1
 
creative555Author Commented:
oh I am sorry. Inventory of NTFS permissions where builtin groups have access.
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

 
creative555Author Commented:
what does "?" mean? I can't find it online..


I get an error: An empty pipe element is not allowed.



PS C:\scripts> Get-ChildItem "C:\installs" -Recurse | ?{ $_.PsIsContainer } | %{
 $Path = $_.FullName
 
 (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited
    | ? {$_.identityreference.value -like "BUILTIN*"} }
At line:7 char:5
+     | ? {$_.identityreference.value -like "BUILTIN*"} }
+     ~
An empty pipe element is not allowed.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : EmptyPipeElement
0
 
rastoiWindows DTS expertCommented:
'?' is alias for where-object commandlet
I assume it hits folder with no acess to or corrupted descriptor. Try to add '-error silent' after closing curly bracket and run again
0
 
creative555Author Commented:
yes. this works!! I will give you points. Should I put parameters for TESTTARGET\domain users?


Get-ChildItem "C:\installs" -Recurse | ?{ $_.PsIsContainer } | %{
 $Path = $_.FullName
 
 (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited| ?{$_.identityreference.value.ToString() -like "TESTTARGET\Domain Users"}
} | Export-CSV "PermissionsDomainUsers8.csv"
0
 
creative555Author Commented:
I tried to put Domain Users in the param but it doens't work...the output file is empty and it doens't just get c:\install directory. It is doing other directory


    param(
    [String]$Group='Domain Users',
    [String]$Directory='c:\install'
)

Get-ChildItem $directory -Recurse | ?{ $_.PsIsContainer } | %{
 $Path = $_.FullName
 
 (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited| ?{$_.identityreference.value.ToString() -like $Group}
} | Export-CSV "PermissionsDomainUsers9b.csv"



I am getting this error:
Get-ChildItem : Access to the path 'C:\Windows\System32\LogFiles\WMI\RtBackup' is denied.
At line:7 char:1
+ Get-ChildItem $directory -Recurse | ?{ $_.PsIsContainer } | %{
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Windows\Syst...es\WMI\RtBackup:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
0
 
rastoiWindows DTS expertCommented:
those are runtime permission errors, listed one is that running account does not have access to C:\Windows\System32\LogFiles\WMI\RtBackup'  
.tostring() you added makes no sense, "value" is string type. Where the trouble is -like needs asterix convention for match
I suggest this:
 [String]$Group='*Domain Users',

on my local filestem, "Users" produces no output, but "*users" lists properly
0
 
creative555Author Commented:
but it shouldn't be looking at this directory. It should be looking at c:\installs.
C:\Windows\System32\LogFiles\WMI\RtBackup'  

this script still is giving me an error about this directory. It works fine if I remove param ()
Also i tried to put just two variables on top and as soon as I put them, it breaks it.

 param(
    [String]$Group='*Domain Users',
    [String]$Directory='c:\install'
)



Get-ChildItem -path $directory -Recurse | ?{ $_.PsIsContainer } | %{
 $Path = $_.FullName
 
 (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited| ?{$_.identityreference.value.ToString() -like $Group}
} | Export-CSV "PermissionsDomainUsers3.csv"



Error:
Get-ChildItem : Access to the path 'C:\Windows\System32\LogFiles\WMI\RtBackup' is denied.
At C:\scripts\Get-NTFSPermissionsBuiltinWithParams1b.ps1:8 char:1
+ Get-ChildItem -path $directory -Recurse | ?{ $_.PsIsContainer } | %{
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Windows\Syst...es\WMI\RtBackup:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand


this doesn't work either. Same error.

$Group = "Domain Users"
 $Directory ="c:\install"

Get-ChildItem -path $directory -Recurse | ?{ $_.PsIsContainer } | %{
 $Path = $_.FullName
 
 (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited| ?{$_.identityreference.value.ToString() -like $Group}
} | Export-CSV "PermissionsDomainUsers3.csv"



This works perfectly!! But I want to add param or at least variable on top.

Get-ChildItem "C:\installs" -Recurse | ?{ $_.PsIsContainer } | %{
 $Path = $_.FullName
 
 (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited| ?{$_.identityreference.value.ToString() -like "TESTTARGET\Domain Users"}
} | Export-CSV "PermissionsDomainUsers8.csv"
0
 
rastoiWindows DTS expertCommented:
params works, possibly source of your truoble is that you always fill target variable like "C:\install", while in version without parameters you use path with 's' at the end = "C:\installs
as c:\install  directory not exist, your path points to current active than you have feeling that it parse wrong place
0
 
creative555Author Commented:
Thank you so much! I had mistyped c:\installs. Your script works!!!!
1
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.