Help with PowerShell script to get a report of only builtin groups

Hello,
I need help with this script.

I need to make this script to only get a report of BUILTIN groups like Domain Users, Administrators, Domain Admins because we don't migrate them. The builtin groups look like this “Builtin\<AccountName>”

Thank you so much. Currently, the following gets all the groups.


# Include only folders from the root path
Get-ChildItem "C:\installs" -Recurse | ?{ $_.PsIsContainer } | %{
  $Path = $_.FullName

  (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited
} | Export-CSV "Permissions.csv"
creative555 asked:

rastoi (Windows DTS expert) commented:
Script you populated shows NTFS permissions on directories and has nothing to do with shares you mention in subject.
So what do you need?
1
creative555 (Author) commented:
Oh, I am sorry. Inventory of NTFS permissions where builtin groups have access.
0
rastoi (Windows DTS expert) commented:
Just put there one more pipe with command, like this:
Get-ChildItem "C:\" -Recurse | ?{ $_.PsIsContainer } | %{
  $Path = $_.FullName

  (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited|
    ? {$_.identityreference.value -like "BUILTIN*"}
}

0
creative555 (Author) commented:
what does "?" mean? I can't find it online..


I get an error: An empty pipe element is not allowed.



PS C:\scripts> Get-ChildItem "C:\installs" -Recurse | ?{ $_.PsIsContainer } | %{
 $Path = $_.FullName
 
 (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited
    | ? {$_.identityreference.value -like "BUILTIN*"} }
At line:7 char:5
+     | ? {$_.identityreference.value -like "BUILTIN*"} }
+     ~
An empty pipe element is not allowed.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : EmptyPipeElement
0
rastoi (Windows DTS expert) commented:
'?' is an alias for the Where-Object cmdlet.
I assume it hits a folder with no access to or corrupted descriptor. Try to add '-error silent' after closing curly bracket and run again.
0
creative555 (Author) commented:
Yes, this works!! I will give you points. Should I put parameters for TESTTARGET\domain users?


Get-ChildItem "C:\installs" -Recurse | ?{ $_.PsIsContainer } | %{
 $Path = $_.FullName
 
 (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited| ?{$_.identityreference.value.ToString() -like "TESTTARGET\Domain Users"}
} | Export-CSV "PermissionsDomainUsers8.csv"
0
creative555 (Author) commented:
I tried to put Domain Users in the param but it doesn't work... the output file is empty and it doesn't just get c:\install directory. It is doing other directory


    param(
    [String]$Group='Domain Users',
    [String]$Directory='c:\install'
)

Get-ChildItem $directory -Recurse | ?{ $_.PsIsContainer } | %{
 $Path = $_.FullName
 
 (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited| ?{$_.identityreference.value.ToString() -like $Group}
} | Export-CSV "PermissionsDomainUsers9b.csv"



I am getting this error:
Get-ChildItem : Access to the path 'C:\Windows\System32\LogFiles\WMI\RtBackup' is denied.
At line:7 char:1
+ Get-ChildItem $directory -Recurse | ?{ $_.PsIsContainer } | %{
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Windows\Syst...es\WMI\RtBackup:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
0
rastoi (Windows DTS expert) commented:
Those are runtime permission errors; the listed one is that the running account does not have access to 'C:\Windows\System32\LogFiles\WMI\RtBackup'.
The .ToString() you added makes no sense, "value" is string type. Where the trouble is: -like needs asterisk convention for match.
I suggest this:
 [String]$Group='*Domain Users',

On my local filesystem, "Users" produces no output, but "*users" lists properly.
0
creative555 (Author) commented:
But it shouldn't be looking at this directory. It should be looking at c:\installs.
C:\Windows\System32\LogFiles\WMI\RtBackup

This script is still giving me an error about this directory. It works fine if I remove param ()
Also I tried to put just two variables on top and as soon as I put them, it breaks it.

 param(
    [String]$Group='*Domain Users',
    [String]$Directory='c:\install'
)



Get-ChildItem -path $directory -Recurse | ?{ $_.PsIsContainer } | %{
 $Path = $_.FullName
 
 (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited| ?{$_.identityreference.value.ToString() -like $Group}
} | Export-CSV "PermissionsDomainUsers3.csv"



Error:
Get-ChildItem : Access to the path 'C:\Windows\System32\LogFiles\WMI\RtBackup' is denied.
At C:\scripts\Get-NTFSPermissionsBuiltinWithParams1b.ps1:8 char:1
+ Get-ChildItem -path $directory -Recurse | ?{ $_.PsIsContainer } | %{
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Windows\Syst...es\WMI\RtBackup:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand


this doesn't work either. Same error.

$Group = "Domain Users"
 $Directory ="c:\install"

Get-ChildItem -path $directory -Recurse | ?{ $_.PsIsContainer } | %{
 $Path = $_.FullName
 
 (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited| ?{$_.identityreference.value.ToString() -like $Group}
} | Export-CSV "PermissionsDomainUsers3.csv"



This works perfectly!! But I want to add param or at least variable on top.

Get-ChildItem "C:\installs" -Recurse | ?{ $_.PsIsContainer } | %{
 $Path = $_.FullName
 
 (Get-Acl $Path).Access | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights, IsInherited| ?{$_.identityreference.value.ToString() -like "TESTTARGET\Domain Users"}
} | Export-CSV "PermissionsDomainUsers8.csv"
0
rastoi (Windows DTS expert) commented:
Params work; possibly the source of your trouble is that you always fill the target variable like "C:\install", while in the version without parameters you use the path with 's' at the end = "C:\installs".
As c:\install directory does not exist, your path points to current active, then you have a feeling that it parses the wrong place.
0
creative555 (Author) commented:
Thank you so much! I had mistyped c:\installs. Your script works!!!!
1
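
A parameterized version of the report this thread arrives at, as an added example that is not part of any participant's post. The function name `Get-BuiltinAclReport`, its parameter names and the output file name are hypothetical, and it assumes PowerShell 3.0 or later; it checks that the root directory exists before scanning and lists the folders it could not read, since those are gaps in the permission inventory.

```powershell
# Added example, not from the thread. Get-BuiltinAclReport and its parameter
# names are hypothetical; requires PowerShell 3.0+ (Get-ChildItem -Directory).
function Get-BuiltinAclReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Directory,

        # -like pattern matched against the "DOMAIN\Name" text of each ACE
        [string]$IdentityPattern = 'BUILTIN\*'
    )

    # Stop on a mistyped root folder rather than report on anything else.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        throw "Directory not found: $Directory"
    }

    $aclErrors = @()
    $gciArgs = @{
        LiteralPath   = $Directory
        Recurse       = $true
        Directory     = $true
        ErrorAction   = 'SilentlyContinue'
        ErrorVariable = 'gciErrors'   # collects folders that cannot be listed
    }

    # Each line ends with | so the parser continues the pipeline on the next one.
    Get-ChildItem @gciArgs | ForEach-Object {
        $path = $_.FullName
        try   { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop }
        catch { $aclErrors += $path; return }

        $acl.Access |
            Where-Object { $_.IdentityReference.Value -like $IdentityPattern } |
            Select-Object @{n='Path';e={ $path }}, IdentityReference,
                AccessControlType, InheritanceFlags, PropagationFlags,
                FileSystemRights, IsInherited
    }

    # Unreadable folders are gaps in the inventory, so report them.
    foreach ($e in $gciErrors) { Write-Warning "Could not list: $($e.TargetObject)" }
    foreach ($p in $aclErrors) { Write-Warning "Could not read ACL: $p" }
}

Get-BuiltinAclReport -Directory 'C:\installs' |
    Export-Csv -Path 'Permissions-Builtin.csv' -NoTypeInformation
```

Passing `-IdentityPattern '*\Domain Users'` gives the domain-group variant asked about in the thread.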