Discussion:
Get-ACL
Brazil
2008-07-21 14:24:55 UTC
Hi,

I am trying to write a script which will list the path of a folder if
a specific security group has permissions on that folder. I am trying
to run this script against a drive on a File Server. This is what I
have got at the moment, taken from Microsoft's site:

get-childitem \\FileServer\f$ -recurse | get-acl | select-object path,owner,accesstostring,group | export-csv "C:\output.csv"

This works so far. It will output all permissions on all objects under
the F drive. What I would like to do now is to just output the path of
the folder if a specific group has permissions on the folder. I am not
sure how to structure the foreach statement.

Could someone please point me in the right direction?

Thanks,

Ben.
Shay Levy [MVP]
2008-07-21 16:37:58 UTC
Hi Brazil,

You can use the where-object cmdlet to filter on the group name:

$group = "Domain\GroupName"
get-childitem \\FileServer\f$ -recurse | get-acl | where {$_.group -contains $group} | select path,owner,accesstostring,group | export-csv "C:\output.csv"


Take into account that running this command can take a long time to finish when
running it against a remote computer; run it locally whenever you can.

---
Shay Levy
Windows PowerShell MVP
http://blogs.microsoft.co.il/blogs/ScriptFanatic



B> Hi,
B>
B> I am trying to write a script which will list the path of a folder if
B> a specific security group has permissions on that folder. I am trying
B> to run this script against a drive on a File Server. This is what I
B> have got at the moment, taken from Microsoft's site:
B>
B> get-childitem \\FileServer\f$ -recurse | get-acl | select-object
B> path,owner,accesstostring,group | export-csv "C:\output.csv"
B>
B> This works so far. It will output all permissions on all objects
B> under the F drive. What I would like to do now is to just output the
B> path of the folder if a specific group has permissions on the folder.
B> I am not sure how to structure the foreach statement.
B>
B> Could someone please point me in the right direction?
B>
B> Thanks,
B>
B> Ben.
B>
Oisin (x0n) Grehan [MVP]
2008-07-21 17:45:04 UTC
Post by Brazil
Hi,
I am trying to write a script which will list the path of a folder if
a specific security group has permissions on that folder. I am trying
to run this script against a drive on a File Server. This is what I
get-childitem \\FileServer\f$ -recurse | get-acl | select-object
path,owner,accesstostring,group | export-csv "C:\output.csv"
This works so far. It will output all permissions on all objects under
the F drive. What I would like to do now is to just output the path of
the folder if a specific group has permissions on the folder. I am not
sure how to structure the foreach statement.
Could someone please point me in the right direction?
Thanks,
Ben.
Hi Brazil,

Permissions are trickier than they first appear. Finding an ACE
(access control entry) in the ACL (access control list) that grants a
group access to the resource does *not* guarantee that that group
actually has access. ACEs also come in the form of "deny" entries.
ACLs contain ACEs. "Deny" ACEs come before "Allow" ACEs in the ACL.
If Windows finds a deny entry before it finds an allow entry, the
group and/or user is effectively denied access even though there
exists an "allow" entry. Take this with the fact that denies and/or
allows can be inherited and that groups can be inside other groups -
the *effective* permissions can only be determined by examining ACLs for
deny ACEs and also resolving all AD groups to make sure they don't
contain other groups. Remember, users may be in several groups - one or
more might be explicitly denied, one or more might be allowed. Most
restrictive applies.

In short, there is no easy way in PowerShell (that I know of) to find
_effective_ permissions, you may have better luck with 3rd party
utils. But as IANAA (I Am Not An Admin), I can't recommend any.

Hope this helps (somewhat).

- Oisin

PowerShell MVP
http://www.nivot.org/
Brazil
2008-07-22 10:35:21 UTC
Hi Shay and Oisin,

Thanks for your replies.
I can't seem to get the where clause to work at the moment. The script
doesn't error, however the exported CSV is blank once the script has
executed. This is how the script looks now:

get-childitem 'C:\Test' -recurse | get-acl | where {$_.AccessToString -contains 'GroupA'} | select accesstostring | export-csv "C:\test.txt"

I have two subfolders within C:\Test. GroupA has ACL permissions on
one folder but not on the other.

If I run the script without the where clause as follows:

get-childitem 'C:\Test' -recurse | get-acl | select accesstostring |
export-csv "C:\test.txt"

I successfully get the ACL on the folder as shown below.

"DOMAIN\GroupA Allow FullControl
BUILTIN\Administrators Allow FullControl
DOMAIN\bbrazil Allow FullControl
CREATOR OWNER Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize"

My understanding of the where clause using the -contains switch should
return the object where the condition is met.

Again any advice would be most appreciated.

Thanks,

Ben.
Shay Levy [MVP]
2008-07-22 11:55:18 UTC
Hi Brazil,


AccessToString is of type string so -contains won't do much, try the -match
operator instead (notice the double \\):

... where {$_.AccessToString -match 'BUILTIN\\Administrators'} | select ...


There's another option where you can split



Don't forget to take into account what Oisin said about Allow/Deny ACEs.

You can search for the word 'Deny' in the AccessToString:

... where {$_.AccessToString -match 'Deny'} | select ...

---
Shay Levy
Windows PowerShell MVP
http://blogs.microsoft.co.il/blogs/ScriptFanatic



B> Hi Shay and Oisin,
B>
B> Thanks for your replies.
B> I can't seem to get the where clause to work at the moment. The script
B> doesn't error, however the exported CSV is blank once the script has
B> executed. This is how the script looks now:
B> get-childitem 'C:\Test' -recurse | get-acl | where {$_.AccessToString
B> -contains 'GroupA'} | select accesstostring | export-csv
B> "C:\test.txt"
B>
B> I have two subfolders within C:\Test. GroupA has ACL permissions on
B> one folder but not on the other.
B>
B> If I run the script without the where clause as follows:
B>
B> get-childitem 'C:\Test' -recurse | get-acl | select accesstostring |
B> export-csv "C:\test.txt"
B>
B> I successfully get the ACL on the folder as shown below.
B>
B> "DOMAIN\GroupA Allow FullControl
B> BUILTIN\Administrators Allow FullControl
B> DOMAIN\bbrazil Allow FullControl
B> CREATOR OWNER Allow FullControl
B> NT AUTHORITY\SYSTEM Allow FullControl
B> BUILTIN\Users Allow ReadAndExecute, Synchronize"
B> My understanding of the where clause using the -contains switch
B> should return the object where the condition is met.
B>
B> Again any advice would be most appreciated.
B>
B> Thanks,
B>
B> Ben.
B>
Shay Levy [MVP]
2008-07-22 12:00:16 UTC
Hi Brazil,


AccessToString is of type string so -contains won't do much, try the -match
operator instead (notice the double \\):

... where {$_.AccessToString -match 'BUILTIN\\Administrators'} | select ...



Don't forget to take into account what Oisin said about Allow/Deny ACEs. BTW,
you can search for the word 'Deny' in the AccessToString.



---
Shay Levy
Windows PowerShell MVP
http://blogs.microsoft.co.il/blogs/ScriptFanatic



B> Hi Shay and Oisin,
B>
B> Thanks for your replies.
B> I can't seem to get the where clause to work at the moment. The script
B> doesn't error, however the exported CSV is blank once the script has
B> executed. This is how the script looks now:
B> get-childitem 'C:\Test' -recurse | get-acl | where {$_.AccessToString
B> -contains 'GroupA'} | select accesstostring | export-csv
B> "C:\test.txt"
B>
B> I have two subfolders within C:\Test. GroupA has ACL permissions on
B> one folder but not on the other.
B>
B> If I run the script without the where clause as follows:
B>
B> get-childitem 'C:\Test' -recurse | get-acl | select accesstostring |
B> export-csv "C:\test.txt"
B>
B> I successfully get the ACL on the folder as shown below.
B>
B> "DOMAIN\GroupA Allow FullControl
B> BUILTIN\Administrators Allow FullControl
B> DOMAIN\bbrazil Allow FullControl
B> CREATOR OWNER Allow FullControl
B> NT AUTHORITY\SYSTEM Allow FullControl
B> BUILTIN\Users Allow ReadAndExecute, Synchronize"
B> My understanding of the where clause using the -contains switch
B> should return the object where the condition is met.
B>
B> Again any advice would be most appreciated.
B>
B> Thanks,
B>
B> Ben.
B>
Brazil
2008-07-22 11:12:57 UTC
Shay,

Once again, thanks for your help.

Ben.
Brazil
2008-07-22 15:01:52 UTC
I've got another question at the moment. Some of the folders on my
fileserver have a "[" in the folder name. The script fails when
getting to this point. I have read that it is possible to escape this
character. How could this be done at runtime during the execution of
the script?

Thanks,
Ben.
Brazil
2008-07-22 15:54:07 UTC
I've also noticed that once the security group is found on the parent
folder it doesn't traverse the sub folders but it just goes on to the
next folder.

This is my code now:

$ofile = $MyInvocation.MyCommand.Definition.substring(0, ($MyInvocation.MyCommand.Definition.length - 3)) + "txt"
$strFolder = "\\pdgbdc1offfp01\f$\Departmental_GB"
$strGroup = "GROUPA"


get-childitem $strFolder -recurse | where {$_.PsIsContainer} | get-acl |
    where {$_.AccessToString -match $strGroup} | select path,accesstostring |
    export-csv $ofile

I have also found the following which will allow escaping of
characters but am not sure where to place it:
[Management.Automation.WildcardPattern]::Escape

Thanks,

Ben.
Brazil
2008-07-22 15:57:26 UTC
I've also noticed that once the security group is found on the parent
folder it doesn't traverse the sub folders but it just goes on to the
next folder.

This is my code now:


$ofile = $MyInvocation.MyCommand.Definition.substring(0, ($MyInvocation.MyCommand.Definition.length - 3)) + "txt"
$strFolder = "\\FileServer\f$\Departmental_GB"
$strGroup = "GROUPA"


get-childitem $strFolder -recurse | where {$_.PsIsContainer} | get-acl |
    where {$_.AccessToString -match $strGroup} | select path,accesstostring |
    export-csv $ofile


I have also found the following which will allow escaping of
characters but am not sure where to place it:
[Management.Automation.WildcardPattern]::Escape


Thanks,


Ben.
Shay Levy [MVP]
2008-07-23 11:15:22 UTC
Hi Brazil,


To escape the opening/closing bracket add double backticks in front of the
bracket. This gets all files/dirs which have an opening bracket
in the name, but that won't work with Get-Acl, it has no output :(


dir '*``[*' | get-acl



---
Shay Levy
Windows PowerShell MVP
http://blogs.microsoft.co.il/blogs/ScriptFanatic



B> I've also noticed that once the security group is found on the parent
B> folder it doesn't traverse the sub folders but it just goes on to the
B> next folder.
B>
B> This is my code now:
B>
B> $ofile = $MyInvocation.MyCommand.Definition.substring(0,
B> ($MyInvocation.MyCommand.Definition.length - 3)) + "txt"
B> $strFolder = "\\FileServer\f$\Departmental_GB"
B> $strGroup = "GROUPA"
B> get-childitem $strFolder -recurse | where {$_.PsIsContainer} | get-acl |
B>     where {$_.AccessToString -match $strGroup} | select path,accesstostring |
B>     export-csv $ofile
B>
B> I have also found the following which will allow escaping of
B> characters but am not sure where to place it:
B> [Management.Automation.WildcardPattern]::Escape
B>
B> Thanks,
B>
B> Ben.
B>
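Drawing on Oisin's point about Deny versus Allow ACEs, Shay's advice to stop using -contains on a string, and the '[' problem, the following is an added example and not code from any poster in this thread. It inspects the typed Access collection of each folder's ACL instead of pattern-matching AccessToString, and uses -LiteralPath so bracketed folder names are taken literally. It assumes PowerShell 3.0 or later (for -LiteralPath on Get-Acl and -Directory on Get-ChildItem); the root path, group name and output file are placeholders.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+ so that Get-Acl,
# Get-ChildItem and Export-Csv accept -LiteralPath (folder names containing '['
# are then taken literally, not as wildcard patterns) and Get-ChildItem accepts -Directory.
param(
    [string]$Root    = 'C:\Test',           # placeholder root folder
    [string]$Group   = 'DOMAIN\GroupA',     # placeholder group, as shown in IdentityReference
    [string]$OutFile = 'C:\acl-report.csv'  # placeholder output file
)

function Get-GroupAceReport {
    param([string]$Path, [string]$Identity)

    Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $folder = $_.FullName
        try {
            $acl = Get-Acl -LiteralPath $folder -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read the ACL on '$folder': $_"
            return
        }
        # Work on the typed FileSystemAccessRule objects, not on AccessToString.
        # -ieq compares the account name exactly, so the '\' needs no regex escaping.
        $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -ieq $Identity })
        if ($aces.Count -eq 0) { return }

        # An Allow ACE proves nothing on its own: a Deny ACE for the same identity is
        # evaluated first, so report both sides and whether any entry is explicit
        # (not inherited from a parent folder).
        $allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })
        $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny'  })

        [pscustomobject]@{
            Path        = $folder
            Owner       = $acl.Owner
            AllowRights = ($allow | ForEach-Object { $_.FileSystemRights }) -join '; '
            DenyRights  = ($deny  | ForEach-Object { $_.FileSystemRights }) -join '; '
            HasDeny     = $deny.Count -gt 0
            ExplicitAce = @($aces | Where-Object { -not $_.IsInherited }).Count -gt 0
        }
    }
}

Get-GroupAceReport -Path $Root -Identity $Group |
    Export-Csv -LiteralPath $OutFile -NoTypeInformation
```

It inventories the direct ACEs naming the group on each folder; nested group membership is not resolved, so a row with an Allow and no Deny is still not proof of effective access.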