powershell - get-acl but filter for security groups - powershell

We have multiple AD groups and we are not sure whether they still have some permissions on our file share server. Now I want to find the folders and filter the security groups on each folder, but it doesn't work. I'm a newbie with PowerShell.
I tried
get-acl | where-object access -like users
but nothing happens, not even an error.
GET-ACL | Where-Object {$_.Access -match "users"}
also didn't work. What am I doing wrong?
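Neither attempt can match because Get-Acl returns one security descriptor per folder and the individual entries live in its Access collection, so the filter has to run against each entry's IdentityReference. The following is an added example, not code from the original post: it walks a share and reports every folder where one of a given list of groups is explicitly granted access; the share path and group names are assumed values.

```powershell
# Added example: find where a list of AD groups is still referenced in folder ACLs.
$Root          = '\\fileserver\share'                               # assumption: share to audit
$GroupsToCheck = @('CONTOSO\Sales-RO', 'CONTOSO\Legacy-Project')    # assumption: groups in question

# Get-Acl returns one object per folder; the ACEs are in its .Access collection, so the
# filter is applied to each ACE, not to the Access property as a whole.
$hits = Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $folder = $_.FullName
        (Get-Acl -LiteralPath $folder -ErrorAction SilentlyContinue).Access |
            Where-Object {
                # IdentityReference is an NTAccount object; compare its .Value string.
                # Skip inherited ACEs so each grant is reported once, where it is actually set.
                ($GroupsToCheck -contains $_.IdentityReference.Value) -and (-not $_.IsInherited)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder = $folder
                    Group  = $_.IdentityReference.Value
                    Rights = $_.FileSystemRights
                    Type   = $_.AccessControlType
                }
            }
    }

# Groups that never appeared are cleanup candidates; the rest show where they are still used.
$stillUsed = $hits | Select-Object -ExpandProperty Group -Unique
$GroupsToCheck | Where-Object { $stillUsed -notcontains $_ } |
    ForEach-Object { "No explicit ACE found for $_ under $Root" }

$hits | Sort-Object Group, Folder | Format-Table -AutoSize
```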

Related

I'm trying to create a PowerShell script that will find all of the groups or user names for multiple folders

I have successfully retrieved a list of folders from the selected drive and would like to iterate over this list for a list of groups or user names with access to the folder. What this means is that I am checking the permissions of each folder within the drive. Below is the code that I currently have.
#Import active directory module for running AD cmdlets
Import-Module activedirectory
#Get list of folders from the O drive
$folders = Get-ChildItem -Directory "O:\" | Select-Object -ExpandProperty Name
#for each folder retrieve the groups then export
ForEach ($folder in $folders)
{
    $groups = Get-ACL "O:\$folder" | %{ $_.Access } | ft -property IdentityReference, AccessControlType, FileSystemRights
    $folder | Export-CSV -Path FolderMembership.csv -Append
    $groups | Export-CSV -Path FolderMembership.csv -Append
}
pause
When I run this code my CSV file is filled with a length number, and in between each length number are an arbitrary number of spaces that I believe coincide with the number of security groups for the folder that was supposed to be there. Can anyone help me figure out what is wrong with my Get-ACL command? Also, if there is a better command for this, I would be happy to know what it is!
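Export-Csv serialises the properties of whatever objects reach it: a bare folder-name string has only a Length property (hence the rows of numbers), and Format-Table emits formatting records rather than data (hence the blank rows). The following is an added example, not the poster's code: it keeps the ACEs as objects, attaches the folder path as a property and exports once. The drive and file name are the ones from the question.

```powershell
# Added example: one CSV row per access control entry, tagged with its folder.
$rows = Get-ChildItem -Path 'O:\' -Directory | ForEach-Object {
    $folderPath = $_.FullName
    # Select-Object keeps real objects flowing down the pipeline; a calculated property
    # adds the folder path so every row says which folder the ACE belongs to.
    (Get-Acl -LiteralPath $folderPath).Access | Select-Object -Property @(
        @{ Name = 'Folder';            Expression = { $folderPath } },
        @{ Name = 'IdentityReference'; Expression = { $_.IdentityReference.Value } },
        'AccessControlType',
        'FileSystemRights',
        'IsInherited'
    )
}

# Write the whole collection once; -NoTypeInformation drops the "#TYPE" banner line.
$rows | Export-Csv -Path 'FolderMembership.csv' -NoTypeInformation

# Formatting belongs at the very end of the pipeline, only for the console view.
$rows | Format-Table -AutoSize
```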

PowerShell Querying Registry and Looking at Null Permissions

I'm working with a local machine as an Administrator. After I remove a program with Windows or a 3rd party tool, there are always registry remnants. I want to query the HKCU and HKLM hives for any keys, values and data left behind. That part is fine. But when I run GCI | Where, somewhere between a half dozen to a few dozen errors result along with the hits. They are all keys that I don't have permission to view, although if I manually go to Regedit it tells me I can still change the permissions. Then I take the GCI results and run Get-ACL to check that I have RegistryRights=FullControl and AccessControlType=Allow to confirm I will be able to delete those keys.
Q1: Is it possible to run GCI with whatever pipes that would "skip" those keys I don't have permissions for?
Q2: If I only want permissions to view those keys so I can check if they meet the search criteria, how do I do that?
I'd like to be able to scan the hives for keys that would return $null as the IdentityReference value for my roles (Administrator, Creator Owner). Possible? Then I would know what keys I need to change permissions on even to just read.
Sample commands:
Get-ChildItem -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows' -Recurse | Where-Object { $_.Name -Match '[search terms]' }
Get-Acl 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows' | Select-Object -ExpandProperty Access | Where-Object { @('CREATOR OWNER', 'BUILTIN\Administrators') -notcontains $_.IdentityReference.Value }
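For Q1 the errors do not have to be hidden to be skipped: they can be captured and turned into the list of keys the current token could not open, which is exactly the list of keys whose permissions need changing before a read is possible. The following is an added example, not the poster's code; it keeps the hive path from the sample commands and uses a placeholder search pattern.

```powershell
# Added example: enumerate a hive, record the keys that could not be opened, then check
# the readable hits for a BUILTIN\Administrators Allow/FullControl entry.
$Path    = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows'
$Pattern = 'SEARCH-TERM-PLACEHOLDER'    # placeholder: the real search terms go here

# -ErrorAction SilentlyContinue stops the red output; -ErrorVariable still records every
# failure, so nothing is lost. Without a leading '+' the variable starts as a fresh list.
$denied = @()
$keys = Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue -ErrorVariable denied

# Q1: the keys that were skipped. TargetObject is the key the provider could not open.
$skipped = $denied |
    Where-Object { $_.CategoryInfo.Category -eq 'PermissionDenied' } |
    ForEach-Object { $_.TargetObject }
"Keys not readable by the current token: $($skipped.Count)"
$skipped

# Hits among the keys that were readable
$hits = $keys | Where-Object { $_.Name -match $Pattern }

# RegistryRights is a flags enum, so test FullControl with -band, not string comparison.
$full = [System.Security.AccessControl.RegistryRights]::FullControl
foreach ($key in $hits) {
    $acl = Get-Acl -Path $key.PSPath
    $adminFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    }
    [pscustomobject]@{
        Key               = $key.Name
        Owner             = $acl.Owner
        AdminsFullControl = [bool]$adminFull
    }
}
```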

How to get the advanced permission of folders and files in powershell?

I am trying to get the advanced permissions of the folders but can't seem to find a way.
$acl = (Get-ACL -Path $path).Access | Where-Object -Property IdentityReference -match $user
Currently I'm on this, which only provides the basic permissions.
I tried [System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights]) but it only lists all the available advanced permissions instead of the permissions assigned.
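The value in each ACE already contains the advanced permissions: FileSystemRights is a flags enum, and names such as Modify or ReadAndExecute are composites of single-bit members. The following is an added example, not the poster's code, that splits each ACE's value into those single bits; $path and $user are the question's variables with assumed values.

```powershell
# Added example: expand FileSystemRights into the individual "advanced" permissions.
$path = 'C:\Data\Projects'    # assumption
$user = 'CONTOSO\jdoe'        # assumption

# Keep only the enum members that have exactly one bit set; composites are sums of these.
$enumType = [System.Security.AccessControl.FileSystemRights]
$atomic   = [System.Enum]::GetValues($enumType) |
    Where-Object { $v = [int]$_; ($v -ne 0) -and (($v -band ($v - 1)) -eq 0) }

function Get-AdvancedRights {
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    # Some ACEs carry generic rights (negative values); [int] keeps the bit test well defined.
    $bits = [int]$Rights
    $atomic |
        Where-Object { ($bits -band [int]$_) -ne 0 } |
        ForEach-Object { $_.ToString() } |
        Select-Object -Unique    # ReadData/ListDirectory share a value; report it once
}

(Get-Acl -LiteralPath $path).Access |
    Where-Object { $_.IdentityReference.Value -match [regex]::Escape($user) } |
    ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType
            Basic     = $_.FileSystemRights                                # e.g. "Modify, Synchronize"
            Advanced  = (Get-AdvancedRights $_.FileSystemRights) -join ', '
            AppliesTo = "$($_.InheritanceFlags) / $($_.PropagationFlags)"  # the "Applies to" column
        }
    }
```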

Find AD security groups on network folders

I am not a programmer, I must have taken a wrong turn! So that's out of the way, how on earth is there not an easy way to take a set of network folders and pipe out a list of AD security groups that are applied to it? I have googled my butt off but there are a million similar questions, and I have tested a few scripts but can't get exactly what I want, or I get a lot of errors. We have a top level directory of about 7 folders and security is about 3 levels deep. We want to clean up unused or orphaned security groups out of AD tools, and try to get a feel of what is used and what is not. Attempting a "Network drive cleanup" at my organization.
What is the best way to accomplish this? I tried this in PS:
Get-ChildItem "\\wfs.company.ca\adv\workgroups\adv services" -recurse | ForEach-Object {Get-Acl $_.FullName} | Export-CSV C:\"adv services".csv
It worked, but gave me too much info and not the specific group names.
I also tried something like this, which just produced errors:
# Scope options are Universal, DomainLocal, Global
# Get-GroupMember -Scope DomainLocal
Function Get-GroupMember {
    Param(
        [parameter(Mandatory=$true)]
        [string]
        $scope
    )
    # Only groups that actually have members: 'Members -like "*"' tests that the attribute is set
    Get-ADGroup -Filter {GroupScope -eq $scope -and Members -like "*"} -Properties Name |
        Select-Object Name, @{Name="GroupMembers";Expression={(Get-ADGroupMember -Identity $_ |
            Select-Object -ExpandProperty SamAccountName) -join "`n"}}
}
$Groups = Get-GroupMember -Scope DomainLocal
$Groups | Format-Table -AutoSize -Wrap
$Groups | Out-GridView
$Groups | Export-Csv C:\groups.csv -NoTypeInformation
I don't mind putting in the work and research, I just don't know where to start.
Any pointers much appreciated.
Thanks!
You could use this to get a unique list of applied identities (groups and users):
(Get-ChildItem "\\wfs.company.ca\adv\workgroups\adv services" -Recurse | Get-Acl).Access.IdentityReference | select -Unique
Furthermore, you could use Get-ADGroup or other ways to check if it's a group or user.
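Taking the answer one step further, the unique identity list can be classified: AD group, user, built-in principal, or an orphaned SID whose account no longer exists (Get-Acl returns the raw SID when the name cannot be resolved, which is what an "orphaned" entry looks like). The following is an added example, not the answerer's code; it reuses the share path from the question and assumes the ActiveDirectory module is available.

```powershell
# Added example: classify every identity referenced in a share's ACLs.
Import-Module ActiveDirectory

$identities = (Get-ChildItem "\\wfs.company.ca\adv\workgroups\adv services" -Recurse -ErrorAction SilentlyContinue |
    Get-Acl -ErrorAction SilentlyContinue).Access.IdentityReference.Value | Sort-Object -Unique

foreach ($id in $identities) {
    $record = [ordered]@{ Identity = $id; Kind = 'Unknown'; SamAccountName = $null; Scope = $null }

    if ($id -match '^S-1-5-\d+(-\d+)+$') {
        # A raw SID means Windows could not resolve it: deleted account or foreign principal.
        $record.Kind = 'OrphanedSID'
    }
    elseif ($id -match '^(BUILTIN|NT AUTHORITY|CREATOR OWNER|Everyone)') {
        $record.Kind = 'BuiltIn'
    }
    else {
        try {
            # DOMAIN\name -> SID -> AD object, so renamed accounts are still found.
            $sid = ([System.Security.Principal.NTAccount]$id).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
            $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties sAMAccountName
            if ($obj) {
                $record.Kind           = $obj.objectClass      # 'group', 'user', 'computer', ...
                $record.SamAccountName = $obj.sAMAccountName
                if ($obj.objectClass -eq 'group') {
                    $record.Scope = (Get-ADGroup -Identity $sid).GroupScope
                }
            }
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            $record.Kind = 'Unresolvable'
        }
    }
    [pscustomobject]$record
}
```

Rows with Kind = group are the AD groups actually applied on the share; the OrphanedSID rows are the entries left behind by groups or users that were already deleted.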

PowerShell to find usernames that have access

I am trying to get the ACL of a set of folders to see if a specific user is listed.
For example
Users
|
---Person1
---Person2
---Person3
Person1 to 3 are home folders. We recently ran an icacls command to modify the folder permissions. Some of them have the owner set to "IT Employee" instead of Person1.
If it was only 3 folders, I would do this manually. However, there are at least 1000 folders and doing it manually would not be feasible to get the data back in a timely manner.
Basically, there are 6 IT employees and I want to make sure their names are not in any Person home folder (or its subfolders). If they are there, I want to be able to remove them or at least get a console log.
I am using PowerShell 2 on Windows Server 2008.
I can also execute VBScript or JavaScript.
You could try something like this to get you started. I'm not connected to a network with a file server at the moment, so I'm not sure whether Owner and IdentityReference contain DOMAIN\Username or a SID (this happens for non-existing users, e.g. deleted ones). I get <DOMAIN or ComputerName>\Username when I run it on my local machine. You may have to modify it to handle that.
$rootpath = "c:\users"
#Get all folders
Get-ChildItem -Path $rootpath -Recurse | Where-Object { $_.PSIsContainer } |
#Get ACL for the folders
Get-Acl |
#Find ACLs with IT Employee-reference
Where-Object {
    #Check if owner matches 'IT Employee' or ACL Access rules contains 'IT Employee'
    ($_.Owner -match 'IT Employee') -or ($_.Access | Where-Object { $_.IdentityReference.Value -match 'IT Employee' })
} |
#Process
ForEach-Object {
    #Show folderpath...
    $_.Path
    #Here you could access the ACL-object $_, modify it (change owner/remove access rules) and save it by using 'Set-Acl -Path $_.Path -AclObject $_' etc.
}
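The remediation step the comment alludes to, as an added example that is not part of the original answer: it removes explicit ACEs for the listed IT accounts, hands ownership back to the home-folder user, and logs every change to the console, with a dry-run switch so the first pass only reports. It sticks to PowerShell 2 syntax; the account names and the DOMAIN prefix are assumptions, the folder-name-equals-user layout is taken from the question, and changing an owner needs an elevated administrator token.

```powershell
# Added example: remove IT-employee ACEs and owners from home folders, logging each change.
$rootpath   = 'c:\users'
$itAccounts = @('DOMAIN\it.one', 'DOMAIN\it.two')   # assumption: the IT employee accounts
$dryRun     = $true                                 # set to $false to apply the changes

Get-ChildItem -Path $rootpath -Recurse | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder  = $_.FullName
    $acl     = Get-Acl -Path $folder
    $changed = $false

    # Only non-inherited ACEs can be removed here; inherited ones must be fixed on the parent.
    # $acl.Access is a snapshot, so removing rules while iterating over it is safe.
    $acl.Access | Where-Object {
        (-not $_.IsInherited) -and ($itAccounts -contains $_.IdentityReference.Value)
    } | ForEach-Object {
        Write-Host ("{0}: remove {1} ({2}) for {3}" -f $folder, $_.FileSystemRights,
                    $_.AccessControlType, $_.IdentityReference.Value)
        [void]$acl.RemoveAccessRule($_)
        $changed = $true
    }

    # Owner left as an IT account by the icacls run: give it back to the folder's user.
    # The user name is derived from the top-level home folder name (assumed layout).
    if ($itAccounts -contains $acl.Owner) {
        $personName = $folder.Substring($rootpath.Length).TrimStart('\').Split('\')[0]
        $newOwner   = New-Object System.Security.Principal.NTAccount('DOMAIN', $personName)
        Write-Host ("{0}: owner {1} -> {2}" -f $folder, $acl.Owner, $newOwner.Value)
        $acl.SetOwner($newOwner)
        $changed = $true
    }

    if ($changed -and -not $dryRun) {
        Set-Acl -Path $folder -AclObject $acl
    }
}
```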