Exclude specific users when listing Windows folder permissions in PowerShell - powershell

I'm trying to list all users who have access to a specific directory and the subfolders in this directory.
I've found this website that shows me how to do this pretty well. But I want to modify this script slightly so I can exclude certain built-in Windows users from the output.
So I found another link on StackOverflow that shows how to exclude a list of users from the results. But when I add the -notmatch to the existing PS script, the Group/User changes from the actual username to True or False for some reason.
What can I do to have this script filter out the users in the $ignore variable and have the Group/User show the username?
$ignore = @('BUILTIN\Administrators','CREATOR OWNER')
$ExcludeUsersRegex = ($ignore | % { [regex]::Escape($_) }) -join '|'
$FolderPath = Get-ChildItem -Directory -Path "D:\MSSQL" -Recurse -Force
$Output = @()
ForEach ($Folder in $FolderPath) {
    $Acl = Get-Acl -Path $Folder.FullName
    ForEach ($Access in $Acl.Access) {
        # -notmatch evaluates to $true/$false, and that [bool] is what ends up in 'Group/User'
        $Properties = [ordered]@{'Folder Name'=$Folder.FullName;'Group/User'=$Access.IdentityReference -notmatch $ExcludeUsersRegex;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
        #$Properties = [ordered]@{'Folder Name'=$Folder.FullName;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
        $Output += New-Object -TypeName PSObject -Property $Properties
    }
}
$Output | Out-GridView

You can filter at the loop level, so undesirable users aren't iterated through the loop.
ForEach($Access in ($Acl.Access|Where{$_.IdentityReference -notmatch $ExcludeUsersRegex})) {
That filters out the accesses that match a specific user name.
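As an added example (not code from the question or the answer above), here is the complete script with the filter moved into the loop. Two things are changed on purpose: the regex is anchored with `^(...)$`, so an excluded name such as `BUILTIN\Administrator` cannot match `BUILTIN\Administrators` as a substring, and the root folder itself is included, since `Get-ChildItem -Recurse` only returns its children. The identity list and `D:\MSSQL` come from the question; the extra `NT AUTHORITY\SYSTEM` entry, the `Type` column and the error handling are assumptions.

```powershell
# Added example: list every ACE under $Root, skipping the principals in $ignore.
# The identities and the root path are placeholders; adjust them for your host.
$ignore = @('BUILTIN\Administrators', 'CREATOR OWNER', 'NT AUTHORITY\SYSTEM')

# Anchor the alternation so a name only matches as a whole; -match is case-insensitive.
$ExcludeUsersRegex = '^(' + (($ignore | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

$Root    = 'D:\MSSQL'
$Folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

$Output = foreach ($Folder in $Folders) {
    try {
        # -LiteralPath so folder names containing [ or ] are not treated as wildcards
        $Acl = Get-Acl -LiteralPath $Folder.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL on $($Folder.FullName): $($_.Exception.Message)"
        continue
    }
    # Filter before the inner loop: the object keeps the identity, not the [bool]
    # that -notmatch would produce inside the hashtable.
    foreach ($Access in ($Acl.Access | Where-Object { $_.IdentityReference.Value -notmatch $ExcludeUsersRegex })) {
        [pscustomobject]@{
            'Folder Name' = $Folder.FullName
            'Group/User'  = $Access.IdentityReference.Value
            'Permissions' = $Access.FileSystemRights
            'Type'        = $Access.AccessControlType
            'Inherited'   = $Access.IsInherited
        }
    }
}

$Output | Sort-Object 'Folder Name', 'Group/User' | Out-GridView -Title "ACEs under $Root"
```

`Out-GridView` needs a GUI session; on a core server or over a remote session replace the last line with `Export-Csv -LiteralPath .\acl_report.csv -NoTypeInformation`. The `Type` column matters for an audit: a `Deny` ACE for a principal looks identical to an `Allow` one in the original output.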

Related

Powershell - How can I exclude All Files in the Get-childitem command and include Get-Adgroupmember

Still new to PowerShell, and I need to do a security report and find all the permissions applied to all folders within a drive and then export them into an Excel document. The command I've got so far includes files, but all the files are set up to inherit from the folder they are in. What I'm hoping to do is for it to ignore all the files, that is .txt, .msg, .doc, .xlsx etc.
Also hoping, for the groups it pulls in, to use Get-ADGroupMember on them so that I can see who is in the group and also export this to the Excel file in the column next to it.
# "\\C:\..." is not a valid path; a drive-letter path has no leading backslashes
$FilePath = Get-childitem "C:\Downloads\TEST" -Recurse
ForEach ($File in $FilePath) {
    $Acl = Get-Acl -Path $File.FullName
    ForEach ($Access in $Acl.Access) {
        $Properties = [ordered]@{'File Name' = $File.FullName; 'Group/User' = $Access.IdentityReference; 'Permissions' = $Access.FileSystemRights; 'Inherited' = $Access.IsInherited }
        # the CSV is reopened for every ACE; fine for a small tree, slow for a large one
        New-Object -TypeName PSObject -Property $Properties | Export-Csv "C:\Downloads\FinanceResult.csv" -append -NoTypeInformation
    }
}
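No answer is shown for this question, so the following is an added example rather than the poster's or anyone else's solution. It restricts the walk to folders with `-Directory`, and adds a `Members` column by expanding each domain group with `Get-ADGroupMember -Recursive` (nested groups flattened to the users they contain). It assumes the RSAT `ActiveDirectory` module is installed, that the script runs as an account allowed to read group membership, and that only identities prefixed with the current domain (`$env:USERDOMAIN`) are worth resolving; `BUILTIN\...` and `NT AUTHORITY\...` entries are left without members. The paths are the placeholders from the question; the cache and function name are new.

```powershell
# Added example: folder-only ACL report with AD group membership expanded.
# Requires the ActiveDirectory module (RSAT); paths are placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

$Root        = 'C:\Downloads\TEST'
$Report      = 'C:\Downloads\FinanceResult.csv'
$MemberCache = @{}   # identity -> member list, so each group is queried once

function Get-GroupMembersCached {
    param([string]$Identity)   # e.g. 'CONTOSO\Finance-RO'

    if ($MemberCache.ContainsKey($Identity)) { return $MemberCache[$Identity] }

    # Only resolve principals from this domain; local and well-known SIDs are skipped.
    if ($Identity -notlike "$env:USERDOMAIN\*") {
        $MemberCache[$Identity] = ''
        return ''
    }

    $sam = $Identity.Split('\')[-1]
    try {
        # -Recursive flattens nested groups; sorting makes the column diff-friendly
        $members = (Get-ADGroupMember -Identity $sam -Recursive -ErrorAction Stop |
                    Select-Object -ExpandProperty SamAccountName |
                    Sort-Object) -join '; '
    } catch {
        # Not a group (a user account) or not resolvable: leave the column empty
        $members = ''
    }
    $MemberCache[$Identity] = $members
    return $members
}

Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force | ForEach-Object {
    $folder = $_
    $acl = Get-Acl -LiteralPath $folder.FullName
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            'Folder Name' = $folder.FullName
            'Group/User'  = $ace.IdentityReference.Value
            'Permissions' = $ace.FileSystemRights
            'Type'        = $ace.AccessControlType
            'Inherited'   = $ace.IsInherited
            'Members'     = Get-GroupMembersCached $ace.IdentityReference.Value
        }
    }
} | Export-Csv -LiteralPath $Report -NoTypeInformation -Encoding UTF8
```

Writing the whole pipeline to `Export-Csv` once, instead of appending per ACE, also avoids the partial file you get when the loop is interrupted half-way. If `-Recursive` is too slow on large groups, drop it and the column shows direct members only, which is a different answer to "who can read this folder".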

PowerShell IF Matches

I'm looking to apply NTFS folder permissions using PowerShell; there are different security groups for each of the folders. What I'm looking to do is to be able to say IF the security group matches the folder name it contains, add permissions. Below is the code I have currently; just doing the foreach loop works, but it adds the security groups to each of the folders, which isn't what I want.
$folderpath = $datafromcsv.contentpath
foreach ($folder in $folderpath) {
    # the group prefix has to be a quoted string, and .Contains() returns a [bool],
    # so Get-Acl is given the folder path itself
    if ($GroupName.StartsWith("DATA-$($row.FolderName)")) {
        $dfsnfolder = Get-Acl -path $folder
        $applysecgrouppermissions = New-Object System.Security.AccessControl.FileSystemAccessRule("Russells.com\$GroupName","ReadData","ContainerInherit","None","Allow")
        $dfsnfolder.SetAccessRule($applysecgrouppermissions)
        $dfsnfolder | Set-Acl $folder
    }
}
This should do it if I understood everything correctly.
foreach ($folder in $datafromcsv) {
    $dfsnfolder = Get-Acl -path $folder.contentpath
    # I'm assuming $GroupName contains an array with all the AD group names.
    $filter = $GroupName | ? {$_ -like "$($folder.FolderName)*"}
    foreach ($g in $filter) {
        $applysecgrouppermissions = New-Object System.Security.AccessControl.FileSystemAccessRule("Russells.com\$g","ReadData","ContainerInherit","None","Allow")
        $dfsnfolder.SetAccessRule($applysecgrouppermissions)
        $dfsnfolder | Set-Acl $folder.contentpath
    }
}
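As an added example (not the answer's code), the same idea written as a script that can be dry-run. It assumes a CSV with `FolderName` and `ContentPath` columns, a naming convention of `DATA-<FolderName>-<suffix>` for the groups, and a domain NetBIOS name of `RUSSELLS`; all three are placeholders. Two choices differ from the answer and are worth knowing about: `AddAccessRule` merges a new ACE with whatever the identity already has, whereas `SetAccessRule` first removes every existing Allow ACE for that identity; and the ACE here is set to inherit to both subfolders and files, since `ContainerInherit` alone grants nothing on the files inside.

```powershell
# Added example: grant each folder's matching group read access, with -WhatIf support.
# CSV columns, group naming and the domain name are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath = 'C:\temp\folders.csv',
    [string]$Domain  = 'RUSSELLS'
)

$rows = Import-Csv -LiteralPath $CsvPath
# Assumed convention: one or more groups per folder, named DATA-<FolderName>-<suffix>
$groups = $rows | ForEach-Object { "DATA-$($_.FolderName)-R" }

foreach ($row in $rows) {
    $path = $row.ContentPath
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Warning "Skipping $path (not an existing folder)"
        continue
    }

    # Match on the full prefix plus separator, so DATA-Finance-* does not pick up DATA-FinanceArchive-*
    $matching = @($groups | Where-Object { $_ -like "DATA-$($row.FolderName)-*" })
    if ($matching.Count -eq 0) {
        Write-Warning "No group matches folder $($row.FolderName)"
        continue
    }

    $acl = Get-Acl -LiteralPath $path
    foreach ($g in $matching) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            "$Domain\$g",
            [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        # AddAccessRule keeps existing ACEs for the identity; SetAccessRule would replace them
        $acl.AddAccessRule($rule)
    }

    if ($PSCmdlet.ShouldProcess($path, "grant ReadAndExecute to $($matching -join ', ')")) {
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}
```

Run it first as `.\Grant-FolderGroupAccess.ps1 -WhatIf` (the script name is an assumption) to see which folder would receive which group before any ACL is written.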

Powershell, Get access rights of shared files, format output?

I have some shared files set up for me for testing purposes, on a Windows Server 2016.
My given task is to get all the users and their access rights to these shared files/folders.
I get the shared files with
Get-SmbShare | Select-Object -Property Name, Path
What I think I should do, is passing each share's path into
Get-Acl
So I came up with this:
$shares = Get-SmbShare | Where-Object Name -notlike '*$' | Select-Object Name
foreach ($share in $shares){
    $path = "\\$env:COMPUTERNAME\" + $share.Name.ToString()
    $FolderPath = dir -Directory -Path $path -Recurse -Force
    Foreach ($Folder in $FolderPath) {
        $Acl = Get-Acl -Path $Folder.FullName
        foreach ($Access in $acl.Access)
        {
            $Folder.FullName;
            $Access.IdentityReference;
            $Access.FileSystemRights;
            $Access.IsInherited
        }
    }
}
My question is: how could I format this output so it looks readable, and/or is there a simpler, maybe cleaner way to do what I intend to do?

Remove Full Access permissions from shared folders with exceptions

Basically, at my new work we have a shared network area with individual folders for each department. Each folder has multiple subfolders. The problem is the previous manager assigned 'full access' security rights on each folder and subfolder to absolutely everyone, including the 'Everyone' group. I'd like to change the 'full access' security permissions to modify, but not for certain security groups like Domain Admins and certain other security groups.
I have some code in PowerShell that gives me a list of which groups have full access permissions but I need to be able to take that list and change them to modify.
This is what I shamelessly stole and modified from someone else.
$path = "\\srv-shared\sharedfolders"
$ExcludeUsers = 'Domain\Domain Admins',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrator',
    'domain\Administrator'
# Create regex-pattern to match all excluded users
# (unanchored, so 'BUILTIN\Administrator' also matches 'BUILTIN\Administrators')
$ExcludeUsersRegex = ($ExcludeUsers | % { [regex]::Escape($_) }) -join '|'
Get-Childitem $path -Recurse -Directory | ForEach-Object {
    $file = $_
    Get-Acl -Path $file.FullName |
        Select-Object -ExpandProperty Access |
        Where-Object {
            $_.IdentityReference -notmatch $ExcludeUsersRegex -and
            $_.AccessControlType -eq "Allow" -and
            $_.FileSystemRights -eq "FullControl"
        } | ForEach-Object {
            #Foreach ACL
            New-Object psobject -Property @{
                Path = $file.FullName
                ACL = $_.IdentityReference
            }
        }
} | Select-Object -Property Path, ACL | Export-Csv e:\check_acl.csv -NoTypeInformation
Basically in the #Foreach ACL section i need it to change the full access permission for the group/user its just found and change it to modify instead.
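No answer is shown for this question, so what follows is an added example, not the poster's finished script. It takes the same selection (Allow, FullControl, identity not in the protected list) and replaces each such ACE with a Modify ACE carrying the same inheritance flags. The point a practitioner needs here is inherited ACEs: an inherited `Everyone: FullControl` on a subfolder is a copy of an explicit ACE on some ancestor, and `RemoveAccessRuleSpecific` cannot delete it; the script therefore only rewrites explicit ACEs and logs inherited ones as skipped, which is correct, because once the explicit ACE at the top is downgraded the inherited copies below change with it. The share root is included in the walk for that reason. The share path, the protected list and the log path are placeholders; the protected regex is anchored so `BUILTIN\Administrators` is matched as a whole name.

```powershell
# Added example: downgrade explicit FullControl ACEs to Modify, protecting listed principals.
# Paths and principal names are placeholders; run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Path = '\\srv-shared\sharedfolders',
    [string[]]$Protected = @('DOMAIN\Domain Admins', 'NT AUTHORITY\SYSTEM',
                             'BUILTIN\Administrators', 'DOMAIN\Administrator'),
    [string]$Log = 'E:\acl_changes.csv'
)

$ProtectedRegex = '^(' + (($Protected | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
$FullControl    = [System.Security.AccessControl.FileSystemRights]::FullControl

# Root first: the explicit ACEs that propagate down usually live there.
$Folders = @(Get-Item -LiteralPath $Path) +
           @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -Force)

$Changes = foreach ($dir in $Folders) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    $targets = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -eq $FullControl -and
        $_.IdentityReference.Value -notmatch $ProtectedRegex
    })
    if ($targets.Count -eq 0) { continue }

    $touched = $false
    foreach ($ace in $targets) {
        if ($ace.IsInherited) {
            # Lives on an ancestor; it changes when the ancestor's explicit ACE is rewritten.
            [pscustomobject]@{ Path = $dir.FullName; Identity = $ace.IdentityReference.Value; Action = 'inherited, skipped' }
            continue
        }
        # Same identity and inheritance, Modify instead of FullControl
        $new = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $ace.IdentityReference, 'Modify', $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        $acl.RemoveAccessRuleSpecific($ace)
        $acl.AddAccessRule($new)
        $touched = $true
        [pscustomobject]@{ Path = $dir.FullName; Identity = $ace.IdentityReference.Value; Action = 'FullControl -> Modify' }
    }

    if ($touched -and $PSCmdlet.ShouldProcess($dir.FullName, 'replace FullControl with Modify')) {
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    }
}

$Changes | Export-Csv -LiteralPath $Log -NoTypeInformation
```

Check the log for `inherited, skipped` rows whose path is the share root itself: those come from the share's parent directory on the server and need fixing there, outside the walk. Keep the `-WhatIf` run's CSV as the before-state; it is the only record of who had FullControl once the change is applied.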

Powershell get-acl from childitems that not equals foldername

At work we have a folder with lots of subfolders named like "MeyerS". (Lastname and the first letter of surname)
When I take a look at Get-ChildItem $path | Get-Acl, the username equals the subfolder name. But there is also a "SCHUELER\" in front of "MeyerS". This is what the output looks like, e.g.: SCHUELER\MeyerS Allow Write, ReadAndExecute, Synchronize
Some subfolders don't have this kind of username. Now I want to output all these subfolders without this username- "combination".
With my first codesnippet I get all of them, but I really just want these specific ones.
I checked some similar questions, and found something. I modified it, but it shows all subfolders just without SCHUELER\MeyerS. I think I just need a small push to the right way.
The code so far:
$path = "R:\HOME"
$folders = Get-ChildItem $path | where {$_.psiscontainer}
foreach ($folder in $folders){
    $domain = "domname"
    $aclname = "ACLname"
    $aclfullname ="$domain\$aclname"
    Get-Acl | select -ExpandProperty Access | where {$_.identityreference -notcontains $aclfullname}
    Write-Host $folder.FullName
}
Short note: I tried a lot of variations with -noteq or -notlike.
What do I have to change?
If there is already an answer I really didn't know.
Sometimes it's really hard to enunciate yourself in another language. I hope you get my point.
Thanks.
$path = "R:\HOME"
$folders = Get-ChildItem $path | where {$_.psiscontainer}
foreach ($folder in $folders)
{
    $domain = "domname"
    $aclname = "ACLname"
    $aclfullname ="$domain\$aclname"
    # Collect the ACEs that DO belong to the identity; pass the full path, since
    # a DirectoryInfo object may stringify to just its name on Windows PowerShell.
    # IdentityReference is an NTAccount, so compare its .Value string.
    $AcesWithAclFullName = $null
    $AcesWithAclFullName = Get-Acl -Path $folder.FullName `
        | Select-Object -ExpandProperty Access `
        | Where-Object { $_.IdentityReference.Value -eq $aclfullname }
    # No matching ACE means the folder lacks that user
    if ( -not $AcesWithAclFullName )
    {
        Write-Host $folder.FullName
    }
}
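Since in the question the expected account name is the folder name itself (`SCHUELER\MeyerS` on the folder `MeyerS`), here is an added example (not the answer's code) that derives the expected identity from each folder and reports only the folders where no Allow ACE for that identity exists, together with the principals that are present, so the report is actionable. `R:\HOME` and `SCHUELER` come from the question; the function name and the output shape are assumptions.

```powershell
# Added example: find home folders that lack an ACE for the account named like the folder.
# Root and domain are the values from the question; adjust for your environment.
function Get-HomeFolderWithoutOwnerAce {
    param(
        [string]$Path   = 'R:\HOME',
        [string]$Domain = 'SCHUELER'
    )
    foreach ($folder in (Get-ChildItem -LiteralPath $Path -Directory -Force)) {
        $expected = "$Domain\$($folder.Name)"
        $acl = Get-Acl -LiteralPath $folder.FullName

        # Compare the NTAccount's string form; -eq on strings is case-insensitive,
        # which matches how Windows treats account names.
        $ace = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $expected -and $_.AccessControlType -eq 'Allow'
        }

        if (-not $ace) {
            [pscustomobject]@{
                Folder     = $folder.FullName
                Expected   = $expected
                Principals = ($acl.Access.IdentityReference.Value | Sort-Object -Unique) -join '; '
            }
        }
    }
}

Get-HomeFolderWithoutOwnerAce | Format-Table -AutoSize
```

A folder that appears here with a `Principals` column listing another user's account is the interesting case for a review: it is either a renamed account or a folder handed to the wrong person, and neither shows up when the check is done by name alone.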