ACL on a folder

This topic contains 5 replies, has 5 voices, and was last updated by Profile photo of Lucien Janssens Lucien Janssens 1 year, 11 months ago.

  • Author
    Posts
  • #21528
    Profile photo of Lucien Janssens
    Lucien Janssens
    Participant

    Hello PowerShell gurus,

    I'm a newb on Powershell, looking for a function/script that accomplishes the following:

    Input is a folder or UNC path (get-childitem)
    The output should look like this (csv format, I need to import it in Excel or Access later on), i.e. an entry for each user/group that has access to the folder.

    "d:\MyPath\MyFolder","NT AUTHORITY\SYSTEM","Allow","Full Control"
    "d:\MyPath\MyFolder","ACME\Helpdesk","Allow","ReadAndExecute"
    "d:\MyPath\MyFolder","ACME\Helpdesk","Allow","Synchronize"
    "d:\MyPath\MyFolder","ACME\Domain Admins","Allow","Full Control"

    I think it would require to rewrite the scriptproperty 'AccessToString' from the get-ACL cmdlet.
    Anyone know how to do this (or has another neat solution) ?

    tx.
    BB

  • #21529
    Profile photo of Matt McNabb
    Matt McNabb
    Participant

    Here's a simple example:

    $Path = 'D:\MyPath\MyFolder'
    $CSVPath = 'C:\MyPath\Acl.csv'
    $ACL = Get-Acl -Path $Path 
    
    foreach ($Entry in $ACL.Access)
    {
        [PsCustomObject]@{
            Path = $Path
            IdentityReference = $Entry.IdentityReference
            AccessControlType = $Entry.AccessControlType
            FileSystemRights  = $Entry.FileSystemRights
        } | Export-Csv -Path $CSVPath -NoTypeInformation
    }
  • #21530
    Profile photo of Will Anderson
    Will Anderson
    Keymaster

    If you want to make a reuseable function though, you can take Matt's excellent example a little further:

    Function Get-FolderACL{[cmdletbinding[]]
    
        Param[
                [Parameter[Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True]][ValidateNotNullorEmpty[]][string[]]$Path
        ]#EndParam
    
    
            $Directory = Get-Acl -Path $Path
    
            ForEach[$Dir in $Directory.Access]{
                [PSCustomObject]@{
                    Path = $Path
                    Group = $Dir.IdentityReference
                    AccessType = $Dir.AccessControlType
                    Rights = $Dir.FileSystemRights
                    }
            }#EndForEach
    
    }#EndFunction

    Jeff Hicks just wrote an excellent article on building advanced functions. I highly recommend you give it a read:
    http://www.petri.com/creating-advance-functions-powershell.htm?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Petri+%28Petri+IT+Knowledgebase%29

  • #21541
    Profile photo of Brett Osiewicz
    Brett Osiewicz
    Participant

    You should also check Raimund Andrée's "File System Security PowerShell Module 3.2.2 " https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85 on Microsoft's website.

    He updated it about two weeks ago. I had built a number of functions similar to yours, but will now use this module instead.

  • #21567
    Profile photo of Jarek C.
    Jarek C.
    Participant

    What if we need not only the .identityreference property but also all members in case it is a group? How do get this out? Can we somehow incorporate the below in the get-acl code?

    {Get-CimInstance -ClassName Win32_Group -Filter "Name = 'Adminis'" Get-CimAssociatedInstance -InputObject $group -ResultClassName Win32_Group | select -ExpandProperty Caption}

    Also when to use [PSCustomObject]@{} rather than Select-Object @{}?

  • #21653
    Profile photo of Lucien Janssens
    Lucien Janssens
    Participant

    Thank you all for your input; it has been very helpful.
    I'm definitely going to look into the Filesystem security module, because it seems to address some issues I came accross too (e.g. long pathnames)

You must be logged in to reply to this topic.