
January 11, 2016 at 6:39 am

Hi,

I can't seem to figure out how to match a value against an array of values in the where clause.
Basically I want to check the NTFS permissions on each folder against a list of excluded keywords.
For example: if the account BUILTIN\Administrators has rights on a subfolder, that entry should be omitted from the output, because the array $ACLExcludes contains the keyword "BUILTIN".

This is my code:

# Clear the console before the run's output is written.
Clear-Host

Function Get-MyChildItem
{
  <#
  .SYNOPSIS
  Walks the subfolders of -Path down to -MaxDepth levels and prints each
  folder name followed by the accounts found in its access list.

  .DESCRIPTION
  The function calls itself for every subfolder, passing the incremented
  depth. $ACLExcludes is not a parameter; it is read from the calling
  scope and has to be set before the first call.

  .PARAMETER Path
  Folder whose subfolders are examined.

  .PARAMETER MaxDepth
  How many folder levels to descend (default 3).

  .PARAMETER Depth
  Current recursion level; passed along by the recursive call.
  #>
  param
  (
    [Parameter(Mandatory = $true)]
    [String]$Path,
    [System.Int32]$MaxDepth = 3,
    [System.Int32]$Depth = 0
  )

    # Count this call as one level deeper before comparing with the limit.
    $Depth++

    if ($Depth -le $MaxDepth)
    {
        try
        {
            # -ErrorAction stop turns a listing failure into an exception for the catch below.
            $Subfolders = Get-ChildItem -path $Path -Directory -ErrorAction stop
            foreach ($SubFolder in $SubFolders)
            {
                # The folder name is printed for every subfolder, whether or not any entry survives the filter.
                Write-Host $Subfolder.FullName -BackgroundColor Green
                # NOTE(review): -notmatch takes ONE regular expression on its right-hand side.
                # An array there is converted to a single string (elements joined with a space),
                # so the pattern becomes the text "BUILTIN NT AUTHORITY CREATOR OWNER". No
                # account name contains that text, so nothing is filtered out. This is the
                # problem the post asks about.
                (Get-Acl $Subfolder.FullName).Access | Where { $_.identityreference.value -notmatch $ACLExcludes } | foreach { Write-Host $_.identityreference.value }
                # Descend into the subfolder with the already-incremented depth.
                Get-MyChildItem -Path $SubFolder.FullName -Depth $Depth -MaxDepth $MaxDepth
            }
        }
        catch
        {
            # NOTE(review): the try block wraps the whole loop, so an exception raised for one
            # subfolder ends the loop and the remaining siblings are not examined. When
            # Get-ChildItem itself fails, $SubFolder has not been assigned in this call.
            Write-Host "An error occurred for folder" $SubFolder.FullName ":" $_ -BackgroundColor Red
        }
    }
}

# Top of the folder tree to examine.
$RootFolder = 'C:\ROOTFOLDER'

# Keywords identifying the accounts to leave out of the report.
# Get-MyChildItem reads this variable from the calling scope.
$ACLExcludes = @('BUILTIN', 'NT AUTHORITY', 'CREATOR OWNER')

# Examine two folder levels below the root.
Get-MyChildItem -Path $RootFolder -MaxDepth 2

January 11, 2016 at 8:51 am

I just found the answer myself:

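Function Get-MyChildItem
{
  <#
  .SYNOPSIS
  Lists, for each subfolder down to a depth limit, the NTFS access entries
  whose account does not contain one of the keywords in $ACLExcludes.

  .DESCRIPTION
  Recurses through the directories below -Path. A folder is printed only
  when at least one access entry remains after filtering. $ACLExcludes is
  not a parameter; it is read from the calling scope and has to be set
  before the first call.

  Keywords are compared literally and case-insensitively against the
  account name (IdentityReference) only, not against the rights text.
  The comparison is a substring test, so a keyword also hides every
  account whose name merely contains it; keep the keywords specific when
  the output is used for a permission review.

  A folder that cannot be listed or whose ACL cannot be read is reported
  in red and the walk continues with the remaining folders, so a single
  access-denied error does not silently shorten the report.

  .PARAMETER Path
  Folder whose subfolders are examined.

  .PARAMETER MaxDepth
  How many folder levels to descend (default 3).

  .PARAMETER Depth
  Current recursion level. Set by the function when it calls itself;
  callers normally leave it at 0.
  #>
  param
  (
    [Parameter(Mandatory = $true)]
    [String]$Path,
    [System.Int32]$MaxDepth = 3,
    [System.Int32]$Depth = 0
  )

    $Depth++

    if ($Depth -le $MaxDepth)
    {
        # Build one literal alternation from the keywords. Escaping keeps a keyword
        # such as "BUILTIN\Users" from being read as a regular expression, and dropping
        # empty values keeps an empty pattern from matching (and hiding) every account.
        $Keywords = @($ACLExcludes | Where-Object { $_ } | ForEach-Object { [regex]::Escape([string]$_) })
        $ExcludePattern = $Keywords -join '|'

        try
        {
            # -LiteralPath: folder names containing [ ] * ? are taken as written, not as wildcards.
            $Subfolders = Get-ChildItem -LiteralPath $Path -Directory -ErrorAction Stop
        }
        catch
        {
            # The listing failed for $Path itself; no subfolder has been selected yet.
            Write-Host "An error occurred for folder" $Path ":" $_ -BackgroundColor Red
            return
        }

        foreach ($SubFolder in $Subfolders)
        {
            # Per-folder try/catch: one unreadable ACL must not end the loop and
            # leave the sibling folders unexamined.
            try
            {
                $Entries = @((Get-Acl -LiteralPath $SubFolder.FullName -ErrorAction Stop).Access)
                if ($Keywords.Count -gt 0)
                {
                    $Entries = @($Entries | Where-Object { $_.IdentityReference.Value -notmatch $ExcludePattern })
                }

                # Same fields as an AccessToString line: account, Allow/Deny, rights.
                $Permissions = @($Entries | ForEach-Object {
                    '{0} {1}  {2}' -f $_.IdentityReference.Value, $_.AccessControlType, $_.FileSystemRights
                })

                If ($Permissions.Count -gt 0)
                {
                    Write-Host $SubFolder.FullName -BackgroundColor Green
                    # One entry per line instead of all entries joined on a single line.
                    $Permissions | ForEach-Object { Write-Host $_ }
                }
            }
            catch
            {
                Write-Host "An error occurred for folder" $SubFolder.FullName ":" $_ -BackgroundColor Red
            }

            # Descend even when the ACL of this folder could not be read; the
            # recursive call reports its own listing error if there is one.
            Get-MyChildItem -Path $SubFolder.FullName -Depth $Depth -MaxDepth $MaxDepth
        }
    }
}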