error handling during get-acl access denied

This topic contains 3 replies, has 4 voices, and was last updated by Profile photo of Rohn Edwards Rohn Edwards 6 months, 3 weeks ago.

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • #35948
    Profile photo of Partho Sankar Roy
    Partho Sankar Roy
    Participant

    Hi Guys,

    I am trying to query for a list of users/groups having access to some shared location. However in some folders even administrator doesnt have permission, So the script I have come up with will skip those files/folders, but I am not sure why its not logging in to error.log. Any idea ?

    $success = @()
    $failed = @()

    gci $vStartingPath -recurse|

    foreach-object {

    $success = @()
    $failed = @()
    foreach-object {

    if (get-acl $_.fullname){
    $success += get-acl $_.fullname |select pschildname, pspath, accesstostring
    }
    else {$failed += "Failed to get ACL on $($_.fullname)"}
    }

    $success | export-csv "C:\WINDOWS\system32\WindowsPowerShell\v1.0\vHope.csv"
    $failed | out-file error.log

    #35949
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Look through "The Big Book of PowerShell Error Handling" (Resources menu, eBooks item) here for information on how to handle errors in script.

    #35952
    Profile photo of random commandline
    random commandline
    Participant
    # Export ACLs to csv and errors to txt file
    Get-ChildItem $vStartingPath -Recurse -ErrorAction SilentlyContinue -ErrorVariable +failederrors | ForEach-Object {Get-acl -Path $_.FullName | 
    Select-Object pschildname,pspath,accesstostring} | Export-Csv .\ACL.csv -NoTypeInformation
    $failederrors.exception | out-file .\failederrors.txt
    
    #35962
    Profile photo of Rohn Edwards
    Rohn Edwards
    Participant

    If you want to take a different approach, you might try to get version 4.0 of the PowerShell Access Control Module (source available here).

    One of the features it offers is enabling the SeBackupPrivilege, which will let you completely ignore the DACLs on the files and folders that are giving you trouble (of course you have to have been granted that privilege, which is usually only for admins and/or backup operators). An example of using it to export all of the ACEs for your $vStartingPath location would look like this:

    gci $vStartingPath -Recurse | 
        Get-PacAccessControlEntry -PacSDOption (New-PacSDOption -BypassAclCheck) | 
        Export-Csv c:\powershell\permissions.csv -NoTypeInformation
    
Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.