error handling during get-acl access denied

This topic contains 3 replies, has 4 voices, and was last updated by Rohn Edwards 2 years, 4 months ago.

  • #35948

    Partho Sankar Roy

    Hi Guys,

    I am trying to query for a list of users/groups having access to some shared location. However, in some folders even the administrator doesn't have permission, so the script I have come up with will skip those files/folders, but I am not sure why it's not logging to error.log. Any idea?

    $success = @()
    $failed = @()

    gci $vStartingPath -recurse|

    foreach-object {

    $success = @()
    $failed = @()
    foreach-object {

    if (get-acl $_.fullname){
    $success += get-acl $_.fullname |select pschildname, pspath, accesstostring
    else {$failed += "Failed to get ACL on $($_.fullname)"}

    $success | export-csv "C:\WINDOWS\system32\WindowsPowerShell\v1.0\vHope.csv"
    $failed | out-file error.log

  • #35949

    Don Jones

    Look through "The Big Book of PowerShell Error Handling" (Resources menu, eBooks item) here for information on how to handle errors in script.

  • #35952

    random commandline
    # Export ACLs to csv and errors to txt file
    Get-ChildItem $vStartingPath -Recurse -ErrorAction SilentlyContinue -ErrorVariable +failederrors | ForEach-Object {Get-acl -Path $_.FullName | 
    Select-Object pschildname,pspath,accesstostring} | Export-Csv .\ACL.csv -NoTypeInformation
    $failederrors.exception | out-file .\failederrors.txt
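
An added example, not part of any post in this thread: one way to log both kinds of access-denied failure, the folders Get-ChildItem cannot enumerate and the items Get-Acl cannot read, to files with absolute paths. The function name `Export-AclReport`, its parameters and the output file names are assumptions made for illustration.

```powershell
# Added example (not from the thread). Export-AclReport, its parameters and
# the output file names are hypothetical.
function Export-AclReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $StartingPath,
        [Parameter(Mandatory)] [string] $OutputDirectory
    )

    $acls   = New-Object System.Collections.Generic.List[object]
    $failed = New-Object System.Collections.Generic.List[object]

    # Failure point 1: enumeration. Folders that cannot be listed never reach
    # the loop below, so their errors are captured from Get-ChildItem itself.
    $items = Get-ChildItem -LiteralPath $StartingPath -Recurse -Force `
                 -ErrorAction SilentlyContinue -ErrorVariable enumErrors
    foreach ($e in $enumErrors) {
        $failed.Add([pscustomobject]@{
            Stage = 'Enumerate'; Path = [string]$e.TargetObject; Error = $e.Exception.Message
        })
    }

    # Failure point 2: reading the security descriptor. -ErrorAction Stop makes
    # the error terminating, so the catch block sees it.
    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
            $acls.Add(($acl | Select-Object PSChildName, PSPath, AccessToString))
        }
        catch {
            $failed.Add([pscustomobject]@{
                Stage = 'Get-Acl'; Path = $item.FullName; Error = $_.Exception.Message
            })
        }
    }

    # Absolute output paths, so the logs do not depend on the current directory.
    $acls   | Export-Csv -LiteralPath (Join-Path $OutputDirectory 'acl.csv') -NoTypeInformation
    $failed | Export-Csv -LiteralPath (Join-Path $OutputDirectory 'acl-errors.csv') -NoTypeInformation

    [pscustomobject]@{ Exported = $acls.Count; Failed = $failed.Count }
}

# Constructed sample input: a scratch folder containing one file.
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'acl-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-Content -LiteralPath (Join-Path $root 'sample.txt') -Value 'constructed sample'
Export-AclReport -StartingPath $root -OutputDirectory $root
```
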
  • #35962

    Rohn Edwards

    If you want to take a different approach, you might try to get version 4.0 of the PowerShell Access Control Module (source available here).

    One of the features it offers is enabling the SeBackupPrivilege, which will let you completely ignore the DACLs on the files and folders that are giving you trouble (of course you have to have been granted that privilege, which is usually only for admins and/or backup operators). An example of using it to export all of the ACEs for your $vStartingPath location would look like this:

    gci $vStartingPath -Recurse | 
        Get-PacAccessControlEntry -PacSDOption (New-PacSDOption -BypassAclCheck) | 
        Export-Csv c:\powershell\permissions.csv -NoTypeInformation
