
March 2, 2016 at 10:33 am

Hi Guys,

I am trying to query for a list of users/groups having access to some shared location. However, in some folders even the administrator doesn't have permission, so the script I have come up with will skip those files/folders, but I am not sure why it's not logging to error.log. Any idea?

$success = @()
$failed = @()

gci $vStartingPath -recurse|

foreach-object {

$success = @()
$failed = @()
foreach-object {

if (get-acl $_.fullname){
$success += get-acl $_.fullname |select pschildname, pspath, accesstostring
}
else {$failed += "Failed to get ACL on $($_.fullname)"}
}

$success | export-csv "C:\WINDOWS\system32\WindowsPowerShell\v1.0\vHope.csv"
$failed | out-file error.log

March 2, 2016 at 11:35 am

Look through "The Big Book of PowerShell Error Handling" (Resources menu, eBooks item) here for information on how to handle errors in script.

March 2, 2016 at 12:49 pm

# Export ACLs to csv and errors to txt file
Get-ChildItem $vStartingPath -Recurse -ErrorAction SilentlyContinue -ErrorVariable +failederrors |
    ForEach-Object { Get-Acl -Path $_.FullName | Select-Object pschildname, pspath, accesstostring } |
    Export-Csv .\ACL.csv -NoTypeInformation
$failederrors.Exception | Out-File .\failederrors.txt
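
An added example, not part of any post in this thread: a permission audit that logs both kinds of failure, folders that cannot be listed and items whose ACL cannot be read. The share path and both output file names are assumed values.

```powershell
# Added example. $vStartingPath, $csvPath and $logPath are assumed values.
$vStartingPath = '\\server\share'
$csvPath       = '.\ACL.csv'
$logPath       = '.\error.log'

# Created once, before any loop, so entries accumulate across all items.
$failed = New-Object 'System.Collections.Generic.List[string]'

# Enumeration errors are non-terminating: keep them off the console and
# collect them in $enumErrors while the listing continues.
$items = Get-ChildItem -Path $vStartingPath -Recurse `
    -ErrorAction SilentlyContinue -ErrorVariable enumErrors

$success = foreach ($item in $items) {
    try {
        # -ErrorAction Stop makes any Get-Acl failure catchable, so the
        # catch block runs for this item only and the loop continues.
        Get-Acl -Path $item.FullName -ErrorAction Stop |
            Select-Object PSChildName, PSPath, AccessToString
    }
    catch {
        $failed.Add("Failed to get ACL on $($item.FullName): $($_.Exception.Message)")
    }
}

# Folders that could not be listed never reach the loop above; record them too,
# because their contents are missing from the audit.
foreach ($e in $enumErrors) {
    $failed.Add("Failed to enumerate $($e.TargetObject): $($e.Exception.Message)")
}

$success | Export-Csv -Path $csvPath -NoTypeInformation
$failed  | Out-File -FilePath $logPath
```

An entry in the log marks a part of the share whose permissions were not reviewed, so the CSV alone does not describe the whole share.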

March 2, 2016 at 3:47 pm

If you want to take a different approach, you might try to get version 4.0 of the PowerShell Access Control Module (source available here).

One of the features it offers is enabling the SeBackupPrivilege, which will let you completely ignore the DACLs on the files and folders that are giving you trouble (of course you have to have been granted that privilege, which is usually only for admins and/or backup operators). An example of using it to export all of the ACEs for your $vStartingPath location would look like this:

gci $vStartingPath -Recurse | 
    Get-PacAccessControlEntry -PacSDOption (New-PacSDOption -BypassAclCheck) | 
    Export-Csv c:\powershell\permissions.csv -NoTypeInformation