March 1, 2017 at 8:12 pm

I am trying to come up with a way to look for anomalies in file shares.

The files and subfolders should have inherited their permissions from the root, but I'm looking to see if any folders/files differ.

I can get the permissions using a simple Get-Acl, but I was wondering how I can compare the permissions with a subfolder's?

#gets root folder's permissions
$rootPermissions = (get-acl '\\fileserver\share1').access

$subfolders = get-childitem -recurse '\\fileserver\share1'

foreach($subfolder in $subfolders)
{
    #somehow compare?
    compare $rootpermissions with $subfolder.access
    if not a match
    {
      "$subfolder has different permission"
    }
}

A mixture of pseudo code there, but any suggestions on how to compare the permissions of the root to each subfolder's?

Edit: The only 2 properties I really need to look at are IdentityReference and AccessControlType

So if root has

Accesscontroltype Identityreference
Allow domain\user1
Allow domain\user2

and sub has
Accesscontroltype Identityreference
Allow domain\user1
Allow domain\user2
Allow domain\user3

It would alert that 'subfolder has User3', and if, say, it was missing domain\user2, it would alert that as well.

March 1, 2017 at 8:55 pm

Maybe this could help?

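# Gets the root folder's permissions
$rootPermissions = (Get-Acl '\\fileserver\share1').Access

$subfolders = Get-ChildItem -Recurse '\\fileserver\share1'

foreach ($subfolder in $subfolders)
{
    $folder = (Get-Acl $subfolder.FullName).Access
    # Compare on the two properties that matter. Without -Property the rule
    # objects are compared by their ToString() text, which is the same type
    # name for every rule, so no difference would ever be reported.
    $compare = Compare-Object -ReferenceObject $rootPermissions -DifferenceObject $folder -Property IdentityReference, AccessControlType

    # Any result is a difference: "=>" is an entry only on the subfolder,
    # "<=" is an entry the root has and the subfolder lacks
    if ($compare) {
        Write-Output "$($subfolder.Name) has different permission"
    }
}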
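An added example, not part of either post above: it reports which IdentityReference/AccessControlType pair each file or folder adds or lacks relative to the root, as the edit to the question asks. The function names `Get-AclKey` and `Find-AclDrift` and the temp folder `acl-drift-demo` are made up for illustration; the demo tree is constructed so the script runs without a file server.

```powershell
# Reduce an item's ACL to unique "Allow|DOMAIN\user" strings (hypothetical helper)
function Get-AclKey {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path -ErrorAction Stop).Access |
        ForEach-Object { '{0}|{1}' -f $_.AccessControlType, $_.IdentityReference } |
        Sort-Object -Unique
}

# Emit one object per entry that a child adds or lacks compared with the root
function Find-AclDrift {
    param([Parameter(Mandatory)][string]$Root)
    $rootKeys = @(Get-AclKey -Path $Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try   { $keys = @(Get-AclKey -Path $item.FullName) }
            catch { Write-Warning "Cannot read ACL: $($item.FullName)"; return }

            # Membership tests instead of Compare-Object, which rejects empty lists
            $added   = @($keys     | Where-Object { $_ -notin $rootKeys })
            $missing = @($rootKeys | Where-Object { $_ -notin $keys })

            foreach ($e in $added) {
                [pscustomobject]@{ Path = $item.FullName; Change = 'Added'; Entry = $e }
            }
            foreach ($e in $missing) {
                [pscustomobject]@{ Path = $item.FullName; Change = 'Missing'; Entry = $e }
            }
        }
}

# Constructed demo: a temp tree in which one subfolder gets an extra explicit ACE
$demo = Join-Path ([IO.Path]::GetTempPath()) 'acl-drift-demo'
$ok   = Join-Path $demo 'ok'
$odd  = Join-Path $demo 'odd'
New-Item -ItemType Directory -Path $ok, $odd -Force | Out-Null

# S-1-1-0 is the well-known SID for Everyone (avoids localized account names)
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'Read', 'Allow')
$acl  = Get-Acl -LiteralPath $odd
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $odd -AclObject $acl

# Only the "odd" folder should be listed, with Change = Added
Find-AclDrift -Root $demo | Format-Table -AutoSize
```

On a real share, a root entry scoped to "this folder only" does not propagate, so it will show as Missing on every child; filter such entries out of the root list if that is expected.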