Filtering AD ACL Object to be excluded from the Get-ACL result?
This topic has 4 replies, 3 voices, and was last updated 4 months ago by Participant.
September 14, 2020 at 9:00 am #256391
Hi Everyone,
I need to exclude the certain pattern result of the below script to export the Explicitly defined ACL that is already working.
Script:
```powershell
$Excludes = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', 'Everyone', 'S-1-5-21'
$reExcludeObjects = '^({0})$' -f (($Excludes | ForEach-Object { [regex]::Escape($_) }) -join '|')

function Get-CustomDirInfo([IO.DirectoryInfo]$path, $parentAcl)
{
    $containerInherit = [Security.AccessControl.InheritanceFlags]::ContainerInherit
    $acl = (Get-Acl -Path $path.FullName).Access | ForEach-Object {
        New-Object PSObject -Property @{
            Path              = $path.FullName
            IdentityReference = $_.IdentityReference
            FileSystemRights  = $_.FileSystemRights
            IsInherited       = $_.IsInherited
            InheritanceFlags  = $_.InheritanceFlags
            InheritedFrom     = if ($_.IsInherited)
            {
                if ($parentAcl)
                {
                    $current = $_
                    $parentAce = $parentAcl | Where-Object {
                        ($current.IdentityReference -eq $_.IdentityReference) -and
                        ($current.FileSystemRights -band $_.FileSystemRights) -and
                        ($_.InheritanceFlags -band $containerInherit) -and
                        ($_.IdentityReference -notmatch $reExcludeObjects)
                    }
                    if (!$parentAce -or ($parentAce.count -gt 1))
                    {
                        Write-Warning "Something is not right Parent ACE Count = $($parentAce.count) - $($path.FullName)"
                        # Export the broken directories path as unique entries
                        $BrokenACLDirectories += $path.FullName
                        $BrokenACLDirectories | Select-Object -exp FullName -Unique | OGV -Title "There are $($BrokenACLDirectories.Count) Broken Directories"
                    }
                    if ($parentAce.IsInherited)
                    {
                        $parentAce.InheritedFrom
                    }
                    else
                    {
                        Split-Path $path.FullName -Parent
                    }
                }
                else
                {
                    "Unknown (Top:$($path.FullName))"
                }
            }
            else
            {
                "Not Inherited"
            }
        }
    }
    $acl
    $inheritableAcl = $acl | Where-Object { $_.InheritanceFlags -band $containerInherit }
    $path.FullName | Get-ChildItem | Where-Object { $_.PsIsContainer } | ForEach-Object { Get-CustomDirInfo $_ $inheritableAcl }
}

Get-CustomDirInfo (Get-Item F:\FileShare\Corporate) | ft Path, IdentityReference, FileSystemRights, IsInherited, InheritedFrom -Auto
```
However, even with the RegEx filtering in the above script, the result is still the same?
Also, at Line #28, the OGV is not showing the unique directories, and it throws this error:
```text
Select-Object : Property "FullName" cannot be found.
At line:30 char:49
+ ... $BrokenACLDirectories | Select-Object -exp FullName -Unique | OGV - ...
+                                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (F:\FileShare\Shared-Dir\W3SVC71:PSObject) [Select-Object], PSArgumentException
    + FullyQualifiedErrorId : ExpandPropertyNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand
```
Thank you in advance,
September 14, 2020 at 2:39 pm #256520
The filter can be done like so:
```powershell
(Get-Acl -Path C:\Scripts).Access | Where-Object { $Excludes -notcontains $_.IdentityReference }
```
This code:
```powershell
# Export the broken directories path as unique entries
$BrokenACLDirectories += $path.FullName
$BrokenACLDirectories | Select-Object -exp FullName -Unique | OGV -Title "There are $($BrokenACLDirectories.Count) Broken Directories"
```
First, there is nowhere in the code provided that $BrokenACLDirectories is defined, so I would think there would be an error about op_Addition when you attempt to append to it. If it is defined and you are appending with +=, it's an array, not an object. The logic for InheritedFrom could use some work. I recommend you work on collecting information in the function so that you can filter which directories are 'broken', rather than doing too much analysis when collecting ACLs, as it's typically time-consuming.
September 14, 2020 at 3:10 pm #256535
When you crosspost, you should link that post at a minimum.
You already have 2 great answers there. If you’re unwilling to take the time to understand them, then please don’t try to get more people to waste their time. As per your screenshot, you are creating a custom identity reference. It’s no longer just the identity, you have added “CreateFile, AppendData, ReadAndExecute,” as well as “DeletedSubdirectoriesAndFiles, Modify,” to the identityreference property. For those that don’t have that added, I would assume a space is added since you are clearly tacking text onto the end of those. What I said in the comment on Theo’s answer is to use the regex match, but you must remove the $ from the exclusion variable as that indicates THE END OF THE LINE. Since the identity reference IS NOT THE END OF THE LINE, this will never match.
Again, I’m specifically referring to
```powershell
$reExcludeObjects = '^({0})$' -f (($Excludes | ForEach-Object { [regex]::Escape($_) }) -join '|')
```
Therefore, this here will never match
```powershell
"NT AUTHORITY\system " -match $reExcludeObjects
```
However, if you change the line as I suggested, removing the $…
```powershell
$Excludes = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', 'Everyone', 'S-1-5-21'
$reExcludeObjects = '^({0})' -f (($Excludes | ForEach-Object { [regex]::Escape($_) }) -join '|')
"NT AUTHORITY\System " -match $reExcludeObjects
True
```
And it doesn't matter that you've added text onto this property. Even this will match:
```powershell
"NT AUTHORITY\SystemPleaseReadAndTest" -match $reExcludeObjects
True
```
So please, please, please take a few minutes to try the suggestion. Remove the end-of-line marker from the code, and hopefully you will have your desired result.
September 15, 2020 at 9:29 am #256688
@Rob,
Yes, I'm still confused and not sure what to do to gather all of those broken ACL directories into OGV or a .CSV file.
Hence I need some help with the code below:
```powershell
if (!$parentAce -or ($parentAce.count -gt 1))
{
    Write-Warning "Something is not right Parent ACE Count = $($parentAce.count) - $($path.FullName)"
    # Export the broken directories path as unique entries
    $BrokenACLDirectories += $path.FullName
    $BrokenACLDirectories | Select-Object -exp FullName -Unique | OGV -Title "There are $($BrokenACLDirectories.Count) Broken Directories"
}
```
September 15, 2020 at 10:03 am #256703
The logic for InheritedFrom could use some work. Recommend you work on collecting information in the function so that you can filter what directories are ‘broken’ rather than doing too much analysis when collecting acls as it’s typically time-consuming.
I will create another post topic or thread for the above.
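Putting the two suggestions from this thread together (an exclusion regex anchored only at the start of the identity, as in Rob's reply, and collecting results first and exporting once after the walk, as in the first reply), here is an added example. It is not code from any of the posts. It assumes Windows PowerShell 5.1 or later on Windows and a user who can set ACLs under $env:TEMP; the Get-ExplicitAce function, the Corporate\HR and Corporate\IT folder names, and the BUILTIN\Users rule are constructed for the demonstration.

```powershell
# Added example, not code from the original thread. Assumptions: Windows, PowerShell 5.1 or
# later, and a user who can modify ACLs under $env:TEMP (the sample tree is constructed below).

# Exclusion list, anchored at the start of the identity only. The \b after the alternation keeps
# 'Everyone' from also matching 'EveryoneElse', while 'S-1-5-21' still matches a full unresolved
# domain SID such as S-1-5-21-...-1001 (the '-' after '21' is a word boundary).
$Excludes = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', 'Everyone', 'S-1-5-21'
$reExcludeObjects = '^({0})\b' -f (($Excludes | ForEach-Object { [regex]::Escape($_) }) -join '|')

function Get-ExplicitAce {
    <#
    Walks $Root and every subdirectory and emits one object per explicit (non-inherited) ACE
    whose identity is not covered by $ExcludePattern. Collection only: no Write-Warning and
    no Out-GridView inside the loop; the export happens once, after the walk.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string] $ExcludePattern = $reExcludeObjects
    )
    $dirs = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }                                      # inherited: skip
            if ($ace.IdentityReference.Value -match $ExcludePattern) { continue }   # excluded identity
            [pscustomobject]@{
                Path              = $dir.FullName
                IdentityReference = $ace.IdentityReference.Value
                FileSystemRights  = $ace.FileSystemRights
                AccessControlType = $ace.AccessControlType
                InheritanceBroken = $acl.AreAccessRulesProtected   # True when inheritance is disabled
            }
        }
    }
}

# --- Constructed sample tree: Corporate\HR gets inheritance disabled plus an explicit ACE,
#     Corporate\IT only inherits. Everything is removed again at the end. ---
$base = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid())
$null = New-Item -ItemType Directory -Path "$base\Corporate\HR", "$base\Corporate\IT" -Force

$hrAcl = Get-Acl -LiteralPath "$base\Corporate\HR"
$hrAcl.SetAccessRuleProtection($true, $true)   # disable inheritance, keep copies of the inherited ACEs
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'BUILTIN\Users', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$hrAcl.AddAccessRule($rule)
Set-Acl -LiteralPath "$base\Corporate\HR" -AclObject $hrAcl

$explicit = @(Get-ExplicitAce -Root "$base\Corporate")
$explicit | Format-Table Path, IdentityReference, FileSystemRights, InheritanceBroken -AutoSize

# One export per run, after collection: unique directory list for the grid, full detail to CSV.
$brokenDirs = @($explicit | Select-Object -ExpandProperty Path -Unique)
$brokenDirs | Out-GridView -Title ("There are {0} broken directories" -f $brokenDirs.Count)
$explicit   | Export-Csv -LiteralPath (Join-Path $base 'broken-acls.csv') -NoTypeInformation

Remove-Item -LiteralPath $base -Recurse -Force
```

Only Corporate\HR should appear in the output: IT and the Corporate root carry nothing but inherited entries, while HR reports BUILTIN\Users plus any copied ACE for the current user, with InheritanceBroken set to True. Note that `$Excludes -notcontains $_.IdentityReference` from the first reply is an exact comparison, so it cannot express the 'S-1-5-21' prefix for unresolved SIDs; the anchored regex can. The Select-Object error in the original post disappears here because $explicit holds objects with a Path property, whereas $BrokenACLDirectories in the original was being filled with plain strings that have no FullName property.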
The topic 'Filtering AD ACL Object to be excluded from the Get-ACL result?' is closed to new replies.