Find 'Deny' rights on a list of folders

This topic contains 1 reply, has 2 voices, and was last updated by Max Kozlov 7 months ago.

  • #60771
    Brian Clanton
    Participant

    I have a project whose description is this:

    1. Declare a folder and one level deep, do a search on each subfolder looking for any permission that has Deny Rights. List the folder name, the Group/user that is denied, the Permission that is denied and the Deny Writes.
    2. Also, if the folder has NO Deny rights for Any Group or user, please indicate so.

    Number 2 is the problem I am having, and it has more to do with tracking when the script has or hasn't found a 'Deny' credential for the folder. This is what I have so far:

    # Get list of folders and acquire access control lists for each folder
    $acls = Get-ChildItem .\Custom | Get-Acl

    # Iterate through each ACL
    foreach ($acl in $acls)
    {
        # Iterate through each ACL's access control entries and test for any 'Deny' right.
        foreach ($access in $acl.Access)
        {
            if ($access.AccessControlType -eq "Deny")
            {
                # If a Deny is found, list the name of the folder, the identity and the file system right that is denied
                $acl.PSChildName
                $access.IdentityReference.Value
                $access.FileSystemRights
                $access.AccessControlType
            }
        }
    }

    From this, I tried declaring a 'Deny Toggle' and setting it to False and if a permission was found with deny privileges, it would change that 'Deny Toggle' to True, but then the for loop doesn't really give me an opportunity to report on a folder that does not have ANY deny rights. I believe I might have to consider a different method than a for-loop but this is where my experience with PowerShell is restraining me. My experience lies mostly with for-loops and if-then-else statements.

  • #60781
    Max Kozlov
    Participant

    Is this what you want?
    Look for the $NoDeny flag.

    # Get list of folders and acquire access control lists for each folder
    $acls = Get-ChildItem .\Custom | Get-Acl

    # Iterate through each ACL
    foreach ($acl in $acls)
    {
        # Define flag: assume no Deny entry until one is found
        $NoDeny = $true

        # Iterate through each ACL's access control entries and test for any 'Deny' right.
        foreach ($access in $acl.Access)
        {
            if ($access.AccessControlType -eq "Deny")
            {
                # If a Deny is found, list the name of the folder, the identity and the file system right that is denied
                $acl.PSChildName
                $access.IdentityReference.Value
                $access.FileSystemRights
                $access.AccessControlType
                # Set flag
                $NoDeny = $false
            }
        }
        if ($NoDeny) {  # Check flag
            'No deny at all for {0}' -f $acl.Path
        }
    }
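
An added example, not code from either poster: the same audit written to emit one object per finding, so the results can be sorted, filtered or piped to Export-Csv. It goes beyond the thread by including the declared folder itself, limiting the search to directories, marking inherited Deny entries, and reporting folders whose ACL cannot be read. The function name `Find-DenyAce` and the output property names are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit Deny ACEs on a root folder and its immediate subfolders.
# Find-DenyAce and its output property names are hypothetical, chosen for this example.
function Find-DenyAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # The root folder itself plus its subfolders, one level deep (directories only).
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        }
        catch {
            # An unreadable ACL is reported, not silently counted as "no Deny".
            [pscustomobject]@{
                Folder = $folder.FullName; Identity = $null; Rights = $null
                Inherited = $null; Status = "ACL unreadable: $($_.Exception.Message)"
            }
            continue
        }

        # Filtering first yields a per-folder collection, so no flag variable is needed.
        $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })

        if ($denies.Count -eq 0) {
            [pscustomobject]@{
                Folder = $folder.FullName; Identity = $null; Rights = $null
                Inherited = $null; Status = 'No Deny entries'
            }
            continue
        }

        foreach ($ace in $denies) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # $true when the Deny comes from a parent folder
                Status    = 'Deny'
            }
        }
    }
}

Find-DenyAce -Path .\Custom | Format-Table -AutoSize
```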
    
