Get-ACL advice

This topic contains 4 replies, has 4 voices, and was last updated by Fredrik Kacsmarck 2 months, 1 week ago.

  • #69111
    Brian Clanton
    Participant

    Word has got out in my office that I am the PowerShell guy and requests are coming in more frequently now.

    Most recent request is that they would like a report of ALL folders that have the permission 'Everyone' assigned as an NTFS permission.

    My immediate thought is to do something like this.

    This is my rough draft

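    # Enumerate every subfolder up front (this is the slow step on large volumes)
    $Directories = Get-ChildItem C:\utility -Directory -Recurse

    foreach ($folder in $Directories)
    {
        $acl = Get-Acl $folder.FullName

        foreach ($access in $acl.Access)
        {
            # Output the folder path and the ACE for each entry whose identity is 'Everyone'
            if ($access.IdentityReference -eq 'Everyone')
            {
                $folder.FullName
                $access
            }
        }
    }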

    However, some of these could be HUGE data servers this will run on, and that first command is like doing a recursive dir at the root level; it would take forever for that variable to populate.

    Can anyone recommend a more expedient way to do this?

  • #69115
    Matt Bloomfield
    Participant

    Not a job for PowerShell IMHO. Use AccessEnum from Sysinternals:
    https://technet.microsoft.com/en-us/sysinternals/accessenum.aspx

  • #69117
    Frank Tucker
    Participant

    If I was not going out of town I would dig in and really help. I have been meaning to create a function to do actually what you want. Here are a few items that may get you on the right \\path

    On new servers, get-smbshare may be helpful

    Look at the function/module I posted on powershell gallery (Find-SMBShare). If I wrote find-smbshare correctly the output may be really useful; if not, it will show you the cim-instance for finding shares on servers. On really old servers you can use wmi, which is still "win32-share"

    You can get the local path of all the shares on a computer with the class win32_share

     get-ciminstance -classname win32_share

    It seems like this may be how to limit searching the whole root of servers. Maybe find all non-admin shares, then get the acl of each one.

    Good Luck.

  • #69129
    Brian Clanton
    Participant

    These are not shares I am looking for. I am looking for all folders and subfolders that have the permission 'everyone' assigned to them. They may or may not be a share.

  • #69145
    Fredrik Kacsmarck
    Participant

    Maybe breaking it up into smaller pieces might speed things up.
    But it kind of depends on how the directory tree is structured.

    E.g.

    1. On the initial path, don't do a recursive lookup.
    2. Add another foreach loop before the current one and then do a separate directory lookup with recursion.

    So basically you stagger the lookup one level rather than doing the whole lot in one go.
    If the tree structure is really deep you probably are going to end up hitting the limit of 260 characters in the path for get-acl and get-childitem.
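
The staggered lookup described in the last reply, streamed through the pipeline instead of collected in a variable, as an added example that is not part of any post in this thread. It assumes the `C:\utility` root from the original draft, a hypothetical helper named `Get-EveryoneAce`, and a placeholder report path; it matches the well-known Everyone SID `S-1-1-0` rather than the display name.

```powershell
# Added example. $Root and $Report are placeholders; Get-EveryoneAce is a hypothetical helper.
$Root        = 'C:\utility'
$Report      = '.\everyone-acl-report.csv'
$EveryoneSid = 'S-1-1-0'   # well-known SID for Everyone, independent of OS language

function Get-EveryoneAce {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.IO.DirectoryInfo]$Folder
    )
    process {
        try {
            $acl = Get-Acl -LiteralPath $Folder.FullName -ErrorAction Stop
        }
        catch {
            # Access denied or path too long: note it and move on
            Write-Warning "Skipped $($Folder.FullName): $($_.Exception.Message)"
            return
        }
        # Ask for ACEs as SIDs (explicit and inherited) instead of translated names
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.IdentityReference.Value -eq $EveryoneSid) {
                [pscustomobject]@{
                    Path      = $Folder.FullName
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Step 1: list only the first level under the root (no -Recurse here).
# Step 2: recurse inside each first-level folder separately, so every subtree
#         is walked and reported on its own and nothing is buffered in a variable.
Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $_ | Get-EveryoneAce
    Get-ChildItem -LiteralPath $_.FullName -Directory -Recurse | Get-EveryoneAce
} | Export-Csv -Path $Report -NoTypeInformation
```

The `Inherited` column lets the report separate folders where Everyone was granted explicitly from those that only inherit the entry from a parent.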
