Get-ACL advice

Welcome Forums General PowerShell Q&A Get-ACL advice

This topic contains 4 replies, has 4 voices, and was last updated by

1 year, 11 months ago.

  • Author
  • #69111

    Points: 66
    Rank: Member

    Word has got out in my office that I am the PowerShell guy and requests are coming in more frequently now.

    Most recent request is that they would like a report of ALL folders that have the permission 'Everyone' assigned as an NTFS permission.

    My immediate thought is to do something like this.

    This is my rough draft

    $Directories = get-childitem C:\utility -Directory -Recurse
    foreach ($folder in $Directories)
        $acl = get-acl $folder.FullName
        foreach ($access in $acl.Access)
                if ($access.IdentityReference -eq 'Everyone')

    However, some of these could be HUGE data servers this will run on and that first command is like doing a recursive dir at the root level and would take forever for that variable to populate.

    Can anyone recommend an more expedient way to do this?

  • #69115

    Points: 41
    Rank: Member

    Not a job for PowerShell IMHO. Use AccessEnum from Sysinternals:

  • #69117

    Points: 1
    Rank: Member

    If I was not going out of town I will dig-in and really help. I have been meaning to create a function to do actually what you want. Here's a few items that may get on the right \\path

    new seversget-smbshare maybe helpful

    Look at the function/module I posted on powershell gallery (Find-SMBShare). If I wrote find-smbshare correctly the output maybe really useful, if not it will show you the cim-instance for finding shares on servers. Really old servers you can use wmi, which is still"win32-share"

    You can get the local path of all the shares on a computer with the class win32_share

     get-ciminstance -classname win32_share

    It seems like this may be how to limit searching the whole root of servers. Maybe find all non-admin shares, then get the acl of each one.

    Good Luck.

  • #69129

    Points: 66
    Rank: Member

    These are not shares I am looking for. I am looking for all folders and subfolders that have the permission 'everyone' assigned to them. They may or may not be a share.

  • #69145

    Points: 364
    Helping Hand
    Rank: Contributor

    Maybe break it up in smaller pieces might speed things up.
    But it kind of depends on how the directory tree i structured.


    1. on the initial path, don't do a recursive lookup.
    2. Add another foreach loop before the current and then do a seperate directory lookup with recursive.

    So basically you stagger the lookup one level rather than doing the whole lot in on go.
    If the tree structure is really deep you probably are going to end up hitting the limit of 260 characters in the path for get-acl and get-childitem.

The topic ‘Get-ACL advice’ is closed to new replies.

denizli escort samsun escort muğla escort ataşehir escort kuşadası escort