How to find where an AD group lives

This topic contains 5 replies, has 5 voices, and was last updated by Aapeli Hietikko 7 months, 3 weeks ago.

  • #62247

    Matthew Reil
    Participant

    I'm trying to find a way to use PowerShell to scan the file server and show me where every instance of this certain Active Directory group is.

  • #62248

    Olaf Soyk
    Participant

    something like this?

    Get-ADGroup -Identity 'Your Ad-Group' -Properties * | Select-Object -Property Name,CanonicalName,DistinguishedName

  • #62260

    Ron
    Participant

    I think he means where the group is used in the file ACLs. You should be able to google "powershell ad group where used" and find a number of solutions.

  • #62266

    Don Jones
    Keymaster

    Yeah, this is unfortunately really hard. You're going to have to use Get-Acl against literally every file and folder on the server, and only keep the ones where your intended group exists. Windows isn't well-designed for this task.

  • #62886

    Aapeli Hietikko
    Participant

    Here is a script I created to fetch the ACL from one folder. If you turn it into a function, then loop through all your folders with get-childitem -recurse -directory and call the newly created function for each folder.

    # Get-ADObject / Get-ADUser / Get-ADGroupMember come from the RSAT ActiveDirectory module
    Import-Module ActiveDirectory

    $folder = "c:\temp"

    # Report file name derived from the folder path, e.g. c_temp.csv
    $csv = "$($folder.replace('\','_').replace(':','').replace(' ','')).csv"
    $collection = New-Object System.Collections.Generic.List[System.Object]
    $PermCollection = New-Object System.Collections.Generic.List[System.Object]

    # Flatten every ACE on the folder into "identity;rights"
    foreach($access in (Get-Acl $folder).Access) {
        $filerights = $access.FileSystemRights.ToString();
        $inheritanceFlg = $access.InheritanceFlags.ToString();
        # An ACE that applies only to subfolders grants listing rather than execution
        if($inheritanceFlg -eq 'ContainerInherit') {
            $filerights = $filerights.replace('ReadAndExecute','ListDirectory');
        }
        $output = $access.IdentityReference.ToString() + ';' + $filerights;
        $collection.add($output)
    }

    # Keep only domain principals (MYDOM is the NetBIOS domain name); BUILTIN and
    # NT AUTHORITY entries are skipped because they cannot be looked up in AD
    $col = $collection | where {$_ -like "MYDOM*" }
    foreach ($c in $col) {
        $ADOC = $c.split(";")[0].split("\")[1]          # the name part of DOMAIN\name
        $ADOACL = $($c.split(";")[1]) -replace ", Synchronize",""
        # The ACE shows the sAMAccountName, which is often not the same as the CN
        $ADO = get-adobject -filter {sAMAccountName -eq $ADOC}

        if ($ADO.objectClass -eq "user") {
            # Identify the user by DN; Name is not accepted as -Identity and may differ from sAMAccountName
            $obj = Get-ADUser $ADO.DistinguishedName -prop * |
                   select samaccountname,givenname,surname,enabled,lastlogondate, @{Expression={"MappedUser"};Label="PermissionGroup"}, @{Expression={$ADOACL};Label="Permission"}

            $permCollection.add($obj)
        }

        if ($ADO.objectClass -eq "group") {
            # Expand nested groups so the report lists the effective users
            Get-ADGroupMember -Identity $ADO.DistinguishedName -Recursive |
                Get-ADUser -prop * |
                    select samaccountname,givenname,surname,enabled,lastlogondate, @{Expression={$($ADO.name)};Label="PermissionGroup"}, @{Expression={$ADOACL};Label="Permission"} |
                        foreach {
                            $permCollection.add($_)
                        }
        }
    }

    $permCollection | export-csv $csv -notypeinformation -encoding "UTF8" -Delimiter ";"

    # Out-File must use the same encoding as Export-Csv, otherwise the appended
    # section is written as UTF-16 into a UTF-8 file
    ""| out-file $csv -Append -Encoding UTF8
    "Exact Folder ACL"| out-file $csv -Append -Encoding UTF8
    $collection | out-file $csv -Append -Encoding UTF8

    
  • #63142

    Aapeli Hietikko
    Participant

    I've run this only once. I need to test it out a little more and then wrap it in a function.

        $RootFolder = "C:\path"
        $identity = "domain\groupname"   # DOMAIN\group exactly as it appears in the ACL

        $FolderCollection = New-Object System.Collections.Generic.List[System.Object]

        # Root folder: look at every ACE, inherited or not, because anything
        # inherited here comes from above the scanned tree
        $Folder = $RootFolder
        foreach($access in (Get-Acl $Folder).Access) {

            $filerights = $access.FileSystemRights.ToString();
            $inheritanceFlg = $access.InheritanceFlags.ToString();

            # An ACE that applies only to subfolders grants listing rather than execution
            if($inheritanceFlg -eq 'ContainerInherit') {
                $filerights = $filerights.replace('ReadAndExecute','ListDirectory');
            } #If

            # -like without wildcards is a case-insensitive exact match on DOMAIN\name
            if ($($access.IdentityReference.ToString()) -like "$identity") {
                $objProp = [ordered]@{
                    folder = $Folder
                    group = $access.IdentityReference.ToString()
                    Permission = $filerights
                    inheritance = $access.IsInherited
                }
                $CollectionObject = New-Object -TypeName PSObject -Property $objProp
                $FolderCollection.add($CollectionObject)
            } #If
        } #foreach($access in (Get-Acl $Folder).Access)

        # Sub directories: take only non-inherited ACEs, since inherited ones were
        # already reported on the folder where they are defined
        Get-ChildItem -Path $RootFolder -Directory -Recurse | foreach {

            $Folder = $_.FullName
            foreach($access in (Get-Acl $Folder).Access) {

                if($($access.IsInherited) -eq $false) {
                    $filerights = $access.FileSystemRights.ToString();
                    $inheritanceFlg = $access.InheritanceFlags.ToString();

                    if($inheritanceFlg -eq 'ContainerInherit') {
                        $filerights = $filerights.replace('ReadAndExecute','ListDirectory');
                    } #If

                    if ($($access.IdentityReference.ToString()) -like "$identity") {
                        $objProp = [ordered]@{
                            folder = $Folder
                            group = $access.IdentityReference.ToString()
                            Permission = $filerights
                            inheritance = $access.IsInherited
                        }
                        $CollectionObject = New-Object -TypeName PSObject -Property $objProp
                        $FolderCollection.add($CollectionObject)
                    } #If
                }
            } #foreach($access in (Get-Acl $Folder).Access)

        } #Get-ChildItem -Path $RootFolder -Directory -Recurse

        # Emit the collected entries; pipe to Export-Csv to save the report
        $FolderCollection


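The Get-Acl-against-every-folder approach from the replies above, wrapped into the function the last post talks about. This is an added example and not code from anyone in the thread: it resolves the group to its SID once and compares SIDs, so a renamed group or a trustee shown in a different name format is still matched, reports explicit ACEs by default (inherited ones on request), and warns about folders it could not read instead of silently skipping them. The group name 'MYDOM\FileShare-RW' and the path 'D:\Shares' are placeholders.

```powershell
# Added example (not code from the thread): report every ACE on a tree that
# refers to one group. Identities are compared by SID, so a renamed group or a
# trustee rendered differently from 'DOMAIN\group' is still matched.
function Find-AclIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,   # 'DOMAIN\group' (placeholder)
        [switch] $IncludeFiles,                      # also check files, not only folders
        [switch] $IncludeInherited                   # report inherited ACEs as well
    )

    # Resolve the principal once; every comparison below is on the SID string.
    $targetSid = ([System.Security.Principal.NTAccount] $Identity).Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Root folder plus everything under it. Folders that cannot be listed are
    # collected in $scanErrors so the report says where the scan was blind.
    $items = @(Get-Item -LiteralPath $Path)
    $items += Get-ChildItem -LiteralPath $Path -Recurse -Directory:(-not $IncludeFiles) `
                  -ErrorAction SilentlyContinue -ErrorVariable scanErrors

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL on $($item.FullName): $($_.Exception.Message)"
            continue
        }
        # GetAccessRules(explicit, inherited, type) returns IdentityReference as SIDs,
        # so orphaned SIDs that no longer resolve to a name do not break the loop.
        $rules = $acl.GetAccessRules($true, $IncludeInherited.IsPresent, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.IdentityReference.Value -ne $targetSid) { continue }
            [pscustomobject]@{
                Path        = $item.FullName
                Identity    = $Identity
                Type        = $ace.AccessControlType    # Allow or Deny
                Rights      = $ace.FileSystemRights
                Inheritance = $ace.InheritanceFlags
                Inherited   = $ace.IsInherited
            }
        }
    }
    foreach ($e in $scanErrors) { Write-Warning "Skipped (no access): $($e.TargetObject)" }
}

# Usage (path and group name are placeholders):
# Find-AclIdentity -Path 'D:\Shares' -Identity 'MYDOM\FileShare-RW' | Export-Csv .\usage.csv -NoTypeInformation
```

Deny entries are reported alongside Allow entries, which matters when the question is what the group can actually reach rather than merely where its name appears.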