Author Posts

January 20, 2017 at 3:36 pm

I'm trying to find a way to use PowerShell to scan the file server and show me where every instance of this certain Active Directory group is.

January 20, 2017 at 3:43 pm

something like this?

Get-ADGroup -Identity 'Your Ad-Group' -Properties * | Select-Object -Property Name,CanonicalName,DistinguishedName

January 20, 2017 at 4:26 pm

I think he means where the group is used in the file ACLs. You should be able to google "powershell ad group where used" and find a number of solutions.

January 20, 2017 at 5:11 pm

Yeah, this is unfortunately really hard. You're going to have to use Get-Acl against literally every file and folder on the server, and only keep the ones where your intended group exists. Windows isn't well-designed for this task.

January 27, 2017 at 8:23 pm

Here is a script I created to fetch ACL from one folder. If you turn it to function and the loop list all your folders with get-childitem -recurse -directory and call the newly created function for each folder.

$folder = "c:\temp"



$csv = "$($folder.replace('\','_').replace(':','').replace(' ','')).csv"
$collection = New-Object System.Collections.Generic.List[System.Object]
$PermCollection = New-Object System.Collections.Generic.List[System.Object]

foreach($access in (Get-Acl $FOLDER).Access) {
    $filerights = $access.FileSystemRights.ToString();
    $inheritanceFlg = $access.InheritanceFlags.ToString();
    if($inheritanceFlg -eq 'ContainerInherit') {
        $filerights = $filerights.replace('ReadAndExecute','ListDirectory');
    }
    $output = $access.IdentityReference.ToString() + ';' + $filerights;
    $collection.add($output)
}

$col = $collection | where {$_ -like "MYDOM*" } 
    foreach ($c in $col) { 
        $ADOC = $c.split(";")[0].split("\")[1]
        $ADOACL = $($c.split(";")[1]) -replace ", Synchronize",""
        $ADO = get-adobject  -filter {CN -eq $ADOC}

        if ($ADO.objectClass -eq "user") {
            # write-output "$($ADO.name) $($ado.objectClass) $ADOACL"

            $obj = Get-ADUser $($ADO.name) -prop * |
                   select samaccountname,givenname,surname,enabled,lastlogondate, @{Expression={"MappedUser"};Label="PermissionGroup"}, @{Expression={$ADOACL};Label="Permission"}
            
            $permCollection.add($obj)
            
            }

        if ($ADO.objectClass -eq "group") {
            # write-output "$($ADO.name) $($ado.objectClass) $ADOACL"

            Get-ADGroupMember -Identity $($ADO.name) -Recursive | 
                            Get-ADUser -prop * |
                                    select samaccountname,givenname,surname,enabled,lastlogondate, @{Expression={$($ADO.name)};Label="PermissionGroup"}, @{Expression={$ADOACL};Label="Permission"} |
                                        foreach {
                                            $permCollection.add($_)
                                            }
            
            }
        

        } 

$permCollection | export-csv $csv -notypeinformation -encoding "UTF8" -Delimiter ";"

""| out-file $csv -Append
"Exact Folder ACL"| out-file $csv -Append
$collection | out-file $csv -Append

January 31, 2017 at 10:09 pm

I've run this only once. I need to test it out a little more and then wrap it to a function

    $RootFolder = "C:\path"
    $identity = "domain\groupname"

    #Look root folder ACL
    $FolderCollection = New-Object System.Collections.Generic.List[System.Object]
    $Folder = $RootFolder
    foreach($access in (Get-Acl $Folder).Access) {
            
            $filerights = $access.FileSystemRights.ToString();
            $inheritanceFlg = $access.InheritanceFlags.ToString();
            
            if($inheritanceFlg -eq 'ContainerInherit') {
                $filerights = $filerights.replace('ReadAndExecute','ListDirectory');
                } #If

            if ($($access.IdentityReference.ToString()) -like "$identity") {
                    $objProp = [ordered]@{
                            folder = $folder
                            group = $access.IdentityReference.ToString()
                            Permission = $filerights
                            inheritance = $access.IsInherited
                            }
                    $CollectionObject = New-Object -TypeName PSObject -Property $ObjProp
                    $FolderCollection.add($CollectionObject)
                    } #If
    } #foreach($access in (Get-Acl $FOLDER).Access)


#Go through all sub directories and take only non inherited permissions
    Get-ChildItem -Path $RootFolder -Directory -Recurse | foreach {

        $Folder = $_.FullName
        foreach($access in (Get-Acl $Folder).Access) {
            
            if($($access.IsInherited) -eq $false) {
                $filerights = $access.FileSystemRights.ToString();
                $inheritanceFlg = $access.InheritanceFlags.ToString();
                
                if($inheritanceFlg -eq 'ContainerInherit') {
                    $filerights = $filerights.replace('ReadAndExecute','ListDirectory');
                
                } #If

                if ($($access.IdentityReference.ToString()) -like "$identity") {
                    $objProp = [ordered]@{
                            folder = $folder
                            group = $access.IdentityReference.ToString()
                            Permission = $filerights
                            inheritance = $access.IsInherited
                            }
                    $CollectionObject = New-Object -TypeName PSObject -Property $ObjProp
                    $FolderCollection.add($CollectionObject)
                } #If
            }
        } #foreach($access in (Get-Acl $FOLDER).Access)

    } #Get-ChildItem -Path $RootFolder -Directory -Recurse

    $FolderCollection