List folder access, AD groups and AD members


This topic contains 4 replies, has 2 voices, and was last updated 3 months, 3 weeks ago.

  • #103234

    Participant
    Points: 0
    Rank: Member

    Hello,

    I am looking for a script that does what Accesschk does in listing folders on a file server and lists those active directory groups which are assigned to each folder. I would also like to include the members of those groups. I have found a variety of potential scripts but can't find a concise script that provides what I need. Can anyone help?

    I see the following, but I don't need the PSPath or PSParentPath:
    Get-ChildItem \\server\uncpathgoeshere -recurse | ForEach-Object {Get-Acl $_.FullName} | select pspath, psparentpath, pschildname, path, owner, group | Export-CSV C:\folder_perms.csv

    I modified it to the following. It's not quite right and I don't know how to fix it.
    Looking for : Folder path\AD Privilege group assigned to that folder\list of members of the respective AD privilege group

    Get-ChildItem \\server\uncpath -recurse | ForEach-Object {Get-Acl $_.FullName} | select pspath, path, Get-aduser –filter * -properties DisplayName, Memberof | DisplayName, @{name=”MemberOf”;expression={$_.memberof -join “;”}} | Export-CSV C:\folder_perms.csv

    Thanks,
    Roger

  • #103262

    Participant
    Points: 15
    Rank: Member

    As for...

    I see the following, but I don't need the PSPath or PSParentPath

    … then remove them from the select.

    Get-ChildItem C:\Deployment -recurse | 
    ForEach-Object {Get-Acl $_.FullName} | 
    select pschildname, path, owner, group -First 3 | ft -AutoSize 
    
    
    # Results
    PSChildName    Path                           Owner                 Group                 
    -----------    ----                           -----                 -----                 
    EventLog...    Microsoft.PowerShell.Core\... BUILTIN\Administrators CONTOSO\Domain Users
    CAConfig       Microsoft.PowerShell.Core\... BUILTIN\Administrators CONTOSO\Domain Users
    CRL_Info       Microsoft.PowerShell.Core\... BUILTIN\Administrators CONTOSO\Domain Users
    

    This …

    | select pspath, path, Get-aduser –filter * -properties DisplayName, Memberof

    … is wrong, because you cannot use a cmdlet (Get-ADUser in this case) as a property, so this would never work.

    This...

    | DisplayName, @{name=”MemberOf”;expression={$_.memberof -join “;”}} | Export-CSV C:\folder_perms.csv

    … is not correct syntax.

    It should be this.

    | Select-Object -Property DisplayName, @{name="MemberOf";expression={$_.memberof -join ";"}}
    

    So, to get to where you want to be, create one liners for each step to make sure you are getting what you'd expect, then refactor as one script.

    You are going to have to work through loops to get all of what you are after.
    Put all your folders into a collection.
    Loop to get each permission of the individual group.
    Loop again to get all users of that group.

    A rough example:

    ($FolderList = Get-ChildItem C:\Deployment -recurse | Select-Object -First 1) | Format-Table -AutoSize
    # Results
    
        Directory: C:\Deployment
    
    
    Mode         LastWriteTime Length Name                      
    ----         ------------- ------ ----                      
    d----  4/15/2018  11:53 PM        EventLog_Captures
    
    
    $FolderList | ForEach-Object {Get-Acl $_.FullName}
    
    # Results
    
        Directory: C:\Deployment
    Path              Owner                  Access
    ----               -----                  ------
    EventLog_Captures BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow  FullControl...
    
    ($FolderOwners = ($FolderList | ForEach-Object {Get-Acl $_.FullName}).Owner)
    
    # Results
    
    BUILTIN\Administrators
    
    ($FolderOwners | %{Get-ADGroupMember -Identity ($_.split('\')[1]) | Select-Object -Property SamAccountName})
    
    # Results
    
    SamAccountName 
    --------------
    Domain Admins
    Enterprise Admins
    Administrator
    

    Then refactor into something more elegant.

  • #103477

    Participant
    Points: 0
    Rank: Member

    Hello,

    Thank you for your response.

    Sorry but I am having a little difficulty in following your example.

    The following piece works OK
    Get-ChildItem \\server\UNCpath -recurse | ForEach-Object {Get-Acl $_.FullName} | select pschildname, path, owner, group -First 10

    I then just want to list the ADGroup and the ADGroupMembers with access to each directory, not each file.

    It looks like you are saying I could add ($FolderOwners | %{Get-ADGroupMember -Identity ($_.split('\')[1]) | Select-Object -Property SamAccountName}) but this isn't working if I do the following:

    Get-ChildItem \\server\UNCpath -recurse | ForEach-Object {Get-Acl $_.FullName} | select pschildname, path, owner, group -First 10 | ($FolderOwners | %{Get-ADGroupMember -Identity ($_.split('\')[1]) | Select-Object -Property SamAccountName})| Export-CSV C:\TestFolder_perms.csv

    What am I missing?

    Thanks,
    Roger

  • #103496

    Participant
    Points: 15
    Rank: Member

    As for …

    I then just want to list the ADGroup and the ADGroupMembers with access to each directory, not each file.

    … by default, of course, Get-ChildItem will get everything. If you just want the folders, then you have to specify that in the first Get-ChildItem request.

    Get-ChildItem -Path D:\Temp -Directory -Recurse
    

    You just cannot pass a collection down the pipeline in this fashion and expect PS to figure it out. You have to tell it what to do with the collection / object. If you have a collection, you have to iterate / loop through all items in that collection to get specific data from each item.

    Roughly, I mean, something like this (hashtable example):

    (Get-ChildItem -Path 'C:\Deployment' -Directory -Recurse | Select-Object -First 2) |
    %{
        # Process each folder for target information
        $Values = [ordered]@{
            'FolderName'  = $_.FullName
            'FolderOwner' = (Get-Acl $_.FullName).Owner

            # Get the members of the FolderOwner (the owner must be a group for this to work)
            'Users' = (Get-ADGroupMember -Identity (((Get-Acl $_.FullName).Owner).split('\')[1])).SamAccountName
        }
        "`n"
        # Send values to the screen
        $Values
    }
    
    # Results
    
    Name         Value
    ----         -----
    FolderName   C:\Deployment\EventLog_Captures
    FolderOwner  BUILTIN\Administrators
    Users        {Domain Admins, Enterprise Admins, Administrator}
    
    Name         Value
    ----         -----
    FolderName   C:\Deployment\Config
    FolderOwner  BUILTIN\Administrators
    Users        {Domain Admins, Enterprise Admins, Administrator}
    

    Now, because of how I have the above, getting this into a CSV (table-like) layout, if that is your end goal, requires going at this differently than what I show here. Yet you're still going to need the ForLoop effort.

  • #103597

    Participant
    Points: 0
    Rank: Member

    Hello,

    I tried the following using your example but this failed with the error below:

    (Get-ChildItem -Path 'D:\DirectoryName' -Directory -recurse | Select-Object -First 2) |
    %{
    # Process each folder for target information
    $Values = [ordered]@{
    'FolderName' = $_.FullName
    'FolderOwner' = (Get-Acl $_.FullName).Owner

    # Get the members of the FolderOwner
    'Users ' = (Get-ADGroupMember -Identity (((Get-Acl $_.FullName).Owner).split('\')[1])).SamAccountName
    }
    "`n"
    # Send values to the screen
    $Values
    }

    ****************
    Get-ADGroupMember : Cannot find an object with identity: 'AdminNameadmin' under: 'DC=domain,DC=local'.
    At line:9 char:17
    + 'Users ' = (Get-ADGroupMember -Identity (((Get-Acl $_.FullName).Owner).split ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (AdminNameadmin:ADGroup) [Get-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

    Get-ADGroupMember : Cannot validate argument on parameter 'Identity'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
    At line:9 char:45
    + 'Users ' = (Get-ADGroupMember -Identity (((Get-Acl $_.FullName).Owner).split ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Get-ADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

    I'm not sure what I am doing wrong. As with the first part of your example, the following works OK but the rest does not. Other than replacing the name for the directory name, should I be changing any other values before running?

    (Get-ChildItem -Path 'D:\directoryName' -Directory -recurse | Select-Object -First 2)

    Thanks,
    Roger
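
The thread closes on the two errors above, so here is the loop the first reply sketches (folders, then the principals on each folder, then the members of each group), written out as an added example by the editor. It is not code from the thread or from either participant, and it assumes the RSAT ActiveDirectory module, a single AD domain, and a placeholder share and output path. It differs from the posted snippets exactly where the errors came from: it reads the folder's DACL (the Access entries) rather than Owner, since the owner is one principal and is commonly an admin user, which is what produced the ADIdentityNotFoundException for 'AdminNameadmin'; it looks the principal up by SID and checks its object class before calling Get-ADGroupMember; it skips BUILTIN, NT AUTHORITY and other non-domain principals (for which Get-ADGroupMember -Identity Administrators in the earlier post returned the domain's Builtin group, not the file server's local one); and it emits one flat row per folder, ACE and member, which is the CSV layout the second reply says needs a different structure.

```powershell
#Requires -Modules ActiveDirectory
# Added example by the editor, not code from the thread. Assumes the RSAT ActiveDirectory
# module is installed and the caller can read the share's ACLs and query the domain.
# '\\server\share' and the output path are placeholders.
param(
    [Parameter(Mandatory)] [string] $Root,
    [string] $OutFile = '.\folder_perms.csv',
    [switch] $ExplicitOnly                   # skip inherited ACEs (only entries set on the folder itself)
)

Import-Module ActiveDirectory
$domainSid   = (Get-ADDomain).DomainSID      # only principals of this domain are resolved in AD
$memberCache = @{}                           # group DN -> member SamAccountNames; each group is expanded once

function Get-AceSid {
    # Normalise an ACE's IdentityReference to a SecurityIdentifier. Get-Acl returns an NTAccount
    # when the name resolves and a raw SID when it does not (orphaned SIDs of deleted accounts).
    param([System.Security.Principal.IdentityReference] $Id)
    if ($Id -is [System.Security.Principal.SecurityIdentifier]) { return $Id }
    try   { return $Id.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { return $null }
}

function Get-Members {
    # Expand a domain principal to the SamAccountNames that actually receive the access.
    # Returns nothing for well-known/local principals (BUILTIN\..., NT AUTHORITY\..., Everyone,
    # the file server's local groups): they are not this domain's AD objects, and asking AD for
    # 'Administrators' would return the domain controllers' Builtin group instead.
    param([System.Security.Principal.SecurityIdentifier] $Sid)
    if ($null -eq $Sid -or $Sid.AccountDomainSid -ne $domainSid) { return @() }

    # The objectSid lookup decides user vs. group first: Get-ADGroupMember against a user
    # account is the ADIdentityNotFoundException seen in the last post.
    $obj = Get-ADObject -Filter "objectSid -eq '$($Sid.Value)'"
    if (-not $obj) { return @('<not found in AD>') }
    if ($obj.ObjectClass -ne 'group') { return @($obj.Name) }   # user/computer: the principal is the member

    if (-not $memberCache.ContainsKey($obj.DistinguishedName)) {
        try {
            # -Recursive flattens nested groups down to leaf users/computers. ADWS caps the
            # result at MaxGroupOrMemberEntries (5000 by default); an empty group yields @().
            $memberCache[$obj.DistinguishedName] = @(Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
                                                      Select-Object -ExpandProperty SamAccountName)
        } catch {
            $memberCache[$obj.DistinguishedName] = @("<error: $($_.Exception.Message)>")
        }
    }
    return $memberCache[$obj.DistinguishedName]
}

# Directories only (the original question), including the root itself.
$rows = foreach ($dir in @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)) {
    try   { $acl = Get-Acl -LiteralPath $dir.FullName }          # needs READ_CONTROL on the folder
    catch { Write-Warning "Cannot read ACL of $($dir.FullName): $($_.Exception.Message)"; continue }

    # Report the DACL (who is allowed or denied), not .Owner: the owner is a single principal
    # and says nothing about who can access the folder.
    foreach ($ace in $acl.Access) {
        if ($ExplicitOnly -and $ace.IsInherited) { continue }
        $members = @(Get-Members (Get-AceSid $ace.IdentityReference))
        if ($members.Count -eq 0) { $members = @('') }           # still emit one row per ACE
        foreach ($m in $members) {
            [pscustomobject]@{
                Folder      = $dir.FullName                      # FullName, not Get-Acl's provider-prefixed Path
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                Type        = $ace.AccessControlType             # Allow / Deny
                IsInherited = $ace.IsInherited
                Member      = $m
            }
        }
    }
}

$rows | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8
$rows | Sort-Object Folder, Identity, Member | Format-Table -AutoSize
```

Run it as `.\Get-FolderAccessReport.ps1 -Root '\\server\share' -ExplicitOnly` (the script name is a placeholder) to get only the permissions set directly on each folder, which is usually what an access review wants; drop the switch to see inherited entries as well. Deny entries and orphaned SIDs are kept in the output rather than filtered, because both are findings in their own right.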

The topic ‘List folder access, AD groups and AD members’ is closed to new replies.