November 8, 2016 at 4:18 pm

So I've been playing around with this script to audit file server folder ACLs, and it works great, just returning too much data. What I was hoping I could do is filter out the folders where there are no special permissions other than the parent folder's; I think this would help me reduce the number of entries in my table and allow me to manipulate it into something more readable. Basically, just return ACL info on the parent folder and any special permissions on child objects not inherited from the parent.

$connectionString = "Server=;"      # fill in the SQL Server connection string
$tableName = "FilePermissions"

function WriteSQL ($query)
{
    if ($debug -eq $true) {Write-Host $query}
    $Connection = New-Object System.Data.SqlClient.SqlConnection
    $Connection.ConnectionString = $connectionString
    $Connection.Open()
    $Command = New-Object System.Data.SqlClient.SqlCommand
    $Command.Connection = $Connection
    $Command.CommandText = $query
    $Command.ExecuteNonQuery()
    $Connection.Close()
}

$ErrorActionPreference = "Continue"
$strComputer = $env:ComputerName
$colDrives = Get-PSDrive -PSProvider Filesystem
ForEach ($DriveLetter in $colDrives) {
    $StartPath = "E:\Share\"
    # one row per ACE on every folder below $StartPath
    Get-ChildItem -LiteralPath $StartPath -Recurse -Directory |
    ForEach {
        $FullPath = Get-Item -LiteralPath (Get-Item -LiteralPath $_.PSPath)
        (Get-Item -LiteralPath $FullPath).GetAccessControl() |
        Select * -Expand Access |
        Select @{N='ServerName';E={$strComputer}},
        @{N='FullPath';E={$FullPath}},
        @{N='Type';E={If($FullPath.PSIsContainer -eq $True) {'D'} Else {'F'}}},
        @{N='Owner';E={$_.Owner}},
        @{N='Trustee';E={$_.IdentityReference}},
        @{N='Inherited';E={$_.IsInherited}},
        @{N='InheritanceFlags';E={$_.InheritanceFlags}},
        @{N='AceFlag';E={$_.PropagationFlags}},
        @{N='AceType';E={$_.AccessControlType}},
        @{N='AccessMasks';E={$_.FileSystemRights}} } |
    %{
        # double any single quote in the values, so a path or trustee containing ' cannot break (or alter) the INSERT
        $v = @{}
        foreach ($c in 'servername','fullpath','type','owner','trustee','inherited','inheritanceflags','aceflag','acetype','accessmasks') {
            $v[$c] = "$($_.$c)".Replace("'", "''")
        }
        $query = "INSERT INTO $tableName (servername,fullpath,type,owner,trustee,inherited,inheritanceflags,aceflag,acetype,accessmasks) VALUES ('$($v.servername)','$($v.fullpath)','$($v.type)','$($v.owner)','$($v.trustee)','$($v.inherited)','$($v.inheritanceflags)','$($v.aceflag)','$($v.acetype)','$($v.accessmasks)')"
        WriteSQL $query
    }
}

November 9, 2016 at 6:24 am

First, if you want to get ACLs of just some items under E:\Share, why do you bother with drive letters?
Second, when you Get-ChildItem you already get the item object and its FullName. No need to call Get-Item a second time,
and thus, except for SQL, we get

Get-ChildItem E:\Share -Recurse | Foreach-Object {
  $i = $_;
  $a = $i.GetAccessControl()
  # keep only ACEs set on this item itself; inherited ones just repeat an ancestor's
  $a.Access |
    Where-Object { -Not $_.IsInherited } |
      Add-Member -PassThru -MemberType Noteproperty -Name FullName -Value $i.FullName |
      Add-Member -PassThru -MemberType Noteproperty -Name Container -Value $i.PSIsContainer |
      Add-Member -PassThru -MemberType Noteproperty -Name Owner -Value $a.Owner
}

November 9, 2016 at 1:57 pm

The drive letter is irrelevant, just a placeholder at this point. It's not that I only want some; it's predicated on what the ACLs return. I just want to get the parent folders and only the ACLs on the child folders if they differ from the parent.

November 9, 2016 at 1:59 pm

So you're saying get rid of the literal path/full path?

November 9, 2016 at 2:41 pm

Where would I insert/replace the code you've given me?

November 9, 2016 at 2:46 pm

I'd like to still keep the

Select @{N='ServerName';E={$strComputer}},
    @{N='FullPath';E={$FullPath}},
    @{N='Type';E={If($FullPath.PSIsContainer -eq $True) {'D'} Else {'F'}}},
    @{N='Owner';E={$_.Owner}},
    @{N='Trustee';E={$_.IdentityReference}},
    @{N='Inherited';E={$_.IsInherited}},
    @{N='InheritanceFlags';E={$_.InheritanceFlags}},
    @{N='AceFlag';E={$_.PropagationFlags}},
    @{N='AceType';E={$_.AccessControlType}},
    @{N='AccessMasks';E={$_.FileSystemRights}}

if possible, so it matches my SQL table.
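The following is an added example, not code posted by anyone in this thread. It combines the two threads of the discussion: the non-inherited filter from the November 9 reply (every ACE of the root folder, then only ACEs set directly on subfolders), and the column projection requested in the last post so the rows line up with the FilePermissions table. It also writes the rows with a parameterized SqlCommand instead of string concatenation, so a path or trustee name containing a quote can neither break nor alter the INSERT. $StartPath, $connectionString and $tableName are placeholders to adjust; the function names ConvertTo-AceRow, Get-ExplicitAclReport and Write-AceRow are assumptions of this example.

```powershell
# Added example (not from the thread). Placeholders: adjust the three values below.
$StartPath        = 'E:\Share'
$connectionString = 'Server=;Database=;Integrated Security=True'   # placeholder
$tableName        = 'FilePermissions'
$strComputer      = $env:ComputerName

# One ACE turned into one row with the same columns as the poster's table
function ConvertTo-AceRow {
    param($Item, $Acl, [System.Security.AccessControl.FileSystemAccessRule]$Ace)
    [pscustomobject]@{
        ServerName       = $strComputer
        FullPath         = $Item.FullName
        Type             = if ($Item -is [System.IO.DirectoryInfo]) { 'D' } else { 'F' }
        Owner            = $Acl.Owner
        Trustee          = $Ace.IdentityReference.Value
        Inherited        = $Ace.IsInherited
        InheritanceFlags = $Ace.InheritanceFlags.ToString()
        AceFlag          = $Ace.PropagationFlags.ToString()
        AceType          = $Ace.AccessControlType.ToString()
        AccessMasks      = $Ace.FileSystemRights.ToString()
    }
}

# Root folder: every ACE (the baseline the tree inherits).
# Subfolders: only ACEs that are not inherited, i.e. set on that folder itself.
function Get-ExplicitAclReport {
    param([string]$Path)
    $root    = Get-Item -LiteralPath $Path
    $rootAcl = Get-Acl  -LiteralPath $Path
    foreach ($ace in $rootAcl.Access) { ConvertTo-AceRow $root $rootAcl $ace }

    Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        if ($acl.AreAccessRulesProtected) {
            # inheritance is broken here; its ACEs are explicit and will be reported below
            Write-Verbose "Inheritance disabled on $($_.FullName)"
        }
        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            ConvertTo-AceRow $_ $acl $ace
        }
    }
}

# Parameterized insert: values travel as @parameters, never inside the SQL text
function Write-AceRow {
    param([System.Data.SqlClient.SqlConnection]$Connection, $Row)
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = "INSERT INTO $tableName (servername,fullpath,type,owner,trustee,inherited,inheritanceflags,aceflag,acetype,accessmasks) " +
                       "VALUES (@servername,@fullpath,@type,@owner,@trustee,@inherited,@inheritanceflags,@aceflag,@acetype,@accessmasks)"
    foreach ($p in $Row.PSObject.Properties) {
        [void]$cmd.Parameters.AddWithValue("@$($p.Name.ToLower())", [string]$p.Value)
    }
    [void]$cmd.ExecuteNonQuery()
}

$rows = Get-ExplicitAclReport -Path $StartPath
$rows | Format-Table FullPath, Trustee, AceType, AccessMasks -AutoSize

$conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
$conn.Open()
try     { foreach ($r in $rows) { Write-AceRow -Connection $conn -Row $r } }
finally { $conn.Close() }
```

"Not inherited" is an approximation of "differs from the parent": a subfolder with inheritance disabled but identical effective rights still shows its (now explicit) ACEs, which is usually what an audit wants to see, since that folder will no longer pick up future changes made at the root. Comparing the ACE sets of parent and child would be needed to suppress those rows as well.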