Powershell newbie Help

This topic contains 2 replies, has 3 voices, and was last updated by Aapeli Hietikko 5 days, 23 hours ago.

  • #70712
    William
    Participant

    Hello,

    I am new to writing PowerShell scripts and have been tasked with the following. I understand the layout of the parameters etc. for flexibility, but the actual writing I just can't get my head around. If anyone could help me with the below and explain your answer, that would be a lot of help to me.

    I need a PowerShell script that will check a complete DFS Root,
    and report all targets and access based enumeration for each.
    I then need the script to check all NTFS permissions on all the
    targets and list the security groups assigned.
    I then need this script to search 4 domains and report on the users in these groups.

  • #70733
    Don Jones
    Keymaster

    Happy to try and help, although I can't bang out the whole thing for you. What have you tried? Where are you stuck?

    I will tell you that "check all NTFS permissions on all the targets and list the security groups assigned" is going to be a MASSIVE and time-consuming task. Like, you've no idea how long it's going to take to run through all that unless you've got just one or two targets. PowerShell (indeed, Windows' permissions system) wasn't designed for this. That's where there are $$$ commercial tools to do this. You're basically setting out to write your own commercial tool. It might not be your best first choice for your first PowerShell script :).

  • #70913
    Aapeli Hietikko
    Participant

    So you are asking us to write it for you?

    Here is some kind of a start for you. As Don said, going recursively might take heaps of time. I've done some used space calculations against our DFS and it was running for a day or so.

    # Requires the ActiveDirectory module (RSAT)
    Import-Module ActiveDirectory

    # Folder whose ACL is reported
    $folder = "c:\path"

    #put your domain prefix here
    $domain = "domain"

    # CSV file name derived from the folder path, e.g. c_path.csv
    $csv = "$($folder.replace('\','_').replace(':','').replace(' ','')).csv"
    $collection = New-Object System.Collections.Generic.List[System.Object]
    $permCollection = New-Object System.Collections.Generic.List[System.Object]

    # Collect every ACE on the folder as "identity;rights"
    foreach ($access in (Get-Acl $folder).Access) {
        $filerights = $access.FileSystemRights.ToString()
        $inheritanceFlg = $access.InheritanceFlags.ToString()
        # An ACE that applies to subfolders only is reported as ListDirectory
        if ($inheritanceFlg -eq 'ContainerInherit') {
            $filerights = $filerights.replace('ReadAndExecute','ListDirectory')
        }
        $output = $access.IdentityReference.ToString() + ';' + $filerights
        $collection.add($output)
    }

    # Resolve only the identities that belong to the chosen domain
    $col = $collection | where {$_ -like "$domain*"}
    foreach ($c in $col) {
        # The part after DOMAIN\ in an ACL identity is the sAMAccountName, not the CN
        $ADOC = $c.split(";")[0].split("\")[1]
        $ADOACL = $($c.split(";")[1]) -replace ", Synchronize",""
        $ADO = Get-ADObject -Filter "sAMAccountName -eq '$ADOC'"

        # A user named directly on the ACL
        if ($ADO.objectClass -eq "user") {

            $obj = Get-ADUser -Identity $ADO.DistinguishedName -Properties LastLogonDate |
                   select samaccountname,givenname,surname,enabled,lastlogondate, @{Expression={"MappedUser"};Label="PermissionGroup"}, @{Expression={$ADOACL};Label="Permission"}

            $permCollection.add($obj)

        }

        # A group: expand nested membership and keep only user objects
        if ($ADO.objectClass -eq "group") {

            Get-ADGroupMember -Identity $ADO.DistinguishedName -Recursive |
                where {$_.objectClass -eq "user"} |
                    Get-ADUser -Properties LastLogonDate |
                        select samaccountname,givenname,surname,enabled,lastlogondate, @{Expression={$($ADO.name)};Label="PermissionGroup"}, @{Expression={$ADOACL};Label="Permission"} |
                            foreach {
                                $permCollection.add($_)
                            }

        }

    }

    $permCollection | export-csv $csv -notypeinformation -encoding "UTF8" -Delimiter ";"

    # Append the raw ACL in the same encoding as the CSV above
    "" | out-file $csv -Append -Encoding UTF8
    "Exact Folder ACL" | out-file $csv -Append -Encoding UTF8
    $collection | out-file $csv -Append -Encoding UTF8
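
Both replies warn that walking every folder under every target is slow. One way to bound that work, shown here as an added example (not code from anyone in this thread), is to limit the depth and report only the ACEs set directly on a folder, since inherited entries repeat what the parent already shows. The function name, parameters and the UNC path in the usage comment are assumptions; `-Depth` needs PowerShell 5.0 or later.

```powershell
# Added example, not from the thread. Names and the sample path are hypothetical.
function Get-ExplicitFolderAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        # Passed to Get-ChildItem -Depth: 0 = immediate subfolders only
        [uint32]$Depth = 1
    )

    # Root folder first, then its subfolders down to the requested depth
    $folders = @(Get-Item -LiteralPath $Root -ErrorAction Stop)
    $folders += @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth `
                      -ErrorAction SilentlyContinue -ErrorVariable walkErrors)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL: $($folder.FullName): $($_.Exception.Message)"
            continue
        }

        $isRoot = $folder.FullName -eq $folders[0].FullName
        # Root: report every ACE. Below the root: only ACEs set on the folder itself.
        $aces = $acl.Access | Where-Object { $isRoot -or -not $_.IsInherited }

        foreach ($ace in $aces) {
            [pscustomobject]@{
                Path                = $folder.FullName
                InheritanceDisabled = $acl.AreAccessRulesProtected
                Identity            = $ace.IdentityReference.Value
                Type                = $ace.AccessControlType
                Rights              = $ace.FileSystemRights
                AppliesTo           = $ace.InheritanceFlags
                Inherited           = $ace.IsInherited
            }
        }
    }

    # Folders the walk could not enter are reported, not silently skipped
    foreach ($e in $walkErrors) { Write-Warning "Skipped: $($e.TargetObject)" }
}

# Usage (placeholder path):
# Get-ExplicitFolderAce -Root '\\server\share\target' -Depth 2 |
#     Export-Csv .\explicit-aces.csv -NoTypeInformation -Encoding UTF8 -Delimiter ';'
```

Folders that appear below the root in the output are the ones where permissions differ from the parent, which is usually the short list an access review needs.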
    
    
