Use a like compare within a -in/-contains comparison


    • #199784
      Participant
      Topics: 1
      Replies: 14
      Points: 23
      Rank: Member

      I’m working on a script for some fileshare auditing. Initially, I was only concerned with who was able to modify, and that satisfied my needs. As I’m wrapping up my work with this script I wanted to make it more generic so that it could be reused in the future for, say, a read permission audit, which is where this question comes from.

       

      In my original code I had written the line below. $path is a UNC path. $permission1 was originally hard-coded to modify and $permission2 was hard-coded to fullcontrol. Swapping these for the following variables works no problem (as long as I define them ahead of time, which I have).

      
      $identities = get-acl -Path $path | foreach {$_.access} | select filesystemrights, identityreference | where {$_.filesystemrights -like "*$permission1*" -or $_.filesystemrights -like "*$permission2*"} | select -expand identityreference
      
      

      But if I open the door to auditing read, then I need to search for fullcontrol, modify, and also read. So I thought, instead of adding a 3rd comparison and then potentially needing this line multiple times, what if I created a list of possible values and then compared against that?

      So here comes a new variable called $permissions, which could be set like so: $permissions = 'modify','fullcontrol'. My new line should look something like this.

      
      get-acl -Path $path | foreach {$_.access} | select filesystemrights, identityreference | where {$_.filesystemrights -in $permissions} | select -expand identityreference
      
      

      It half works. It still returns the 2 identities which match fullcontrol exactly. But it won’t return the identities that have rights of “DeleteSubdirectoriesAndFiles, Modify, Synchronize” or some combination where modify is buried in there. Is there a way to do this? Or should I just have 3 separate commands that are each written to accept 1, 2, or 3 values to -or?

       

      Thanks

      • This topic was modified 2 months ago by Devilsbane.
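The reason the -in line half works is that FileSystemRights is a [Flags] enum: -in compares the whole value as one string, so only an ACE whose rights are exactly FullControl is equal to 'fullcontrol'. The example below is added here and is not the poster's code; it builds a few ACEs inline (constructed sample data, no share is read) and tests rights as flag bits instead of strings, which also makes FullControl satisfy a Modify check on its own and keeps Deny entries out of the "who can modify" list.

```powershell
# Added example (not the poster's code): why '-in' only catches exact FileSystemRights
# values, and a flags-based test that catches Modify wherever it appears in a combined
# value. The ACEs are constructed inline to stand in for (Get-Acl -Path $path).Access.

# Constructed sample ACEs: identity, rights, Allow/Deny
$sampleAces = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('DOMAIN\ShareAdmins', 'FullControl', 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule('DOMAIN\Editors', 'DeleteSubdirectoriesAndFiles, Modify, Synchronize', 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule('DOMAIN\Readers', 'ReadAndExecute, Synchronize', 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule('DOMAIN\Contractors', 'Modify, Synchronize', 'Deny')
)

# What the thread's '-in' line does: the enum value is compared as one whole string,
# so only the ACE whose rights are exactly 'FullControl' matches the list.
$permissions = 'modify', 'fullcontrol'
$exactMatches = $sampleAces | Where-Object { $_.FileSystemRights -in $permissions }

function Test-AceGrantsAny {
    <# Returns $true when the ACE contains every bit of at least one named right. #>
    param(
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemAccessRule] $Ace,
        [Parameter(Mandatory)] [string[]] $RightNames
    )
    foreach ($name in $RightNames) {
        # Cast the name to the [Flags] enum; 'Modify' becomes the combined Modify bits.
        $wanted = [System.Security.AccessControl.FileSystemRights]$name
        # Bitwise test: all bits of $wanted must be set in the ACE's rights.
        # FullControl is a superset of Modify, so a FullControl ACE passes a Modify
        # check without being listed separately.
        if (($Ace.FileSystemRights -band $wanted) -eq $wanted) { return $true }
    }
    return $false
}

# Only Allow ACEs grant access; a Deny ACE with the same bits removes it, so report
# the two separately instead of mixing them into one identity list.
$granted = $sampleAces |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-AceGrantsAny -Ace $_ -RightNames 'Modify') } |
    Select-Object -ExpandProperty IdentityReference

$denied = $sampleAces |
    Where-Object { $_.AccessControlType -eq 'Deny' -and (Test-AceGrantsAny -Ace $_ -RightNames 'Modify') } |
    Select-Object -ExpandProperty IdentityReference

"Exact -in matches : $($exactMatches.IdentityReference -join ', ')"
"Allowed Modify    : $($granted -join ', ')"
"Denied Modify     : $($denied -join ', ')"
```

Against a real share, replace $sampleAces with (Get-Acl -Path $path).Access. The flag test also copes with ACEs whose rights show up as raw numbers (generic access bits), which a string comparison never matches.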
    • #199877
      Participant
      Topics: 4
      Replies: 70
      Points: 192
      Helping Hand
      Rank: Participant

      You could use -match with regular expression.

      $permissions = '(.+modify)|(.+fullcontrol)'
      "DeleteSubdirectoriesAndFiles, Modify, Synchronize" -match $permissions
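The regex approach generalises to the list of values the question asked for: build the alternation from the list rather than hand-writing each term. The example below is added here and is not the reply's code; the rights strings are constructed to look like FileSystemRights.ToString() output, so it runs without a share, and it puts the hand-written '(.+modify)|(.+fullcontrol)' next to the generated pattern to show where the leading '.+' loses a match.

```powershell
# Added example (not the reply's code): build the -match alternation from a list of
# right names, and compare it with the hand-written '.+' pattern from the reply.

function New-RightsPattern {
    param([Parameter(Mandatory)] [string[]] $RightNames)
    # Escape each name so it is matched literally (cheap insurance; enum names hold
    # no regex metacharacters), then join the names with '|' (alternation).
    # No '.+' prefix is needed: -match searches the whole string, including offset 0,
    # whereas '.+' demands at least one character before the term.
    $alternatives = $RightNames | ForEach-Object { [regex]::Escape($_) }
    return '(' + ($alternatives -join '|') + ')'
}

# Constructed sample values shaped like FileSystemRights.ToString() output
$sampleRights = @(
    'FullControl'
    'ReadAndExecute, Synchronize'
    'DeleteSubdirectoriesAndFiles, Modify, Synchronize'
    'Modify, Synchronize'
)

$listPattern  = New-RightsPattern -RightNames 'modify', 'fullcontrol'
$replyPattern = '(.+modify)|(.+fullcontrol)'

# -match is case-insensitive by default, so lower-case names match the enum spelling.
$sampleRights | ForEach-Object {
    [pscustomobject]@{
        Rights         = $_
        MatchesList    = $_ -match $listPattern
        MatchesDotPlus = $_ -match $replyPattern
    }
} | Format-Table -AutoSize

# Against a real share the generated pattern slots into the thread's pipeline:
# (Get-Acl -Path $path).Access |
#     Where-Object { $_.FileSystemRights -match $listPattern } |
#     Select-Object -ExpandProperty IdentityReference
```

Keep in mind that -match is a substring test: 'read' in the list also matches ReadAndExecute, ReadData, ReadAttributes and ReadPermissions, and 'write' matches WriteData and friends. Decide whether that breadth is what the audit wants, and never put Synchronize in the list, since nearly every ACE carries it.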
    • #199895
      Participant
      Topics: 1
      Replies: 14
      Points: 23
      Rank: Member

      You could use -match with regular expression.

      $permissions = '(.+modify)|(.+fullcontrol)'
      "DeleteSubdirectoriesAndFiles, Modify, Synchronize" -match $permissions

      That’s a great idea, I didn’t think of that.

      A quick update:

      I just had to make one small adjustment. I switched the + to * because the value has the potential to start the string. Your code was only returning 3 of the 6 values it should have been. 2 of the 3 missing were only fullcontrol and the 3rd started with modify. So the wildcard is needed over the +. Otherwise it works great. Thanks again.

       

      Here’s the return of my particular share:
      FullControl
      ReadAndExecute,Synchronize
      DeleteSubdirectoriesAndFiles,Modify,Synchronize
      Modify,Synchronize
      FullControl
      DeleteSubdirectoriesAndFiles,Modify,Synchronize
      ReadAndExecute,Synchronize
      DeleteSubdirectoriesAndFiles,Modify,Synchronize

      And the code if anyone is interested. I stripped out my path and domain, so you’d either need to update my default values or pass them in when you call the script. Nothing fancy, but it works. On my particular share it bombs out for read because EVERYONE has read access and it exceeds the size limit that Get-ADGroupMember will get. If this ever becomes a big deal I’ll switch back to dsget.

      
      #Requires -Modules ActiveDirectory
      [CmdletBinding()]
      param(
          $path = "\\Server\Share",

          [ValidateSet("Read", "Write", "FullControl")]
          $permission = "Write",

          $domain = 'DomainName\'
      )

      # Map the requested audit level to a regex over FileSystemRights.ToString();
      # a Write audit must also catch FullControl, and a Read audit catches all three.
      if ($permission -eq 'Write') { $permissions = '(.*modify)|(.*fullcontrol)' }
      elseif ($permission -eq 'fullcontrol') { $permissions = '.*fullcontrol' }
      elseif ($permission -eq 'read') { $permissions = '(.*read|.*modify)|(.*fullcontrol)' }

      $identities = get-acl -Path $path | foreach {$_.access} | select filesystemrights, identityreference | where {$_.filesystemrights -match $permissions} | select -expand identityreference
      $identities = $identities | select -ExpandProperty value

      $groups = @()
      $users = @()
      $others = @()

      foreach ($identity in $identities)
      {
          # String.Replace is case-sensitive: $domain must match the ACL's spelling exactly
          $identity = $identity.replace($domain, '')
          $type = Get-ADObject -Filter "SamAccountName -eq '$identity'" | select -expand objectclass
          if ($type -eq "group")
          {
              $groups += Get-ADGroupMember -Identity $identity -Recursive | select Name,@{n="Username";e={$_.samaccountname}},@{n="GrantedFrom";e={$identity}}
          }
          elseif ($type -eq "user")
          {
              $users += get-aduser -Identity $identity | select Name,@{n="Username";e={$_.samaccountname}},@{n="GrantedFrom";e={"Direct Access"}}
          }
          else
          {
              $others += "$identity could not be found in ActiveDirectory"
          }
      }

      # Name, Username and GrantedFrom were already built above; relabelling them all
      # as GrantedFrom (as the first version did) threw the member list away.
      # -Unique drops duplicate rows for users that reach the share via several groups.
      $groups | select Name, Username, GrantedFrom -Unique
      $users
      $others
      
      
      • This reply was modified 2 months ago by Devilsbane. Reason: Added code
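Two things in the posted script deserve a second look from an auditing angle: every identity goes straight to Get-ADObject, so built-in principals and deleted accounts that survive on the ACL as raw SIDs all land in $others as "could not be found", and Get-ADGroupMember -Recursive is the call that gives up on large groups, because Active Directory Web Services caps the members it returns (the MaxGroupOrMemberEntries limit). The example below is added here and is not the thread's script; it assumes the ActiveDirectory module and a reachable domain, the group and SID values are constructed placeholders, and its driver only expands groups (direct user ACEs still go through the script's Get-ADUser branch).

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the thread's script. Assumes the ActiveDirectory module and a
# reachable domain; identities below are constructed placeholders.

function Get-IdentityKind {
    param([Parameter(Mandatory)] [string] $Identity)   # IdentityReference.Value from an ACE
    if ($Identity -match '^(NT AUTHORITY|BUILTIN|NT SERVICE)\\' -or
        $Identity -in 'Everyone', 'CREATOR OWNER', 'Authenticated Users') { return 'WellKnown' }
    # Get-Acl shows a deleted principal as its raw SID; these are findings in their
    # own right and must not be silently dropped.
    if ($Identity -match '^S-1-\d+(-\d+)+$') { return 'OrphanedSid' }
    return 'Domain'
}

function Get-NestedGroupUsers {
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # 'DomainName\GroupSam' or 'GroupSam'
        [string] $DomainPrefix = 'DomainName\'         # prefix to strip, as in the thread's script
    )
    # -replace is case-insensitive, unlike String.Replace, so 'DOMAINNAME\Group'
    # is stripped as well.
    $sam = $GroupName -replace ('^' + [regex]::Escape($DomainPrefix)), ''
    $group = Get-ADGroup -Identity $sam -ErrorAction Stop
    # OID 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the DC resolves the
    # nested membership itself and returns a paged result set, so this is not subject
    # to the ADWS member-count limit that stops Get-ADGroupMember -Recursive.
    Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
        Select-Object Name,
                      @{n = 'Username';    e = { $_.SamAccountName }},
                      @{n = 'Enabled';     e = { $_.Enabled }},
                      @{n = 'GrantedFrom'; e = { $sam }}
}

# Driver: classify each identity the Get-Acl pipeline produced before touching AD.
# $identities is a constructed sample; in the script it comes from the ACL.
$identities = 'DomainName\ShareEditors',
              'BUILTIN\Administrators',
              'S-1-5-21-1111111111-2222222222-3333333333-1105'

$report = foreach ($id in $identities) {
    switch (Get-IdentityKind -Identity $id) {
        'WellKnown'   { [pscustomobject]@{ Identity = $id; Kind = 'WellKnown';   Note = 'Built-in principal; not an AD object' } }
        'OrphanedSid' { [pscustomobject]@{ Identity = $id; Kind = 'OrphanedSid'; Note = 'Deleted principal still on the ACL; clean up' } }
        'Domain'      { Get-NestedGroupUsers -GroupName $id }
    }
}
$report | Format-Table -AutoSize
```

The Enabled column is worth keeping in the report: a disabled account that still sits in a group with Modify on the share is exactly the kind of stale access a permission audit exists to find.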