Reputation: 422
I wrote 2 functions (not directly from me), which create a file with folder ACLs. The first function creates a folder list with a max. depth parameter. The second function creates an output file with the ACL for every folder, based on the output of the first function.
Code or syntax enhancements / bugfixes are welcome. Sorry for my bad English!
Output Example:
Path : D:\pub\
AccessToString :
NT-AUTORITÄT\Authentifizierte Benutzer Allow ReadAndExecute, Synchronize
Domain\Group_Sales_RW Allow Modify, Synchronize
Domain\User4711 Allow Modify, Synchronize
NT-AUTORITÄT\SYSTEM Allow FullControl
VORDEFINIERT\Administratoren Allow FullControl
Domain\Administrator Allow FullControl
The 2 functions:
    function ListSubDir {
        <#
        .Synopsis
        Lists Subfolders
        .Description
        Lists Subfolders
        .Example
        ListSubDir -Searchpath "D:" -Depth "2"
        #>
        param (
            $Searchpath = $env:USERPROFILE,
            $Depth = 2
        )
        if ($Depth -gt 0) {
            GCI $Searchpath -ea SilentlyContinue | Where-Object { $_.psiscontainer } | % {
                ListSubDir -Searchpath $_.fullname -Depth ($Depth - 1)
                return $_
            }
        }
    }
    function Get-DirectoryRights {
        <#
        .Synopsis
        .Description
        Exports Directory ACLs to a .txt File
        .Example
        Foreach ($Path in (GCI "D:\Users" -recurse -ea SilentlyContinue | where {$_.psiscontainer})) {get-directoryrights -Searchpath $Path.fullname -output "d:\ACL-Log.txt"}
        .Example
        #>
        param (
            $Searchpath = "$ENV:Userprofile",
            $Output = "$Env:Temp\AusgabeACL.txt",
            $XMLTemp = "$env:temp\acldata.xml"
        )
        $Folder = $Searchpath | Get-ACL -ea SilentlyContinue
        # Round-trip the selected properties through a temporary XML file
        $Folder | Select @{Name="Path";Expression={$_.PSPath.Substring($_.PSPath.IndexOf(":")+2) }},Owner,Access,AccessToString,@{Name="Reported";Expression={(Get-Date).ToShortDateString()}}, @{Name="Computername";Expression={$env:computername}} | Export-Clixml $XMLTemp
        $acl = Import-Clixml $XMLTemp
        # Append path and access list of every folder that has access entries
        $acl | where {$_.access } | format-list path,AccessToString | out-file $Output -append
    }
The Current function call:
    $Folderlist = ListSubDir -Searchpath d:\pub -Depth 2
    Get-directoryrights -Searchpath $Folderlist.fullname -Output D:\ausgabe.txt
To simplify the file server administration we want to eliminate all user-specific ACLs and replace them with group ACLs. The current output looks fine, but is it possible to list only the folders where a specific user or OU member exists?
For example: with a third function, I want to list the usernames which begin with the characters "w01" (W01 stands for site01 -> our headquarters) and pipe them to the other functions to get only the folders that have given rights to the users, like:
Path : D:\pub\
AccessToString :
Domain\W01Username Allow Modify, Synchronize
The third function:
    function GetADUser {
        <#
        .Description
        List AD User Details
        .Example
        getaduser -SearchString "w01*"
        #>
        param (
            $Searchbase = "OU=_Benutzer,DC=Vogler-GMBH,DC=com",
            $SearchString = "*"
        )
        get-aduser -Filter 'SamAccountName -like $Searchstring -or Givenname -like $Searchstring' -SearchBase $Searchbase | select *
    }
Upvotes: 0
Views: 9913
Reputation: 36332
In general you should avoid having a function output to a file. Have it output an object, and then you can format and output that object to a file if you'd like. This situation is a perfect example of that. I altered your script a little to have it output objects. I also added just a little bit to filter for a user as well. Check this out:
    function Get-DirectoryRights {
        <#
        .Synopsis
        .Description
        Exports Directory ACLs (optionally filters for a user name)
        .Example
        Foreach ($Path in (GCI "D:\Users" -recurse -ea SilentlyContinue | where {$_.psiscontainer})) {get-directoryrights -Searchpath $Path.fullname -UserFilter "JDoe"}
        .Example
        #>
        param (
            $Searchpath = "$ENV:Userprofile",
            $UserFilter
        )
        if ($UserFilter) {
            # -match takes a regular expression, so the filter is escaped: in an unescaped
            # "YourDomainName\W01" the sequence \W is a regex character class, not a backslash and a W
            $Searchpath | Get-ACL -ea SilentlyContinue |
                Where { ($_.Access | select -ExpandProperty IdentityReference) -match [regex]::Escape($UserFilter) } |
                Select @{Name="Path";Expression={$_.PSPath.Substring($_.PSPath.IndexOf(":")+2) }},Owner,Access,AccessToString,@{Name="Reported";Expression={(Get-Date).ToShortDateString()}}, @{Name="Computername";Expression={$env:computername}}
        } else {
            $Searchpath | Get-ACL -ea SilentlyContinue |
                Where { $_.Access } |
                Select @{Name="Path";Expression={$_.PSPath.Substring($_.PSPath.IndexOf(":")+2) }},Owner,Access,AccessToString,@{Name="Reported";Expression={(Get-Date).ToShortDateString()}}, @{Name="Computername";Expression={$env:computername}}
        }
    }
Then you would just run it very much like you were, but you would format and output it outside the function.
    $Folderlist = ListSubDir -Searchpath d:\pub -Depth 2
    Get-directoryrights -Searchpath $Folderlist.fullname | FL Path,AccessToString | Out-File D:\ausgabe.txt
If you want to filter for domain users that start with W01 you would do something like:
    Get-DirectoryRights -Searchpath $Folderlist.fullname -UserFilter "YourDomainName\W01" | FL Path,AccessToString | Out-File D:\ausgabe.txt
Upvotes: 2
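A per-entry variant of the filtering discussed in the answer above, as an added example that is not part of the original thread: it emits one object per matching access entry rather than the folder's whole AccessToString, which gives the one-line-per-user output the question asks for. The function name Get-FolderAceByIdentity, its parameters and the placeholder domain name Domain are assumptions.

```powershell
# Added example, not code from the thread. Function and parameter names are hypothetical.
function Get-FolderAceByIdentity {
    [CmdletBinding()]
    param(
        # Folder paths; binds from the FullName property of piped Get-ChildItem objects.
        [Parameter(Mandatory, Position = 0, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string[]]$Path,

        # Wildcard matched against the account name, e.g. 'Domain\W01*'.
        [string]$IdentityPattern = '*',

        # Skip entries inherited from a parent folder, leaving only those set on the folder itself.
        [switch]$ExplicitOnly
    )
    process {
        foreach ($p in $Path) {
            $acl = Get-Acl -LiteralPath $p -ErrorAction SilentlyContinue
            if (-not $acl) { continue }   # folder could not be read: skip it
            foreach ($ace in $acl.Access) {
                if ($ExplicitOnly -and $ace.IsInherited) { continue }
                # -like uses wildcards, not regex, so the backslash in 'Domain\W01*' is literal
                if ($ace.IdentityReference.Value -notlike $IdentityPattern) { continue }
                [pscustomobject]@{
                    Path      = $p
                    Identity  = $ace.IdentityReference.Value
                    Type      = $ace.AccessControlType
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage with the folder and prefix from the question ('Domain' stands in for the real domain name).
Get-ChildItem -LiteralPath 'D:\pub' -Directory -Recurse -ErrorAction SilentlyContinue |
    Get-FolderAceByIdentity -IdentityPattern 'Domain\W01*' -ExplicitOnly |
    Format-Table -AutoSize
```

Because the function returns objects, the same pipeline can end in Export-Csv instead of Format-Table to produce a work list for the ACL cleanup.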