Reputation: 1
I'm looking for a solution to recursively scan a filer for all directories, to find where a specific group has access rights.
My first try was this:
get-childitem "C:\temp" -directory -recurse | get-acl | Format-List
This works well:
Path : Microsoft.PowerShell.Core\FileSystem::C:\temp\test
Owner : STMI\<ACCOUNT>
Group : STMI\Domänen-Benutzer
Access : VORDEFINIERT\Administratoren Allow FullControl
         NT-AUTORITÄT\SYSTEM Allow FullControl
         VORDEFINIERT\Benutzer Allow ReadAndExecute, Synchronize
         NT-AUTORITÄT\Authentifizierte Benutzer Allow Modify, Synchronize
         NT-AUTORITÄT\Authentifizierte Benutzer Allow -536805376
Audit :
Sddl : <A LOT OF INFO>
Then I tried:
get-childitem "C:\temp" -directory -recurse | get-acl | select Path, Access | Format-List
The output was interesting
Path : Microsoft.PowerShell.Core\FileSystem::C:\temp\test
Access : {System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule...}
I don't get the group names, only the objects. Then I tried different ideas to get the "names". So I found this snippet:
$FolderPath = Get-ChildItem -Directory -Path "C:\temp" -Recurse -Force
$Output = @(
    ForEach ($Folder in $FolderPath) {
        $ACL = Get-Acl -Path $Folder.FullName
        ForEach ($Access in $ACL.Access) {
            [PSCustomObject] @{
                'Folder Name' = $Folder.FullName
                'Group/User'  = $Access.IdentityReference
                'Permissions' = $Access.FileSystemRights
                'Inherited'   = $Access.IsInherited
            }
        }
    }
)
$Output | Export-Csv -Path "C:\TEMP\DirectoryPermissions.csv"
This works fine for c:\temp - but not a filer. And I want to have a filter on a special "object". Now I could not combine these two approaches. I could not manage to get "IdentityReference" in my one-line statement.
What also is not integrated is the filter for one specific group. I don't want all directories. I only want to get directories in my list, where a specific group has access. I thought, I can build up step by step.
The below approach would not work:
Get-ChildItem -Directory -Recurse | Get-NTFSAccess
Get-NTFSAccess is allegedly unknown
Upvotes: 0
Views: 31
Reputation: 61198
If I understand the question properly, you want to filter on a certain group that has access permissions on a FILE. (Or did you mean something else with filer?)
In that case just change your code to something like this:
$beispielFiles = Get-ChildItem -Path 'D:\Test' -Filter '*Beispiel*' -Recurse -File -Force
$output = foreach ($file in $beispielFiles) {
    $acl = $file | Get-Acl
    $acl.Access | Where-Object { $_.IdentityReference -like '*\Authentifizierte Benutzer' } | ForEach-Object {
        [PSCustomObject] @{
            'FileName'    = $file.FullName
            'Group/User'  = $_.IdentityReference
            'Permissions' = $_.FileSystemRights -join ', '
            'Inherited'   = $_.IsInherited
        }
    }
}
$output | Export-Csv -Path 'C:\TEMP\FilePermissions.csv' -NoTypeInformation -UseCulture
-NoTypeInformation will leave out the #TYPE headers in the csv file.
-UseCulture makes sure the csv uses the same separator character your local Excel expects.
Output of the above:
FileName                             Group/User                             Permissions         Inherited
--------                             ----------                             -----------         ---------
D:\Test\beispiel.txt                 NT AUTHORITY\Authentifizierte Benutzer Modify, Synchronize True
D:\Test\subfolder1\Zumbeispiel.txt   NT AUTHORITY\Authentifizierte Benutzer Modify, Synchronize True
D:\Test\subfolder2\beispielDatei.txt NT AUTHORITY\Authentifizierte Benutzer Modify, Synchronize True
BTW. The function Get-NTFSAccess is not part of the standard PowerShell functions, but contained in a module you can download/install from here if you feel you need it.
Upvotes: 0
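An added example, not code from either post: one way to list only the directories whose ACL contains an entry for a given group, which is what the question asks for. The function name `Find-GroupAccess`, its parameter names and the paths in the usage lines are assumptions; directories that cannot be enumerated or whose ACL cannot be read are reported as warnings, since they are gaps in the audit rather than "no access".

```powershell
# Added example. Find-GroupAccess and its parameter names are hypothetical.
function Find-GroupAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,      # local or UNC root of the scan
        [Parameter(Mandatory)] [string] $Identity,  # wildcard, e.g. '*\Domänen-Benutzer'
        [switch] $ExplicitOnly                      # skip inherited entries
    )

    # Collect enumeration errors instead of aborting on the first denied folder.
    $dirs = Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force `
                -ErrorAction SilentlyContinue -ErrorVariable scanErrors

    foreach ($dir in $dirs) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        }
        catch {
            Write-Warning "ACL not readable: $($dir.FullName)"
            continue
        }

        # Keep only the entries of the requested identity; folders without one emit nothing.
        $acl.Access |
            Where-Object { $_.IdentityReference.Value -like $Identity } |
            Where-Object { -not ($ExplicitOnly -and $_.IsInherited) } |
            ForEach-Object {
                [PSCustomObject]@{
                    Folder      = $dir.FullName
                    Identity    = $_.IdentityReference.Value
                    Type        = $_.AccessControlType      # Allow or Deny
                    Permissions = [string]$_.FileSystemRights
                    Inherited   = $_.IsInherited
                }
            }
    }

    foreach ($e in $scanErrors) {
        Write-Warning "Not scanned: $($e.TargetObject)"
    }
}

# Constructed usage: path, group pattern and output file are placeholders.
Find-GroupAccess -Path 'C:\temp' -Identity '*\Authentifizierte Benutzer' |
    Export-Csv -Path 'C:\TEMP\GroupAccess.csv' -NoTypeInformation -UseCulture
```

With `-ExplicitOnly` the report shrinks to the folders where the group was granted access directly, which is usually where a permission review starts.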