In PowerShell when using Get-Acl how can I show all members belonging to a group instead of the group itself?

So:

```powershell
Get-ChildItem C:\ | where-object {($_.PsIsContainer)} | Get-Acl | select path -ExpandProperty Access
```

Shows something like this:

```
Path              : Microsoft.PowerShell.Core\FileSystem::C:\Test
FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

Path              : Microsoft.PowerShell.Core\FileSystem::C:\Test
FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None
```

Instead I want it to list all users belonging to Administrators/Users with their permission for each folder and discard the group.

Also, how can I add Convert-Path to the select path statement so that the path displayed is only C:\Test?

Thanks!

Blackfury
  • For the first question, check: [How to get effective permissions with PowerShell for an attribute on the AD user object](https://stackoverflow.com/q/27069043/1701026). For the second question, use something like: `.Split('::')[-1]` (possibly together with a [`Select-Object`](https://docs.microsoft.com/powershell/module/microsoft.powershell.utility/select-object?view=powershell-6) expression like: `@{Name="FilePath"; Expression = {$_.Path.Split('::')[-1]}}`). If this doesn't help you further, I recommend that you separate the questions and detail what you have tried yourself for a possible answer – iRon Sep 03 '18 at 14:40
  • Hi iRon, I appreciate your answer, and sorry for the very late reply. I wasn't able to solve it using the module, but found a different way described below. Thanks again. – Blackfury Sep 11 '18 at 08:12

1 Answer

I wasn't able to solve it with the linked post and/or the PowerShell Access Control module; I still only got groups. So in the end I was able to get the info I wanted with a combination of different other helpful posts like:

PowerShell script to return members of multiple security groups
List user details from Username

Expanding on my original question and including the final result I wanted, this is how I did it. It's not beautiful (it even repeats a small portion of code) and big parts could probably be put in one line, but for my own readability alone it kinda makes sense this way. Also, I omitted the discard of the group, since I found the information useful.

```powershell
# Get-ADObject and Get-ADGroupMember come from the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

$queryPath = "C:\Test"
$targetFile = "C:\Test.csv"

$Table = @()

# Template for one output row; it is re-used and copied into a new object per row
$Record = [ordered]@{
    "Path" = ""
    "IdentityReference" = ""
    "Class" = ""
    "GrpMember" = ""
}

# Only the immediate sub-folders of $queryPath are queried
$foldersToQuery = Get-ChildItem $queryPath | Where {$_.PSIsContainer} | select -expandproperty FullName

foreach ($folder in $foldersToQuery) {
    $Record.Path = $folder
    $permissions = Get-Acl $folder | select -expandproperty Access

    foreach ($permission in $permissions) {
        # IdentityReference looks like DOMAIN\name; keep the name part for the AD lookup
        [string]$id = $permission.IdentityReference
        $SamAccountName = $id.Split('\')[1]
        $ADObject = Get-ADObject -Filter ('SamAccountName -eq "{0}"' -f $SamAccountName)
        $Record.IdentityReference = $permission.IdentityReference.ToString()

        switch ($ADObject.ObjectClass) {
            'user' {
                # A user ACE becomes a single row with no group member
                $Record.Class = $ADObject.ObjectClass
                $Record.GrpMember = ""
                $objRecord = New-Object PSObject -property $Record
                $Table += $objrecord
            }
            'group' {
                # A group ACE becomes one row per direct member of the group
                $Record.Class = $ADObject.ObjectClass
                $members = Get-ADGroupMember $SamAccountName

                foreach ($member in $members) {
                    $Record.GrpMember = $member.name
                    $objRecord = New-Object PSObject -property $Record
                    $Table += $objrecord
                }
            }
        }
    }
}
$Table | export-csv $targetFile -NoTypeInformation -Encoding UTF8
```

Returning a table like this when formatted

Blackfury
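
An added example, not part of the original post: a variant of the audit that resolves each ACE by SID, so the `BUILTIN\Administrators` and `BUILTIN\Users` entries from the question are expanded through the local accounts database, domain groups are expanded recursively, and the path is shortened with `Convert-Path`. The function name `Get-FolderAccessMember` is hypothetical; the code assumes Windows PowerShell 5.1 with the LocalAccounts module and uses the ActiveDirectory module only if it is installed.

```powershell
#Requires -Version 5.1
# Added example, not the poster's code. Get-FolderAccessMember is a hypothetical name.
# Assumes Windows with the LocalAccounts module; ActiveDirectory (RSAT) is optional.
function Get-FolderAccessMember {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $hasAD   = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

    foreach ($folder in Get-ChildItem -LiteralPath $Path -Directory) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            $members = @()
            try {
                $sid = $ace.IdentityReference.Translate($sidType)
                if ($sid.Value -like 'S-1-5-32-*') {
                    # BUILTIN\* groups are local to this machine, not AD objects.
                    $members = @(Get-LocalGroupMember -SID $sid -ErrorAction Stop |
                        ForEach-Object Name)
                }
                elseif ($hasAD -and $sid.Value -like 'S-1-5-21-*') {
                    $adObject = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'"
                    if ($adObject.ObjectClass -eq 'group') {
                        # -Recursive flattens nested groups down to leaf accounts.
                        $members = @(Get-ADGroupMember -Identity $sid.Value -Recursive |
                            ForEach-Object SamAccountName)
                    }
                }
            }
            catch {
                Write-Warning "Could not expand $($ace.IdentityReference): $_"
            }
            if ($members.Count -eq 0) { $members = @('') }  # keep the ACE row itself
            foreach ($member in $members) {
                [pscustomobject]@{
                    Path              = Convert-Path -LiteralPath $acl.Path
                    IdentityReference = $ace.IdentityReference.Value
                    Rights            = $ace.FileSystemRights
                    AccessControlType = $ace.AccessControlType
                    IsInherited       = $ace.IsInherited
                    Member            = $member
                }
            }
        }
    }
}
# Usage: Get-FolderAccessMember -Path 'C:\Test' | Export-Csv 'C:\Test.csv' -NoTypeInformation
```

Well-known principals such as `NT AUTHORITY\SYSTEM` and local (non-BUILTIN) groups are reported as a single row with an empty `Member` column rather than expanded.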