I am looking into recreating the same results as the Get-NTFSEffectiveAccess cmdlet provided in the NTFSSecurity module. Unfortunately, I need to re-invent the wheel using just PowerShell (as it's the only thing I know).
For the most part, I feel like I'm on the right track with my code:
```powershell
$Path = "\\MyFile\Share\Path"
$User = 'Abe'
$ADUC = @(Get-ADUser -Identity $User -Properties DisplayName)
$ACL = Get-Acl -Path $Path
# Identities named on the ACL, minus BUILTIN entries, with the domain prefix stripped
$Groups = $ACL.Access.IdentityReference.Where{$_ -notmatch "BUILTIN"} -replace "AREA52\\",""
foreach ($Group in $Groups) {
    # Checks direct members of the group only; nested membership is not followed
    if ($ADUC.DistinguishedName -in $((Get-ADGroup -Identity $Group -Properties members).members)) {
        # Emit every ACE that names this group, tagged with the user and the group
        [array]$ACL.Access.Where{ $_.IdentityReference -match $Group } |
            Select-Object -Property @{
                Name = 'DisplayName';
                Expression = {
                    $ADUC.DisplayName
                }
            },@{
                Name = 'GroupName';
                Expression = {
                    $Group
                }
            }, FileSystemRights, AccessControlType
    }
    else {
        #$ADUC.DisplayName + " not in " + $Group
    }
}
```
...but I am stuck. Stuck in regards to what the logic should be. So I'm trying to do the following:

Compare the groups that the user is in, to one another, to determine what actual rights they have.
- The biggest issue is probably this. We manage folder permissions by groups, and do not add the users directly to the folder with specific rights.

I am also trying to list if the group's (user's) permission applies to the current folder, or to the sub-directories as well.
- Just like the output of Get-NTFSEffectiveAccess.

Example:

```
Account  Access Rights  Applies to                    Type   IsInherited  Group
-------  -------------  ----------                    ----   -----------  -----
Abraham  Read           ThisFolderSubfoldersAndFiles  Allow  False        Grp1
Jrose    Read           ThisFolderSubfoldersAndFiles  Allow  False        Grp1
```

QUESTION: Is there a certain way I could compare the groups the user is in to one another, and get the dominant access to that folder, like in the Windows Effective Permissions function?

Reasons on why I'd like to re-invent the wheel:
- The environment I work in is very strict on modules that are installed on computers and, unfortunately, the NTFSSecurity module is not allowed.
- Why not? Trying to become more edumecated :)

Been googling and looking at articles all day, with one question on Experts Exchange that had a similar question, but... I'm not going to pay for that. haha

Would like to mention that this isn't a task, but a problem, as I just can't understand the proper logic to go by here to get this done. Mentioned both my goals, but only asked for assistance with one problem as it may come off as unfair.
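
An added example, not part of the original post and not code from the NTFSSecurity module: one way to combine the ACEs of every group a user belongs to is to walk the ACL in its stored order, accumulating allowed and denied bits, and to skip ACEs that only propagate to children. The function name `Get-EffectiveRights`, the group names and the sample ACEs are constructed; it assumes the caller supplies the account plus all of its groups (nested ones included), and it does not consider share permissions or owner rights.

```powershell
# Added example. AREA52\Grp1, AREA52\Grp2 and the ACEs below are constructed sample data.
function Get-EffectiveRights {
    param(
        [Parameter(Mandatory)] $Aces,                   # FileSystemAccessRule objects, in ACL order
        [Parameter(Mandatory)] [string[]] $Identities   # the account plus all its groups, as DOMAIN\name
    )
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $granted = 0   # access-mask bits allowed so far
    $denied  = 0   # access-mask bits denied so far
    foreach ($ace in $Aces) {
        # Skip ACEs for other principals, and ACEs that apply to children only.
        if ($ace.IdentityReference.Value -notin $Identities) { continue }
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') {
            # An allow ACE grants only the bits that no earlier ACE has denied.
            $granted = $granted -bor ($mask -band (-bnot $denied))
        }
        else {
            # A deny ACE removes only the bits that no earlier ACE has granted.
            $denied = $denied -bor ($mask -band (-bnot $granted))
        }
    }
    [pscustomobject]@{
        Effective = [System.Security.AccessControl.FileSystemRights]$granted
        Denied    = [System.Security.AccessControl.FileSystemRights]$denied
    }
}

# Constructed ACL in canonical order (deny before allow). Abe is assumed to be in both groups.
$rule = 'System.Security.AccessControl.FileSystemAccessRule'
$both = 'ContainerInherit,ObjectInherit'
$sampleAces = @(
    New-Object $rule -ArgumentList 'AREA52\Grp2', 'Write', $both, 'None', 'Deny'
    New-Object $rule -ArgumentList 'AREA52\Grp1', 'Modify', $both, 'None', 'Allow'
    New-Object $rule -ArgumentList 'AREA52\Grp1', 'FullControl', $both, 'InheritOnly', 'Allow'
    New-Object $rule -ArgumentList 'AREA52\Other', 'FullControl', $both, 'None', 'Allow'
)
Get-EffectiveRights -Aces $sampleAces -Identities 'AREA52\Abe', 'AREA52\Grp1', 'AREA52\Grp2'

# Against a real folder, with $ids built by the caller (for example from Active Directory):
# Get-EffectiveRights -Aces (Get-Acl -Path $Path).Access -Identities $ids
```

Because the walk follows ACL order, an explicit allow that precedes an inherited deny still wins, which a plain "OR the allows, subtract the denies" calculation would get wrong.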