Check if an Object is a User or Group

by TomKemp at 2012-12-10 08:25:54

I am sure this is something very simple but I just cannot work out how to do it.

I am running a script which finds the list of Groups which grant access to specific folders.
Some of the ACL entries relate to Groups and some to rights being granted specifically to a User.

I need to identify if the output is a Group or a User.

So something like:


If ($ObjectFound = ‘User’) then
{Do appropriate action for a User}
else
{Do appropriate action for a Group}


I know that is not the correct syntax, it is just a sort of pseudocode for what I need to do.

Can anyone help please? This is driving me nuts. Either I get a valid answer but this then means all subsequent tests also give a True result when they should not, or it doesn’t separate the two types at all.

I am using the ActiveDirectory module but I have the QAD module if required.

by kittH at 2012-12-10 10:06:46

What command are you using to generate the list of objects? The parameter is going to depend on exactly what information is being returned.

For example, if you were using Get-QADObject to generate a list, you would use the "Type" property.

If ($Object.Type -eq 'User'){do-thing}
ElseIf ($Object.Type -eq 'Group'){do-otherthing}

by TomKemp at 2012-12-11 01:22:53

The part of the script I am using is this:


$CurrentRightsTable=(get-acl $DirPath).GetAccessRules($true,$true,[System.Security.Principal.NTAccount])

FOREACH ($RightsAssignment in $CurrentRightsTable)
{
    $LongGroupName=$Rightsassignment.IdentityReference
    $UserRights=$Rightsassignment.FileSystemRights
    $UserAccessControllType=$Rightsassignment.AccessControlType
    $UserAccessControlInheritance=$Rightsassignment.IsInherited
    $UserAccessControlInheritanceFlag=$Rightsassignment.InheritanceFlags
    $UserAccessControlPropogateFlag=$Rightsassignment.PropagationFlags

    $Groupname="$LongGroupname".replace("WCC-CORP","")
}


Once I have this I want to test whether $Groupname is actually a group or a user - so I can either lookup the members of the group or report the user details directly if there are rights assigned directly to a user.


I have tried this:


if($Groupname.type -eq 'User'){Write-Host "User"}
elseif($Groupname.type -eq 'Group'){Write-Host "Group"}


This does not seem to work. I know that some of the results are groups and some are users. However, neither of these tests results in any output, so I assume both are testing as 'false'.

by kittH at 2012-12-11 10:11:47

It looks like you're just getting a string back that is the name of a group or user; you are not returning them as objects that have other properties.

You will need to perform another step to turn the name you have into an AD object.

I would do something more like:

$dirpath = "C:\users\kholland\desktop\ARC-1160"
$CurrentRightsTable=(get-acl $DirPath).GetAccessRules($true,$true,[System.Security.Principal.NTAccount])

FOREACH ($RightsAssignment in $CurrentRightsTable)
{
    $LongGroupName=$Rightsassignment.IdentityReference
    $UserRights=$Rightsassignment.FileSystemRights
    $UserAccessControllType=$Rightsassignment.AccessControlType
    $UserAccessControlInheritance=$Rightsassignment.IsInherited
    $UserAccessControlInheritanceFlag=$Rightsassignment.InheritanceFlags
    $UserAccessControlPropogateFlag=$Rightsassignment.PropagationFlags

    # Turn the account name string into an AD object (Quest QAD cmdlets) so its type can be read
    $ADobject = Get-QADObject ($LongGroupName | select -ExpandProperty value)
    $Groupname = $ADObject.Name
    $ObjectType= $ADObject.Type
}


You can then do any processing you need based on the $ObjectType variable.

by RichardSiddaway at 2012-12-11 13:45:15

You need to filter out any local groups or users before passing to Get-QADObject, otherwise you are going to get a lot of errors.
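
The following is an added example, not code from any poster in this thread. It combines the two suggestions above using the ActiveDirectory module the original poster mentions: ACL entries are requested as SIDs, anything whose SID does not belong to the current domain (local accounts, BUILTIN, NT AUTHORITY) is skipped before the directory lookup, and the rest are classified by ObjectClass. The folder path and the report column names are placeholders, and a domain-joined session is assumed.

```powershell
# Added example. Assumes the ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$DirPath   = 'D:\Shares\Example'               # placeholder path
$DomainSid = (Get-ADDomain).DomainSID.Value    # SID prefix shared by every account in this domain

# Request SIDs instead of NTAccount names, so no trimming of a domain prefix is needed
$Rules = (Get-Acl -Path $DirPath).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$Report = foreach ($Rule in $Rules) {
    $Sid = $Rule.IdentityReference

    # Friendly name for the report; an orphaned SID cannot be translated
    try   { $Name = $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Name = $Sid.Value }

    $Type    = 'NotInThisDomain'   # local accounts, BUILTIN\*, NT AUTHORITY\*, other domains
    $Members = $null

    # AccountDomainSid is $null for well-known SIDs and differs for local machine accounts
    if ($Sid.AccountDomainSid -and $Sid.AccountDomainSid.Value -eq $DomainSid) {
        $AdObject = Get-ADObject -Filter "objectSid -eq '$($Sid.Value)'"
        if ($AdObject) {
            $Type = $AdObject.ObjectClass      # 'user', 'group', 'computer', ...
            if ($Type -eq 'group') {
                $Members = (Get-ADGroupMember -Identity $Sid.Value |
                            Select-Object -ExpandProperty SamAccountName) -join ', '
            }
        } else {
            $Type = 'Unresolved'               # domain SID with no matching object (deleted account)
        }
    }

    [pscustomobject]@{
        Identity  = $Name
        Type      = $Type
        Rights    = $Rule.FileSystemRights
        Access    = $Rule.AccessControlType
        Inherited = $Rule.IsInherited
        Members   = $Members
    }
}

$Report | Format-Table -AutoSize
```

Rows typed 'user' are direct grants to an individual account, and 'Unresolved' rows are ACL entries left behind by deleted accounts; both are worth reviewing in a permissions audit.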