error handling during get-acl access denied

Hi Guys,

I am trying to query for a list of users/groups having access to some shared location. However, in some folders even administrator doesn't have permission, so the script I have come up with will skip those files/folders, but I am not sure why it's not logging to error.log. Any idea?

$success = @()
$failed = @()

gci $vStartingPath -recurse |
foreach-object {
    if (get-acl $_.fullname) {
        $success += get-acl $_.fullname | select pschildname, pspath, accesstostring
    }
    else { $failed += "Failed to get ACL on $($_.fullname)" }
}

$success | export-csv "C:\WINDOWS\system32\WindowsPowerShell\v1.0\vHope.csv"
$failed | out-file error.log

Look through “The Big Book of PowerShell Error Handling” (Resources menu, eBooks item) here for information on how to handle errors in script.

# Export ACLs to csv and errors to txt file
Get-ChildItem $vStartingPath -Recurse -ErrorAction SilentlyContinue -ErrorVariable +failederrors | ForEach-Object {Get-acl -Path $_.FullName | 
Select-Object pschildname,pspath,accesstostring} | Export-Csv .\ACL.csv -NoTypeInformation
$failederrors.exception | out-file .\failederrors.txt
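
An added example, not part of any post in this thread: in the command above, -ErrorVariable is attached to Get-ChildItem, so it collects enumeration errors; this sketch also catches Get-Acl failures per item and writes both kinds, with the failing path, to one CSV for review. The function name Export-AclReport, its parameters and the output file names are assumptions made for the example.

```powershell
# Added example (assumed names): export ACLs and log every access failure.
function Export-AclReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Path,      # root to audit, e.g. $vStartingPath
        [string]$AclCsv   = '.\ACL.csv',           # assumed output file
        [string]$ErrorCsv = '.\AclErrors.csv'      # assumed output file
    )

    $failures   = New-Object 'System.Collections.Generic.List[object]'
    $enumErrors = @()

    # Folders that cannot be listed raise non-terminating errors from
    # Get-ChildItem; -ErrorVariable collects them instead of losing them.
    Get-ChildItem -LiteralPath $Path -Recurse -Force `
            -ErrorAction SilentlyContinue -ErrorVariable enumErrors |
        ForEach-Object {
            $item = $_   # keep the item; inside catch, $_ is the error record
            try {
                # -ErrorAction Stop makes a Get-Acl failure catchable.
                Get-Acl -LiteralPath $item.FullName -ErrorAction Stop |
                    Select-Object PSChildName, PSPath, AccessToString
            }
            catch {
                $failures.Add([pscustomobject]@{
                    Stage   = 'Get-Acl'
                    Path    = $item.FullName
                    Message = $_.Exception.Message
                })
            }
        } | Export-Csv -Path $AclCsv -NoTypeInformation

    # Add the enumeration failures; TargetObject holds the path that was denied.
    foreach ($e in $enumErrors) {
        $failures.Add([pscustomobject]@{
            Stage   = 'Get-ChildItem'
            Path    = $e.TargetObject
            Message = $e.Exception.Message
        })
    }

    $failures | Export-Csv -Path $ErrorCsv -NoTypeInformation

    # Summary object so a caller can alert on unreadable paths.
    [pscustomobject]@{ Root = $Path; FailedPaths = $failures.Count }
}

# Usage: Export-AclReport -Path $vStartingPath
```

A non-zero FailedPaths count means the exported ACL list is incomplete for that share, which matters when the CSV is used as evidence of who has access.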

If you want to take a different approach, you might try to get version 4.0 of the PowerShell Access Control Module (source available here).

One of the features it offers is enabling the SeBackupPrivilege, which will let you completely ignore the DACLs on the files and folders that are giving you trouble (of course you have to have been granted that privilege, which is usually only for admins and/or backup operators). An example of using it to export all of the ACEs for your $vStartingPath location would look like this:

gci $vStartingPath -Recurse | 
    Get-PacAccessControlEntry -PacSDOption (New-PacSDOption -BypassAclCheck) | 
    Export-Csv c:\powershell\permissions.csv -NoTypeInformation