Ok , I have pieced together the following script but I am not getting any output
the goal of this script is to take input (username, and base folder path), then check all folders in the directory path - recursively looking for folders that the user has access to
I want to then output the listing of folders and access to the screen (eventually we will redirect this to a file, but I need to see it working on the screen first)
I also need to expand this script to also look for any groups that the user may be a member of…
any help would be greatly appreciated ( I will admit some of this code comes from the internet)
This script will pull back the folders that a specific user has access to
Written by
Initial coding - 2014-09
#Get base folder path
$basefolder = read-host “Enter Directory Tree Starting Point (script is recursive)” #Get username
$usertocheck = read-host “Enter The Username To Check For Access (Do Not Include Domain Name)”
Are you only looking for folders that the user has been directly granted access to, or are you interested in permissions granted via group memberships as well? Your code currently looks more like the former, looking only for access entries applied directly to the user.
However, your main problems are that right now you’ve commented out your foreach ($acl in $acls) line (which is the only place the $acl variable is set), and you’re also comparing the raw user input ($usertocheck) to IdentityReference.Value properties, which may not be very reliable. You’d be better off doing some form of validation on the user input (ideally, translating it to a SID, which would guarantee that the user has entered a valid input), and then making sure that the IdentityReference you’re comparing it to is also translated to a SID. For example, something along these lines might be closer to what you’re trying to accomplish:
$basefolder = read-host "Enter Directory Tree Starting Point (script is recursive)"
$usertocheck = read-host "Enter The Username To Check For Access"
$ntaccount = [System.Security.Principal.NTAccount]$usertocheck
try
{
$sid = $ntaccount.Translate([System.Security.Principal.SecurityIdentifier])
}
catch
{
throw "Could not resolve $usertocheck to a SID: $($_.Exception.Message)"
}
$folders = get-childitem $basefolder -recurse -directory |foreach-object {$_.fullname}
$acls = get-acl -path $folders
$i = 0
foreach ($acl in $acls)
{
$folder = (convert-path $acl.pspath)
Write-Progress -Activity "Getting Security" -Status "checking $folder" -PercentComplete ($i/ $folders.count*100)
foreach($access in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]))
{
if ($access.IdentityReference.Value -eq $sid.Value)
{
[pscustomobject] @{
Folder = $folder
User = $ntaccount.Value
Mode = $access.AccessControlType
}
}
}
$i++
}
Write-Progress -Activity "Getting Security" -Completed
the original script I started with would only look for explicit permissions, I am interested in both explicit and permissions granted via groups.
thanks for the quick response, and advice on checking the input
And thanks for catching my basic mistake
Ill update my code and test it again.
Once you start getting into territory of dealing with nested group memberships and consolidating multiple ACEs to figure out effective permissions, the code can get a bit complex. While it’s certainly possible to write a script to do all of that if you want to, you’d be kind of reinventing the wheel. In your shoes, I’d start looking at existing utilities for this sort of analysis, such as AccessChk from the SysInternals suite.
The PowerShell Access Control module will check effective access for a specified user (or users). If you’re interested, try this and see if it provides part of what you’re looking for:
dir c:\FolderName -Recurse -Directory | Get-EffectiveAccess -Principal UserName