Hello
Does anybody have a script that gets the folder permissions of a directory and shows not only the usernames and groups with their user rights, but also the members of the groups with usernames?
Thanks Andreas
This forum is for scripting questions rather than script requests. We do not write customized, ready-to-use scripts or solutions on request.
We actually expect you to make your own attempt in the first place to get your task done or to solve your problem. If you have done so already, please document here what exactly you have done and show your code. Then we might be able to help you a step further.
As for the "users inside groups" part of the request, one hint I would have is to make a function that looks at the members and, if there is a group, the function can call itself to evaluate the members of that group. That way it acts as a recursive member lookup.
Get-ChildItem + Get-Acl are your friends
What I have until now is this function. It works, but it only shows me the user IDs from the first group. All other groups that have access rights are ignored, and I don’t know why.
function GetAccessRights_withUser-ID
{
    Clear-Host
    write-host "Ermittle die Verzeichnisrechte eines Verzeichnisses"
    write-host "---------------------------------------------------"
    write-host ""
    write-host "Das Ergebnis wird mit Angabe der User-IDs und der Rechte angezeigt."
    write-host ""
    $Verzeichnis = read-host "Wie heisst das Verzeichnis"
    write-host ""

    # $Dateiname, $NotepadPfad and StartMenue come from the surrounding script; if they are
    # not set, fall back to the folder name and the default Notepad++ path so the function runs on its own.
    if (-not $Dateiname)   { $Dateiname   = Split-Path -Leaf $Verzeichnis }
    if (-not $NotepadPfad) { $NotepadPfad = 'C:\Program Files\Notepad++\notepad++.exe' }

    # Build the export path before it is mentioned in the status message below
    # (in the original order $ExportDatei was still empty when it was printed).
    $aktuellerScriptpfad = Split-Path -Parent $PSCommandPath
    $ExportDatei = Join-Path $aktuellerScriptpfad ('Results\' + $Dateiname + '_Rechte.txt')
    $Results = @()

    write-host "... ermittle die Rechte für das Verzeichnis"
    write-host "... Das Ergebnis wird auch in $ExportDatei abgespeichert."
    write-host ""
    Write-Verbose "$(Get-Date): Script begins!"
    Write-Verbose "Getting domain name..."
    $Domain = (Get-ADDomain).NetBIOSName
    #$Results += 'Ermittle Verzeichnisrechte'
    #$Results += $Verzeichnis

    Write-host "... ermittle ACLs für Verzeichnis $Verzeichnis"
    $Folders = Get-Item -Path $Verzeichnis | Where-Object { $_.PSIsContainer }
    Write-Verbose "Gathering ACL's for $($Folders.Count) folders..."
    ForEach ($Folder in $Folders)
    {
        Write-Verbose "Working on $($Folder.FullName)..."
        $ACLs = Get-Acl $Folder.FullName | ForEach-Object { $_.Access }
        ForEach ($ACL in $ACLs)
        {
            If ($ACL.IdentityReference -match "\\")
            {
                # DOMAIN\name entries are resolved through AD only for the local domain
                If ($ACL.IdentityReference.Value.Split("\")[0].ToUpper() -eq $Domain.ToUpper())
                {
                    $Name = $ACL.IdentityReference.Value.Split("\")[1]
                    If ((Get-ADObject -Filter 'SamAccountName -eq $Name').ObjectClass -eq "group")
                    {
                        # Get-ADGroupMember -Recursive raises an ADException for groups that
                        # contain members from other domains (see the follow-up post below);
                        # such groups therefore produce no rows here.
                        ForEach ($User in (Get-ADGroupMember $Name -Recursive | Select-Object -ExpandProperty Name))
                        {
                            write-host "User = $($User) Gruppe = $($Name) "
                            $Result = New-Object PSObject -Property @{
                                Path              = $Folder.FullName
                                Group             = $Name
                                User              = $User
                                FileSystemRights  = $ACL.FileSystemRights
                                AccessControlType = $ACL.AccessControlType
                                Inherited         = $ACL.IsInherited
                            }
                            write-host "Result = ($($Result))"
                            $Results += ($Result | Select-Object Path,User,FileSystemRights)
                            write-host "Results = $Results"
                        }
                    }
                    Else
                    {
                        # A single user of the local domain
                        $Result = New-Object PSObject -Property @{
                            Path              = $Folder.FullName
                            Group             = ""
                            User              = Get-ADUser $Name | Select-Object -ExpandProperty Name
                            FileSystemRights  = $ACL.FileSystemRights
                            AccessControlType = $ACL.AccessControlType
                            Inherited         = $ACL.IsInherited
                        }
                        $Results += ($Result | Select-Object Path,User,FileSystemRights)
                    }
                }
                Else
                {
                    # BUILTIN, NT AUTHORITY or another domain: reported as-is, not resolved
                    $Result = New-Object PSObject -Property @{
                        Path              = $Folder.FullName
                        Group             = ""
                        User              = $ACL.IdentityReference.Value
                        FileSystemRights  = $ACL.FileSystemRights
                        AccessControlType = $ACL.AccessControlType
                        Inherited         = $ACL.IsInherited
                    }
                    $Result | Select-Object Path,Group,User,FileSystemRights,AccessControlType,Inherited
                    $Results += ($Result | Select-Object Path,User,FileSystemRights)
                }
            }
        }
    }

    $Results | Out-File $ExportDatei
    if (Test-Path $NotepadPfad) { & $NotepadPfad $ExportDatei }
    write-host ""
    $Eingabe = read-host "Zurück zum Startmenü mit Enter"
    if ($Eingabe -eq '') { StartMenue }
} # End of function GetAccessRights_withUser-ID
I just found out why the other groups are ignored. I did not see that there was a NotSpecified: … [Get-ADGroupMember], ADException.
And this exception occurs (according to this source: Fail to run Get-ADGroupMember for domain local group - Windows Server | Microsoft Learn) because these AD groups contain members from different domains.
Any help how I can solve this problem getting members from different domains?
If it’s a different domain (assuming here the same forest, but there is a trust?), you would need to locate the domain controllers and then query one of them for the groups.
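Putting the two hints from this thread together (the self-calling member lookup suggested earlier, and querying a domain controller of the member's own domain for cross-domain members), here is an added example; it is not code from the original poster or from any of the replies. It reads the raw `Member` attribute with `Get-ADGroup` instead of `Get-ADGroupMember -Recursive`, so domain local groups holding foreign security principals no longer abort the lookup, and it tracks visited groups so circular nesting cannot recurse forever. It assumes the ActiveDirectory module, trusts to the other domains, and that the `DC=` components of a distinguished name spell the DNS name of the object's domain; the function names, the sample path `D:\Shares\Finance` and the identity `CONTOSO\FileAdmins` in the comments are constructed for the example.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread): list a folder's ACL and expand every AD group in it
# to its user members, following nested groups recursively and querying a DC of the
# member's own domain when the member lives in another trusted domain.

function Get-DomainFromDN {
    # "CN=x,OU=y,DC=corp,DC=example,DC=com" -> "corp.example.com"
    param([Parameter(Mandatory)][string]$DistinguishedName)
    ($DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }) -join '.'
}

function Find-DomainController {
    # Discover one DC for a domain given by DNS or NetBIOS name; $null when there is none
    # (BUILTIN, NT AUTHORITY, an untrusted domain), so callers can skip such identities.
    param([Parameter(Mandatory)][string]$DomainName)
    try {
        (Get-ADDomainController -Discover -DomainName $DomainName -ErrorAction Stop).HostName |
            Select-Object -First 1
    } catch { $null }
}

function Resolve-GroupMembers {
    # Emit "domain.dns\sAMAccountName" for every user in the group, recursing into nested
    # groups. $Seen is shared across the recursion and prevents loops on circular nesting.
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [hashtable]$Seen = @{}
    )
    if ($Seen.ContainsKey($GroupDN)) { return }
    $Seen[$GroupDN] = $true
    $groupDC = Find-DomainController (Get-DomainFromDN $GroupDN)
    if (-not $groupDC) { return }
    # Read the Member attribute directly: Get-ADGroupMember -Recursive fails on domain
    # local groups that contain foreign security principals (the ADException in the thread).
    $group = Get-ADGroup -Identity $GroupDN -Server $groupDC -Properties Member
    foreach ($memberDN in $group.Member) {
        $memberDC = Find-DomainController (Get-DomainFromDN $memberDN)
        if (-not $memberDC) { continue }
        $member = Get-ADObject -Identity $memberDN -Server $memberDC -Properties objectClass, objectSid, sAMAccountName
        if ($member.ObjectClass -eq 'foreignSecurityPrincipal') {
            # Only a SID stub is stored locally: translate it to DOMAIN\name, locate a DC
            # of that domain and fetch the real object there.
            $sid = [System.Security.Principal.SecurityIdentifier]$member.objectSid
            try { $ntAccount = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { continue }   # unmapped SID (deleted account or no trust)
            $foreignDC = Find-DomainController ($ntAccount.Split('\')[0])
            if (-not $foreignDC) { continue }
            $member = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'" -Server $foreignDC -Properties objectClass, sAMAccountName
        }
        switch ($member.ObjectClass) {
            'group' { Resolve-GroupMembers -GroupDN $member.DistinguishedName -Seen $Seen }
            'user'  { "$(Get-DomainFromDN $member.DistinguishedName)\$($member.sAMAccountName)" }
            default { }   # computers, contacts etc. are not part of the report
        }
    }
}

function Get-FolderAccessReport {
    # One row per (ACE, user): groups are expanded, all other identities are reported as-is.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $identity = $ace.IdentityReference.Value          # e.g. CONTOSO\FileAdmins (constructed)
        $row = @{ Path = $Path; Identity = $identity; Rights = $ace.FileSystemRights
                  Type = $ace.AccessControlType; Inherited = $ace.IsInherited }
        $users = $null
        if ($identity -match '^([^\\]+)\\(.+)$') {
            $netbios, $sam = $Matches[1], $Matches[2]
            # Any NetBIOS-prefixed principal, local or trusted domain: ask a DC of that
            # domain whether the account is a group.
            $dc = Find-DomainController $netbios
            if ($dc) {
                $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Server $dc
                if ($obj.ObjectClass -eq 'group') {
                    $users = @(Resolve-GroupMembers -GroupDN $obj.DistinguishedName)
                }
            }
        }
        if ($users) {
            foreach ($u in $users) { [pscustomobject]($row + @{ Group = $identity; User = $u }) }
        } else {
            [pscustomobject]($row + @{ Group = ''; User = $identity })
        }
    }
}

# Usage (constructed path):
# Get-FolderAccessReport -Path 'D:\Shares\Finance' |
#     Export-Csv -Path '.\Finance_Rights.csv' -NoTypeInformation
```

Two design points matter for an access review: the report keeps the group each user came from, so an over-permissive entry can be traced back to the group that granted it, and identities that cannot be resolved (well-known SIDs, accounts from domains without a trust) are still emitted as rows rather than silently dropped, which is the failure mode the original function ran into.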