I’m trying to find a way to use PowerShell to scan the file server and show me where every instance of this certain Active Directory group is.
Something like this?
Get-ADGroup -Identity 'Your Ad-Group' -Properties * | Select-Object -Property Name,CanonicalName,DistinguishedName
I think he means where the group is used in the file ACLs. You should be able to google "powershell ad group where used" and find a number of solutions.
Yeah, this is unfortunately really hard. You’re going to have to use Get-Acl against literally every file and folder on the server, and only keep the ones where your intended group exists. Windows isn’t well-designed for this task.
Here is a script I created to fetch the ACL from one folder. If you turn it into a function, you can then list all your folders with get-childitem -recurse -directory and call the newly created function for each folder.

$folder = "c:\temp"
# CSV file name derived from the folder path, e.g. c:\temp -> c_temp.csv
$csv = "$($folder.replace('\','_').replace(':','').replace(' ','')).csv"
$collection = New-Object System.Collections.Generic.List[System.Object]
$PermCollection = New-Object System.Collections.Generic.List[System.Object]

# Collect every ACE on the folder as "identity;rights"
foreach ($access in (Get-Acl $folder).Access) {
    $filerights = $access.FileSystemRights.ToString()
    $inheritanceFlg = $access.InheritanceFlags.ToString()
    if ($inheritanceFlg -eq 'ContainerInherit') {
        $filerights = $filerights.replace('ReadAndExecute','ListDirectory')
    }
    $output = $access.IdentityReference.ToString() + ';' + $filerights
    $collection.add($output)
}

# Only keep domain identities (replace MYDOM with your NetBIOS domain name)
$col = $collection | where { $_ -like "MYDOM*" }
foreach ($c in $col) {
    $ADOC = $c.split(";")[0].split("\")[1]
    $ADOACL = $($c.split(";")[1]) -replace ", Synchronize",""
    $ADO = get-adobject -filter {CN -eq $ADOC}
    if ($ADO.objectClass -eq "user") {
        # write-output "$($ADO.name) $($ado.objectClass) $ADOACL"
        # DistinguishedName is used as the identity because Name is not always the sAMAccountName
        $obj = Get-ADUser -Identity $ADO.DistinguishedName -prop * |
            select samaccountname,givenname,surname,enabled,lastlogondate,
                   @{Expression={"MappedUser"};Label="PermissionGroup"},
                   @{Expression={$ADOACL};Label="Permission"}
        $permCollection.add($obj)
    }
    if ($ADO.objectClass -eq "group") {
        # write-output "$($ADO.name) $($ado.objectClass) $ADOACL"
        # Expand the group recursively so every member user is listed with the group's rights
        Get-ADGroupMember -Identity $ADO.DistinguishedName -Recursive | Get-ADUser -prop * |
            select samaccountname,givenname,surname,enabled,lastlogondate,
                   @{Expression={$($ADO.name)};Label="PermissionGroup"},
                   @{Expression={$ADOACL};Label="Permission"} |
            foreach { $permCollection.add($_) }
    }
}

# Write the expanded user list, then append the raw folder ACL below it
$permCollection | export-csv $csv -notypeinformation -encoding "UTF8" -Delimiter ";"
"" | out-file $csv -Append
"Exact Folder ACL" | out-file $csv -Append
$collection | out-file $csv -Append
I've run this only once. I need to test it out a little more and then wrap it in a function.

$RootFolder = "C:\path"
$identity = "domain\groupname"

#Look root folder ACL
$FolderCollection = New-Object System.Collections.Generic.List[System.Object]
$Folder = $RootFolder
foreach ($access in (Get-Acl $Folder).Access) {
    $filerights = $access.FileSystemRights.ToString()
    $inheritanceFlg = $access.InheritanceFlags.ToString()
    if ($inheritanceFlg -eq 'ContainerInherit') {
        $filerights = $filerights.replace('ReadAndExecute','ListDirectory')
    } #If
    if ($($access.IdentityReference.ToString()) -like "$identity") {
        $objProp = [ordered]@{
            folder      = $Folder
            group       = $access.IdentityReference.ToString()
            Permission  = $filerights
            inheritance = $access.IsInherited
        }
        $CollectionObject = New-Object -TypeName PSObject -Property $objProp
        $FolderCollection.add($CollectionObject)
    } #If
} #foreach($access in (Get-Acl $Folder).Access)

#Go through all sub directories and take only non inherited permissions
Get-ChildItem -Path $RootFolder -Directory -Recurse | foreach {
    $Folder = $_.FullName
    foreach ($access in (Get-Acl $Folder).Access) {
        if ($($access.IsInherited) -eq $false) {
            $filerights = $access.FileSystemRights.ToString()
            $inheritanceFlg = $access.InheritanceFlags.ToString()
            if ($inheritanceFlg -eq 'ContainerInherit') {
                $filerights = $filerights.replace('ReadAndExecute','ListDirectory')
            } #If
            if ($($access.IdentityReference.ToString()) -like "$identity") {
                $objProp = [ordered]@{
                    folder      = $Folder
                    group       = $access.IdentityReference.ToString()
                    Permission  = $filerights
                    inheritance = $access.IsInherited
                }
                $CollectionObject = New-Object -TypeName PSObject -Property $objProp
                $FolderCollection.add($CollectionObject)
            } #If
        } #If
    } #foreach($access in (Get-Acl $Folder).Access)
} #Get-ChildItem -Path $RootFolder -Directory -Recurse

$FolderCollection
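As an added example (not code from any poster in this thread), the same Get-Acl walk from the earlier answers wrapped in a function that also covers files, not just directories, matches the group by SID rather than by display name (so renamed or orphaned "S-1-5-21-..." entries still match), reports Deny entries alongside Allow, and keeps going when a path cannot be read. The function name, parameter names and the paths in the usage line are made up for this example.

```powershell
# Added example: report every ACE on a tree that names a given AD group.
# Find-GroupInAcl, -RootPath and -GroupName are hypothetical names chosen here.
function Find-GroupInAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RootPath,
        [Parameter(Mandatory)] [string] $GroupName,   # e.g. 'DOMAIN\Finance-RW'
        [switch] $IncludeInherited                    # default: explicit ACEs only
    )

    # Resolve the group to its SID once; ACEs are compared by SID below so that
    # unresolved or renamed identities are still found.
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Root item first, then every file and folder beneath it. Unreadable
    # directories are skipped by Get-ChildItem instead of aborting the scan.
    foreach ($item in $(Get-Item -LiteralPath $RootPath
                        Get-ChildItem -LiteralPath $RootPath -Recurse -Force -ErrorAction SilentlyContinue)) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL on $($item.FullName): $($_.Exception.Message)"
            continue
        }

        # GetAccessRules(includeExplicit, includeInherited, targetType): ask for SIDs.
        $rules = $acl.GetAccessRules($true, $IncludeInherited.IsPresent,
                                     [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.IdentityReference.Value -ne $sid.Value) { continue }
            [pscustomobject]@{
                Path        = $item.FullName
                IsContainer = $item.PSIsContainer
                Type        = $ace.AccessControlType     # Allow or Deny
                Rights      = $ace.FileSystemRights
                Inherited   = $ace.IsInherited
                Inheritance = $ace.InheritanceFlags
                Propagation = $ace.PropagationFlags
            }
        }
    }
}

# Usage (placeholder share and group):
# Find-GroupInAcl -RootPath 'D:\Shares\Finance' -GroupName 'DOMAIN\Finance-RW' |
#     Export-Csv .\finance-rw-acl-usage.csv -NoTypeInformation
```

Reporting only explicit ACEs by default keeps the output to the places where the group was actually granted or denied something; add -IncludeInherited when you need the full effective picture, at the cost of one row per inheriting file. On a large share the file-level walk is the slow part, so a first pass with -Directory (as in the previous post) followed by a file-level pass only under the folders it flags is a reasonable compromise.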