How to Trim String?

New user to the forums here that I’ll be spending a lot of time on.

I’m looking for a way to separate string values in order to put them into a variable later on.

I would be using a Get-ACL command in conjunction with a formatting table to extract from an IdentityReference to acquire certain letters within a word

For example:
$var = (Get-Acl PSDrive).access | ft identityreference

I have tried using Substrings, ConverttingtoStrings, Indexing and other functions that aren’t available to me. I have no idea why some of them are unavailable to me as they seem to be basic parsing functions.

For Example :

Select-String : Cannot find path
‘PSDrive:\Microsoft.PowerShell.Commands.Internal.Format.FormatStartData’ because it does not exist.

Any help would be appreciated! Thank you and I hope to contribute to the community.

1 Like

Hello @anagy,
Try to use Select-Object -ExpandProperty IdentityReference instead of ft and then use your parsing functions.

$var = (Get-Acl PSDrive).access | Select-Object -ExpandProperty IdentityReference

Hope that helps.

thank you for the suggestion, i’ll try that now. Appreciate the help!

I was looking into Select-Object functions as well and it seemed that it got me close to the solution but never on point. I’ll let you know how it performs.

So I’ve gone ahead and input the command, however, I believe my output is having an issue being detected as String.

It seems that from using $var.IndexOf(‘M’) returns a value of -1 ( which means it cannot find any presence of the letter M in the output )

The output data has the letter M at the beginning of the output, what am I doing wrong?

Should I output this text to a file and then import it as string? Am I able to convert vasts outputs into string within a Powershell session?

For some reason I can’t use the TrimFirst command though I see other powershell users able to execute it with success? Any idea whats going on?

You should show your updated command that didn’t work.

…to extract from an IdentityReference, to acquire certain letters within a word…

@anagy - I took this to mean that you might be looking to work with the elements in an array, which is the output of ~.IdentityReference. Is this correct?

Demo code

# Assign property to an array.
[array]$x = ((Get-ACL).Access).IdentityReference.Value;

# Element access using an index value (0-indexed).
$y = $x[2]; $y

# Use array properties.

# Use match with regular expressions to find (or even extract from) elements.
$x -match "^NT";

# Lastly, a demo using Path parameter (duplicates can exist; check the Access property result set).
((Get-ACL -Path "A:\MyFileDirectory\index.html").Access).IdentityReference.Value;

Regex is useful and well supported in PowerShell, but its syntax is a little deep to wade into here. See About_regular_expressions and Groups captures and substitutions from the same article when you are ready to parse strings out of other strings.

My goal is to get the result of the IdentityReference parameter, which in my case ends up being multiple results of Domain\, Domain\, Domain\ Etc

Looking to cut out the “Domain\” section and put the rest of it into a variable that I can use to call on with Get-ADUser / Get-ADGroupMember.

It looks like your suggested code helps isolate the result of IdentityReference and pinpoint the use of the specified section using the element index.

I get lost at the y variable solution, however, any chance to clarify?


Certainly! My code isn’t a solution, yet were things with which to explore the data. The $y = $x[2]; $y statement was to show that an element of array x can be assigned to the variable y—the optional portion after the semicolon returns the value of y to the screen.

It appears that you are doing security audits—finding who has access to items in a file system and cross-checking that with Active Directory.

I work in a very large organization with a very deep AD forest; and working with the different domains can be tricky. Regex definitely helps as it is compact and speedy, albeit arcane. But, you don’t have to script a lot of code to perform robust actions on strings.

Draft as much accurate pseudo-code as you can (remove or replace all Business Sensitive information) that we all can review. Script it here in a markdown code block so it can be copied in the correct code format. Here’s a quick reference for more on that: Code Block with Syntax Highlighting.

Then, we’ll see what we get up to!

This could probably be turned into an array…##

$folders = @('PSDrive:\File1','PSDrive:\File2','PSDrive:\File3')
foreach ($folder in $folders) 


#shows the user the folder and their respective privs
write-Host $folder
(get-acl $folder).Access | Where-Object AccessControlType -eq Allow | ft identityreference,filesystemrights,accesscontroltype 

#the idea is if there is a result with the phrase Sec. or sec., we would want to retain that phrase and use it in a future variable
if ((get-acl $folder).Access |Where-Object IdentityReference -like "*Sec.*"){


###Stuff in development, I almost have the ADGroup and GroupMember fields ready, just waiting to dump a variable into it###
##$sec (get-acl $folder).Access | Where-Object IdentityReference -like "Sec.*" ##
#Get-ADGroup -Identity | ft GroupCategory, Name, SamAccountName, DistinguishedName
#Get-ADGroupMember -Identity | ft name, SamAccountName, distinguishedName

#$sec=(Get-ACL PSDrive:).access | Where-Object IdentityReference -match "sec."| #Select-Object -ExpandProperty IdentityReference

###A simpler way to read the code###

$folders = @('PSDriveFolder1','PSDrive:Folder2','PSDrive:Folder3')
foreach ($folder in $folders) 


write-Host $folder
(get-acl $folder).Access | Where-Object AccessControlType -eq Allow | ft identityreference,filesystemrights,accesscontroltype 

if ((get-acl $folder).Access |Where-Object IdentityReference -like "Sec.*")


I’ve gone ahead and updated my script to account for the lack of an array.

(Get-ChildItem -Path PSDrive:\).FullName |

$array += $_


foreach ($i in $array){
(get-acl $i).Access | Where-Object AccessControlType -eq Allow | ft identityreference,filesystemrights,accesscontroltype 


I don’t understand whatfor this could be helpful but I guess you want something like this:

$folderList = @('PSDrive:\File1', 'PSDrive:\File2', 'PSDrive:\File3')
$IdentityReferenceValueList = 
foreach ($folder in $folderList) {
    Get-Item -Path $folder | 
        Get-Acl | 
            Select-Object -ExpandProperty Access | 
                Select-Object -ExpandProperty IdentityReference | 
                    ForEach-Object { ($_ -split '\\')[1] } |
                        Where-Object {$_ -like 'sec.*'}

It’s for what the user above mentioned, analysis.

I must say your code is incredibly clean. Appreciate the feedback, looks like i’ll have to sort out the non-sec categories.

What does that mean? Does it answer your actual question? Could you please keep in mind that we cannot see your screen and that we cannot read your mind?

Thanks in advance.

When I put in the code, it outputs, as I mentioned above, Domain/ as an example.

With your code, it has successfully eliminated the ‘Domain/’ portion of the output leaving me with usernames and entries of which I’m trying isolate just the entries and put into a variable.

I’ve been attempting to use Where-Object -Property IdentityReference -eq “sec.*” at different variations, however, it’s not removing the other usernames in the lists.

An example would be :

The output your script provided me looks like


I’m only trying to obtain and filter out the others in order to inject it into a variable that I will use later for an ADGroup and ADGroupMember cmdlet.

Hope this helps clarify my perspective.

-eq” is the wrong comparison operator. Use “-like” instead. And please read the help

Read it completely including the examples. Even if you don’t need it now. :wink:

(Get-ChildItem -Path PSDrive:\).FullName |

$array += $_

foreach ($i in $array){
(get-acl $i).Access | 
Where-Object AccessControlType -eq Allow |
ft identityreference,filesystemrights,accesscontroltype 

if ((get-acl $i).Access |Where-Object IdentityReference -like "*Sec.*"){

Get-Item -Path $i |
Get-Acl |
Select-Object -ExpandProperty Access |
Select-Object -ExpandProperty IdentityReference |
  ForEach-Object { ($_ -split '\\')[1] 
$IdentityReferenceValueList += $_  
$IdentityReferenceValueList  ## - i know this isnt functional yet, still trying to figure out

This is where I’m at right now, trying to take output values that results :


While trying to isolate the portion into an array.

I’ve been using switches such as ‘like’ and others however they do not modify the list output.

As @dicey mentioned, I’m attempting to determine which security.groups have access to certain files in a directory as well as any other users, however, if there is a security group assigned, it should grab that name and run it against ADGroup and ADGroupMember commands.

My original question was around the TrimString function which you showed me that we’re able to manipulate outputs of objects that have a common delimiter.

However, now I have to remove outputs that I have no use for and find a way to variable/array the rest.

##My Feeble Attempts##

ForEach-Object { ($_ -split ‘\’)[1];Select-String $_ “sec."
ForEach-Object { ($_ -split ‘\’)[1];Out-String;Select-String $_ "sec.

ForEach-Object { ($_ -split ‘\’)[1] ; ForEach-Object {$_ -notlike ‘sec.’}
ForEach-Object { ($_ -split ‘\’)[1] ; ForEach-Object {$_ -like 'sec.

I changed my code suggestion above. Try it!

I urgently recommend for you to make big step back and start to learn the very basics of PowerShell first. You cannot learn a complex technology like a programming language by guessing or by piecing together some arbitrary snipets of code you found at the internet and you actually do not understand.