Hello,
I am looking for a script that does what Accesschk does in listing folders on a file server and lists those active directory groups which are assigned to each folder. I would also like to include the members of those groups. I have found a variety of potential scripts but can’t find a concise script that provides what I need. Can anyone help?
I see the following but I don't need the pspath or psparentpath
Get-ChildItem \\server\uncpathgoeshere -recurse | ForEach-Object {Get-Acl $_.FullName} | select pspath, psparentpath, pschildname, path, owner, group | Export-CSV C:\folder_perms.csv
I modified it to the following; it's not quite right and I don't know how to fix it.
Looking for : Folder path\AD Privilege group assigned to that folder\list of members of the respective AD privilege group
Get-ChildItem \\server\uncpath -recurse | ForEach-Object {Get-Acl $_.FullName} | select pspath, path, Get-aduser -filter * -properties DisplayName, Memberof | DisplayName, @{name="MemberOf";expression={$_.memberof -join ";"}} | Export-CSV C:\folder_perms.csv
Thanks,
Roger
As for…
I see the following but I don't need the pspath or psparentpath
… then remove them from the select.
Get-ChildItem C:\Deployment -recurse |
ForEach-Object {Get-Acl $_.FullName} |
select pschildname, path, owner, group -First 3 | ft -AutoSize
# Results
PSChildName Path Owner Group
----------- ---- ----- -----
EventLog... Microsoft.PowerShell.Core\... BUILTIN\Administrators CONTOSO\Domain Users
CAConfig Microsoft.PowerShell.Core\... BUILTIN\Administrators CONTOSO\Domain Users
CRL_Info Microsoft.PowerShell.Core\... BUILTIN\Administrators CONTOSO\Domain Users
This …
| select pspath, path, Get-aduser -filter * -properties DisplayName, Memberof
… is wrong, because you cannot use a cmdlet (Get-ADUser in this case) as a property. So this would never work.
This…
| DisplayName, @{name="MemberOf";expression={$_.memberof -join ";"}} | Export-CSV C:\folder_perms.csv
… is not correct syntax.
It should be this.
| Select-Object -Property DisplayName, @{name="MemberOf";expression={$_.memberof -join ";"}}
So, to get to where you want to be, create one liners for each step to make sure you are getting what you’d expect, then refactor as one script.
You are going to have to work through loops to get all of what you are after.
Put all your folders into a collection.
Loop to get each permission of the individual group.
Loop again to get all users of that group.
A rough example:
($FolderList = Get-ChildItem C:\Deployment -recurse | Select-Object -First 1) | Format-Table -AutoSize
# Results
Directory: C:\Deployment
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 4/15/2018 11:53 PM EventLog_Captures
$FolderList | ForEach-Object {Get-Acl $_.FullName}
# Results
Directory: C:\Deployment
Path Owner Access
---- ----- ------
EventLog_Captures BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow FullControl...
($FolderOwners = ($FolderList | ForEach-Object {Get-Acl $_.FullName}).Owner)
# Results
BUILTIN\Administrators
($FolderOwners | %{Get-ADGroupMember -Identity ($_.split('\')[1]) | Select-Object -Property SamAccountName})
# Results
SamAccountName
--------------
Domain Admins
Enterprise Admins
Administrator
Then refactor into something more elegant.
Hello,
Thank you for your response.
Sorry but I am having a little difficulty in following your example.
The following piece works OK
Get-ChildItem \\server\UNCpath -recurse | ForEach-Object {Get-Acl $_.FullName} | select pschildname, path, owner, group -First 10
I then just want to list the ADGroup and the ADGroupMembers with access to each directory, not each file.
It looks like you are saying I could add ($FolderOwners | %{Get-ADGroupMember -Identity ($_.split('\')[1]) | Select-Object -Property SamAccountName}) but this isn't working if I do the following:
Get-ChildItem \\server\UNCpath -recurse | ForEach-Object {Get-Acl $_.FullName} | select pschildname, path, owner, group -First 10 | ($FolderOwners | %{Get-ADGroupMember -Identity ($_.split('\')[1]) | Select-Object -Property SamAccountName})| Export-CSV C:\TestFolder_perms.csv
What am I missing?
Thanks,
Roger
As for …
I then just want to list the ADGroup and the ADGroupMembers with access to each directory, not each file.
… by default, of course, Get-ChildItem will get everything. If you just want the folders, then you have to specify that in the first Get-ChildItem request.
Get-ChildItem -Path D:\Temp -Directory -Recurse
You just cannot pass a collection down the pipeline in this fashion and expect PS to figure it out. You have to tell it what to do with the collection / object. If you have a collection, you have to iterate / loop through all the items in that collection to get specific data from each item in the collection.
Roughly, I mean, something like this (hashtable example):
(Get-ChildItem -Path 'C:\Deployment' -Directory -recurse | Select-Object -First 2) |
%{
    # Process each folder for target information
    $Values = [ordered]@{
        'FolderName'  = $_.FullName
        'FolderOwner' = (Get-Acl $_.FullName).Owner
        # Get the members of the FolderOwner
        'Users'       = (Get-ADGroupMember -Identity (((Get-Acl $_.FullName).Owner).split('\')[1])).SamAccountName
    }
    "`n"
    # Send values to the screen
    $Values
}
# Results
Name Value
---- -----
FolderName C:\Deployment\EventLog_Captures
FolderOwner BUILTIN\Administrators
Users {Domain Admins, Enterprise Admins, Administrator}
Name Value
---- -----
FolderName C:\Deployment\Config
FolderOwner BUILTIN\Administrators
Users {Domain Admins, Enterprise Admins, Administrator}
Now, because of how I have the above, to get this into a CSV (table-like) layout, if that is your end goal, that requires going at this differently than what I show here. Yet you're still going to need the ForLoop effort.
Hello,
I tried the following using your example but this failed with the error below:
(Get-ChildItem -Path 'D:\DirectoryName' -Directory -recurse | Select-Object -First 2) |
%{
    # Process each folder for target information
    $Values = [ordered]@{
        'FolderName'  = $_.FullName
        'FolderOwner' = (Get-Acl $_.FullName).Owner
        # Get the members of the FolderOwner
        'Users'       = (Get-ADGroupMember -Identity (((Get-Acl $_.FullName).Owner).split('\')[1])).SamAccountName
    }
    "`n"
    # Send values to the screen
    $Values
}
Get-ADGroupMember : Cannot find an object with identity: ‘AdminNameadmin’ under: ‘DC=domain,DC=local’.
At line:9 char:17
Get-ADGroupMember : Cannot validate argument on parameter ‘Identity’. The argument is null or empty. Provide an argument that is not null or empty, and then try the
command again.
At line:9 char:45
I'm not sure what I am doing wrong. As with the first part of your example, the following works OK but the rest does not. Other than replacing the name for the directory name, should I be changing any other values before running?
(Get-ChildItem -Path 'D:\directoryName' -Directory -recurse | Select-Object -First 2)
Thanks,
Roger
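Added example (not code from this thread): the loop above reads the folder Owner, which on a file server is often BUILTIN\Administrators or the user who created the folder rather than the AD group that grants access, so Get-ADGroupMember is handed a user name (the "Cannot find an object" error) or nothing at all (the "null or empty" error). This version reads the Access entries of each folder's ACL, keeps only DOMAIN\Name identities that resolve to an AD group, expands them, and writes one CSV row per folder / group / member. $Root and $OutFile are placeholders; the ActiveDirectory module is assumed to be available.

```powershell
# Added example, not the thread's own code. Requires RSAT / the ActiveDirectory module.
Import-Module ActiveDirectory
$Root    = '\\server\share\Deployment'   # placeholder: folder tree to report on
$OutFile = 'C:\folder_perms.csv'         # placeholder: CSV output path
$cache   = @{}                           # group name -> members, so each group is expanded once

function Get-GroupMembersCached([string]$Name) {
    if (-not $cache.ContainsKey($Name)) {
        try {
            # -Recursive flattens nested groups down to the final user/computer objects
            $cache[$Name] = (Get-ADGroupMember -Identity $Name -Recursive -ErrorAction Stop).SamAccountName
        } catch {
            # Group could not be read (or is not a group): record why instead of aborting the run
            $cache[$Name] = @("<could not expand: $($_.Exception.Message)>")
        }
    }
    return $cache[$Name]
}

$rows = Get-ChildItem -Path $Root -Directory -Recurse | ForEach-Object {
    $folder = $_.FullName
    # Use the ACL's Access entries (the ACEs), not the Owner field
    foreach ($ace in (Get-Acl -Path $folder).Access) {
        $id = $ace.IdentityReference.Value
        # Skip well-known local principals; only DOMAIN\Name entries can be AD groups
        if ($id -notmatch '\\' -or $id -match '^(BUILTIN|NT AUTHORITY|NT SERVICE)\\') { continue }
        $name = $id.Split('\')[1]
        $obj  = Get-ADObject -Filter { SamAccountName -eq $name } -ErrorAction SilentlyContinue
        # Users and unresolvable SIDs get no expansion; that is what the Owner-based loop tripped on
        if ($null -eq $obj -or $obj.ObjectClass -ne 'group') { continue }
        foreach ($member in (Get-GroupMembersCached $name)) {
            [PSCustomObject]@{
                Folder    = $folder
                Group     = $id
                Rights    = $ace.FileSystemRights.ToString()
                Type      = $ace.AccessControlType.ToString()   # Allow or Deny
                Inherited = $ace.IsInherited
                Member    = $member
            }
        }
    }
}
$rows | Export-Csv -Path $OutFile -NoTypeInformation
```

Filtering on Inherited -eq $false afterwards shows only the folders where permissions were explicitly set, which is usually the list worth reviewing.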