Need newby help with filtering object property values

Hi there. I need to audit folder permissions, but just for a specific username, and possibly for specific permissions. I don’t know how to do the filtering part and the articles I’ve read about using where-object are still a little over my head. Here is the script I have so far:

$FolderPath = Get-ChildItem -Directory -Path "D:\SWLIB\Scripts\PowerShell\test" -Recurse -Force
$Output = @()
ForEach ($Folder in $FolderPath) {
    $Acl = Get-Acl -Path $Folder.FullName
    ForEach ($Access in $Acl.Access) {
$Properties = [ordered]@{'Folder Name'=$Folder.FullName;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
$Output += New-Object -TypeName PSObject -Property $Properties 
$Output | Out-GridView

Maybe I can use a filter something like | Where-Object -FilterScript {$Access.IdentityReference -LIKE 'IUSR'} but I don’t understand where to place it in the script. Please let me know if this is a workable route to take and where I should put it. Thanks for any advice you can offer!

Honestly, there are better tools for this than PowerShell. Have a look at AccessChk and AccessEnum on Sysinternals.

Thanks for taking a look. I had looked at AccessChk earlier but it does not support wildcards, which took me down a rabbit hole before I decided to try PowerShell.

It’s definitely possible (and worth learning!) with PowerShell but I’m missing some fundamentals. I’d like to create an object and filter for a certain string in the user name, and a couple different permission types before I output it.

OK, well I don’t think I’d use Where-Object here. I’d use if.

I have reformatted your code as using += is now considered a bad practice.

$FolderPath = Get-ChildItem -Directory -Path "E:\Temp\Files" -Recurse -Force

$user = 'Admin'

$results = ForEach ($Folder in $FolderPath) {

    $Acl = Get-Acl -Path $Folder.FullName
    ForEach ($Access in $Acl.Access) {

        if ($Access.IdentityReference -like "*$user*" -or $Access.FileSystemRights -eq 'FullControl') {


                'Folder Name' = $Folder.FullName
                'Group/User'  = $Access.IdentityReference
                'Permissions' = $Access.FileSystemRights
                'Inherited'   = $Access.IsInherited
              } #end object creation
        } # end if
    } #end foreach $access

} #end foreach $folder

$results | Out-GridView

Also worth bearing in mind that you could grab everything and filter in Out-GridView.


Ok, this is very helpful and the way it’s layed out helps me understand the flow. After replacing the path with my own it works just fine for checking FullControl. But for some reason it does not work when checking Modify permission. I’ll play around with it to see if I can get it to work.

$Access.FileSystemRights -eq 'Modify'

Thanks for your help!

Looking at the output on my machine, the string for Modify rights are ‘Modify, Synchronize’. You would have to use

$Access.FileSystemRights -eq 'Modify, Synchronize'


$Access.FileSystemRights -like 'Modify*'
1 Like