Need newby help with filtering object property values

ryangh · May 21, 2021, 3:55pm

Hi there. I need to audit folder permissions, but just for a specific username, and possibly for specific permissions. I don’t know how to do the filtering part and the articles I’ve read about using where-object are still a little over my head. Here is the script I have so far:

$FolderPath = Get-ChildItem -Directory -Path "D:\SWLIB\Scripts\PowerShell\test" -Recurse -Force
$Output = @()
ForEach ($Folder in $FolderPath) {
    $Acl = Get-Acl -Path $Folder.FullName
    ForEach ($Access in $Acl.Access) {
$Properties = [ordered]@{'Folder Name'=$Folder.FullName;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
$Output += New-Object -TypeName PSObject -Property $Properties 
}
}
$Output | Out-GridView

Maybe I can use a filter something like | Where-Object -FilterScript {$Access.IdentityReference -LIKE 'IUSR'} but I don’t understand where to place it in the script. Please let me know if this is a workable route to take and where I should put it. Thanks for any advice you can offer!

matt-bloomfield · May 21, 2021, 5:52pm

Honestly, there are better tools for this than PowerShell. Have a look at AccessChk and AccessEnum on Sysinternals.

ryangh · May 21, 2021, 6:30pm

Thanks for taking a look. I had looked at AccessChk earlier but it does not support wildcards, which took me down a rabbit hole before I decided to try PowerShell.

It’s definitely possible (and worth learning!) with PowerShell but I’m missing some fundamentals. I’d like to create an object and filter for a certain string in the user name, and a couple different permission types before I output it.

matt-bloomfield · May 21, 2021, 8:51pm

OK, well I don’t think I’d use Where-Object here. I’d use if.

I have reformatted your code as using += is now considered a bad practice.

$FolderPath = Get-ChildItem -Directory -Path "E:\Temp\Files" -Recurse -Force

$user = 'Admin'

$results = ForEach ($Folder in $FolderPath) {

    $Acl = Get-Acl -Path $Folder.FullName
    
    ForEach ($Access in $Acl.Access) {

        if ($Access.IdentityReference -like "*$user*" -or $Access.FileSystemRights -eq 'FullControl') {

              [PSCustomObject]@{

                'Folder Name' = $Folder.FullName
                'Group/User'  = $Access.IdentityReference
                'Permissions' = $Access.FileSystemRights
                'Inherited'   = $Access.IsInherited
            
              } #end object creation
          
        } # end if
    
    } #end foreach $access

} #end foreach $folder

$results | Out-GridView

Also worth bearing in mind that you could grab everything and filter in Out-GridView.

ryangh · May 21, 2021, 10:48pm

Ok, this is very helpful and the way it’s layed out helps me understand the flow. After replacing the path with my own it works just fine for checking FullControl. But for some reason it does not work when checking Modify permission. I’ll play around with it to see if I can get it to work.

$Access.FileSystemRights -eq 'Modify'

Thanks for your help!

matt-bloomfield · May 22, 2021, 9:14am

Looking at the output on my machine, the string for Modify rights are ‘Modify, Synchronize’. You would have to use

$Access.FileSystemRights -eq 'Modify, Synchronize'

or

$Access.FileSystemRights -like 'Modify*'

Topic		Replies	Views
Parent Folder Permissions PowerShell Help	5	102	November 9, 2016
searching/filtering/where-object PowerShell Help	6	162	June 30, 2015
Where-Object filtering problem PowerShell Help	8	139	June 10, 2015
Using Powershell to see folder permissions PowerShell Help	2	780	October 11, 2022
Find Folders a user has access to PowerShell Help	4	200	September 11, 2014

Need newby help with filtering object property values

Related Topics