Parent Folder Permissions

So I’ve been playing around with this script to audit file server folder ACLs, and it works great, it’s just returning too much data. What I was hoping I could do is filter out the folders where there are no special permissions other than those of the parent folder. I think this would help me reduce the number of entries in my table and allow me to manipulate it into something more readable… Basically just return ACL info on the parent folder and any special permissions on child objects not inherited from the parent.

$connectionString = "Server=;"
$tableName = "FilePermissions"

# Opens a connection, runs one SQL statement and closes the connection again
function WriteSQL ($query)
{
    if ($debug -eq $true) {Write-Host $query}
    $Connection = New-Object System.Data.SqlClient.SqlConnection
    $Connection.ConnectionString = $connectionString
    $Connection.Open()
    $Command = New-Object System.Data.SqlClient.SqlCommand
    $command.Connection = $Connection
    $command.CommandText = $query
    $command.ExecuteNonQuery()
    $connection.Close()
}

$ErrorActionPreference = "Continue"
$strComputer = $env:ComputerName
$colDrives = Get-PSDrive -PSProvider Filesystem
ForEach ($DriveLetter in $colDrives) {
    $StartPath = "E:\Share"
    Get-ChildItem -LiteralPath $StartPath -Recurse -Directory |
    ForEach {
        $FullPath = Get-Item -LiteralPath (Get-Item -LiteralPath $_.PSPath)
        # One output object per ACE, carrying the folder-level properties along
        (Get-Item -LiteralPath $FullPath).GetAccessControl() |
        Select * -Expand Access |
        Select @{N='ServerName';E={$strComputer}},
        @{N='FullPath';E={$FullPath}},
        @{N='Type';E={If($FullPath.PSIsContainer -eq $True) {'D'} Else {'F'}}},
        @{N='Owner';E={$_.Owner}},
        @{N='Trustee';E={$_.IdentityReference}},
        @{N='Inherited';E={$_.IsInherited}},
        @{N='InheritanceFlags';E={$_.InheritanceFlags}},
        @{N='AceFlag';E={$_.PropagationFlags}},
        @{N='AceType';E={$_.AccessControlType}},
        @{N='AccessMasks';E={$_.FileSystemRights}} } |
    %{
        # One INSERT per ACE row
        $query = "INSERT INTO $tableName (servername,fullpath,type,owner,trustee,inherited,inheritanceflags,aceflag,acetype,accessmasks) VALUES ('$($_.servername)','$($_.fullpath)','$($_.type)','$($_.owner)','$($_.trustee)','$($_.inherited)','$($_.inheritanceflags)','$($_.aceflag)','$($_.acetype)','$($_.accessmasks)')"
        WriteSQL $query
    }
}

First, if you want to get ACLs of just some items under E:\Share, why do you bother with drive letters?
Second, when you call Get-ChildItem you already get the item object and its FullName. You do not need to call Get-Item a second time.
And thus, leaving out the SQL, we get

Get-ChildItem E:\Share -Recurse | Foreach-Object {
  $i = $_;
  $a = $i.GetAccessControl()
  $a.Access |
    Where-Object { -Not $_.IsInherited } |
      Add-Member -PassThru -MemberType Noteproperty -Name FullName -Value $i.FullName |
      Add-Member -PassThru -MemberType Noteproperty -Name Container -Value $i.PSIsContainer |
      Add-Member -PassThru -MemberType Noteproperty -Name Owner -Value $a.Owner
}

The drive letter is irrelevant, just a placeholder at this point. It’s not that I only want some, it’s predicated on what the ACLs return. I just want to get the parent folders, and only the ACLs on the child folders if they differ from the parent.

So you’re saying get rid of the literal path/full path?

Where would I insert/replace the code you’ve given me?

I’d like to still keep the

Select @{N='ServerName';E={$strComputer}},
@{N='FullPath';E={$FullPath}},
@{N='Type';E={If($FullPath.PSIsContainer -eq $True) {'D'} Else {'F'}}},
@{N='Owner';E={$_.Owner}},
@{N='Trustee';E={$_.IdentityReference}},
@{N='Inherited';E={$_.IsInherited}},
@{N='InheritanceFlags';E={$_.InheritanceFlags}},
@{N='AceFlag';E={$_.PropagationFlags}},
@{N='AceType';E={$_.AccessControlType}},
@{N='AccessMasks';E={$_.FileSystemRights}}

if possible, so it matches my SQL table.
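
Added example, not part of any post in this thread: one way to combine the `IsInherited` filter from the reply with the column set of the original script, writing the top folder with its full ACL and every folder below it with its explicit ACEs only. The function name `Get-AuditRow`, the connection string and the use of `Get-Acl` are assumptions of this example; the insert uses SQL parameters rather than string concatenation so that a path or trustee containing an apostrophe cannot break or alter the statement.

```powershell
# Added example; the path, connection string and table name are placeholders.
$StartPath        = 'E:\Share'
$ConnectionString = 'Server=<server>;Database=<database>;Integrated Security=True'
$TableName        = 'FilePermissions'
$Columns = 'servername','fullpath','type','owner','trustee','inherited',
           'inheritanceflags','aceflag','acetype','accessmasks'

# One row per ACE, shaped like the table in the thread.
# Without -IncludeInherited only explicit (non-inherited) ACEs are returned.
function Get-AuditRow {
    param($Item, [switch]$IncludeInherited)
    $acl = Get-Acl -LiteralPath $Item.FullName
    $acl.Access |
        Where-Object { $IncludeInherited -or -not $_.IsInherited } |
        Select-Object @{N='ServerName';E={$env:ComputerName}},
            @{N='FullPath';E={$Item.FullName}},
            @{N='Type';E={if ($Item.PSIsContainer) {'D'} else {'F'}}},
            @{N='Owner';E={$acl.Owner}},
            @{N='Trustee';E={$_.IdentityReference}},
            @{N='Inherited';E={$_.IsInherited}},
            @{N='InheritanceFlags';E={$_.InheritanceFlags}},
            @{N='AceFlag';E={$_.PropagationFlags}},
            @{N='AceType';E={$_.AccessControlType}},
            @{N='AccessMasks';E={$_.FileSystemRights}}
}

$Connection = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
$Connection.Open()
try {
    $Command = $Connection.CreateCommand()
    # Parameter placeholders keep values that contain ' intact.
    $Command.CommandText = 'INSERT INTO {0} ({1}) VALUES ({2})' -f $TableName,
        ($Columns -join ','), (($Columns | ForEach-Object { '@' + $_ }) -join ',')
    & {
        # Top folder: every ACE. Folders below it: explicit ACEs only.
        Get-AuditRow (Get-Item -LiteralPath $StartPath) -IncludeInherited
        Get-ChildItem -LiteralPath $StartPath -Recurse -Directory |
            ForEach-Object { Get-AuditRow $_ }
    } | ForEach-Object {
        $Command.Parameters.Clear()
        foreach ($c in $Columns) {
            [void]$Command.Parameters.AddWithValue('@' + $c, [string]$_.$c)
        }
        [void]$Command.ExecuteNonQuery()
    }
} finally {
    $Connection.Close()
}
```

A folder with inheritance disabled carries only explicit ACEs, so its whole ACL is written, which is the case an audit most needs to see.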