Use a like compare within a -in/-contains comparison

I’m working on a script for some fileshare auditing. Initially, I was only concerned with who was able to modify, and that satisfied my needs. As I’m wrapping up my work with this script I wanted to make it more generic so that it could be reused in the future for, say, a read permission audit. Which is where this question comes from.

 

In my original code I had written the below line. $path is a UNC path. Permission1 was originally hard coded to modify and permission2 was hard coded to fullcontrol. Swapping these for the following variables works no problem (as long as I define them ahead of time, which I have).

[pre]

$identities = get-acl -Path $path | foreach {$_.access} | select filesystemrights, identityreference | where {$_.filesystemrights -like "$permission1" -or $_.filesystemrights -like "$permission2"} | select -expand identityreference

[/pre]

But if I open the door to auditing read, then I need to search for fullcontrol, modify, and also read. So I thought instead of adding a 3rd comparison, and then potentially needing this line multiple times… what if I created a list of possible values and then compared against that.

So here comes a new variable called $permissions which could be set as so: $permissions = 'modify','fullcontrol' and my new line should look something like this.

[pre]

get-acl -Path $path | foreach {$_.access} | select filesystemrights, identityreference | where {$_.filesystemrights -in $permissions} | select -expand identityreference

[/pre]

It half works. It still returns the 2 identities which match fullcontrol exactly. But it won’t return the identities that have rights of "DeleteSubdirectoriesAndFiles, Modify, Synchronize" or some combination where modify is buried in there. Is there a way to do this? Or should I just have 3 separate commands that are each written to accept 1, 2, or 3 values to -or?

 

Thanks

You could use -match with a regular expression.

$permissions = '(.+modify)|(.+fullcontrol)'
"DeleteSubdirectoriesAndFiles, Modify, Synchronize" -match $permissions

[quote quote=199877]You could use -match with a regular expression.

$permissions = '(.+modify)|(.+fullcontrol)'
"DeleteSubdirectoriesAndFiles, Modify, Synchronize" -match $permissions
[/quote] That's a great idea, I didn't think of that.

A quick update:

I just had to make one small adjustment. I switched the + to * because the value has the potential to start the string. Your code was only returning 3 of the 6 values it should have been. 2 of the 3 missing were only fullcontrol and the 3rd started with modify. So the wildcard is needed over the +. Otherwise it works great. Thanks again.

 

Here’s the return of my particular share:
FullControl
ReadAndExecute,Synchronize
DeleteSubdirectoriesAndFiles,Modify,Synchronize
Modify,Synchronize
FullControl
DeleteSubdirectoriesAndFiles,Modify,Synchronize
ReadAndExecute,Synchronize
DeleteSubdirectoriesAndFiles,Modify,Synchronize

And the code if anyone was interested. I stripped out my path and domain so you’d either need to update my default values or pass them in when you call the script. Nothing fancy, but it works. On my particular share it bombs out for read because EVERYONE has read access and it exceeds the size limit that Get-ADGroupMember will get. If this ever becomes a big deal I’ll switch back to dsget.

[pre]

[CmdletBinding()]
param(
    # UNC path of the share to audit
    $path = "\\Server\Share",

    [ValidateSet("Read", "Write", "FullControl")]
    $permission = "Write",

    # Domain prefix to strip from IdentityReference (e.g. 'CONTOSO\')
    $domain = 'DomainName'
)

Import-Module ActiveDirectory

# Regex over the FileSystemRights text; '.*' rather than '.+' so a value that
# starts with the word (e.g. "FullControl" on its own) still matches.
if ($permission -eq 'Write') { $permissions = '(.*modify)|(.*fullcontrol)' }
elseif ($permission -eq 'FullControl') { $permissions = '.*fullcontrol' }
elseif ($permission -eq 'Read') { $permissions = '(.*read|.*modify)|(.*fullcontrol)' }

$identities = Get-Acl -Path $path | ForEach-Object { $_.Access } |
    Select-Object FileSystemRights, IdentityReference |
    Where-Object { $_.FileSystemRights -match $permissions } |
    Select-Object -ExpandProperty IdentityReference
$identities = $identities | Select-Object -ExpandProperty Value

$groups = @()
$users  = @()
$others = @()

foreach ($identity in $identities) {
    # Strip the domain prefix (and any leftover backslash) to get the sAMAccountName
    $identity = $identity.Replace($domain, '').TrimStart('\')
    $type = Get-ADObject -Filter "SamAccountName -eq '$identity'" | Select-Object -ExpandProperty ObjectClass
    if ($type -eq "group") {
        $groups += Get-ADGroupMember -Identity $identity -Recursive |
            Select-Object Name, @{n="Username"; e={$_.SamAccountName}}, @{n="GrantedFrom"; e={$identity}}
    }
    elseif ($type -eq "user") {
        $users += Get-ADUser -Identity $identity |
            Select-Object Name, @{n="Username"; e={$_.SamAccountName}}, @{n="GrantedFrom"; e={"Direct Access"}}
    }
    else {
        $others += "$identity could not be found in ActiveDirectory"
    }
}

# One row per member per granting group (the posted version used calculated
# properties that all pointed at GrantedFrom; select the three columns directly)
$groups | Select-Object Name, Username, GrantedFrom -Unique
$users
$others

[/pre]
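An added example, not code from either the -match reply or the script above, that checks FileSystemRights as the [Flags] enum it actually is instead of as text. Both posts compare the string form of the enum, and that is where the odd results come from: -in and -contains compare the whole value, so only the two bare "FullControl" entries matched; a regex such as '.*read' also matches ReadPermissions or ReadAttributes, which are not read access; an ACE whose rights are a generic value that the enum cannot name prints as a bare number like 268435456 and never matches any word; and neither approach looks at AccessControlType, so a Deny entry for Modify is reported as if it granted Modify. The ACE objects below are constructed to resemble (Get-Acl $path).Access, the identity names and the function name Get-IdentityWithRight are made up for the example, and it depends only on the .NET FileSystemRights enum, so it runs without a share or Active Directory.

```powershell
# Added example (not from the original thread): test a FileSystemRights value
# by flag bits rather than by substring, and keep Allow, Deny and unmapped
# (generic) rights apart. Constructed sample ACEs; no share or AD needed.
using namespace System.Security.AccessControl

function Get-IdentityWithRight {
    [CmdletBinding()]
    param(
        # ACE-like objects with IdentityReference, AccessControlType, FileSystemRights
        [Parameter(Mandatory)] [object[]] $Ace,
        # The right the audit asks about, e.g. Read, Modify, FullControl
        [Parameter(Mandatory)] [FileSystemRights] $Required
    )
    # Every named flag lives inside FullControl (0x1F01FF). Bits outside it are
    # generic rights (GENERIC_READ/WRITE/EXECUTE/ALL) the enum cannot name, which
    # is why such ACEs print as bare numbers and defeat any text match.
    $namedMask = [int][FileSystemRights]::FullControl

    foreach ($entry in $Ace) {
        $rights  = [int]$entry.FileSystemRights
        $unnamed = ($rights -band (-bnot $namedMask)) -ne 0
        # Flags test: every bit of $Required must be present. Modify contains
        # Read and ReadAndExecute, FullControl contains Modify, so asking for
        # Read automatically picks up the stronger grants as well.
        $hasBits = ($rights -band [int]$Required) -eq [int]$Required

        $verdict = if ($unnamed) { 'Unmapped' }
                   elseif (-not $hasBits) { 'No' }
                   elseif ($entry.AccessControlType -eq [AccessControlType]::Deny) { 'Denied' }
                   else { 'Yes' }

        [pscustomobject]@{
            Identity = [string]$entry.IdentityReference
            Verdict  = $verdict
            Rights   = $entry.FileSystemRights
        }
    }
}

# Constructed sample ACEs (hypothetical identities), spelled the way Get-Acl
# prints them. The last one carries GENERIC_ALL (0x10000000), a value PowerShell
# refuses to cast directly, so it is built with [Enum]::ToObject as real
# inherited ACEs from the .NET ACL classes can be.
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\FS-Admins';   AccessControlType = [AccessControlType]::Allow; FileSystemRights = [FileSystemRights]'FullControl' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Editors';     AccessControlType = [AccessControlType]::Allow; FileSystemRights = [FileSystemRights]'DeleteSubdirectoriesAndFiles, Modify, Synchronize' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Readers';     AccessControlType = [AccessControlType]::Allow; FileSystemRights = [FileSystemRights]'ReadAndExecute, Synchronize' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Auditors';    AccessControlType = [AccessControlType]::Allow; FileSystemRights = [FileSystemRights]'ReadPermissions' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Contractors'; AccessControlType = [AccessControlType]::Deny;  FileSystemRights = [FileSystemRights]'Modify, Synchronize' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\LegacyApp';   AccessControlType = [AccessControlType]::Allow; FileSystemRights = [Enum]::ToObject([FileSystemRights], 268435456) }
)

# Who can change content? FS-Admins and Editors: Yes. Contractors: Denied (a
# Deny ACE for Modify is the opposite of access). LegacyApp: Unmapped.
Get-IdentityWithRight -Ace $sampleAces -Required Modify | Format-Table -AutoSize

# Who can read? FS-Admins, Editors and Readers: Yes. Auditors: No, because
# ReadPermissions alone lacks the ReadData bit even though '.*read' matches it.
Get-IdentityWithRight -Ace $sampleAces -Required Read |
    Where-Object Verdict -ne 'No' | Format-Table -AutoSize
```

To run this against a real share, pass (Get-Acl -Path $path).Access as -Ace. The Verdict column is what the string approaches lack: Denied rows should be subtracted from the report rather than counted as access, and Unmapped rows carry generic rights that need to be reviewed by hand instead of being silently skipped by a regex that never matches them.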