Finding folders where ACL Inheritance is off

ksinc11

Feb 10, 2010, 11:51:03 AM
I am very new to PowerShell. I have found a lot of stuff on using the $acl =
get-acl command and $acl.AreAccessRulesProtected to determine if inheritance
is on or off. I am trying to write a script that will recurse a directory
tree and look at inheritance on the subfolders. If inheritance is ON ($False)
then ignore the subfolder, if inheritance is OFF ($True) then output (append),
to a csv, the complete path (c:\Folder\SubFolder), Owner, & all
Users/Groups with Permission Levels.

I don't want to change the inheritance, just output the information if it is
OFF.

Thanks for the Help.

Kevin

ksinc11

Feb 10, 2010, 1:16:09 PM
I have tried using the following commands. (bear in mind I am very new to PS)
Hopefully someone can point me in the right direction.

get-childitem c:\scripts -recurse|where-object{$_.psiscontainer} |
foreach-object{$acl=get-acl} if (!$acl.AreAccessRulesProtected){get-acl}

I get the following error.

ForEach-Object : Cannot bind parameter 'Process'. Cannot convert the "if"
value
of type "System.String" to type "System.Management.Automation.ScriptBlock".
At line:1 char:82
+ get-childitem c:\scripts -recurse|where-object{$_.psiscontainer}|
foreach-ob
ject <<<< {$acl=get-acl} if (!$acl.AreAccessRulesProtected){get-acl}
+ CategoryInfo : InvalidArgument: (:) [ForEach-Object], Parameter
BindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerSh
ell.Commands.ForEachObjectCommand

The following generates a list of the subfolders.
get-childitem c:\scripts -recurse|where-object{$_.psiscontainer}

The following just brings up a new prompt
get-childitem c:\scripts -recurse|where-object{$_.psiscontainer} |
foreach-object{$acl=get-acl} if (!$acl.AreAccessRulesProtected)

Again, thanks for the help.

Kevin

Robert Robelo

Feb 10, 2010, 3:59:02 PM

Try this:

# Folders that carry at least one explicit (non-inherited) access rule
Get-ChildItem c:\ | ? {$_.PSIsContainer} | ? {
    Get-Acl $_.FullName | % {
        $_.GetAccessRules($true, $true, 'System.Security.Principal.NTAccount') |
            ? {!$_.IsInherited}
    }
}

# Folders whose AreAccessRulesProtected flag is $false
Get-ChildItem c:\ | ? {$_.PSIsContainer} |
    ? {!(Get-Acl $_.FullName).AreAccessRulesProtected}

# - - - - - - - - - - - - - #
<#
You can create filters that'll save you some typing if you do this
often. Save them in your $Profile to have them available in every session.
#>

# Pass through directories only
filter Dirs {
    if ($_.PSIsContainer) {$_}
}

# Pass through items with at least one inherited rule (-not: non-inherited rule)
filter IsInherited {
    param([Switch]$not)
    $acl = Get-Acl $_.fullname
    $result = $acl.GetAccessRules($true,$true,'Security.Principal.NTAccount') |
        Where-Object {if ($Not) {-not $_.IsInherited} else {$_.IsInherited}}
    if ($result) {$_}
}

# Pass through items whose ACL is protected (-not: not protected)
filter AccessRulesProtected {
    param([Switch]$Not)
    $protected = (Get-Acl $_.FullName).AreAccessRulesProtected
    $result = if ($Not) {-not $protected} else {$protected}
    if ($result) {$_}
}

# ...and use them like this:
Get-ChildItem c:\ | Dirs | AccessRulesProtected

Get-ChildItem c:\ | Dirs | AccessRulesProtected -not

Get-ChildItem c:\ | Dirs | IsInherited -not

Get-ChildItem c:\ | Dirs | IsInherited

--
Robert

ksinc11

Feb 11, 2010, 8:30:01 AM
Robert,

Thank you for the help, this first block of code works well, and outputs a
list of folders where inheritance is turned off.

Now I just need to get the script to also output the "Owner" information &
the "Security Permissions" (users, groups, & access levels) that are applied
to these folders.

Thanks again for the help.

Kevin

ksinc11

Feb 11, 2010, 8:54:02 AM

When I run the following, I get some of the ACL information.
Unfortunately the AccessToString field only shows the first user/group in the
ACL, and not all of them.

PS C:\scripts> Get-ChildItem c:\scripts -recurse | ? {$_.PSIsContainer} |
? {Get-Acl $_.FullName | % {$_.GetAccessRules($true, $true, 'System.Security.Principal.NTAccount') | ? {!$_.IsInherited}}} |
get-acl | export-csv output.csv -noType

Any suggestions?

Thanks.

Kevin

ksinc11

Feb 11, 2010, 9:17:01 AM

Never mind, it helps to expand the cells in Excel, all the users and groups
were there.

Thank you for all the help.

Kevin
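
The report asked for in this thread, as an added example that is not code from either poster: it keeps only folders where AreAccessRulesProtected is $true and emits one CSV row per access rule (path, owner, identity, rights), so nothing depends on the multi-line AccessToString cell. It assumes Windows PowerShell 3.0 or later on NTFS; the function name Get-ProtectedFolderAcl and the temp-folder sample tree are constructed for illustration.

```powershell
# Added example: report every folder under $Root whose ACL blocks inheritance,
# one row per access rule. Get-ProtectedFolderAcl is a hypothetical name.
function Get-ProtectedFolderAcl {
    param([Parameter(Mandatory = $true)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -Directory | ForEach-Object {
        $folder = $_.FullName
        try {
            $acl = Get-Acl -LiteralPath $folder -ErrorAction Stop
        } catch {
            # Report unreadable ACLs instead of skipping them silently.
            Write-Warning "Cannot read ACL on ${folder}: $($_.Exception.Message)"
            return
        }
        # AreAccessRulesProtected is $true when inheritance is OFF.
        if (-not $acl.AreAccessRulesProtected) { return }

        foreach ($rule in $acl.Access) {
            [pscustomobject]@{
                Path        = $folder
                Owner       = $acl.Owner
                Identity    = $rule.IdentityReference.Value
                Rights      = $rule.FileSystemRights
                Type        = $rule.AccessControlType
                IsInherited = $rule.IsInherited
            }
        }
    }
}

# Constructed sample tree under the temp directory (not a real share):
# "open" keeps inheritance on, "locked" has it switched off.
$root = Join-Path ([IO.Path]::GetTempPath()) ("acl-demo-" + [guid]::NewGuid())
$null   = New-Item -ItemType Directory -Path (Join-Path $root 'open')
$locked = New-Item -ItemType Directory -Path (Join-Path $root 'locked')

$acl = Get-Acl -LiteralPath $locked.FullName
$acl.SetAccessRuleProtection($true, $true)   # protect, keep copies of inherited rules
Set-Acl -LiteralPath $locked.FullName -AclObject $acl

$csv = "$root.csv"
$report = @(Get-ProtectedFolderAcl -Root $root)
$report | Export-Csv -Path $csv -NoTypeInformation
$report | Format-Table -AutoSize
"Report written to $csv"

Remove-Item -LiteralPath $root -Recurse -Force   # remove the sample tree only
```

Against a real tree, call Get-ProtectedFolderAcl -Root on the share and pipe it to Export-Csv; the function only reads ACLs, and the SetAccessRuleProtection call belongs to the sample setup alone.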
