I've recently had the task of updating the permissions structures on our user home drives. I have a directory called home and a folder per user below home. There are two groups at the Home level, and these are forced down to each of the user folders. The user folders are set to inherit from their parent, and then the user is set to access only their folder.

I'm trying to write a PowerShell script which will show me if any folders have a specific ACL left behind. This is what I ended up with, and it just seems to return the sub-folder list for the specified directory, whereas I want only the folders which have the specified ACL.

$path = "\\server\share"
$folders = Get-ChildItem $path | where {$_.psiscontainer}

foreach ($folder in $folders)
{
    $domain = "domname"
    $aclname = "ACLname"
    $aclfullname = "$domain\$aclname"

    Get-Acl | select -ExpandProperty Access | where {$_.identityreference -contains $aclfullname}

    Write-Host $folder.FullName
}

If I use the following, it returns only one result, but it returns the ACL and not the folder name.

$path = "\\node1\home"
$domain = "morgan-cole"
$aclname = "gsherlock"
$aclfullname ="$domain\$aclname"

Get-ChildItem $path | where {$_.psiscontainer} | Get-Acl | select -ExpandProperty Access | where {$_.identityreference -contains $aclfullname}

Any ideas? Hopefully my requirements make sense.

1 Answer

This will do the trick:

Get-ChildItem $path | where {$_.psiscontainer} | where { $_ | Get-Acl | select -ExpandProperty Access | where {$_.IdentityReference -contains $aclfullname}}

Some explanation:

The reason why yours was not working the way you wanted in the second example is that it starts off as a folder in the pipeline, but is then transformed to an ACL that matches what you are looking for. However, it is now transformed into an ACL and you wanted the folder - not the actual ACL.

So, the "trick" is to keep the folder in the pipeline but filter the folder based on the ACL. This is achieved by nesting another pipeline inside the second where-object clause.

PS. There is probably a way to combine the first part that looks for psiscontainer into the second where clause but let's leave that for another day.
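
The same "keep the folder, filter on its ACL" idea as a reusable audit function, added here as an example that is not part of the original question or answer. It goes a step further than the one-liner by returning the matching entry's rights and whether it is inherited or explicit, which is what identifies an entry left behind on a single user folder. The function name `Find-FolderAce` and the `-ExplicitOnly` switch are hypothetical, and the demo assumes PowerShell 5 or later on Windows.

```powershell
# Added example (not from the post): list folders that carry an ACE for one identity.
function Find-FolderAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,   # DOMAIN\name, as in $aclfullname
        [switch] $ExplicitOnly                       # ignore ACEs inherited from the parent
    )
    Get-ChildItem -LiteralPath $Path -Directory | ForEach-Object {
        $folder = $_
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        }
        catch {
            # Report unreadable ACLs instead of silently skipping the folder.
            Write-Warning "Cannot read ACL on $($folder.FullName): $($_.Exception.Message)"
            return
        }
        $acl.Access |
            Where-Object { $_.IdentityReference.Value -eq $Identity } |
            Where-Object { -not $ExplicitOnly -or -not $_.IsInherited } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder      = $folder.FullName
                    Identity    = $_.IdentityReference.Value
                    Rights      = $_.FileSystemRights
                    Type        = $_.AccessControlType
                    IsInherited = $_.IsInherited
                }
            }
    }
}

# Constructed demo data: two temp folders, one given an explicit ACE for the current user.
$root = Join-Path $env:TEMP ("acedemo_" + [guid]::NewGuid().ToString('N'))
$a    = New-Item -ItemType Directory -Path (Join-Path $root 'alice')
$null = New-Item -ItemType Directory -Path (Join-Path $root 'bob')
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl  = Get-Acl -LiteralPath $a.FullName
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $me, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $a.FullName -AclObject $acl

Find-FolderAce -Path $root -Identity $me -ExplicitOnly | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Against the share from the question, the call would be `Find-FolderAce -Path $path -Identity $aclfullname -ExplicitOnly`.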