0
votes

Is it possible to change the permissions output file context from:

| Account | Folder Path | IdentityReference | AccessControlType | IsInherited | InheritanceFlags | PropagationFlags |
|---|---|---|---|---|---|---|
| NT AUTHORITY\SYSTEM AllowFALSEContainerInherit ObjectInheritNone | \uklonfap11\data\apps\ACCESS2 | NT AUTHORITY\SYSTEM | Allow | FALSE | ContainerInherit ObjectInherit | None |
| BUILTIN\Administrators AllowFALSEContainerInherit ObjectInheritNone | \uklonfap11\data\apps\ACCESS2 | BUILTIN\Administrators | Allow | FALSE | ContainerInherit ObjectInherit | None |

To something like:

| Account | Ace String | Object Path |
|---|---|---|
| SYSTEM | Allow Full Control, this folder, subfolders and files (Inherited) | \UKSHEFAP08\e$\Data\Global\PHE test cases\back up of phe\Test cases\Benefit statements |
| Everyone | Allow Modify, this folder, subfolders and files (Inherited) | \UKSHEFAP08\e$\Data\Global\PHE test cases\back up of phe\Test cases\Benefit statements |

Does this make sense, or does it require a complete change to the code? A snippet of the code is:

$OutFile = "C:\Users\munjanga\Documents\AoN Project\Execute\Output.csv"
$Header = "Folder Path,IdentityReference,AccessControlType,IsInherited,InheritanceFlags,PropagationFlags"
Del $OutFile
Add-Content -Value $Header -Path $OutFile 

$RootPath = "C:\Users\munjanga\Documents\Operations Orchestration"

$Folders = dir $RootPath -recurse | where {$_.psiscontainer -eq $true}

# Display text for the IsInherited flag
$isInherited = @{
  $true  = 'Inherited'
  $false = 'Not Inherited'
}

# Display text keyed by the numeric value of InheritanceFlags
$inheritance = @{
  0 = 'files only'
  1 = 'this folder and subfolders'
  2 = 'this folder and files'
  3 = 'subfolders and files'
}

$Folders | % {
  $fldr = $_.FullName
  Get-Acl $fldr | select -Expand Access |
    select @{n='Account';e={$_.IdentityReference}},
           @{n='ACE String';e={"{0} {1}, {2} ({3})" -f $_.AccessControlType,
             $_.FileSystemRights, $inheritance[$_.InheritanceFlags.value__],
             $isInherited[$_.IsInherited]}},
           @{n='Object Path';e={$fldr}}
}
1
Looks like you want a CSV file. If so, don't reinvent the wheel. Use Select-Object or format as a custom table. Then export with Export-Csv. - Alexander Obersht

1 Answer

0
votes

You could use calculated properties for this:

$fldr = $Folder.FullName
Get-Acl $fldr | select -Expand Access |
  select @{n='Account';e={$_.IdentityReference}},
         @{n='ACE String';e={"{0} {1}, {2} ({3})" -f $_.AccessControlType,
           $_.FileSystemRights, $_.InheritanceFlags, $_.IsInherited}},
         @{n='Object Path';e={$fldr}}

Custom text can be provided via hashtables, e.g.:

$isInherited = @{
  $true  = 'Inherited'
  $false = 'Not Inherited'
}

$inheritance = @{
  0 = 'files only'
  1 = 'this folder and subfolders'
  2 = 'this folder and files'
  3 = 'subfolders and files'
}

$fldr = $Folder.FullName
Get-Acl $fldr | select -Expand Access |
  select @{n='Account';e={$_.IdentityReference}},
         @{n='ACE String';e={"{0} {1}, {2} ({3})" -f $_.AccessControlType,
           $_.FileSystemRights, $inheritance[$_.InheritanceFlags.value__],
           $isInherited[$_.IsInherited]}},
         @{n='Object Path';e={$fldr}}

However, permissions displayed in the GUI sometimes consist of more than a single ACE, so there is no simple way to achieve exactly what you want. You'd have to evaluate all ACEs of any given ACL and merge the ones matching particular criteria into a single display record.


As a side note: you shouldn't hand-craft CSVs. Let PowerShell do the work for you:

$Folders | % {
  $fldr = $_.FullName
  Get-Acl $fldr | select -Expand Access | ...
} | Export-Csv $OutFile -NoType
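
An added example, not part of the answer above or of the asker's script: it emits one Account / ACE String / Object Path record per ACE and derives the "applies to" text from InheritanceFlags and PropagationFlags together, which goes beyond the hashtable lookup on InheritanceFlags alone. The function names `Get-AppliesTo` and `Get-FolderAceReport` and the scratch folder are assumptions made for the example; it needs Windows with PowerShell 3.0 or later and does not merge several ACEs into one display record.

```powershell
# Added example: wording for the scope of a folder ACE, derived from both flag fields.
function Get-AppliesTo {
    param(
        [System.Security.AccessControl.InheritanceFlags]$InheritanceFlags,
        [System.Security.AccessControl.PropagationFlags]$PropagationFlags
    )
    $ci = $InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $oi = $InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $io = $PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)

    # No inheritance flags: the ACE is not passed on to any child object.
    if (-not $ci -and -not $oi) { return 'this folder only' }

    $children = if ($ci -and $oi) { 'subfolders and files' } elseif ($ci) { 'subfolders' } else { 'files' }

    # InheritOnly: the ACE applies to the children but not to the folder itself.
    if ($io) { return "$children only" }
    if ($ci -and $oi) { return 'this folder, subfolders and files' }
    return "this folder and $children"
}

# One record per ACE for every folder below $RootPath (hypothetical helper).
function Get-FolderAceReport {
    param([Parameter(Mandatory = $true)][string]$RootPath)

    foreach ($folder in Get-ChildItem -LiteralPath $RootPath -Recurse -Directory) {
        foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
            $scope  = Get-AppliesTo $ace.InheritanceFlags $ace.PropagationFlags
            $origin = if ($ace.IsInherited) { 'Inherited' } else { 'Not Inherited' }
            [pscustomobject]@{
                'Account'     = $ace.IdentityReference.Value
                'ACE String'  = '{0} {1}, {2} ({3})' -f $ace.AccessControlType, $ace.FileSystemRights, $scope, $origin
                'Object Path' = $folder.FullName
            }
        }
    }
}

# Constructed sample input: a scratch folder tree under the temp directory.
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'acl-report-demo'
New-Item -ItemType Directory -Path (Join-Path $root 'sub') -Force | Out-Null

$outFile = Join-Path $root 'Output.csv'
Get-FolderAceReport -RootPath $root | Export-Csv -Path $outFile -NoTypeInformation
Import-Csv -Path $outFile | Format-Table -AutoSize
```

FileSystemRights is printed with its enum names (FullControl, Modify) rather than the dialog's wording, and ACEs that carry generic rights show up as raw numbers.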