0 votes

I am creating a script that should check the file server for shares, and should list users that have any kind of access control type (allow / deny) and their rights on the share. I've successfully managed to create a collection of objects that have the data I want, but I have issues formatting them in the way I want.

Current situation, what the collection looks like:

Path    Identity  Access  Rights
Share1  User1     Allow   Full Control
Share1  Group1    Allow   Full Control
Share2  Group1    Deny    Full Control
Share2  Group2    Allow   Modify

I am fine with having shares appear in multiple objects, with one identity (user or a group) per object, but I would like to expand groups with their members when the $_.Identity in the pipe is a group. But I have issues getting there.

My code example is practically non-existent; I just tried to check every object in the pipe to see if its Identity can be used with Get-ADGroupMember, but that's it:

$Collection | ForEach-Object { if (Get-ADGroupMember $_.Identity) { Get-ADGroupMember $_.Identity } } ...

The desired solution should look like this:

Path    Identity      Access  Rights
Share1  User1         Allow   Full Control
Share1  User1, User2  Allow   Full Control
Share2  User1, User2  Deny    Full Control
Share2  User2, User3  Allow   Modify

In this test example, Group1 consists of User1 and User2, while Group2 consists of User2 and User3.

Any help is appreciated.

2
Not to answer the question but to make a suggestion: you should keep the group name in the output as well as the nested users. That way you know where the membership is coming from. - Matt

2 Answers

1 vote

I think what I would do is to generate the value on the pipeline like this:

$Collection | Select-Object Path, @{ l = 'Identity'; e = {
    # Get-ADGroupMember errors for a user; suppress that and fall back to the original identity.
    # Join on SamAccountName, otherwise the ADPrincipal objects render as distinguished names.
    $m = Get-ADGroupMember -Identity $_.Identity -ErrorAction SilentlyContinue
    if ($m) { $m.SamAccountName -join ', ' } else { $_.Identity } } }, Access, Rights

0 votes

I was working on a very similar script. Rather than bore you with my code, here's where I found assistance in sorting out the nested groups.

Sort Nested Groups

Basically, you create a function to get all the group members and then test each item. If it is a group, call the same function and pass it the newly found group name.

Regarding:

$_.identity

I used

$_.objectclass

That will tell you if the Get-ADGroupMember result is a user or a group. It will error on users, but I just suppress the errors at runtime with

$ErrorActionPreference = "SilentlyContinue"

That's probably not best practice, but it works for me.

I tested this with circular nesting and it does not get stuck in an infinite loop. It actually handled it perfectly by returning the individual results only once. Probably has to do with safeguards built into Windows for circular nesting situations.

Some of the info here might be helpful as well:

Circular Nesting Consequences - ServerFault
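Putting the two answers together, here is an added example (not code from the question or from either answer) that expands each ACL entry's identity into its member users the way the first answer does with a calculated property, but recursing through nested groups on objectClass as the second answer describes, with an explicit visited set so circular nesting cannot loop regardless of what AD itself guards against. It also keeps the group name next to the expanded users, as Matt's comment suggests. It assumes the ActiveDirectory module; the -MemberLookup parameter, the function name Expand-AclIdentity, the CONTOSO domain and the membership table at the bottom are all my own constructions so the logic can be run offline without a domain.

```powershell
# Added example: expand share-ACL identities into users, recursing through nested groups.
# Assumes the ActiveDirectory module for the real lookup; the -MemberLookup seam is a
# hypothetical parameter that lets the same code run against a constructed table.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

function Expand-AclIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Entry,
        # Given a bare name, return its direct members as objects with Name and objectClass,
        # or throw if the name is not a group (which is what Get-ADGroupMember does for a user).
        # Note: Get-ADGroupMember fails on groups above the ADWS size limit (5000 by default).
        [scriptblock] $MemberLookup = {
            param($Name)
            Get-ADGroupMember -Identity $Name -ErrorAction Stop |
                Select-Object @{ n = 'Name'; e = { $_.SamAccountName } }, objectClass
        }
    )
    process {
        # Get-Acl reports identities as DOMAIN\Name; the AD cmdlets want the bare name.
        $root = $Entry.Identity -replace '^.*\\', ''

        try { $members = @(& $MemberLookup $root) }
        catch {
            # Not a group: pass the user through unchanged.
            return [pscustomobject]@{ Path = $Entry.Path; Identity = $Entry.Identity
                                      Members = $root; Access = $Entry.Access; Rights = $Entry.Rights }
        }

        # Visited set is the circular-nesting guard: a group (or user) is walked at most once per entry.
        $seen  = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
        $users = [System.Collections.Generic.List[string]]::new()
        $queue = [System.Collections.Generic.Queue[object]]::new()
        [void]$seen.Add($root)
        $members | ForEach-Object { $queue.Enqueue($_) }

        while ($queue.Count -gt 0) {
            $m = $queue.Dequeue()
            if (-not $seen.Add($m.Name)) { continue }     # already visited (cycle or duplicate nesting)
            if ($m.objectClass -eq 'group') {
                try { @(& $MemberLookup $m.Name) | ForEach-Object { $queue.Enqueue($_) } } catch { }
            } else {
                $users.Add($m.Name)                        # users, computers, service accounts
            }
        }

        [pscustomobject]@{ Path = $Entry.Path; Identity = $Entry.Identity
                           Members = ($users | Sort-Object -Unique) -join ', '
                           Access = $Entry.Access; Rights = $Entry.Rights }
    }
}

# Constructed membership table standing in for AD (not real data). Group2 and Group3
# nest each other on purpose so the circular case is exercised.
$fakeAd = @{
    Group1 = @(@{ Name = 'User1'; objectClass = 'user' }, @{ Name = 'User2'; objectClass = 'user' })
    Group2 = @(@{ Name = 'User2'; objectClass = 'user' }, @{ Name = 'Group3'; objectClass = 'group' })
    Group3 = @(@{ Name = 'User3'; objectClass = 'user' }, @{ Name = 'Group2'; objectClass = 'group' })
}
$fakeLookup = {
    param($Name)
    if ($fakeAd.ContainsKey($Name)) { $fakeAd[$Name] | ForEach-Object { [pscustomobject]$_ } }
    else { throw "$Name is not a group" }
}

# Constructed sample of the collection from the question.
$Collection = @(
    [pscustomobject]@{ Path = 'Share1'; Identity = 'CONTOSO\User1';  Access = 'Allow'; Rights = 'Full Control' }
    [pscustomobject]@{ Path = 'Share1'; Identity = 'CONTOSO\Group1'; Access = 'Allow'; Rights = 'Full Control' }
    [pscustomobject]@{ Path = 'Share2'; Identity = 'CONTOSO\Group2'; Access = 'Deny';  Rights = 'Full Control' }
)

# Offline run against the table; against a real domain just drop -MemberLookup.
$Collection | Expand-AclIdentity -MemberLookup $fakeLookup |
    Format-Table Path, Identity, Members, Access, Rights -AutoSize
```

With the table above, Share1\User1 comes back with Members "User1", Group1 expands to "User1, User2", and Group2 expands to "User2, User3" even though Group3 points back at Group2: the second visit to Group2 hits the visited set and is skipped, so each user is listed once. Keeping Identity as the original group name and adding Members as a separate column is what lets you trace a Deny on Share2 back to the group that carries it rather than to the individual users.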