
I'm trying to collect folder permissions to a CSV file with PowerShell. My problem is that I'd need the results to contain both the SamAccountName and FileSystemRights.

I tried two different methods. The first I came up with was a simple approach that gave me IdentityReference and FileSystemRights, but I couldn't find any working method that can get SamAccountName from IdentityReference. The second one I found on the internet was much more sophisticated. It collects all the accounts that have access to the folder, but it doesn't show FileSystemRights and I couldn't figure out how to change it to do so.

My own solution

(Get-Acl "FolderPath").Access | Select-Object IdentityReference, FileSystemRights

The solution I found

Get-Acl $UncPath |
    Select-Object -ExpandProperty Access |                         # one object per ACE
    Where-Object { (-not $_.IsInherited) -and ('NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER' -notcontains $_.IdentityReference) } |
    Select-Object -ExpandProperty IdentityReference |              # from here on FileSystemRights is no longer in the pipeline
    ForEach-Object { $_.Translate('System.Security.Principal.SecurityIdentifier').Value } |   # NTAccount -> SID string
    Get-ADGroup -ErrorAction SilentlyContinue |                    # only SIDs that are AD groups survive this step
    Get-ADGroupMember |
    Select-Object SamAccountName |
    Format-Table | Out-String

Is there any working method that can get me a result where I can see SamAccountName and FileSystemRights?

Thank you in advance.

Have a look at the common parameter -PipelineVariable. See this mcpmag article and/or read Get-Help about_CommonParameters - user6811411
I read the article, and admitting that I'm a newbie in PowerShell, I can't see how this could help me solve this particular problem. - sgtGiggsy
Piping with several steps and expanding properties lets you lose access to former properties; the article shows how to circumvent this with the -PipelineVariable. - user6811411
Well, to me the first method with some solution to convert IdentityReference to SamAccountName would be enough. I only tried that long pipelined code because I couldn't get the first method to work as I wanted. - sgtGiggsy

1 Answer

Import-Module ActiveDirectory   # Get-ADUser / Get-ADGroup / Get-ADGroupMember come from RSAT

$UncPath = 'E:\temp\test'

# Explicit (non-inherited) ACEs, minus the built-in principals, with the DOMAIN\ prefix stripped
$all = Get-Acl $UncPath |
            Select-Object -ExpandProperty Access |
            Where-Object { (-not $_.IsInherited) -and ('NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER' -notcontains $_.IdentityReference) } |
            Select-Object @{ Name = 'Identity'; Expression = { $_.IdentityReference -replace "\w+\\(.+)", '$1' } }, FileSystemRights

# Here you can get Users ACL (identities that resolve as AD users)
$distinct_users = $all |
            Select-Object Identity, @{ Name = 'sAMAccountName'; Expression = { (Get-ADUser -Identity $_.Identity -ErrorAction SilentlyContinue).sAMAccountName }}, FileSystemRights |
            Where-Object sAMAccountName -ne $null

# Here we will expand group ACLs (identities that resolve as AD groups)
$groups = $all |
            Select-Object Identity, @{ Name = 'sAMAccountName'; Expression = { (Get-ADGroup -Identity $_.Identity -ErrorAction SilentlyContinue).sAMAccountName }}, FileSystemRights |
            Where-Object sAMAccountName -ne $null

# Now we will get group membership; every member gets the group's rights
$group_users = @()
foreach ($group in $groups) {
    Get-ADGroupMember -Identity $group.Identity | ForEach-Object {
        $group_users += [PSCustomObject]@{
            'Identity'         = $group.Identity
            'sAMAccountName'   = $_.sAMAccountName
            'FileSystemRights' = $group.FileSystemRights
        }
    }
}

# @() so that a single direct user (a scalar, not an array) still concatenates with the group rows
$everyone = @($distinct_users) + $group_users
$everyone | Export-Csv -Path D:\example.csv -NoTypeInformation

Check the $everyone variable; it will contain 3 columns: Identity as it was in the ACL, sAMAccountName and FileSystemRights.
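A combined version as an added example (not code from the question or the answer): it keeps each ACE reachable with -PipelineVariable, as the comments suggest, resolves the identity to a SID and looks it up once with Get-ADObject, and optionally flattens nested group membership. Get-FolderAccessReport is a name chosen here; it assumes the ActiveDirectory (RSAT) module on a domain-joined host.

```powershell
# Added example: not the question's or the answer's code. Assumes the
# ActiveDirectory (RSAT) module on a domain-joined host.
Import-Module ActiveDirectory

function Get-FolderAccessReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $ExpandGroups
    )
    Get-Acl -Path $Path |
        Select-Object -ExpandProperty Access -PipelineVariable ace |   # $ace keeps the whole ACE downstream
        ForEach-Object {
            # Resolve to a SID first: works for DOMAIN\name, BUILTIN and well-known accounts alike
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $null }   # unresolvable identity: still reported, just without AD data

            # One AD lookup per ACE; users, groups and computers all carry objectSid
            $adObj = if ($sid) { Get-ADObject -Filter "objectSid -eq '$sid'" -Properties sAMAccountName }

            # Flatten nested groups so the report shows who effectively holds the rights
            $members = if ($ExpandGroups -and $adObj.ObjectClass -eq 'group') {
                Get-ADGroupMember -Identity $adObj.DistinguishedName -Recursive
            }
            if ($members) { $principals = @($members); $via = $adObj.sAMAccountName }
            else          { $principals = @($adObj);   $via = $null }

            foreach ($p in $principals) {
                # Deny and inherited entries are kept and labelled rather than filtered away,
                # so an audit cannot mistake a denied or inherited principal for a direct grant
                [PSCustomObject]@{
                    Identity          = $ace.IdentityReference.Value
                    SID               = $sid
                    ObjectClass       = $p.ObjectClass
                    sAMAccountName    = $p.sAMAccountName
                    ViaGroup          = $via
                    FileSystemRights  = $ace.FileSystemRights
                    AccessControlType = $ace.AccessControlType
                    IsInherited       = $ace.IsInherited
                }
            }
        }
}

# Same folder and output file as in the answer
Get-FolderAccessReport -Path 'E:\temp\test' -ExpandGroups |
    Export-Csv -Path D:\example.csv -NoTypeInformation
```

Local and built-in principals appear with an empty sAMAccountName instead of being dropped, so the CSV still shows every ACE on the folder.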