0 votes

I'm trying to collect folder permissions into a CSV file with PowerShell. My problem is that I'd need the results to contain both the SamAccountName and the FileSystemRights.

I tried two different methods. The first I came up with was a simple approach that gave me IdentityReference and FileSystemRights, but I couldn't find any working method that can get the SamAccountName from the IdentityReference. The second one I found on the internet was much more sophisticated. It collects all the accounts that have access to the folder, but it doesn't show FileSystemRights and I couldn't figure out how to change it to do so.

My own solution

(Get-Acl "FolderPath").Access | Select-Object IdentityReference, FileSystemRights

The solution I found

Get-Acl $UncPath |
    Select-Object -ExpandProperty Access |
    Where-Object { (-not $_.IsInherited) -and ('NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER' -notcontains $_.IdentityReference) } |
    Select-Object -ExpandProperty IdentityReference |
    ForEach-Object { $_.Translate('System.Security.Principal.SecurityIdentifier').Value } |
    Get-ADGroup -ErrorAction SilentlyContinue |
    Get-ADGroupMember |
    Select-Object SamAccountName |
    Format-Table |
    Out-String

Is there any working method that can get me a result where I can see both SamAccountName and FileSystemRights?

Thank you in advance.

1
Have a look at the common parameter -PipelineVariable. See this mcpmag article and/or read Get-Help about_CommonParameters. - user6811411
I read the article, and, admitting that I'm a newbie in PowerShell, I can't see how this could help me solve this particular problem. - sgtGiggsy
Piping through several steps and expanding properties makes you lose access to the earlier properties; the article shows how to circumvent this with -PipelineVariable. - user6811411
Well, to me the first method with some way to convert IdentityReference to SamAccountName would be enough. I only tried that long pipelined code because I couldn't get the first method to work as I wanted. - sgtGiggsy

1 Answer

0 votes
Import-Module ActiveDirectory   # provides Get-ADUser / Get-ADGroup / Get-ADGroupMember (RSAT)

$UncPath = 'E:\temp\test'

# Explicit (non-inherited) ACEs only, minus the usual system principals.
# The -replace strips the DOMAIN\ prefix so the bare name can be fed to the AD cmdlets.
$all = Get-Acl $UncPath |
            Select-Object -ExpandProperty Access |
            Where-Object { (-not $_.IsInherited) -and ('NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER' -notcontains $_.IdentityReference) } |
            Select-Object @{ Name = 'Identity'; Expression = { $_.IdentityReference -replace "\w+\\(.+)", '$1' } }, FileSystemRights

# Here you can get the users' ACEs.
# Get-ADUser/Get-ADGroup -Identity raise a terminating error for an unknown name, which
# -ErrorAction SilentlyContinue does not swallow, so the lookup is wrapped in try/catch.
$distinct_users = $all |
            Select-Object Identity, @{ Name = 'sAMAccountName'; Expression = { try { (Get-ADUser -Identity $_.Identity -ErrorAction Stop).sAMAccountName } catch { $null } } }, FileSystemRights |
            Where-Object sAMAccountName -ne $null

# Here we will expand the group ACEs
$groups = $all |
            Select-Object Identity, @{ Name = 'sAMAccountName'; Expression = { try { (Get-ADGroup -Identity $_.Identity -ErrorAction Stop).sAMAccountName } catch { $null } } }, FileSystemRights |
            Where-Object sAMAccountName -ne $null

# Now we will get the group membership (direct members only; add -Recursive to flatten nested groups)
$group_users = foreach ($group in $groups) {
    Get-ADGroupMember -Identity $group.Identity | ForEach-Object {
        [PSCustomObject]@{
            'Identity'         = $group.Identity
            'sAMAccountName'   = $_.sAMAccountName
            'FileSystemRights' = $group.FileSystemRights
        }
    }
}

# @() keeps the + working when either side is a single object or empty
$everyone = @($distinct_users) + @($group_users)
$everyone | Export-Csv -Path D:\example.csv -NoTypeInformation

Check the $everyone variable; it will contain 3 columns: Identity as it was in the ACL, sAMAccountName and FileSystemRights.
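The same report can be built without string-stripping the domain prefix or guessing whether a name is a user or a group: translate each IdentityReference to a SID, look the SID up in AD, and expand groups recursively while the ACE (and its FileSystemRights) is still in scope. The following is an added example, not code from the question or the answer above. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the folder; the function names Get-FolderAccessReport and New-AccessRow and the Via column are invented for this example.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory
# module is installed and the machine is domain-joined.
Import-Module ActiveDirectory

# Hypothetical helper: one output row per (ACE, principal) pair, keeping the ACE fields
function New-AccessRow($Ace, $SamAccountName, $Via) {
    [pscustomobject]@{
        Identity          = $Ace.IdentityReference.Value
        SamAccountName    = $SamAccountName
        Via               = $Via                     # 'direct', 'group:<name>' or 'unresolved'
        AccessControlType = $Ace.AccessControlType   # Allow or Deny; a Deny row is not a grant
        FileSystemRights  = $Ace.FileSystemRights
        IsInherited       = $Ace.IsInherited
    }
}

# Hypothetical function name
function Get-FolderAccessReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $IncludeInherited
    )

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if (-not $IncludeInherited -and $ace.IsInherited) { continue }

        # Resolve the name to a SID instead of parsing "DOMAIN\name"; works for
        # well-known and BUILTIN principals and for ACEs that already hold a raw SID.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $sid = $null   # name the local machine cannot map
        }

        $adObj = $null
        if ($sid) {
            # objectSid lookup returns the object whatever its class (user, group, computer, gMSA)
            $adObj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties sAMAccountName
        }

        if (-not $adObj) {
            # Local account, service SID (e.g. NT AUTHORITY\SYSTEM) or deleted principal:
            # emit the row anyway so the ACE is not silently dropped from the report.
            New-AccessRow $ace $null 'unresolved'
            continue
        }

        if ($adObj.ObjectClass -eq 'group') {
            # -Recursive flattens nested groups and returns only leaf principals
            Get-ADGroupMember -Identity $adObj.DistinguishedName -Recursive |
                ForEach-Object { New-AccessRow $ace $_.SamAccountName "group:$($adObj.sAMAccountName)" }
        } else {
            New-AccessRow $ace $adObj.sAMAccountName 'direct'
        }
    }
}

# Usage: one row per effective principal, with the right it holds and how it got it
Get-FolderAccessReport -Path 'E:\temp\test' |
    Export-Csv -Path 'D:\example.csv' -NoTypeInformation -Encoding UTF8
```

Because the loop body runs while `$ace` is still in scope, the FileSystemRights never get lost the way they do in a pipeline that ends in `Select-Object -ExpandProperty` (the problem `-PipelineVariable` was suggested for in the comments). Two caveats: Get-ADGroupMember errors out on groups that contain foreign security principals or exceed the server's member-enumeration limit, in which case read the group's `member` attribute with Get-ADGroup -Properties member instead; and filter or flag rows with AccessControlType Deny before anyone reads the CSV as a list of who can access the folder.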