Need help with powershell

stess

I am looking for a way to write a powershell script that will return result for all folder that contain users or groups that are not inherited. I tried to run the script for non-inherited folder, but some folder are inherited...while have users/groups that were added later on without disabling the inheritance of the folder.

This is the script I found:
DIR "\path\abc" -directory -recurse | GET-ACL | where {$_.Access.IsInherited -eq $false}|Select-Object PSPATH |Export-Csv "c:\export.csv" -NoTypeInformation

Problem with this script is it read the folder inheritance, and not the users/groups. What is the powershell cmdlet to target users/groups without inheritance?

Below is an example of the folder in question.
https://i.imgur.com/ng58DDi.png

scottalanmiller

Tagged with PowerShell. Surprised no one has jumped on this yet.

dafyre

The Script you have gives you the path with ANY permissions that aren't inherited. Using the Get-ACL, it looks at anything that has permissions assigned to the folder. So it's looking in there and telling you "This path has somebody with permissions that are not inherited."

I take it the question you are wanting to answer is: WHO has permissions that are not inherited?

wrx7m

I could benefit from this. A simple ACL auditing script could come in handy.

dafyre

GitHub link: https://github.com/dafyre/PoweshellScripts/blob/master/folderInheritance.ps1

<#
.SYNOPSIS
  File / Folder Auditing script to determine which users have permissions that are *NOT* inherited.

.DESCRIPTION
   Date UpdatedBy Details
   08/10/2017 BW  Initial coding.
#>

$path="C:\TEMP"
$outFile="myFolderInheritance.csv"

$nonInherited=new-object System.Collections.ArrayList

$folders=dir $path -Directory -recurse|get-acl|
select @{Label='Path';Expression={$_.PSPath.replace("Microsoft.PowerShell.Core\FileSystem::","")}},
@{Label='User';Expression={$_.Access.identityReference}},
@{Label='IsInherited';Expression={$_.Access.IsInherited}}|
where {$_.IsInherited -eq $false}

foreach ($item in $folders) {
 $pass=0
 write-host "Checking folder $($item.path)"
 foreach ($user in $item.user) {
  #$x=$nonInherited "$($item.Path), $($user),$($item.IsInherited[$pass])"
  $x=$noninherited.add("$($item.Path), $($user),$($item.IsInherited[$pass])")
  $pass=$pass++
 }
}

$nonInherited|out-file -FilePath $outFile


write-host "Done."

dafyre

The Above script outputs a csv file (named myFolderInheritance.csv) that looks something like the following when run against C:\Program Files... (this is just a snippet)

C:\Program Files\Internet Explorer, CREATOR OWNER,False
C:\Program Files\Internet Explorer, NT AUTHORITY\SYSTEM,False
C:\Program Files\Internet Explorer, NT AUTHORITY\SYSTEM,False
C:\Program Files\Internet Explorer, BUILTIN\Administrators,False
C:\Program Files\Internet Explorer, BUILTIN\Administrators,False
C:\Program Files\Internet Explorer, BUILTIN\Users,False
C:\Program Files\Internet Explorer, BUILTIN\Users,False
C:\Program Files\Internet Explorer, NT SERVICE\TrustedInstaller,False
C:\Program Files\Internet Explorer, NT SERVICE\TrustedInstaller,False
C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES,False
C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES,False
C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES,False
C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES,False

EddieJennings

@scottalanmiller said in Need help with powershell:

Tagged with PowerShell. Surprised no one has jumped on this yet.

I did not have time yesterday to research an answer.

stess

@dafyre said in Need help with powershell:

GitHub link: https://github.com/dafyre/PoweshellScripts/blob/master/folderInheritance.ps1

<#
.SYNOPSIS
  File / Folder Auditing script to determine which users have permissions that are *NOT* inherited.

.DESCRIPTION
   Date UpdatedBy Details
   08/10/2017 BW  Initial coding.
#>

$path="C:\TEMP"
$outFile="myFolderInheritance.csv"

$nonInherited=new-object System.Collections.ArrayList

$folders=dir $path -Directory -recurse|get-acl|
select @{Label='Path';Expression={$_.PSPath.replace("Microsoft.PowerShell.Core\FileSystem::","")}},
@{Label='User';Expression={$_.Access.identityReference}},
@{Label='IsInherited';Expression={$_.Access.IsInherited}}|
where {$_.IsInherited -eq $false}

foreach ($item in $folders) {
 $pass=0
 write-host "Checking folder $($item.path)"
 foreach ($user in $item.user) {
  #$x=$nonInherited "$($item.Path), $($user),$($item.IsInherited[$pass])"
  $x=$noninherited.add("$($item.Path), $($user),$($item.IsInherited[$pass])")
  $pass=$pass++
 }
}

$nonInherited|out-file -FilePath $outFile


write-host "Done."

These works to certain extend of what I am looking for, but it needs some tweaking to work the way I am expecting the result.
Thanks!

dafyre

@stess said in Need help with powershell:

@dafyre said in Need help with powershell:

GitHub link: https://github.com/dafyre/PoweshellScripts/blob/master/folderInheritance.ps1

<#
.SYNOPSIS
  File / Folder Auditing script to determine which users have permissions that are *NOT* inherited.

.DESCRIPTION
   Date UpdatedBy Details
   08/10/2017 BW  Initial coding.
#>

$path="C:\TEMP"
$outFile="myFolderInheritance.csv"

$nonInherited=new-object System.Collections.ArrayList

$folders=dir $path -Directory -recurse|get-acl|
select @{Label='Path';Expression={$_.PSPath.replace("Microsoft.PowerShell.Core\FileSystem::","")}},
@{Label='User';Expression={$_.Access.identityReference}},
@{Label='IsInherited';Expression={$_.Access.IsInherited}}|
where {$_.IsInherited -eq $false}

foreach ($item in $folders) {
 $pass=0
 write-host "Checking folder $($item.path)"
 foreach ($user in $item.user) {
  #$x=$nonInherited "$($item.Path), $($user),$($item.IsInherited[$pass])"
  $x=$noninherited.add("$($item.Path), $($user),$($item.IsInherited[$pass])")
  $pass=$pass++
 }
}

$nonInherited|out-file -FilePath $outFile


write-host "Done."

These works to certain extend of what I am looking for, but it needs some tweaking to work the way I am expecting the result.
Thanks!

How are you wanting the result to look?

stess

@dafyre said in Need help with powershell:

@stess said in Need help with powershell:

@dafyre said in Need help with powershell:

GitHub link: https://github.com/dafyre/PoweshellScripts/blob/master/folderInheritance.ps1

<#
.SYNOPSIS
  File / Folder Auditing script to determine which users have permissions that are *NOT* inherited.

.DESCRIPTION
   Date UpdatedBy Details
   08/10/2017 BW  Initial coding.
#>

$path="C:\TEMP"
$outFile="myFolderInheritance.csv"

$nonInherited=new-object System.Collections.ArrayList

$folders=dir $path -Directory -recurse|get-acl|
select @{Label='Path';Expression={$_.PSPath.replace("Microsoft.PowerShell.Core\FileSystem::","")}},
@{Label='User';Expression={$_.Access.identityReference}},
@{Label='IsInherited';Expression={$_.Access.IsInherited}}|
where {$_.IsInherited -eq $false}

foreach ($item in $folders) {
 $pass=0
 write-host "Checking folder $($item.path)"
 foreach ($user in $item.user) {
  #$x=$nonInherited "$($item.Path), $($user),$($item.IsInherited[$pass])"
  $x=$noninherited.add("$($item.Path), $($user),$($item.IsInherited[$pass])")
  $pass=$pass++
 }
}

$nonInherited|out-file -FilePath $outFile


write-host "Done."

These works to certain extend of what I am looking for, but it needs some tweaking to work the way I am expecting the result.
Thanks!

How are you wanting the result to look?

The script doesn't appear to be showing false on non-inheritance. There either True or False for every member of the folder regardless of their inheritance.

I am looking into this post right now as it was brought up in Spiceworks.
It shows the result I am hoping for where non-inheritance = false and inherited = true.

dafyre

@stess said in Need help with powershell:

@dafyre said in Need help with powershell:

@stess said in Need help with powershell:

@dafyre said in Need help with powershell:

GitHub link: https://github.com/dafyre/PoweshellScripts/blob/master/folderInheritance.ps1

<#
.SYNOPSIS
  File / Folder Auditing script to determine which users have permissions that are *NOT* inherited.

.DESCRIPTION
   Date UpdatedBy Details
   08/10/2017 BW  Initial coding.
#>

$path="C:\TEMP"
$outFile="myFolderInheritance.csv"

$nonInherited=new-object System.Collections.ArrayList

$folders=dir $path -Directory -recurse|get-acl|
select @{Label='Path';Expression={$_.PSPath.replace("Microsoft.PowerShell.Core\FileSystem::","")}},
@{Label='User';Expression={$_.Access.identityReference}},
@{Label='IsInherited';Expression={$_.Access.IsInherited}}|
where {$_.IsInherited -eq $false}

foreach ($item in $folders) {
 $pass=0
 write-host "Checking folder $($item.path)"
 foreach ($user in $item.user) {
  #$x=$nonInherited "$($item.Path), $($user),$($item.IsInherited[$pass])"
  $x=$noninherited.add("$($item.Path), $($user),$($item.IsInherited[$pass])")
  $pass=$pass++
 }
}

$nonInherited|out-file -FilePath $outFile


write-host "Done."

These works to certain extend of what I am looking for, but it needs some tweaking to work the way I am expecting the result.
Thanks!

How are you wanting the result to look?

The script doesn't appear to be showing false on non-inheritance. There either True or False for every member of the folder regardless of their inheritance.

I am looking into this post right now as it was brought up in Spiceworks.
It shows the result I am hoping for where non-inheritance = false and inherited = true.

Ah, okay. I thought you wanted to only see the ones where Inherited=False...

So you want to see everything, and whether or not it is inherited?

Edit: Also for the CSV File generated, the layout is

Folder, User, Is Inherited 

Is Inhertied is True or False.