Need help with powershell
-
Tagged with PowerShell. Surprised no one has jumped on this yet.
-
The script you have gives you the path with ANY permissions that aren't inherited. Using Get-ACL, it looks at anything that has permissions assigned to the folder. So it's looking in there and telling you "This path has somebody with permissions that are not inherited."
I take it the question you are wanting to answer is: WHO has permissions that are not inherited?
-
I could benefit from this. A simple ACL auditing script could come in handy.
-
GitHub link: https://github.com/dafyre/PoweshellScripts/blob/master/folderInheritance.ps1
<#
.SYNOPSIS
File / Folder Auditing script to determine which users have permissions that are *NOT* inherited.
.DESCRIPTION
Date        UpdatedBy   Details
08/10/2017  BW          Initial coding.
#>
$path="C:\TEMP"
$outFile="myFolderInheritance.csv"
$nonInherited=new-object System.Collections.ArrayList

# Keep every folder whose ACL has at least one non-inherited entry.
# (-contains is used because IsInherited is a list of values, one per ACL entry;
#  with -eq a folder that has exactly one non-inherited entry is dropped.)
$folders=dir $path -Directory -recurse|get-acl|
  select @{Label='Path';Expression={$_.PSPath.replace("Microsoft.PowerShell.Core\FileSystem::","")}},
    @{Label='User';Expression={$_.Access.identityReference}},
    @{Label='IsInherited';Expression={$_.Access.IsInherited}}|
  where {$_.IsInherited -contains $false}

foreach ($item in $folders) {
  $pass=0
  write-host "Checking folder $($item.path)"
  foreach ($user in $item.user) {
    #$x=$nonInherited "$($item.Path), $($user),$($item.IsInherited[$pass])"
    $x=$noninherited.add("$($item.Path), $($user),$($item.IsInherited[$pass])")
    # Advance the index so each user is paired with its own IsInherited value
    # ($pass=$pass++ leaves $pass at 0).
    $pass++
  }
}
$nonInherited|out-file -FilePath $outFile
write-host "Done."
-
The above script outputs a CSV file (named myFolderInheritance.csv) that looks something like the following when run against C:\Program Files... (this is just a snippet)
C:\Program Files\Internet Explorer, CREATOR OWNER,False
C:\Program Files\Internet Explorer, NT AUTHORITY\SYSTEM,False
C:\Program Files\Internet Explorer, NT AUTHORITY\SYSTEM,False
C:\Program Files\Internet Explorer, BUILTIN\Administrators,False
C:\Program Files\Internet Explorer, BUILTIN\Administrators,False
C:\Program Files\Internet Explorer, BUILTIN\Users,False
C:\Program Files\Internet Explorer, BUILTIN\Users,False
C:\Program Files\Internet Explorer, NT SERVICE\TrustedInstaller,False
C:\Program Files\Internet Explorer, NT SERVICE\TrustedInstaller,False
C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES,False
C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES,False
C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES,False
C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES,False
-
@scottalanmiller said in Need help with powershell:
Tagged with PowerShell. Surprised no one has jumped on this yet.
I did not have time yesterday to research an answer.
-
@dafyre said in Need help with powershell:
GitHub link: https://github.com/dafyre/PoweshellScripts/blob/master/folderInheritance.ps1
This works to a certain extent for what I am looking for, but it needs some tweaking to work the way I am expecting the result.
Thanks!
-
@stess said in Need help with powershell:
This works to a certain extent for what I am looking for, but it needs some tweaking to work the way I am expecting the result.
Thanks!
How are you wanting the result to look?
-
@dafyre said in Need help with powershell:
How are you wanting the result to look?
The script doesn't appear to be showing false on non-inheritance. There's either True or False for every member of the folder regardless of their inheritance.
I am looking into this post right now as it was brought up in Spiceworks.
It shows the result I am hoping for where non-inheritance = false and inherited = true.
-
@stess said in Need help with powershell:
The script doesn't appear to be showing false on non-inheritance. There's either True or False for every member of the folder regardless of their inheritance.
I am looking into this post right now as it was brought up in Spiceworks.
It shows the result I am hoping for where non-inheritance = false and inherited = true.
Ah, okay. I thought you wanted to only see the ones where Inherited=False...
So you want to see everything, and whether or not it is inherited?
Edit: Also, for the CSV file generated, the layout is
Folder, User, Is Inherited
Is Inherited is True or False.
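
An added example, not part of any post in this thread and not the code from the linked repository: a per-entry variant of the audit discussed above, which emits one row per access control entry so that each user carries its own IsInherited value and the report can show either everything or only the explicit grants. The function name Get-FolderAceReport, the -ExplicitOnly switch and the output file name are hypothetical; C:\TEMP is the path used in the thread's script.

```powershell
# Added example: one output row per access control entry (ACE).
# Get-FolderAceReport and its parameters are hypothetical names.
function Get-FolderAceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # When set, only explicitly assigned (non-inherited) ACEs are returned.
        [switch] $ExplicitOnly
    )
    # Folders that cannot be listed surface as errors instead of being hidden,
    # so gaps in the audit are visible.
    Get-ChildItem -LiteralPath $Path -Directory -Recurse |
        ForEach-Object {
            $folder = $_.FullName
            try {
                $acl = Get-Acl -LiteralPath $folder -ErrorAction Stop
            } catch {
                Write-Warning "Cannot read ACL on ${folder}: $($_.Exception.Message)"
                return   # skip this folder, continue with the next one
            }
            foreach ($ace in $acl.Access) {
                if ($ExplicitOnly -and $ace.IsInherited) { continue }
                [pscustomobject]@{
                    Folder              = $folder
                    User                = $ace.IdentityReference.Value
                    Rights              = $ace.FileSystemRights
                    Type                = $ace.AccessControlType
                    IsInherited         = $ace.IsInherited
                    # True when inheritance has been switched off on the folder
                    InheritanceDisabled = $acl.AreAccessRulesProtected
                }
            }
        }
}

# Full report: every entry with IsInherited = True or False.
Get-FolderAceReport -Path 'C:\TEMP' |
    Export-Csv -Path 'folderAceReport.csv' -NoTypeInformation

# Only the explicit (non-inherited) grants, grouped for review.
Get-FolderAceReport -Path 'C:\TEMP' -ExplicitOnly |
    Sort-Object Folder, User |
    Format-Table Folder, User, Rights, Type -AutoSize
```

Export-Csv quotes each field, so identities and paths that contain commas do not shift columns the way they can in a hand-built comma-joined string.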