Need help with powershell
Tagged with PowerShell. Surprised no one has jumped on this yet.
The script you have gives you the path with ANY permissions that aren't inherited. Using Get-ACL, it looks at anything that has permissions assigned to the folder. So it's looking in there and telling you "This path has somebody with permissions that are not inherited."
I take it the question you are wanting to answer is: WHO has permissions that are not inherited?
I could benefit from this. A simple ACL auditing script could come in handy.
GitHub link:
```powershell
<#
.SYNOPSIS
   File / Folder Auditing script to determine which users have permissions that are *NOT* inherited.
.DESCRIPTION
   Date       UpdatedBy  Details
   08/10/2017 BW         Initial coding.
#>
$path="C:\TEMP"
$outFile="myFolderInheritance.csv"
$nonInherited=new-object System.Collections.ArrayList

$folders=dir $path -Directory -recurse|get-acl|
   select @{Label='Path';Expression={$_.PSPath.replace("Microsoft.PowerShell.Core\FileSystem::","")}},
          @{Label='User';Expression={$_.Access.identityReference}},
          @{Label='IsInherited';Expression={$_.Access.IsInherited}}|
   where {$_.IsInherited -eq $false}

foreach ($item in $folders) {
   $pass=0
   write-host "Checking folder $($item.path)"
   foreach ($user in $item.user) {
      #$x=$nonInherited "$($item.Path), $($user),$($item.IsInherited[$pass])"
      $x=$noninherited.add("$($item.Path), $($user),$($item.IsInherited[$pass])")
      $pass=$pass++
   }
}

$nonInherited|out-file -FilePath $outFile
write-host "Done."
```
The above script outputs a csv file (named myFolderInheritance.csv) that looks something like the following when run against C:\Program Files... (this is just a snippet)

```
C:\Program Files\Internet Explorer, CREATOR OWNER,False
C:\Program Files\Internet Explorer, NT AUTHORITY\SYSTEM,False
C:\Program Files\Internet Explorer, NT AUTHORITY\SYSTEM,False
C:\Program Files\Internet Explorer, BUILTIN\Administrators,False
C:\Program Files\Internet Explorer, BUILTIN\Administrators,False
C:\Program Files\Internet Explorer, BUILTIN\Users,False
C:\Program Files\Internet Explorer, BUILTIN\Users,False
C:\Program Files\Internet Explorer, NT SERVICE\TrustedInstaller,False
C:\Program Files\Internet Explorer, NT SERVICE\TrustedInstaller,False
C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES,False
C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES,False
C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES,False
C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES,False
```
@scottalanmiller said in Need help with powershell:
Tagged with PowerShell. Surprised no one has jumped on this yet.
I did not have time yesterday to research an answer.
@dafyre said in Need help with powershell:
GitHub link:
This works to a certain extent for what I am looking for, but it needs some tweaking to work the way I am expecting the result.
Thanks!
@stess said in Need help with powershell:
This works to a certain extent for what I am looking for, but it needs some tweaking to work the way I am expecting the result.
Thanks!
How are you wanting the result to look?
@dafyre said in Need help with powershell:
How are you wanting the result to look?
The script doesn't appear to be showing false on non-inheritance. There is either True or False for every member of the folder regardless of their inheritance.
I am looking into this post right now as it was brought up in Spiceworks.
It shows the result I am hoping for where non-inheritance = false and inherited = true.
@stess said in Need help with powershell:
The script doesn't appear to be showing false on non-inheritance. There is either True or False for every member of the folder regardless of their inheritance.
I am looking into this post right now as it was brought up in Spiceworks.
It shows the result I am hoping for where non-inheritance = false and inherited = true.
Ah, okay. I thought you wanted to only see the ones where Inherited=False...
So you want to see everything, and whether or not it is inherited?
Edit: Also for the CSV File generated, the layout is
Folder, User, Is Inherited
Is Inherited is True or False.
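
An added example, not from any poster in this thread: a per-ACE audit that emits one Folder, User, IsInherited row per access entry, so each identity is paired with its own inheritance flag instead of one looked up by index in a parallel array. The function name `Get-FolderAceReport`, the `-ExplicitOnly` switch, the extra Rights and Type columns and the throwaway demo tree under `$env:TEMP` are assumptions made for illustration.

```powershell
# Added example: one row per ACE, each with its own IsInherited value.
function Get-FolderAceReport {
    param(
        [Parameter(Mandatory)][string]$Path,   # root folder to audit
        [switch]$ExplicitOnly                  # keep only non-inherited ACEs
    )
    Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $folder = $_.FullName
            try   { $acl = Get-Acl -LiteralPath $folder -ErrorAction Stop }
            catch { Write-Warning "Cannot read ACL: $folder"; return }
            foreach ($ace in $acl.Access) {
                if ($ExplicitOnly -and $ace.IsInherited) { continue }
                [pscustomobject]@{
                    Folder      = $folder
                    User        = $ace.IdentityReference.Value
                    Rights      = $ace.FileSystemRights
                    Type        = $ace.AccessControlType
                    IsInherited = $ace.IsInherited
                }
            }
        }
}

# Constructed sample tree: 'open' gets one explicit ACE, 'plain' only inherits.
$root = Join-Path $env:TEMP "acl-demo-$(Get-Random)"
$open = New-Item -ItemType Directory -Path (Join-Path $root 'open') -Force
$null = New-Item -ItemType Directory -Path (Join-Path $root 'plain') -Force
$acl  = Get-Acl -LiteralPath $open.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Users', 'ReadAndExecute',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $open.FullName -AclObject $acl

# Full listing (every ACE with its True/False flag) goes to the CSV;
# the explicit-only view is what an access review would look at first.
Get-FolderAceReport -Path $root |
    Export-Csv -Path 'myFolderInheritance.csv' -NoTypeInformation
Get-FolderAceReport -Path $root -ExplicitOnly | Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force   # clean up the demo tree
```

Without `-ExplicitOnly` every entry is listed with its own True or False; with it, only the explicitly assigned entries remain, which is where permissions that drift from the parent folder show up.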