How do I recursively check Folder Permissions?

When reviewing permissions on folders, it’s often important to not only know what groups have been assigned access, but to show the members of those groups as well (all in a single report). And what if those groups have nested groups? We should be able to recurse those as well.

This script achieves the following:

Recurse all folders from the parent
Checks the ACLs applied to every folder found
Extrapolates any groups with ACLs and recurse any nested groups found
Outputs the each users rights, including the group name that gave them access

The output is a CSV file, with the fields: <foldername> ^ <ACL Permissions> ^ <Group name or ‘Direct Assignment’> ^ <Users name>

Like this:

# Define the parent folder to check permissions on
$foldertosearch = "c:\temp\kamal";

# Where to save the results
$exportfile = "c:\temp\kamal\permissions.csv"

# Delimiter used in the output file - DO NOT use a comma
$exportdelimiter = "^";

# Get all folder and sub-folder paths
$parentfolder = @(get-item $foldertosearch);
$subfolders = @(get-childitem $foldertosearch -recurse);
$allfolders = $parentfolder + $subfolders;

# Get domain name as a wildcard
$domainwildcard = (get-addomain).netbiosname + "*";


# Recursive function to find groups and sub groups
function get-subgroups ($groupname, $foldername, $rights) {

    # Get all members of the group    
    $members = get-adgroup $groupname | get-adgroupmember;

    # Loop through each member
    foreach ($member in $members) {

        # If a sub-group is found, recurse
        if ($member.objectclass -eq "group") {

            get-subgroups $member.samaccountname $foldername $rights;
        }

        # If a user is found, export results
        if ($member.objectclass -eq "user") {

            $output = ($folder.fullname, $permission.filesystemrights, $groupname, $member.name) -join $script:exportdelimiter;
            $output >> $script:exportfile;
        }
    }
}

# Loop through each folder
foreach ($folder in $allfolders) {

    # Get ACLS
    $acls = get-acl $folder.fullname;
    
    # Loop through each ACL on the folder
    foreach ($acl in $acls) {
 
        $access = $acl.access;

        # Loop through each permission within the ACL
        foreach ($permission in $access) {

            # Only check identities matching the domain name
            if ($permission.identityreference -like $domainwildcard) {

                # Remove the domain name from the identity
                $identity = ($permission.identityreference -split "\\")[1];

                # Get AD Object
                $adobject = get-adobject -filter 'SamAccountName -eq $identity';
           
                # If the identity is a group, recurse
                if ($adobject.objectclass -eq "group") {

                  get-subgroups $identity $folder.fullname $permission.filesystemrights;
                    
                }

                # If a user is found, export results
                if ($adobject.objectclass -eq "user") {

                    $output = ($folder.fullname, $permission.filesystemrights, "Direct Assignment", $identity) -join $exportdelimiter;
                    $output >> $exportfile;
                }
            }
        }
    }
}

# Define the parent folder to check permissions on

$foldertosearch = "c:\temp\kamal";

# Where to save the results

$exportfile = "c:\temp\kamal\permissions.csv"

# Delimiter used in the output file - DO NOT use a comma

$exportdelimiter = "^";

# Get all folder and sub-folder paths

$parentfolder = @(get-item $foldertosearch);

$subfolders = @(get-childitem $foldertosearch -recurse);

$allfolders = $parentfolder + $subfolders;

# Get domain name as a wildcard

$domainwildcard = (get-addomain).netbiosname + "*";

# Recursive function to find groups and sub groups

function get-subgroups ($groupname, $foldername, $rights) {

# Get all members of the group

$members = get-adgroup $groupname | get-adgroupmember;

# Loop through each member

foreach ($member in $members) {

# If a sub-group is found, recurse

if ($member.objectclass -eq "group") {

get-subgroups $member.samaccountname $foldername $rights;

}

# If a user is found, export results

if ($member.objectclass -eq "user") {

$output = ($folder.fullname, $permission.filesystemrights, $groupname, $member.name) -join $script:exportdelimiter;

$output >> $script:exportfile;

}

# Loop through each folder

foreach ($folder in $allfolders) {

# Get ACLS

$acls = get-acl $folder.fullname;

# Loop through each ACL on the folder

foreach ($acl in $acls) {

$access = $acl.access;

# Loop through each permission within the ACL

foreach ($permission in $access) {

# Only check identities matching the domain name

if ($permission.identityreference -like $domainwildcard) {

# Remove the domain name from the identity

$identity = ($permission.identityreference -split "\\")[1];

# Get AD Object

$adobject = get-adobject -filter 'SamAccountName -eq $identity';

# If the identity is a group, recurse

if ($adobject.objectclass -eq "group") {

get-subgroups $identity $folder.fullname $permission.filesystemrights;

}

# If a user is found, export results

if ($adobject.objectclass -eq "user") {

$output = ($folder.fullname, $permission.filesystemrights, "Direct Assignment", $identity) -join $exportdelimiter;

$output >> $exportfile;

}

HKEY_LOCAL_MACHINE

Every problem is an opportunity.

How do I recursively check Folder Permissions?

Leave a Reply Cancel reply