When reviewing permissions on folders, it’s often important to know not only which groups have been granted access, but also who the members of those groups are (all in a single report). And what if those groups contain nested groups? We should be able to recurse through those as well.
This script does the following:
- Recurses through all folders below the parent
- Checks the ACLs applied to every folder found
- Extracts any groups that hold an ACL entry and recurses into any nested groups found
- Outputs each user's rights, including the name of the group that gave them access (or "Direct Assignment" when the ACL entry names the user directly)
The output is a CSV file, with the fields: <foldername> ^ <ACL Permissions> ^ <Group name or ‘Direct Assignment’> ^ <Users name>
Like this:
```powershell
# Define the parent folder to check permissions on
$foldertosearch = "c:\temp\kamal";

# Where to save the results (rows are appended, so delete an old file before re-running)
$exportfile = "c:\temp\kamal\permissions.csv"

# Delimiter used in the output file - DO NOT use a comma
$exportdelimiter = "^";

# Get all folder and sub-folder paths (-directory keeps files out of the report)
$parentfolder = @(get-item $foldertosearch);
$subfolders = @(get-childitem $foldertosearch -recurse -directory);
$allfolders = $parentfolder + $subfolders;

# Get domain name as a wildcard, e.g. "CONTOSO*"
$domainwildcard = (get-addomain).netbiosname + "*";

# Recursive function to find groups and sub groups
function get-subgroups ($groupname, $foldername, $rights) {
    # Get all members of the group
    $members = get-adgroup $groupname | get-adgroupmember;

    # Loop through each member
    foreach ($member in $members) {
        # If a sub-group is found, recurse
        if ($member.objectclass -eq "group") {
            get-subgroups $member.samaccountname $foldername $rights;
        }

        # If a user is found, export results using the folder and rights passed in
        if ($member.objectclass -eq "user") {
            $output = ($foldername, $rights, $groupname, $member.name) -join $script:exportdelimiter;
            $output >> $script:exportfile;
        }
    }
}

# Loop through each folder
foreach ($folder in $allfolders) {
    # Get ACLs
    $acls = get-acl $folder.fullname;

    # Loop through each ACL on the folder
    foreach ($acl in $acls) {
        $access = $acl.access;

        # Loop through each permission within the ACL
        foreach ($permission in $access) {
            # Only check identities matching the domain name
            if ($permission.identityreference -like $domainwildcard) {
                # Remove the domain name from the identity (DOMAIN\name -> name)
                $identity = ($permission.identityreference -split "\\")[1];

                # Get AD Object
                $adobject = get-adobject -filter 'SamAccountName -eq $identity';

                # If the identity is a group, recurse
                if ($adobject.objectclass -eq "group") {
                    get-subgroups $identity $folder.fullname $permission.filesystemrights;
                }

                # If a user is found, export results
                if ($adobject.objectclass -eq "user") {
                    $output = ($folder.fullname, $permission.filesystemrights, "Direct Assignment", $identity) -join $exportdelimiter;
                    $output >> $exportfile;
                }
            }
        }
    }
}
```
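Two things a reviewer of the script above will run into: nested groups in Active Directory can contain each other (group A a member of B, B a member of A), which sends a naive recursion into an infinite loop, and the exported file has no header row and repeats a user once for every group that grants them access. The example below is added here and is not part of the original post. It uses a constructed in-memory group map and constructed ACL entries in place of Get-ADGroupMember and Get-ACL (so it runs offline), expands groups with a visited set so a cycle terminates, produces the same `^`-delimited rows the script writes, and then reads those rows back with `-Header` to build a de-duplicated per-user, per-folder summary. All names, paths and the `Expand-GroupRights` function are assumptions made for the example.

```powershell
# Added example, not the post's script. $groupMap, $aclEntries and every name
# below are constructed sample data standing in for AD and the file system.

$exportdelimiter = '^'

# Constructed stand-in for Get-ADGroupMember: group name -> members
$groupMap = @{
    'FileShare-RW'  = @(
        @{ name = 'Alice Example';  objectclass = 'user' },
        @{ name = 'Finance-Staff';  objectclass = 'group' }
    )
    'Finance-Staff' = @(
        @{ name = 'Bob Example';    objectclass = 'user' },
        @{ name = 'FileShare-RW';   objectclass = 'group' }   # deliberate cycle back to the parent group
    )
}

# Constructed ACL entries: folder, rights, trustee, and whether the trustee is a group or a user
$aclEntries = @(
    @{ folder = 'C:\Shares\Finance'; rights = 'FullControl';    identity = 'FileShare-RW';  class = 'group' },
    @{ folder = 'C:\Shares\Finance'; rights = 'ReadAndExecute'; identity = 'Carol Example'; class = 'user' }
)

function Expand-GroupRights {
    param(
        [string]$GroupName,
        [string]$FolderName,
        [string]$Rights,
        [System.Collections.Generic.HashSet[string]]$Visited
    )
    # Each group is expanded once per ACL entry: HashSet.Add returns $false for a
    # group already seen, which stops cycles and avoids repeating users reachable
    # through more than one nested group.
    if (-not $Visited.Add($GroupName)) { return }

    foreach ($member in $groupMap[$GroupName]) {
        if ($member.objectclass -eq 'group') {
            Expand-GroupRights -GroupName $member.name -FolderName $FolderName -Rights $Rights -Visited $Visited
        }
        elseif ($member.objectclass -eq 'user') {
            # Same row layout as the post's CSV: folder ^ rights ^ granting group ^ user
            ($FolderName, $Rights, $GroupName, $member.name) -join $exportdelimiter
        }
    }
}

# Build the rows the post's script would append to its export file
$rows = foreach ($entry in $aclEntries) {
    if ($entry.class -eq 'group') {
        $visited = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
        Expand-GroupRights -GroupName $entry.identity -FolderName $entry.folder -Rights $entry.rights -Visited $visited
    }
    else {
        ($entry.folder, $entry.rights, 'Direct Assignment', $entry.identity) -join $exportdelimiter
    }
}

# Read the rows back the way you would read the exported file; it has no header
# row, so the column names are supplied here.
$report = $rows | ConvertFrom-Csv -Delimiter $exportdelimiter -Header Folder, Rights, Via, User

# One line per folder and user, listing every right and every group that grants it
$report |
    Group-Object Folder, User |
    ForEach-Object {
        [pscustomobject]@{
            Folder = $_.Group[0].Folder
            User   = $_.Group[0].User
            Rights = ($_.Group.Rights | Sort-Object -Unique) -join ','
            Via    = ($_.Group.Via    | Sort-Object -Unique) -join ','
        }
    } |
    Sort-Object Folder, User |
    Format-Table -AutoSize
```

With the constructed data this prints three lines: Alice Example (FullControl via FileShare-RW), Bob Example (FullControl via Finance-Staff) and Carol Example (ReadAndExecute via Direct Assignment); the second visit to FileShare-RW from inside Finance-Staff returns immediately instead of recursing forever. To apply the same summary to the real export, replace `$rows` with `Get-Content $exportfile` and keep the `-Delimiter '^' -Header ...` arguments.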