I saw a tweet this morning that was a PowerShell one-liner for capturing folder permissions to a text file. There's nothing wrong with it but it's hard to be truly productive in 140 characters so I thought I would take the idea and run with it a little bit. Here are some ways you might want to extend the concept.<\/p>\n
The basic premise is to pass a bunch of folders and save the results somewhere. For the sake of flexibility and clarity I'll save my ACL results to a variable.<\/p>\n
[cc lang=\"PowerShell\"]
\n$root=\"c:\\scripts\"
\n$acldata=dir $root -Recurse | Where {$_.PSIsContainer} | Get-ACL
\n [\/cc]<\/p>\n
I always like seeing what kind of information is available so let me check the first item in $acldata.<\/p>\n
[cc lang=\"DOS\"]
\nPS C:\\> $acldata[0] | Select *<\/p>\n
PSPath : Microsoft.PowerShell.Core\\FileSystem::C:\\scripts\\ad
\nPSParentPath : Microsoft.PowerShell.Core\\FileSystem::C:\\scripts
\nPSChildName : ad
\nPSProvider : Microsoft.PowerShell.Core\\FileSystem
\nAccessToString : BUILTIN\\Administrators Allow FullControl
\n BUILTIN\\Administrators Allow 268435456
\n NT AUTHORITY\\SYSTEM Allow FullControl
\n NT AUTHORITY\\SYSTEM Allow 268435456
\n BUILTIN\\Users Allow ReadAndExecute, Synchronize
\n NT AUTHORITY\\Authenticated Users Allow Modify, Synchronize
\n NT AUTHORITY\\Authenticated Users Allow -536805376
\nAuditToString :
\nPath : Microsoft.PowerShell.Core\\FileSystem::C:\\scripts\\ad
\nOwner : SERENITY\\Jeff
\nGroup : SERENITY\\None
\nAccess : {System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAcces
\n sRule, System.Security.AccessControl.FileSystemAccessRule...}
\nSddl : O:S-1-5-21-2858895768-3673612314-3109562570-1000G:S-1-5-21-2858895768-3673612314-3109562570-513D:AI(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;
\n OICIIOID;GA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)
\nAccessRightType : System.Security.AccessControl.FileSystemRights
\nAccessRuleType : System.Security.AccessControl.FileSystemAccessRule
\nAuditRuleType : System.Security.AccessControl.FileSystemAuditRule
\nAreAccessRulesProtected : False
\nAreAuditRulesProtected : False
\nAreAccessRulesCanonical : True
\nAreAuditRulesCanonical : True
\n [\/cc]<\/p>\n
Ok. Lots of good stuff. For a simple report, I can grab a few key properties, format as a list and send to a file.<\/p>\n
[cc lang=\"PowerShell\"]
\n$acldata | Format-List Path,Owner,AccessToString,SDDL | Out-File ACLReport.txt
\n [\/cc]<\/p>\n
But we can do better. For example, I wish the path was just the file system path. No problem, I'll use a hash table and define a new property. While I'm at it I'll improve the AccessToString property.<\/p>\n
[cc lang=\"PowerShell\"]
\n$aclData | Select @{Name=\"Path\";Expression={$_.PSPath.Substring($_.PSPath.IndexOf(\":\")+2) }},
\nOwner,@{Name=\"ACL\";Expression={$_.AccessToString}},SDDL | Out-File ACLReport.txt
\n[\/cc]<\/p>\n
The downside is that I end up with a text file, which I suppose is fine for small folder structures, and it is reader-friendly. But it is not easy to search or extract information from. For me, I think the better approach is to archive the data in an XML format using Export-Clixml. Export-CSV is not a good option here because the Access property is a collection of access rule objects and CSVs can't properly capture this level of complexity. <\/p>\n
[cc lang=\"Powershell\"]
\n$aclData | Select @{Name=\"Path\";Expression={$_.PSPath.Substring($_.PSPath.IndexOf(\":\")+2) }},
\nOwner,Access,AccessToString,Sddl,@{Name=\"Reported\";Expression={(Get-Date).ToShortDateString()}},
\n@{Name=\"Computername\";Expression={$env:computername}} | Export-Clixml e:\\temp\\acldata.xml
\n [\/cc]<\/p>\n
I've also added a few properties to capture the computername and the date of ALC scan. Now I have richer data, stored in a text file for archival or research purposes. Later on, the file can be imported back into PowerShell.<\/p>\n
[cc lang=\"DOS\"]
\nPS C:\\> $acl=Import-Clixml E:\\acldata.xml
\n [\/cc]<\/p>\n
Now I can search the data using PowerShell.<\/p>\n
[cc lang=\"DOS\"]
\nPS C:\\> $acl | select Path,Owner<\/p>\n
Path Owner
\n---- -----
\nC:\\scripts\\ad SERENITY\\Jeff
\nC:\\scripts\\de-DE BUILTIN\\Administrators
\nC:\\scripts\\Demos BUILTIN\\Administrators
\nC:\\scripts\\en-US BUILTIN\\Administrators
\nC:\\scripts\\modhelp BUILTIN\\Administrators
\nC:\\scripts\\PowerShellBingo BUILTIN\\Administrators
\nC:\\scripts\\PS-TFM BUILTIN\\Administrators
\nC:\\scripts\\ad\\New SERENITY\\Jeff
\n [\/cc]<\/p>\n
Or perhaps I want to find folders where Users have FullControl. <\/p>\n
[cc lang=\"PowerShell\"]
\nPS C:\\> $acl | where {$_.access | where {$_.FileSystemRights -match \"FullControl\" -AND $_.IdentityReference -match \"Users\"}} |
\n>> format-list Path,AccessToString
\n>><\/p>\n
Path : C:\\scripts\\Demos
\nAccessToString : NT AUTHORITY\\Authenticated Users Allow FullControl
\n BUILTIN\\Users Allow FullControl
\n BUILTIN\\Administrators Allow FullControl
\n BUILTIN\\Administrators Allow 268435456
\n NT AUTHORITY\\SYSTEM Allow FullControl
\n NT AUTHORITY\\SYSTEM Allow 268435456
\n BUILTIN\\Users Allow ReadAndExecute, Synchronize
\n NT AUTHORITY\\Authenticated Users Allow Modify, Synchronize
\n NT AUTHORITY\\Authenticated Users Allow -536805376
\n [\/cc]<\/p>\n
This is a little tricky because the Access property is a collection of nested rule objects, but it works.<\/p>\n
The bottom line is, when archiving information consider who is going to use it and how. Take a little extra time to include information that might be outside the scope of the primary task, but potentially useful as I did by including a date and computername. This type of context may be invaluable when you look at the data a year from now. PowerShell makes it easy to do, so why aren't you?<\/p>\n","protected":false},"excerpt":{"rendered":"
I saw a tweet this morning that was a PowerShell one-liner for capturing folder permissions to a text file. There’s nothing wrong with it but it’s hard to be truly productive in 140 characters so I thought I would take the idea and run with it a little bit. Here are some ways you might…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[60,75,8],"tags":[294,293,241,534,540,206],"class_list":["post-1492","post","type-post","status-publish","format-standard","hentry","category-best-practices","category-powershell-v2-0","category-scripting","tag-export-clixml","tag-get-acl","tag-out-file","tag-powershell","tag-scripting","tag-xml"],"yoast_head":"\n