Wednesday, February 4, 2015

Read and Export Folder ACL using PowerShell

Good day

I have a small, old file server with 2 TB of user data, and I don't know which users have which permissions on the folder structure.
There are tools for this, but most of them are paid, and even some of the paid tools can't filter the way I need, for example excluding inherited entries or leaving out accounts such as "SYSTEM" or "CREATOR OWNER". So why buy anything when there is PowerShell?
I wrote a script that reads the whole folder tree and exports the ACLs to a CSV file.
The script has 4 parameters:

.PARAMETER $PathToScan
The folder path you want to scan

.PARAMETER $PathToSaveResult
After scanning finishes the script saves the result to CSV; give the full path of the file to store the result in

.PARAMETER $IncludeInheritedFolder
Whether or not to include inherited entries. Accepted values: $True or $False

.PARAMETER $SysBuiltin
Whether to include the system accounts ("NT AUTHORITY" and "BUILTIN"). Accepted values: $True or $False

To use the script:

.\GetACL.ps1 -PathToScan C:\FolderToScan -PathToSaveResult C:\MyOutput.csv -IncludeInheritedFolder $True -SysBuiltin $False

(the last two parameters each take $True or $False)


Always make sure you are running the latest version of PowerShell and the .NET Framework.

param
(
    [Parameter(Mandatory = $true,
        HelpMessage = 'The folder path you want to scan')]
    [ValidateNotNullOrEmpty()]
    [string]
    $PathToScan,

    [Parameter(Mandatory = $true,
        HelpMessage = 'Full path of the CSV file in which to store the result')]
    [ValidateNotNullOrEmpty()]
    [string]
    $PathToSaveResult,

    [Parameter(Mandatory = $true,
        HelpMessage = 'Whether or not to include inherited entries. Accepted values: $True or $False')]
    [bool]
    $IncludeInheritedFolder,

    [Parameter(Mandatory = $true,
        HelpMessage = 'Whether to include the system accounts ("NT AUTHORITY", "BUILTIN", "CREATOR OWNER"). Accepted values: $True or $False')]
    [bool]
    $SysBuiltin
)

# Read the whole folder subtree. -Directory and Export-Csv -Append need PowerShell 3.0 or later.
# Folders the scanning account cannot open raise a non-terminating error and are skipped.
# -LiteralPath is used throughout so that folder names containing [ ] are not treated as wildcards.
$Folderslist = Get-ChildItem -LiteralPath $PathToScan -Recurse -Directory

foreach ($singleFolder in $Folderslist) # Read each folder's ACL in turn
{
    try
    {
        # The Access property holds one entry (ACE) per user or group
        $Access = Get-Acl -LiteralPath $singleFolder.FullName | Select-Object -ExpandProperty Access

        foreach ($single in $Access) # $Access is an array, so handle the entries one by one
        {
            # If $IncludeInheritedFolder was $False, do not write inherited entries
            if (-not $IncludeInheritedFolder -and $single.IsInherited) { continue }

            # If $SysBuiltin was $False, do not write the well-known system users and groups
            if (-not $SysBuiltin -and
                (($single.IdentityReference -like 'NT AUTHORITY*') -or
                 ($single.IdentityReference -like 'BUILTIN\*') -or
                 ($single.IdentityReference -like '*CREATOR OWNER*'))) { continue }

            # One output row per entry; the order the properties are added becomes the CSV column order
            $Myobj = New-Object -TypeName PSObject
            Add-Member -InputObject $Myobj -MemberType NoteProperty -Name Username   -Value $single.IdentityReference  # IdentityReference is the user or group
            Add-Member -InputObject $Myobj -MemberType NoteProperty -Name AccessType -Value $single.FileSystemRights   # what kind of access the user or group has
            Add-Member -InputObject $Myobj -MemberType NoteProperty -Name Righttype  -Value $single.AccessControlType  # Allow or Deny
            Add-Member -InputObject $Myobj -MemberType NoteProperty -Name Path       -Value $singleFolder.FullName
            Add-Member -InputObject $Myobj -MemberType NoteProperty -Name Inherited  -Value $single.IsInherited        # inheritance flag

            # Append the row to the CSV named in $PathToSaveResult
            Export-Csv -InputObject $Myobj -Append -Path $PathToSaveResult -NoTypeInformation -Encoding UTF8
        }
    }
    catch # Report the folder that failed and carry on with the next one ($_ is the error that was just caught)
    {
        Write-Warning ("{0}: {1}" -f $singleFolder.FullName, $_.Exception.Message)
    }
}
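Once the export exists, the next thing an auditor usually wants is the list of folders where inheritance was broken and a broad group was given write access. The following is an added example, not part of the original post: it reads rows in the layout the script above writes (Username, AccessType, Righttype, Path, Inherited) and reports explicit "Allow" entries that grant write-level rights to wide groups. The group patterns and the sample rows are constructed assumptions; note that with -SysBuiltin $False the "NT AUTHORITY" groups will not be in the export at all.

```powershell
function Find-BroadWriteAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object] $Entry,

        # Principals treated as "broad" (-like patterns; assumption, adapt to your domain)
        [string[]] $BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                                        'BUILTIN\Users', '*\Domain Users')
    )
    begin {
        # FileSystemRights was exported as text such as "Modify, Synchronize" or "FullControl"
        $writeRights = @('FullControl', 'Modify', 'Write', 'WriteData', 'CreateFiles',
                         'Delete', 'ChangePermissions', 'TakeOwnership')
    }
    process {
        # Keep only explicit Allow entries: an inherited one is already covered by its parent
        if ($Entry.Righttype -ne 'Allow' -or $Entry.Inherited -eq 'True') { return }
        $broad = $false
        foreach ($pattern in $BroadPrincipals) {
            if ($Entry.Username -like $pattern) { $broad = $true; break }
        }
        if (-not $broad) { return }
        $granted = $Entry.AccessType -split ',\s*' | Where-Object { $writeRights -contains $_ }
        if ($granted) {
            [PSCustomObject]@{ Path = $Entry.Path; Principal = $Entry.Username; Rights = $Entry.AccessType }
        }
    }
}

# Constructed sample rows in the CSV layout the script produces (not a real export)
$sample = @'
"Username","AccessType","Righttype","Path","Inherited"
"CONTOSO\Domain Users","Modify, Synchronize","Allow","C:\Share\HR","False"
"CONTOSO\hr-admins","FullControl","Allow","C:\Share\HR","False"
"Everyone","ReadAndExecute, Synchronize","Allow","C:\Share\Public","False"
"CONTOSO\Domain Users","Modify, Synchronize","Allow","C:\Share\HR\Payroll","True"
"Everyone","Modify, Synchronize","Deny","C:\Share\Finance","False"
'@ | ConvertFrom-Csv

$sample | Find-BroadWriteAccess | Format-Table -AutoSize
# Only the first row is reported: row 2 is a narrow group, row 3 is read-only,
# row 4 is inherited from C:\Share\HR, row 5 is a Deny entry.

# Against the real export:  Import-Csv C:\MyOutput.csv | Find-BroadWriteAccess
```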
