Need help with powershell



  • I am looking for a way to write a PowerShell script that will return results for all folders that contain users or groups that are not inherited. I tried to run the script for non-inherited folders, but some folders are inherited... while having users/groups that were added later on without disabling the inheritance of the folder.

    This is the script I found:
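    # -contains is used instead of -eq: with -eq, a folder with exactly one non-inherited entry evaluates to $false and is skipped
    DIR "\path\abc" -directory -recurse | GET-ACL | where {$_.Access.IsInherited -contains $false}|Select-Object PSPATH |Export-Csv "c:\export.csv" -NoTypeInformation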

    The problem with this script is that it reads the folder inheritance, and not the users/groups. What is the PowerShell cmdlet to target users/groups without inheritance?

    Below is an example of the folder in question.
    [Image: ng58DDi.png]


  • Tagged with PowerShell. Surprised no one has jumped on this yet.



  • The script you have gives you the path with ANY permissions that aren't inherited. Using Get-ACL, it looks at anything that has permissions assigned to the folder. So it's looking in there and telling you "This path has somebody with permissions that are not inherited."

    I take it the question you are wanting to answer is: WHO has permissions that are not inherited?



  • I could benefit from this. A simple ACL auditing script could come in handy.



  • GitHub link: https://github.com/dafyre/PoweshellScripts/blob/master/folderInheritance.ps1

    <#
    .SYNOPSIS
      File / Folder Auditing script to determine which users have permissions that are *NOT* inherited.
    
    .DESCRIPTION
       Date UpdatedBy Details
       08/10/2017 BW  Initial coding.
    #>
    
    $path="C:\TEMP"
    $outFile="myFolderInheritance.csv"
    
    $nonInherited=new-object System.Collections.ArrayList
    
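    # One object per folder; User and IsInherited are parallel arrays with one element per access entry.
    # -contains keeps every folder with at least one non-inherited entry
    # (with -eq, a folder with exactly one such entry evaluates to $false and is dropped).
    $folders=dir $path -Directory -recurse|get-acl|
    select @{Label='Path';Expression={$_.PSPath.replace("Microsoft.PowerShell.Core\FileSystem::","")}},
    @{Label='User';Expression={$_.Access.identityReference}},
    @{Label='IsInherited';Expression={$_.Access.IsInherited}}|
    where {$_.IsInherited -contains $false}
    
    foreach ($item in $folders) {
     $pass=0
     write-host "Checking folder $($item.path)"
     foreach ($user in $item.user) {
      #$x=$nonInherited "$($item.Path), $($user),$($item.IsInherited[$pass])"
      # $x swallows the index that ArrayList.Add() returns
      $x=$noninherited.add("$($item.Path), $($user),$($item.IsInherited[$pass])")
      # was $pass=$pass++, which leaves $pass at 0 so every row repeated the first entry's flag
      $pass++
     }
    }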
    
    $nonInherited|out-file -FilePath $outFile
    
    
    write-host "Done."
    


  • The above script outputs a CSV file (named myFolderInheritance.csv) that looks something like the following when run against C:\Program Files... (this is just a snippet)

    C:\Program Files\Internet Explorer, CREATOR OWNER,False
    C:\Program Files\Internet Explorer, NT AUTHORITY\SYSTEM,False
    C:\Program Files\Internet Explorer, NT AUTHORITY\SYSTEM,False
    C:\Program Files\Internet Explorer, BUILTIN\Administrators,False
    C:\Program Files\Internet Explorer, BUILTIN\Administrators,False
    C:\Program Files\Internet Explorer, BUILTIN\Users,False
    C:\Program Files\Internet Explorer, BUILTIN\Users,False
    C:\Program Files\Internet Explorer, NT SERVICE\TrustedInstaller,False
    C:\Program Files\Internet Explorer, NT SERVICE\TrustedInstaller,False
    C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES,False
    C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES,False
    C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES,False
    C:\Program Files\Internet Explorer, APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES,False
    


  • @scottalanmiller said in Need help with powershell:

    Tagged with PowerShell. Surprised no one has jumped on this yet.

    I did not have time yesterday to research an answer. 🙂



  • @dafyre said in Need help with powershell:

    GitHub link: https://github.com/dafyre/PoweshellScripts/blob/master/folderInheritance.ps1

    This works to a certain extent for what I am looking for, but it needs some tweaking to work the way I am expecting the result.
    Thanks!



  • @stess said in Need help with powershell:

    @dafyre said in Need help with powershell:

    GitHub link: https://github.com/dafyre/PoweshellScripts/blob/master/folderInheritance.ps1

    This works to a certain extent for what I am looking for, but it needs some tweaking to work the way I am expecting the result.
    Thanks!

    How are you wanting the result to look?



  • @dafyre said in Need help with powershell:

    @stess said in Need help with powershell:

    @dafyre said in Need help with powershell:

    GitHub link: https://github.com/dafyre/PoweshellScripts/blob/master/folderInheritance.ps1

    This works to a certain extent for what I am looking for, but it needs some tweaking to work the way I am expecting the result.
    Thanks!

    How are you wanting the result to look?

    The script doesn't appear to be showing false on non-inheritance. There is either True or False for every member of the folder regardless of their inheritance.

    I am looking into this post right now as it was brought up in Spiceworks.
    It shows the result I am hoping for where non-inheritance = false and inherited = true.



  • @stess said in Need help with powershell:

    @dafyre said in Need help with powershell:

    @stess said in Need help with powershell:

    @dafyre said in Need help with powershell:

    GitHub link: https://github.com/dafyre/PoweshellScripts/blob/master/folderInheritance.ps1

    This works to a certain extent for what I am looking for, but it needs some tweaking to work the way I am expecting the result.
    Thanks!

    How are you wanting the result to look?

    The script doesn't appear to be showing false on non-inheritance. There is either True or False for every member of the folder regardless of their inheritance.

    I am looking into this post right now as it was brought up in Spiceworks.
    It shows the result I am hoping for where non-inheritance = false and inherited = true.

    Ah, okay. I thought you wanted to only see the ones where Inherited=False...

    So you want to see everything, and whether or not it is inherited?

    Edit: Also for the CSV File generated, the layout is

    Folder, User, Is Inherited 
    

    Is Inherited is True or False.
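
Added example, not part of any post in this thread and not the code from the linked repository: a per-entry audit that writes one CSV row per access control entry, so each user or group carries its own IsInherited value in the Folder, User, IsInherited layout discussed above. The values of `$Path` and `$OutFile`, the `$ExplicitOnly` toggle and the extra columns are assumptions made for illustration.

```powershell
# Added example: audit ACLs per access control entry (ACE) instead of per folder.
# $Path, $OutFile and $ExplicitOnly are assumed values; adjust for your environment.
$Path         = 'C:\TEMP'
$OutFile      = 'folderAceInheritance.csv'
$ExplicitOnly = $true    # $true: only ACEs added directly on the folder; $false: every ACE

$rows = Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $folder = $_.FullName
        try {
            $acl = Get-Acl -LiteralPath $folder -ErrorAction Stop
        } catch {
            # Folders the auditing account cannot read are reported, not silently skipped
            Write-Warning "Cannot read ACL on ${folder}: $($_.Exception.Message)"
            return
        }

        foreach ($ace in $acl.Access) {
            # The test is made on each ACE, so one explicit entry on an
            # otherwise inheriting folder is still reported on its own row
            if ($ExplicitOnly -and $ace.IsInherited) { continue }

            [pscustomobject]@{
                Folder              = $folder
                User                = $ace.IdentityReference.Value
                Rights              = $ace.FileSystemRights
                Type                = $ace.AccessControlType
                IsInherited         = $ace.IsInherited
                # True when inheritance has been disabled on the folder itself
                InheritanceDisabled = $acl.AreAccessRulesProtected
            }
        }
    }

# Export-Csv quotes each field, so identities containing commas stay in one column
$rows | Export-Csv -Path $OutFile -NoTypeInformation
```

Rows with IsInherited = False and InheritanceDisabled = False are the case from the original question: users or groups added to a folder that still inherits from its parent.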