Team,

I have made some head way, but what I need to know is how do I call the function "MyADGroups" in my script. not sure if the below script is correct, but what it needs to do is check who has access to the parent folder and all the children folders only, if its inherited I do not want to know, which the script does :). but if it is a Group it needs to expand the group and show me the users only.

I have done a function but I am not sure if it is correct and it will output the data I need.

 $exclude = @(
	'CREATOR OWNER'
	'NT AUTHORITY\SYSTEM'
	'BUILTIN\Administrators'
	'HTBPLC\Domain Admins'
)
Function Get-MYADGroups($GroupsAD){
	Return Get-ADGroupMember -Identity $GroupsAD -Recursive | Where {objectClass -eq "User"}
 
}
# Get-ADGroupMember -Identity  -Recursive | Get-ADUser -Property DisplayName | Select Name,ObjectClass,DisplayName?

$credentials = Get-Credential
Get-ADUser -Credential $credentials  -Filter * -Properties DisplayName,EmailAddress,memberof,DistinguishedName,Enabled |  % {

$RootPath = "\\XYZ.net\users\GP\DEPT\IT\"

$folders = [array](Get-Item -Path $RootPath)
$folders += Get-ChildItem -Path $RootPath -Recurse -Directory

$acls = foreach ($Folder in $Folders){
	get-acl $Folder.fullname | 
	Select-Object -ExpandProperty Access |
	Where-Object {
		-not $_.IsInherited -and
		$exclude -notcontains $_.IdentityReference 
	} |
	Select-Object -Property *,@{
		'Name' = 'Folder'
		'Expression' = {
			$Folder.FullName
	}}
}}

$acls | Export-Csv -NoTypeInformation -Path C:\NTFS\DEPARTMENTS1.csv

@DustinB3403 @dafyre can you maybe help me out on this one, should be a quick fix, just need to know if I am on the right tracks.

Thanks

thanks @dafyre looks good, but I have been doing a bit of reading online and I think I will change the output to make it output the data as rows with each user named with what member they are part of next to there name. two columns. in other words the output would be "Transpose" and then I would use a pivot table to do the rest.

still working on it, but if anyone knows of an easy way please do share

again thank @dafyre

you probably right, @Dashrender unfortunately, this would be coming out of my own pocket and not the companies which is why I cannot go ahead.

Thanks again for all the input team, been a brilliant help. until the next time

any ideas Team?

Thanks

i understand the code but i am far from a scripter. i understand the logic but would not be able to put this as a powershell.

if anyone thanks to @Dashrender and of course @DustinB3403 can make this happen, you will make me a happy guy :).

that would be ideal, if this is possible please let me know how @Dashrender

@Dashrender that is exactly what I need. is it possible to do?

Thanks @DustinB3403 that is exactly what I am trying to do, if anyone @DustinB3403 has tried and said it cannot be done, if it can be done and someone can shed some light I would be very grateful.

Thanks

correct, the user, and all the groups they are a member of in alphabetical order, so they line up with the same groups for the next user if this is the case, if not it would leave a blank space so we can filter only with the same group.

I swear there must be an easier way to explain this lol

again thank you

alphabetically would be ideal, but group headers would work too.

@DustinB3403 the script works fine, I have separated using excel, but the groups do not match up. I have Group 1 in cell 5 and I have the same Group in cell 23 so the filter does not see that. its very hard to explain, some people have more groups and some have less, the output cannot match them to be in the same column.

Not really cost related, think they want me to go through all these issues cus they hate me lol.

think I may have explained it incorrectly ...sorry

this script needs to only show what permissions every user has, but the permissions need to be outputted in a easy filter way. having all the same Group memberships in the same like the example. when someone filters for Group1 all group1 appears in one column.

sorry I explained it wrong. hope this makes better sense.

really appreciated the help @dafyre. unfortunately 3rd party tools are a no no, already asked that question and been shot down :(.

This is a single script and just need help cleaning the CSV output into a more easily filtered search. For example, the below is how it comes out,

TEST.USER1 HR TRUE Blank Space Group 1 Group 2 Group 3
TEST.USER HR TRUE Group 1 Group 2 Group 4 Group 2

I would like it to appear like below, all matching the above row where possible, if it does not match put a blank space move to the next cell

TEST.USER1 HR TRUE Blank Space Group 2 Group 4 Group 3
TEST.USER HR TRUE Group 1 Group 2 Group 4 Blank space

only folder level, but the extract of the permissions need to match up. does that make sense when I say "Match up". not really sure how to explain it. all the same permission need to be in the same column, AD seems to just throw groups all over the show when extracted. I need them to all sync up in the CSV so its easy to filter for certain access and who has it. hope that makes sense thanks for the reply @dafyre

this is the code I have got so far, but the output for all the groups is mixed up, can the CSV be tweaked a bit? does anyone know?

# Imports Active Directory information 
Import-Module Activedirectory
$credentials = Get-Credential
# Prompts for user credentials default user is “   ”, enter an administrator account in the form of “domain-name\administrator-account”
Get-ADUser -Credential $credentials  -Filter * -Properties DisplayName,EmailAddress,memberof,DistinguishedName,Enabled |  %  {
  New-Object PSObject -Property  @{
	UserName = $_.DisplayName 
	EmailAddress = $_.EmailAddress
	DistinguishedName = $_.DistinguishedName
	Enabled = $_.Enabled
# Deliminates the document for easy copy and paste using ";" as the delimiter. Incredibly useful for Copy & Paste of group memberships to new hire employees.
	Groups = ($_.memberof | Get-ADGroup | Select -ExpandProperty Name) -join ";"
	}
# The export path is variable change to desired location on domain controller or end user computer. 
} | Select UserName,EmailAddress,@{l='OU';e={$_.DistinguishedName.split(',')[1].split('=')[1]}},Groups,Enabled | Sort-Object Username | Export-Csv C:\users\Desktop\AD1.csv –NTI

any help would be really appreciated

the code I already have is this

$exclude = @(
	'CREATOR OWNER'
	'NT AUTHORITY\SYSTEM'
	'BUILTIN\Administrators'
	'HTBPLC\Domain Admins'  
)

$RootPath = "S:\XYZ\DEPARTMENTS"

$folders = [array](Get-Item -Path $RootPath)
$folders += Get-ChildItem -Path $RootPath -Recurse -Directory

$acls = foreach ($Folder in $Folders){
	get-acl $Folder.fullname | 
	Select-Object -ExpandProperty Access |
	Where-Object {
		-not $_.IsInherited -and
		$exclude -notcontains $_.IdentityReference
	} |
	Select-Object -Property *,@{
		'Name' = 'Folder'
		'Expression' = {
			$Folder.FullName
	}}
}

$acls | Export-Csv -NoTypeInformation -Path C:\NTFS\DEPARTMENTS1.csv

I need to implement the group extracting from this piece of code and add it to the above.

Import-Module Activedirectory
$credentials = Get-Credential
Get-ADUser -Credential $credentials  -Filter * -Properties DisplayName,EmailAddress,memberof,DistinguishedName,Enabled |  %  {
  New-Object PSObject -Property  @{
	UserName = $_.DisplayName 
	EmailAddress = $_.EmailAddress
	DistinguishedName = $_.DistinguishedName
	Enabled = $_.Enabled
	Groups = ($_.memberof | Get-ADGroup | Select -ExpandProperty Name) -join ";"
	}
} | Select UserName,EmailAddress,@{l='OU';e={$_.DistinguishedName.split(',')[1].split('=')[1]}},Groups,Enabled | Sort-Object Username | Export-Csv c:\temp\User-Permissions1.csv –NTI

Any ideas

I would need to incorporate the top script into the bottom script. Get-ADGroupMember is part of the script which only expands the groups, which works fine, need that to be added into the 2nd script which only outputs groups and other users, rather then all users.

thanks for the link @DustinB3403, I have tried this, but the output was not what the Auditors wanted, hence me reaching out to various teams/forums for assistance. the Code was not able to give me user level, it only provided Groups without expanding the groups.

@DustinB3403 how did you say to add a piece of code?

hi All, new to this forum :). thanks for the shout out @scottalanmiller. hope the team can help me with my topics, not really a programmer and have been tasked with a programming task