Question

I wrote 2 functions (not directly from me) which create a file with folder ACLs. The first function creates a folder list with a max. depth parameter. The second function creates an output file with the ACL for every folder, based on the output of the first function.

Code or syntax enhancements / bugfixes are welcome. Sorry for my bad English!

Output Example:

Path           : D:\pub\
AccessToString : 
NT-AUTORITÄT\Authentifizierte Benutzer Allow ReadAndExecute, Synchronize
Domain\Group_Sales_RW Allow  Modify, Synchronize
Domain\User4711 Allow  Modify, Synchronize
NT-AUTORITÄT\SYSTEM Allow  FullControl
VORDEFINIERT\Administratoren Allow  FullControl
Domain\Administrator Allow  FullControl

The 2 functions:

function ListSubDir  {
    <#
    .Synopsis
    Lists Subfolders
    .Description
    Lists Subfolders
    .Example
    ListSubDir -Searchpath "D:" -Depth "2"
    #>
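    param (
        $Searchpath = $env:USERPROFILE,
        [int]$Depth = 2
    )
    if ($Depth -gt 0) {
        # For each subfolder: first emit its descendants (down to the remaining depth), then the subfolder itself
        Get-ChildItem $Searchpath -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object {
                ListSubDir -Searchpath $_.FullName -Depth ($Depth - 1)
                $_
            }
    }
}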

function Get-DirectoryRights {
<#
.Synopsis
.Description
Exports Directory ACLs to a .txt File
.Example
Foreach  ($Path in (GCI "D:\Users" -recurse -ea SilentlyContinue | where {$_.psiscontainer})) {get-directoryrights -Searchpath $Path.fullname -output "d:\ACL-Log.txt"}
.Example

#>

param   ( $Searchpath="$ENV:Userprofile",
          $Output="$Env:Temp\AusgabeACL.txt",
          $XMLTemp="$env:temp\acldata.xml")

$Folder= $Searchpath | Get-ACL -ea SilentlyContinue

$Folder| Select @{Name="Path";Expression={$_.PSPath.Substring($_.PSPath.IndexOf(":")+2) }},Owner,Access,AccessToString,@{Name="Reported";Expression={(Get-Date).ToShortDateString()}}, @{Name="Computername";Expression={$env:computername}} | Export-Clixml $XMLTemp

$acl = Import-Clixml $XMLTemp

$acl | where {$_.access } | format-list path,AccessToString | out-file $Output -append
}

The Current function call:

$Folderlist= ListSubDir -Searchpath d:\pub -Depth 2
Get-directoryrights -Searchpath $Folderlist.fullname -Output D:\ausgabe.txt   

To simplify the fileserver administration we want to eliminate all user-specific ACLs and replace them with group ACLs. The current output looks fine, but is it possible to list only the folders where a specific user or OU member exists?

For example: with a third function, I want to list the usernames which begin with the characters "w01" (W01 stands for site01 -> our headquarters) and pipe them to the other functions to get only the folders that have given rights to those users, like:

Path           : D:\pub\
AccessToString : 
Domain\W01Username Allow  Modify, Synchronize

The third function:

function GetADUser {
<#
.Description
List AD User Details
.Example
getaduser -SearchString "w01*"
#>
param ( $Searchbase = "OU=_Benutzer,DC=Vogler-GMBH,DC=com",
        $SearchString = "*"
      )
get-aduser -Filter 'SamAccountName -like $Searchstring -or Givenname -like $Searchstring' -SearchBase $Searchbase | select *
}

Solution

In general you should avoid having a function output to a file. Have it output an object, and then you can format and output that object to a file if you'd like. This situation is a perfect example of that. Altering your script a little and having it output to objects. I also added just a little bit to filter for a user as well. Check this out:

function Get-DirectoryRights {
<#
.Synopsis
.Description
Exports Directory ACLs (optionally filters for a user name)
.Example
Foreach  ($Path in (GCI "D:\Users" -recurse -ea SilentlyContinue | where {$_.psiscontainer})) {get-directoryrights -Searchpath $Path.fullname -UserFilter "JDoe"}
.Example

#>

param   ( $Searchpath="$ENV:Userprofile",
          $UserFilter )
if($UserFilter){
    # -match takes a regular expression, so escape the filter: otherwise "\W" in "Domain\W01" is read as a regex class and never matches
    $Searchpath | Get-ACL -ea SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match [regex]::Escape($UserFilter)} | Select @{Name="Path";Expression={$_.PSPath.Substring($_.PSPath.IndexOf(":")+2) }},Owner,Access,AccessToString,@{Name="Reported";Expression={(Get-Date).ToShortDateString()}}, @{Name="Computername";Expression={$env:computername}}
}else{
    # No filter: return every folder that has at least one access entry
    $Searchpath | Get-ACL -ea SilentlyContinue | Where {$_.Access} | Select @{Name="Path";Expression={$_.PSPath.Substring($_.PSPath.IndexOf(":")+2) }},Owner,Access,AccessToString,@{Name="Reported";Expression={(Get-Date).ToShortDateString()}}, @{Name="Computername";Expression={$env:computername}}
}
}

Then you would just run it very much like you were, but you would format and output it outside the function.

$Folderlist= ListSubDir -Searchpath d:\pub -Depth 2
Get-directoryrights -Searchpath $Folderlist.fullname |FL Path,AccessToString | Out-File D:\ausgabe.txt   

If you want to filter for domain users that start with W01 you would do something like:

Get-DirectoryRights -Searchpath $Folderlist.fullname -UserFilter "YourDomainName\W01" |FL Path,AccessToString | Out-File D:\ausgabe.txt   
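
The per-entry listing the question asks for, as an added example that is not part of the original answer: it emits one object per access entry whose account name starts with a literal prefix, so only the matching entries appear instead of the folder's whole AccessToString. Get-UserSpecificAce, its parameters and the CSV path are hypothetical names; ListSubDir is the question's function and Domain\W01 its sample prefix.

```powershell
# Added example; function name, parameter names and output path are hypothetical.
function Get-UserSpecificAce {
    param (
        [Parameter(Mandatory)]
        [string[]]$Path,

        # Literal start of the account name, e.g. 'Domain\W01' (not a regular expression)
        [Parameter(Mandatory)]
        [string]$IdentityPrefix
    )

    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $acl) {
            # Unreadable folders are reported instead of silently skipped,
            # so gaps in the audit are visible
            Write-Warning "Could not read ACL: $p"
            continue
        }

        foreach ($ace in $acl.Access) {
            # Plain string comparison: the backslash in 'Domain\W01' needs no escaping
            $name = $ace.IdentityReference.Value
            if (-not $name.StartsWith($IdentityPrefix, [StringComparison]::OrdinalIgnoreCase)) {
                continue
            }

            [pscustomobject]@{
                Path        = $p
                Identity    = $name
                Type        = $ace.AccessControlType   # Allow or Deny
                Rights      = $ace.FileSystemRights
                IsInherited = $ace.IsInherited         # $false = set directly on this folder
            }
        }
    }
}

# Same call pattern as above: build the folder list, then report matching entries
$Folderlist = ListSubDir -Searchpath 'D:\pub' -Depth 2
Get-UserSpecificAce -Path $Folderlist.FullName -IdentityPrefix 'Domain\W01' |
    Export-Csv -Path 'D:\user-aces.csv' -NoTypeInformation -Encoding UTF8
```

Rows with IsInherited set to False are the entries granted directly on that folder; inherited rows repeat an entry set higher up the tree.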
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow