Get-Acl without inheritance

Hello,

When I type the following line in PS, "Get-ChildItem I:\ -recurse -exclude *.* | Get-Acl", it lists all the directories and their security rights. I need to be able to list only the folders which have the security set on them and not inherited from the parent folder.

Is this possible?

What I'm aiming for is a script to list all parent-rights in our file-structure. Perhaps this is possible to do some other way?

Best Regards,

Joans Bson

January 23rd, 2009 4:34pm

I think you can get this by looking at the SDDL value for a folder. There may be easier ways, but I think this will work for you:
1  $no_inh = get-acl . | foreach { $_.sddl }
2  gci . -rec | where { $_.psiscontainer } | foreach { if (($_ | get-acl | foreach { $_.sddl }) -eq $no_inh) { $_.fullname } }

On line 1, I move to a directory where I know inheritance has been removed. I save the SDDL string to a variable.

On line 2, I get the ACLs and SDDL for every directory, then compare the SDDL against my variable, if the SDDLs match, I have a directory without inheritance, and I print out the full directory name.

[EDIT: I reread your post. I think I've missed the point. Please provide feedback.]

January 23rd, 2009 7:20pm

The line of code below will show you all file names that have explicit security set.

get-childitem -recurse | where-object {$_.mode -match "d"} | %{$file=$_;get-acl $($_.FullName)} | %{$_.GetAccessRules($True,$False,[Security.Principal.SecurityIdentifier]) | %{write-host "$($file.FullName) has explicit security set"}}
  • Proposed as answer by dmdamen Sunday, February 01, 2009 6:39 PM
February 1st, 2009 6:38pm

I know this thread is quite old, but here is how I did this. Keep in mind I am quite new to powershell, so I like to spell things out. I would be interested in techniques to speed this up.

if ($args.length -ne 2) { "This script takes exactly two arguments, in this order: file for output, a path to analyze" } else { $path = $args[1] $outPutFile = $args[0] $startDate = Get-Date #Build information for the header of the output file. `r`n is a carrage return/line feed. $header = "Start: " + $startDate + "`r`n" + "Output file: " + $outPutFile + "`r`n" + "Path analyzed: " + $path + "`r`n" out-file -encoding ASCII -filePath $outPutFile -append -InputObject $header # Get all directories, not files, get their ACLs, and stuff them into a variable ($dirs). $dirs = Get-ChildItem $path -Recurse -Force | ? { $_.GetType() -like 'System.IO.DirectoryInfo'} | get-ACL Foreach ($dir in $dirs) { Foreach ($Access in $dir.Access) { $Inherited = [string]$Access.IsInherited if ($Inherited -eq "False") { $pathPieces = $dir.Path.split(":") $output = $PathPieces[2] + ":" + $pathPieces[3] + ", " + $Access.IdentityReference + ", " + $Access.FileSystemRights out-file -encoding ASCII -filePath $outPutFile -append -InputObject $output } } } $endDate = Get-Date $elapsedTime = $endDate - $startDate $footer = "`r`nRun completed at: " + $endDate + "`r`n" + "Elapsed Time:`r`n" + $elapsedTime + "`r`n" out-file -encoding ASCII -filePath $outPutFile -append -InputObject $footer }

-Scott
EDIT - shoot, sorry for the crappy word wrapping.
June 19th, 2009 6:14pm

Hi Scott,

I can't seem to get your example to work. I'm really no powershell programmer and I think I have the wrapping all wrong. Since powershell uses CRLF's to separate commands (against say Bash) when it's all on one big line it won't run.

Any help?
October 15th, 2009 2:34pm

Replying to myself to enable e-mail notification..
October 15th, 2009 2:35pm

I'll fix up the code in the next 24 hours and post it as a script, and that should help...
October 15th, 2009 2:51pm

I think this is fixed up properly.  I haven't tested it yet:

if ($args.length -ne 2) { 
  "This script takes exactly two arguments, in this order: file for output, a path to analyze" 
} 
else { 
  $path = $args[1] 
  $outPutFile = $args[0] 
  $startDate = Get-Date 
  #Build information for the header of the output file. `r`n is a carriage return/line feed.
  $header = "Start: " + $startDate + "`r`n" + "Output file: " + $outPutFile + "`r`n" + "Path analyzed: " + $path + "`r`n" 
  out-file -encoding ASCII -filePath $outPutFile -append -InputObject $header 
  # Get all directories, not files, get their ACLs, and stuff them into a variable ($dirs). 
  $dirs = Get-ChildItem $path -Recurse -Force | ? { $_.GetType() -like 'System.IO.DirectoryInfo'} | get-ACL 
  Foreach ($dir in $dirs) { 
    Foreach ($Access in $dir.Access) { 
      $Inherited = [string]$Access.IsInherited 
      if ($Inherited -eq "False") { 
        $pathPieces = $dir.Path.split(":") 
        $output = $PathPieces[2] + ":" + $pathPieces[3] + ", " + $Access.IdentityReference + ", " + $Access.FileSystemRights 
        out-file -encoding ASCII -filePath $outPutFile -append -InputObject $output 
      } 
    } 
  } 
  $endDate = Get-Date 
  $elapsedTime = $endDate - $startDate 
  $footer = "`r`nRun completed at: " + $endDate + "`r`n" + "Elapsed Time:`r`n" + $elapsedTime + "`r`n" 
  out-file -encoding ASCII -filePath $outPutFile -append -InputObject $footer 
}
October 16th, 2009 10:07am

Thanks a lot for posting this. This script did exactly what I wanted to achieve and in the process also gave me more insight in the amazing functionalities of Powershell.
December 16th, 2009 9:48am

I want to add ACL information to the output, can you help me to do it? I'm a newbie in PowerShell, and I can't understand how to do it.. =(
July 19th, 2010 1:07pm

Hi Mark,

I'm using your script but getting an error when the script tries to get the ACL of a file whose name is more than 260 characters long. How could I leave the script running and not consider that folder?

Thank you

March 14th, 2011 11:46am
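
Added example (not code from any poster in this thread): one way to list only the explicit, non-inherited ACEs on each folder, include the ACL details in the output, and keep running past folders whose ACL cannot be read, such as over-long paths. It assumes PowerShell 3.0 or later; Get-ExplicitFolderAcl is a hypothetical function name and the CSV path in the usage comment is a placeholder.

```powershell
# Added example: report every folder that carries its own (non-inherited) ACEs.
# Get-ExplicitFolderAcl is a hypothetical helper name, not a built-in cmdlet.
function Get-ExplicitFolderAcl {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # SilentlyContinue keeps the walk going past folders that cannot be
    # enumerated (access denied, path too long).
    $folders = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        }
        catch {
            # Note the unreadable folder on the warning stream and move on.
            Write-Warning "Skipped $($folder.FullName): $($_.Exception.Message)"
            continue
        }

        # $true when inheritance from the parent has been switched off.
        $protected = $acl.AreAccessRulesProtected

        # GetAccessRules(includeExplicit, includeInherited, targetType):
        # explicit rules only, identities resolved to account names.
        $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])

        foreach ($rule in $explicit) {
            [pscustomobject]@{
                Folder             = $folder.FullName
                InheritanceBlocked = $protected
                Identity           = $rule.IdentityReference.Value
                Rights             = $rule.FileSystemRights
                Type               = $rule.AccessControlType
            }
        }
    }
}

# Usage (I:\ is the drive from the original question; the CSV path is a placeholder):
# Get-ExplicitFolderAcl -Path 'I:\' | Export-Csv -Path 'C:\temp\explicit-acl.csv' -NoTypeInformation
```

Folders that only inherit their permissions produce no rows, so the output is the list of places where rights were set directly.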

Thanks a lot for your post. I took inspiration from your code and I produced a similar script which traverses folders with a depth-first algorithm. The script can be found at http://carrarini.blogspot.com/2011/08/powershell-script-for-dumping-access.html

kind regards

Carrarini Daniel

August 5th, 2011 2:32pm

I can see the need for $($file.FullName) in the second instance but I am missing the reason why it is written this way after get-acl?

I tried to break it by using the following and all 3 give the same results.

($file.FullName)

$file.FullName

Trying to understand what $( ) syntax means exactly.

March 16th, 2015 4:04pm

Trying to understand what $( ) syntax means exactly.

That's a subexpression:

http://ss64.com/ps/syntax-operators.html

If you have additional questions, I highly recommend starting your own thread.

March 16th, 2015 4:14pm
