split Get-acl accesstostring into manageable strings
Hi
I am trying to report on folder access rights with get-acl. I get the folder name as well as the access list without problem, however I would like to filter the accesstostring part so that i can filter out well-known accounts and present the information more clearly.
here is what i have so far:

get-childitem \\server\share\folder | Where {$_.psIsContainer -eq $true}| get-acl |select-object pschildname,accesstostring |Format-List
which returns
PSChildName : nameoffolder
AccessToString : Domain\group_RW Allow Modify, Synchronize
BUILTIN\Administrators Allow FullControl
CREATOR OWNER Allow FullControl
CVLUX\Domain Admins Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl

What i would like is to get an array from accesstostring so that i can exclude CreatorOwner, etc...

thanks in advance

bruno
November 27th, 2009 2:53pm
Lilke this?


get-childitem \\server\share\folder | Where {$_.psIsContainer -eq $true}| get-acl |select-object accesstostring |% {$_.accesstostring.split()}
Free Windows Admin Tool Kit Click here and download it now
November 27th, 2009 3:09pm
Unfortunately split() seems to work with spaces : the result is not optimal...
I tried to use split("'r") but without much more success...

BUILTIN\Users

Allow

ReadAndExecute,

Synchronize

NT

AUTHORITY\Authenticated

Users

Allow
November 27th, 2009 3:15pm

Bruno;

To start, you can put the output into a variable, and then manipulate the data:

get-childitem \\server\share\folder | Where {$_.psIsContainer -eq $true}| get-acl |select-object pschildname,accesstostring -OutVariable acl

Now, manuiplate $acl :)

Free Windows Admin Tool Kit Click here and download it now
November 27th, 2009 3:19pm
the problem i have is to split indeed within the array. I can only always return the full accesstostring value or nothing...
I don't know on what i can split so that each line would be separated (How can I access each line of the array ?)

November 27th, 2009 3:33pm
What do you want the array to look like?
Free Windows Admin Tool Kit Click here and download it now
November 27th, 2009 3:49pm

ok, a little progress, I used the wrong escape character on my foreign keyboard.
$a

= Get-Acl c:\boot | select-object accesstostring|% {$_.accesstostring.split("`r")}
what i get is an array of one piece with 408 characters. (seems it can't split the accesstostring property except if you send it to |format-list
What i would like - if you refer to my first post - is this

nameoffolder Domain\group_RW Allow Modify, Synchronize
nameoffolder Domain\group3_RW Allow Modify, Synchronize
nameoffolder2 Domain\group_RW Allow Modify, Synchronize
nameoffolder2 Domain\group2_RW Allow Modify, Synchronize
nameoffolder3 Domain\group_RW Allow Modify, Synchronize
nameoffolder4 Domain\group_RW Allow Modify, Synchronize

Once i have this i will have to verify membership of the groups and nested groups in second column in AD but this is ok as i've done it before. (we need this for consolidated reporting on rights on a share)
brgds

November 27th, 2009 4:09pm
Try this:

$a = get-acl c:\boot| select pschildname,accesstostring
$acls = @()
$a |% {
$b = ""|select folder,security_principal,type,rights
$b.folder = $_.pschildname
$_.accesstostring |%{
$_ -match "(.+)\s((?:Allow)|(?:Deny))\s(.+)"
$b.security_principal = $matches[1]
$b.type = $matches[2]
$b.rights = $matches[3]
$acls += $b
}
}
$acls
  • Marked as answer by brpo Saturday, November 28, 2009 11:14 AM
Free Windows Admin Tool Kit Click here and download it now
November 27th, 2009 4:28pm
that's what i was looking for
thanks a lot for your help
bruno
November 28th, 2009 11:15am
Another option:


dir \\server\share\folder | where {$_.psiscontainer} | foreach{
$as= $_ | get-acl | select PSChildName,accesstostring
$as.accesstostring.split("`r`n") | where {$_.Permission -notlike 'CREATOR OWNER*'} | select @{n="Name";e={ $as.PSChildName}},@{n="Permission";e={$_}}
}

Free Windows Admin Tool Kit Click here and download it now
November 28th, 2009 3:50pm

Here is an example that I sometimes use :

This script list folders for x level depht,  get acl for each folder and put result on an xls .

Why open excel and fill it, because it's cool ;-) and more usable for managers

$ErrorActionPreference = "SilentlyContinue"
$a = New-Object -comobject Excel.Application 
$a.visible = $True

$b = $a.Workbooks.Add()

$intRow=1
$c = $b.Worksheets.Item(1)
$c.Cells.Item($intRow,1) = "Folder"
$c.Cells.Item($intRow,2) = "Compte/groupe"
$c.Cells.Item($intRow,3) = "Type d'Acces"
$c.Cells.Item($intRow,4) = "Droits"


$d = $c.UsedRange
$d.EntireColumn.AutoFit()|Out-Null
$d.Interior.ColorIndex = 19
$d.Font.ColorIndex = 11
$d.Font.Bold = $True


remove-variable arrayOfPath
$depth=2
$RootFolder="\\MySRV\Folder"

for($i=0; $i -le $depth;$i++)
  {
  $arrayOfPath += ,$RootFolder
  $RootFolder=$RootFolder+"\*"
  }
$arrayOfPath |get-childitem |%{get-acl $_.fullname}|
  %{
      $intRow=$intRow+1  
      $c.Cells.Item($intRow, 1)=$_.path.tostring().replace("Microsoft.PowerShell.Core\FileSystem::","")
      $droit=$_.access
      $droit|%{$c.Cells.Item($intRow, 2)=$_.IdentityReference.tostring();$c.Cells.Item($intRow, 3)=$_.AccessControlType.tostring();$c.Cells.Item($intRow, 4)=$_.FileSystemRights.tostring();$intRow=$intRow+1}}
                                                    
$d.EntireColumn.AutoFit()|Out-Null


December 20th, 2013 3:37pm

Very good - will adapt some of it. Thanks for sharing.

@Exporting to excel automatically is a great detail!

Free Windows Admin Tool Kit Click here and download it now
July 1st, 2015 10:14am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics