Comparing folder ACLs

Cory Smith

I'm writing a PowerShell script to drill through our file shares to
determine exactly where an ACL changes from parent to child. It seems
to work for the most part; however, I've just discovered one problem.
The relevant part of the code is here:

$acl = Get-Acl $folder | select *
$pacl = Get-Acl $folder.psparentpath | select *

if ($acl.accesstostring -eq $pacl.accesstostring){...


The problem is that, occasionally, the ACLs will actually be the same
but ordered differently. For example:

Parent_Folder
-------------------------
Builtin\Administrators FullControl
Builtin\Users Read

Child_Folder
-------------------------
Builtin\Users Read
Builtin\Administrators FullControl

So, while the ACL is technically the same, the script sees these two
variables as being different...

Any ideas on how to do this differently?
 


Rob Campbell

How about:


$acl = (Get-Acl $folder).access | sort
$pacl = (Get-Acl $folder.psparentpath).access | sort
$diff = compar-object $acl $pacl
$diff



Vadims Podans [MVP]

> $diff = compar-object $acl $pacl

Just to correct a mistake: it should be Compare-Object.
--
WBR, Vadims Podans
MVP: PowerShell
PowerShell blog - www.sysadmins.lv

sticky27

Try this:

Code:
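# Compare the access entries of two paths, ignoring the order of the entries.
Function Compare-ACL {
    [cmdletbinding()]
    Param (
        [parameter(mandatory=$True)][String]$ReferenceObject,
        [parameter(mandatory=$True)][String]$DifferenceObject
    )
    # AccessToString holds one entry per line; split it into an array of entries.
    $ReferenceObjectACL = ((Get-Acl $ReferenceObject).AccessToString).Split("`n")
    $DifferenceObjectACL = ((Get-Acl $DifferenceObject).AccessToString).Split("`n")
    # Compare-Object returns only the entries that appear on one side.
    Compare-Object -ReferenceObject $ReferenceObjectACL -DifferenceObject $DifferenceObjectACL
}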
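
An added example, not code from any poster in this thread: an order-independent comparison that reduces each access rule to a canonical string and diffs the two sets, run on constructed rules matching the question's Parent_Folder and Child_Folder. The function names are illustrative, and it goes a little beyond the thread by also comparing inheritance and propagation flags and by reporting whether inheritance is disabled on the child.

```powershell
# Added example, not code from the thread; function names are illustrative.
function ConvertTo-AceKey {
    # One canonical string per ACE. IsInherited is left out on purpose: an ACE
    # the child inherits is flagged as inherited there but not on the parent.
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Security.AccessControl.FileSystemAccessRule]$Ace)
    process {
        '{0}|{1}|{2}|{3}|{4}' -f $Ace.IdentityReference.Value, $Ace.AccessControlType,
            $Ace.FileSystemRights, $Ace.InheritanceFlags, $Ace.PropagationFlags
    }
}

function Compare-AceSet {
    # Order-independent comparison of two collections of access rules.
    param([object[]]$Parent = @(), [object[]]$Child = @())
    $p = @($Parent | ConvertTo-AceKey | Sort-Object -Unique)
    $c = @($Child  | ConvertTo-AceKey | Sort-Object -Unique)
    $onlyParent = @($p | Where-Object { $c -notcontains $_ })
    $onlyChild  = @($c | Where-Object { $p -notcontains $_ })
    [pscustomobject]@{
        Same       = ($onlyParent.Count + $onlyChild.Count) -eq 0
        OnlyParent = $onlyParent
        OnlyChild  = $onlyChild
    }
}

function Compare-FolderToParent {
    # Live use against a real directory; assumes its parent is readable.
    param([Parameter(Mandatory)][string]$Path)
    $child  = Get-Acl -LiteralPath $Path
    $parent = Get-Acl -LiteralPath (Split-Path -Path $Path -Parent)
    Compare-AceSet -Parent $parent.Access -Child $child.Access |
        Add-Member -NotePropertyName InheritanceDisabled `
            -NotePropertyValue $child.AreAccessRulesProtected -PassThru
}

# Constructed sample: the two entries from the question, in a different order.
$type   = 'System.Security.AccessControl.FileSystemAccessRule'
$ci     = 'ContainerInherit, ObjectInherit'
$admins = New-Object $type -ArgumentList 'BUILTIN\Administrators', 'FullControl', $ci, 'None', 'Allow'
$users  = New-Object $type -ArgumentList 'BUILTIN\Users', 'Read', $ci, 'None', 'Allow'

Compare-AceSet -Parent $admins, $users -Child $users, $admins   # same set, reordered
Compare-AceSet -Parent $admins, $users -Child $users            # child lacks one entry
```

With Compare-FolderToParent, parent entries that apply to "this folder only" are listed under OnlyParent, since the child never receives them.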
 
