Finding folders where ACL Inheritance is off

ksinc11

I am very new to PowerShell. I have found a lot of stuff on using the $acl =
get-acl command and $acl.AreAccessRulesProtected to determine if inheritance
is on or off. I am trying to write a script that will recurse a directory
tree and look at inheritance on the subfolders. If inheritance is ON ($False)
then ignore the subfolder, if inheritance is OFF ($True) then output (append),
to a csv, the complete path (c:\Folder\SubFolder), Owner, & all
Users/Groups with Permission Levels.

I don't want to change the inheritance, just output the information if it is
OFF.

Thanks for the Help.

Kevin
 

ksinc11

I have tried using the following commands. (bear in mind I am very new to PS)
Hopefully someone can point me in the right direction.

get-childitem c:\scripts -recurse|where-object{$_.psiscontainer} |
foreach-object{$acl=get-acl} if (!$acl.AreAccessRulesProtected){get-acl}

I get the following error.

ForEach-Object : Cannot bind parameter 'Process'. Cannot convert the "if"
value
of type "System.String" to type "System.Management.Automation.ScriptBlock".
At line:1 char:82
+ get-childitem c:\scripts -recurse|where-object{$_.psiscontainer}|
foreach-ob
ject <<<< {$acl=get-acl} if (!$acl.AreAccessRulesProtected){get-acl}
+ CategoryInfo : InvalidArgument: (:) [ForEach-Object], Parameter
BindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerSh
ell.Commands.ForEachObjectCommand

The following generates a list of the subfolders.
get-childitem c:\scripts -recurse|where-object{$_.psiscontainer}

The following just brings up a new prompt
get-childitem c:\scripts -recurse|where-object{$_.psiscontainer} |
foreach-object{$acl=get-acl} if (!$acl.AreAccessRulesProtected)

Again, thanks for the help.

Kevin
 

Robert Robelo

Try this:

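# Folders that carry at least one explicit (non-inherited) access rule
Get-ChildItem c:\ | ? {$_.PSIsContainer} | ? {
    Get-Acl $_.FullName | % {
        $_.GetAccessRules($true, $true, 'System.Security.Principal.NTAccount') |
            ? {!$_.IsInherited}
    }
}

# Folders whose ACL is not protected, i.e. inheritance is still on
Get-ChildItem c:\ | ? {$_.PSIsContainer} |
    ? {!(Get-Acl $_.FullName).AreAccessRulesProtected}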

# - - - - - - - - - - - - - #
<#
You can create filters that'll save you some typing if you do this
often. Save them in your $Profile to have them available in every session.
#>

filter Dirs {
    if ($_.PSIsContainer) {$_}
}

filter IsInherited {
    param([Switch]$not)
    $acl = Get-Acl $_.fullname
    $result = $acl.GetAccessRules($true,$true,'Security.Principal.NTAccount') |
        Where-Object {if ($Not) {-not $_.IsInherited} else {$_.IsInherited}}
    if ($result) {$_}
}

filter AccessRulesProtected {
    param([Switch]$Not)
    $protected = (Get-Acl $_.FullName).AreAccessRulesProtected
    $result = if ($Not) {-not $protected} else {$protected}
    if ($result) {$_}
}

# ...and use them like this:
Get-ChildItem c:\ | Dirs | AccessRulesProtected

Get-ChildItem c:\ | Dirs | AccessRulesProtected -not

Get-ChildItem c:\ | Dirs | IsInherited -not

Get-ChildItem c:\ | Dirs | IsInherited

--
Robert
 

ksinc11

Robert,

Thank you for the help, this first block of code works well, and outputs a
list of folders where inheritance is turned off.

Now I just need to get the script to also output the "Owner" information &
the "Security Permissions" (users, groups, & access levels) that are applied
to these folders.

Thanks again for the help.

Kevin
 

ksinc11

When I run the following, I get some of the ACL information.
Unfortunately the AccessToString field only shows the first user/group in the
ACL, and not all of them.

PS C:\scripts> Get-ChildItem c:\scripts -recurse | ? {$_.PSIsContainer} | ?
{Get-Acl $_.FullName | % {$_.GetAccessRules($true, $true,
'System.Security.Principal.NTAccount') | ? {!$_.IsInherited}}} | get-acl |
export-csv output.csv -noType

Any suggestions?

Thanks.

Kevin
 

ksinc11

Never mind, it helps to expand the cells in Excel, all the users and groups
were there.

Thank you for all the help.

Kevin
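
An added example, not code from any poster in this thread: one way to produce the report described above, keeping only folders where AreAccessRulesProtected is $true and writing one CSV row per access rule, so nothing is packed into a single multi-line AccessToString cell. It assumes PowerShell 3.0 or later; $Root, $OutFile and the New-AclRow helper are names made up for this sketch.

```powershell
# Added example (PowerShell 3.0+). $Root and $OutFile are assumed values.
$Root    = 'C:\scripts'
$OutFile = '.\protected-folders.csv'

# Hypothetical helper: builds one report row with a fixed column order
function New-AclRow($Path, $Owner, $Identity, $Type, $Rights, $AppliesTo) {
    [pscustomobject]@{
        Path = $Path; Owner = $Owner; Identity = $Identity
        Type = $Type; Rights = $Rights; AppliesTo = $AppliesTo
    }
}

# Subfolders that cannot be listed at all are skipped by SilentlyContinue
Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $path = $_.FullName
        try {
            $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
        } catch {
            # Record folders whose ACL cannot be read instead of dropping them
            New-AclRow $path '(ACL unreadable)' '' '' '' ''
            return
        }

        # $true means inheritance is off; folders that still inherit are ignored
        if (-not $acl.AreAccessRulesProtected) { return }

        $rules = @($acl.Access)
        if ($rules.Count -eq 0) {
            # Protected ACL with no entries: still report the folder
            New-AclRow $path $acl.Owner '(no access rules)' '' '' ''
            return
        }
        foreach ($rule in $rules) {
            # One CSV row per access rule
            New-AclRow $path $acl.Owner $rule.IdentityReference.Value `
                $rule.AccessControlType $rule.FileSystemRights $rule.InheritanceFlags
        }
    } |
    Export-Csv -Path $OutFile -NoTypeInformation
```

The script only reads ACLs and never changes inheritance; run it from an elevated session if many rows come back as "(ACL unreadable)".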
 
