问题
In PowerShell when using Get-Acl how can I show all members belonging to a group instead of the group itself?
So:
Get-ChildItem C:\ | where-object {($_.PsIsContainer)} | Get-Acl | select path -ExpandProperty Access
Shows something like this:
Path : Microsoft.PowerShell.Core\FileSystem::C:\Test
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None
Path : Microsoft.PowerShell.Core\FileSystem::C:\Test
FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None
Instead I want it to list all users belonging to Administrators/Users with their permission for each folder and discard the group.
Also how can I add Convert-Path to the select path statement so that path displayed is only C:\Test?
Thanks!
回答1:
I wasn't able to solve it with linked post and/or the PowerShell Access Control module, still only got groups. So in the end I was able to get the info I wanted with a combination of different other helpful posts like:
PowerShell script to return members of multiple security groups
List user details from Username
Expanding on my original question and including the final result I wanted, this is how I did it. It's not beautiful (even repeats small portion of code) and big parts could probably be put in one line, but for my own readability alone it kinda makes sense this way. Also I omitted the discard of group, since I found the information useful.
$queryPath = "C:\Test"
$targetFile = "C:\Test.csv"
$Table = @()
$Record = [ordered]@{
"Path" = ""
"IdentityReference" = ""
"Class" = ""
"GrpMember" = ""
}
$foldersToQuery = Get-ChildItem $queryPath | Where {$_.PSIsContainer} | select -expandproperty FullName
foreach ($folder in $foldersToQuery) {
$Record.Path = $folder
$permissions = Get-Acl $folder | select -expandproperty Access
foreach ($permission in $permissions) {
[string]$id = $permission.IdentityReference
$SamAccountName = $id.Split('\')[1]
$ADObject = Get-ADObject -Filter ('SamAccountName -eq "{0}"' -f $SamAccountName) }
$Record.IdentityReference = $permission.IdentityReference.ToString()
switch ($ADObject.ObjectClass) {
'user' {
$Record.Class = $ADObject.ObjectClass
$Record.GrpMember = ""
$objRecord = New-Object PSObject -property $Record
$Table += $objrecord
}
'group' {
$Record.Class = $ADObject.ObjectClass
$members = Get-ADGroupMember $SamAccountName }
foreach ($member in $members) {
$Record.GrpMember = $member.name
$objRecord = New-Object PSObject -property $Record
$Table += $objrecord
}
}
}
}
}
$Table | export-csv $targetFile -NoTypeInformation -Encoding UTF8
Returning a table like this when formatted
来源:https://stackoverflow.com/questions/52150963/powershell-get-acl-get-members-instead-of-group