PowerShell Get-ACL with SamAccountName values

半腔热情 submitted on 2021-02-11 12:40:24

Question


I'm trying to collect folder permissions to a CSV file with PowerShell. My problem is that I'd need the results to contain both the SamAccountName and FileSystemRights.

I tried two different methods. The first I came up with was a simple approach that gave me IdentityReference and FileSystemRights, but I couldn't find any working method that can get SamAccountName from IdentityReference. The second one I found on the internet was much more sophisticated. It collects all the accounts that have access to the folder, but it doesn't show FileSystemRights and I couldn't figure out how to change it to do so.

My own solution

(Get-Acl "FolderPath").Access | Select-Object IdentityReference, FileSystemRights

The solution I found

Get-Acl $UncPath | Select-Object -ExpandProperty Access | Where-Object { (-not $_.IsInherited) -and ('NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER' -notcontains $_.IdentityReference) } | Select-Object -ExpandProperty IdentityReference | ForEach-Object { $_.Translate('System.Security.Principal.SecurityIdentifier').Value } | Get-ADGroup -ErrorAction SilentlyContinue | get-adgroupmember | select-object SamAccountName | Format-Table | Out-String

Is there any working method that can get me a result where I can see SamAccountName and FileSystemRights?

Thank you in advance.


Answer 1:


$UncPath = 'E:\temp\test'

$all = Get-Acl $UncPath |
            Select -ExpandProperty Access |
            Where-Object { (-not $_.IsInherited) -and ('NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER' -notcontains $_.IdentityReference) } |
            Select-Object @{ Name = 'Identity'; Expression = { $_.IdentityReference -replace "\w+\\(.+)", '$1' } }, FileSystemRights

# Here you can get Users ACL
$distinct_users = $all |
            Select-Object Identity, @{ Name = 'sAMAccountName'; Expression = { (Get-ADUser -Identity $_.Identity -ErrorAction SilentlyContinue).sAMAccountName }}, FileSystemRights |
            Where-Object sAMAccountName -ne $null
# Here we will expand group acls
$groups = $all |
            Select-Object Identity, @{ Name = 'sAMAccountName'; Expression = { (Get-ADGroup -Identity $_.Identity -ErrorAction SilentlyContinue).sAMAccountName }}, FileSystemRights |
            Where-Object sAMAccountName -ne $null
# now we will get groups membership
$group_users = @()
Foreach($group in $groups){
    Get-ADGroupMember -Identity $group.Identity | ForEach-Object {
        $group_users += [PSCustomObject]@{
            'Identity' = $group.Identity
            'sAMAccountName' = $_.sAMAccountName
            'FileSystemRights' = $group.FileSystemRights
        }
    }
}

# @() keeps the + working when only one (or no) direct user entry was found
$everyone = @($distinct_users) + $group_users
# -NoTypeInformation drops the "#TYPE" header line that Windows PowerShell 5.1 writes
$everyone | Export-Csv -Path D:\example.csv -NoTypeInformation

Check the $everyone variable; it will contain 3 columns: Identity as it was in the ACL, sAMAccountName and FileSystemRights.
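
An added example, not part of the original answer: the same report built by resolving each ACL entry through its SID instead of stripping the domain prefix, so entries that do not map to an AD account still appear in the output and Allow/Deny is kept per row. The function name Get-FolderAclAccount and the Via and AccessControlType columns are assumptions made for this sketch; it requires the ActiveDirectory module and reuses the paths from the answer.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (name chosen for this example): one output row per account per ACE
function Get-FolderAclAccount {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $IncludeInherited
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IsInherited -and -not $IncludeInherited) { continue }
        $row = [ordered]@{
            Identity          = $ace.IdentityReference.Value
            Via               = 'Direct'
            SamAccountName    = $null
            AccessControlType = $ace.AccessControlType   # Allow or Deny
            FileSystemRights  = $ace.FileSystemRights
        }
        # Translate the ACE identity to a SID; report names that cannot be mapped
        try   { $sid = $ace.IdentityReference.Translate($sidType).Value }
        catch { $row.Via = 'Unresolved'; [pscustomobject]$row; continue }

        $adObject = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties sAMAccountName
        if (-not $adObject) {
            # Well-known, local or orphaned SID: keep the row, leave SamAccountName empty
            $row.Via = 'NotInAD'; [pscustomobject]$row; continue
        }
        if ($adObject.ObjectClass -eq 'group') {
            # -Recursive returns the leaf members of nested groups as well
            foreach ($member in Get-ADGroupMember -Identity $sid -Recursive) {
                $row.Via            = "Group:$($adObject.sAMAccountName)"
                $row.SamAccountName = $member.SamAccountName
                [pscustomobject]$row
            }
        } else {
            $row.SamAccountName = $adObject.sAMAccountName
            [pscustomobject]$row
        }
    }
}

Get-FolderAclAccount -Path 'E:\temp\test' |
    Export-Csv -Path 'D:\example.csv' -NoTypeInformation
```

Rows marked Unresolved or NotInAD are worth reviewing by hand, since they are ACL entries for which no AD account name was found.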



Source: https://stackoverflow.com/questions/55415433/powershell-get-acl-with-samaccountname-values
