PowerShell: finding which groups are attached to which folders

file-permissionspowershell

(This is my first post, so sorry if I'm hard to understand or asked a bad question)

Here is my problem:

I have a few AD Groups with a similar naming convention. "*somename" and I used Get-ADGroup command to get an array filled with those objects.

Similarly, I have folders with NTFS permissions on them which I have in another array. These permissions are a mix of the groups I mentioned earlier, as well as other groups and individual users as needed.

End Goal (What I would like to find):

Which folders do not have any of those AD Groups assigned.
And which of those AD Groups aren't attached to any folders.
Which folders have which AD Group from that list assigned to it.

Here is what I have tried

$CS_Dirs=get-childitem '\\my.server\share$\Dept' -recurse -depth 1 -filter copierscans
$CS_Roles=Get-ADGroup -filter {Name -like "* CopierScans"}

####For each directory in $CS_Dirs array, get acl###
foreach($dir in $CS_Dirs){

    ###Get the ACL for the Dir###
    get-acl $dir.PSPath | %{

        ####Variable to tell this loop if next loops find a match###
        $contains=$false

        ####For every access object in that ACL###
        foreach ($access in $_.access){

            ###loop through each group to check if any of the dir's ACL's principals are in my list of AD Groups.
            foreach($group in $CS_ADGrups){

                #If they are then set contains to true to tell the outer loop to select that path
                if($access.identityreference.ToString() -match {"DOMAIN\"+$group.name.ToString()}){
                    $contains=$true
                }
            }
        }

        #Should be a list of all the paths
        #Which are not assigned a group contained in my $CS_ADGroups list.
        if($contains){
            $_ | select @{n="path";e={$_.path}}
        }
    }
}

The Issues:

The matching in the end of the foreach I can't get to match eachother

The matching in the end of the foreach, i can't get it to evaluate true properly when they match. partly because one of them has the domain attached to the front and the other doesn't (hence the "domain\" portion)
I can't get it to select the directory path when it's inside a foreach loop,

Best Answer

It is difficult to see the errors you're getting without a similar environment to run it against. I can make the following two suggestions.

1) Get-Childitem does not return any items with a "path" property. Try using the "Fullname" property instead.

2) When you attempt to match a string that contains characters that perform special regex functions (like \$^?.) you need to escape those so they can be matched. Backslash is the primary escape character in regular expressions.

$group = "DOMAIN\Some Group"
$group -match $group
False
$group -match [regex]::Escape($group)
True

[Regex]::Escape("DOMAIN\Some Group")
DOMAIN\\Some\ Group
help about_regular_expressions

Try the following on the right side of your -match

-match ( [regex]::Escape("Domain\" + $group.name))

Related Solutions

Powershell – (Powershell) Method to return a list of groups where a specific user has ‘write member’ security

There are two problems here.

The CMDlet Get-QADPermission is writing directly to the console during execution which is why you're seeing Permissions for: .... Since your pipeline is writing to the same output, it all gets mixed together. Store the output from your pipeline to a variable instead.
When you pipe the group into Get-QADPermission, you're throwing away the group object and getting a permissions object instead. If you want to keep the original object, you need to filter with Where-Object.

Also, be careful with Get-QADPermission. If you only query for WriteProperty, it won't return results with both Read+Write access. Usually you want to query for both. And in most cases, you also want to use -Inherited to get permissions granted from parent OU's. If you're really looking for once-off permissions, then you can ignore this switch.

function Test-UserCanModifyGroupsInOU ($Username, $OU)
{
  $results = Get-QADGroup -SearchScope 'OneLevel' -SearchRoot $OU |
    Where-Object {
      $_ | Get-QADPermission -Rights ReadProperty,WriteProperty -Property member -Account $username
    } |
    Select @{Name="User";Expression={$username}}, @{Name="Group";Expression={$_.Name}}
  $results | Write-Output
  $results | Export-Csv "$username.csv"
}

@("bob","sally") |
  ForEach-Object {
    Test-UserCanModifyGroupsInOU -Username $_ -OU 'domain.org.com/path/to/OU'
  }

Also note that this only works for permissions on specific properties. It won't return results for a user that has "Full Control" on the group, even though they're stil allowed to modify the member attribute.

Powershell show users who are members of a group twice – once directly once indirectly

The following will walk a given parent group (name must be compatible with Get-ADGroupMember syntax) and populate two hashes. One hash will have user sAMAccountName as the key and a array of direct group memberships as the value. The second hash will contain keys of all processed groups.

It will correctly detect, and skip, circular group nestings (e.g. parent is child of child). You can comment out the Write-Host lines for less line noise in the console.

Import-Module ActiveDirectory

function Walk-Group ( $group ) {

    Get-ADGroupMember $group | Group-Object objectClass -ash | Foreach-Object {

        # Add each user to $users hash, add current group to their collection
        if ( $_.user ) {
            foreach ( $u in $_.user.GetEnumerator() ) {
                if ( $users[$u.sAMAccountName] ) {
                    $users[$u.sAMAccountName] += $group
                } else {
                    $users.Add( $u.sAMAccountName, @($group) )
                }
            }
        }

        # Recurse into each child group, skip if group is circular member
        if ( $_.group ) {
            foreach ( $g in $_.group.GetEnumerator() ) {
                if ( $groups[$g.Name] ) {
                    Write-Host "Existing:" $g.Name
                } else {
                    Write-Host "New Group:" $g.Name
                    $groups.Add( $g.Name, $true )
                    Walk-Group $g.Name
                }
            }
        }

    }
}

# Hash to collect user/group info.
$users = @{}

# Hash to collect processed groups.
$groups = @{}

# Root group to walk
Walk-Group "Department-staff"

# Display users with mulitple direct memberships
$users.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }