2

Having trouble getting the output I want from some PowerShell commands. I'm creating a PowerShell script to help clean up home directories. I need to get the permissions of the directory and make sure that the name of the directory and the user who has access match.

I'm using the Get-Acl function and it has a lot of extra data. In theory the file permissions on these directories should have Administrators as the owner, and the user should be the only person listed under Access.

PS C:\> Get-Acl "\\fs1\home\e55555"
Directory: \\fs1\home
Path                       Owner                      Access
----                       -----                      ------
e55555                    BUILTIN\Administrators     DOM\e55555 Allow ...

I would like to filter out everything except what is under access. I tried piping | select Access but it doesn't give me the same output.

I know I'll have extra information besides the UserID so I figured I could write to a file and try to "grep" what I needed. Through some googling and experimentation I got some output I felt would be easy to parse, here is the command and output:

PS C:\> $test = Get-Acl \\fs1\home\\e55555 | Select-Object -ExpandProperty Access | select IdentityReference

IdentityReference
-----------------
DOM\e55555
NT AUTHORITY\SYSTEM
BUILTIN\Administrators
NT AUTHORITY\Authenticated Users

Tried to use regex to find the line I wanted, none of the things I tried gave me any output. I tried different variations of the commands below and also tried parsing a file instead of a variable:

echo $test | Select-String -pattern "^DOM"
[regex]::matches($test,"^DOM")

So how can I trim down my output on my get-acl command? And how can I "grep" for any lines starting with DOM without extra data?

3 Answers

2

This should give you the access-objects for all users in your domain

$path = "\\fs1\home\\e55555"
(Get-Acl $path).Access | where { $_.IdentityReference -like "DOM*"}

If you want to check that the user is in there, you could use:

$path = "\\fs1\home\\e55555"
$username = $path | Split-Path -Leaf

(Get-Acl $path).Access | where { $_.IdentityReference -like "DOM\$username"}

I didn't extract the IdentityReference property since you need the whole access object if you want to check the permissions. If you save the Get-Acl outputs to a variable (ex. $access = Get-Acl ......), you can check that the user had an access rule by using if($access) { do something }

EDIT: Just as an idea. If you only want the folders where a user with the same name as the folder doesn't have an access rule (without checking what kind of rights the user has), you could try:

$acls = Get-ChildItem "\\fs1\home\" | Get-Acl 
foreach ($acl in $acls) {
    $users = $acl.Access | select -ExpandProperty IdentityReference
    $username = $acl.PSChildName
    if ($users -notcontains "DOM\$username") { $username }
}

This should output an array of folder names (ex. "e55555") where something IS wrong (ex. user "e55555" doesn't have any access to the folder "e55555").


1 Comment

Thank you very much! Was able to get what I needed with your code. Was a big help when I saw your code and remembered that PowerShell is object oriented and I just had to reference the property.
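
Building on the loop in the EDIT above, an added example (not part of the original answer) that also checks the owner and reports identities other than the folder's own user, which the question says should not be listed. The function name `Test-HomeDirAcl`, its parameters, the tolerated-identity list and the sample ACL objects are assumptions constructed for illustration.

```powershell
function Test-HomeDirAcl {
    param(
        [Parameter(ValueFromPipeline)] $Acl,
        [string]   $Domain        = 'DOM',
        [string]   $ExpectedOwner = 'BUILTIN\Administrators',
        # Assumption: identities tolerated besides the folder's own user.
        [string[]] $Allowed       = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    process {
        $expected = "$Domain\$($Acl.PSChildName)"
        # Only Allow rules grant access; stringify IdentityReference (an NTAccount on real ACLs).
        $allow = @($Acl.Access | Where-Object { "$($_.AccessControlType)" -eq 'Allow' })
        $ids   = @($allow | ForEach-Object { "$($_.IdentityReference)" } | Sort-Object -Unique)
        $findings = @()
        if ($Acl.Owner -ne $ExpectedOwner) { $findings += "owner is $($Acl.Owner)" }
        if ($ids -notcontains $expected)   { $findings += "no Allow rule for $expected" }
        $extra = @($ids | Where-Object { $_ -ne $expected -and $Allowed -notcontains $_ })
        if ($extra) { $findings += "unexpected: $($extra -join ', ')" }
        if ($findings) {
            [pscustomobject]@{ Folder = $Acl.PSChildName; Findings = $findings -join '; ' }
        }
    }
}

# Constructed sample input shaped like Get-Acl output, so the example runs offline.
function New-SampleAcl($Name, $Owner, [string[]]$Identities) {
    [pscustomobject]@{
        PSChildName = $Name
        Owner       = $Owner
        Access      = @($Identities | ForEach-Object {
            [pscustomobject]@{ IdentityReference = $_; AccessControlType = 'Allow' }
        })
    }
}
$sample = @(
    New-SampleAcl 'e55555' 'BUILTIN\Administrators' 'DOM\e55555', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    New-SampleAcl 'e11111' 'BUILTIN\Administrators' 'DOM\e22222', 'NT AUTHORITY\Authenticated Users'
    New-SampleAcl 'e33333' 'DOM\e33333' 'DOM\e33333'
)
$sample | Test-HomeDirAcl | Format-Table -AutoSize -Wrap

# Against the real share, feed it Get-Acl output instead of the sample:
# Get-ChildItem '\\fs1\home' -Directory | Get-Acl | Test-HomeDirAcl
```

Folders that pass every check produce no output, so the result is the list of home directories that need attention.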
0

I think you think-string all the time. Try to see objects instead. And to filter - use where, not select-string. E.g.:

$HomeDrive = '\\fs1\home\'
$User = 'e55555'

(Get-Acl $HomeDrive$User).Access |
    where { $_.IdentityReference -match $user }

That should get you started...? :)

2 Comments

Sorry, but where do you see array output? Get-Acl SingleFolder returns single ACL object. :)
ofc. that's true =) my bad
0

Try adding the -Expand to IdentityReference too. To build on what you were doing:

# IdentityReference is an NTAccount object, not a string; use .Value for string methods
Get-Acl "\\fs1\home\\e55555" | Select-Object -ExpandProperty Access |
    select -expand IdentityReference | ?{ $_.Value.StartsWith("DOM") }

To make it simpler:

(Get-Acl "\\fs1\home\\e55555").Access | Select -Expand IdentityReference | ?{ $_.Value.StartsWith("DOM") }
