PowerShell Get-Acl - Get members instead of group

Posted 2019-08-20 07:07

Question:

In PowerShell, when using Get-Acl, how can I show all members belonging to a group instead of the group itself?

So:

Get-ChildItem C:\ | where-object {($_.PsIsContainer)} | Get-Acl | select path -ExpandProperty Access

Shows something like this:

Path              : Microsoft.PowerShell.Core\FileSystem::C:\Test
FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

Path              : Microsoft.PowerShell.Core\FileSystem::C:\Test
FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

Instead I want it to list all users belonging to Administrators/Users with their permission for each folder and discard the group.

Also, how can I add Convert-Path to the select path statement so that the path displayed is only C:\Test?

Thanks!

Answer 1:

I wasn't able to solve it with the linked post and/or the PowerShell Access Control module; I still only got groups. So in the end I was able to get the info I wanted with a combination of other helpful posts like:

PowerShell script to return members of multiple security groups
List user details from Username

Expanding on my original question and including the final result I wanted, this is how I did it. It's not beautiful (it even repeats a small portion of code) and big parts could probably be put on one line, but for my own readability alone it kind of makes sense this way. Also, I omitted discarding the group, since I found the information useful.

$queryPath = "C:\Test"
$targetFile = "C:\Test.csv"

$Table = @()

$Record = [ordered]@{
    "Path" = ""
    "IdentityReference" = ""
    "Class" = ""
    "GrpMember" = ""
}

$foldersToQuery = Get-ChildItem $queryPath | Where {$_.PSIsContainer} | select -expandproperty FullName

foreach ($folder in $foldersToQuery) {
    $Record.Path = $folder
    $permissions = Get-Acl $folder | select -expandproperty Access

    foreach ($permission in $permissions) {
        [string]$id = $permission.IdentityReference
        $SamAccountName = $id.Split('\')[1]
        $ADObject = Get-ADObject -Filter ('SamAccountName -eq "{0}"' -f $SamAccountName)
        $Record.IdentityReference = $permission.IdentityReference.ToString()

        switch ($ADObject.ObjectClass) {
            'user' {
                $Record.Class = $ADObject.ObjectClass
                $Record.GrpMember = ""
                $objRecord = New-Object PSObject -property $Record
                $Table += $objrecord
            }
            'group' {
                $Record.Class = $ADObject.ObjectClass
                $members = Get-ADGroupMember $SamAccountName

                foreach ($member in $members) {
                    $Record.GrpMember = $member.name
                    $objRecord = New-Object PSObject -property $Record
                    $Table += $objrecord
                }
            }
        }
    }
}
$Table | export-csv $targetFile -NoTypeInformation -Encoding UTF8

Returning a table like this when formatted
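The script above stops at the first level of group membership and looks up every identity by SamAccountName in Active Directory, so a nested group is reported as a group, and a BUILTIN\ identity such as BUILTIN\Administrators resolves to the domain's Builtin container rather than the local group on the server that actually holds the folders. The following is an added example, not code from the question or the answer: it follows nested groups with a cycle guard, records the chain of groups each member was reached through, expands BUILTIN\ groups with Get-LocalGroupMember on the local host, reports identities it cannot resolve (orphaned SIDs, NT AUTHORITY principals) instead of silently dropping them, and uses Convert-Path so the Path column is plain C:\Test. It assumes the RSAT ActiveDirectory module is installed and that it runs on the domain-joined server owning the folders; the function and parameter names are my own.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# (RSAT) is available and the script runs on the domain-joined host that holds
# the folders. Function and parameter names here are my own.
Import-Module ActiveDirectory -ErrorAction Stop

# Expands one ACE identity into the principals it ultimately grants access to.
# $Chain lists the groups already walked on this path; it is reported as "Via"
# and doubles as the cycle guard (group A contains B, B contains A).
function Expand-Principal {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # e.g. 'CONTOSO\FileAdmins', 'BUILTIN\Users'
        [string[]] $Chain = @()
    )
    if ($Chain -contains $Identity) { return }      # already on this path: stop recursing

    $parts  = $Identity.Split('\')
    $domain = if ($parts.Count -gt 1) { $parts[0] } else { '' }
    $name   = $parts[-1]
    $via    = $Chain -join ' > '
    $next   = $Chain + $Identity

    if ($domain -eq 'BUILTIN' -and (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue)) {
        # BUILTIN\* on a member server is the LOCAL group; its members are what
        # matters for this folder, not the domain's Builtin container of the same name.
        foreach ($m in (Get-LocalGroupMember -Group $name -ErrorAction SilentlyContinue)) {
            if ($m.ObjectClass -eq 'Group') {
                Expand-Principal -Identity $m.Name -Chain $next
            } else {
                [pscustomobject]@{ Member = $m.Name; Class = 'user'; Source = "$($m.PrincipalSource)"; Via = ($next -join ' > ') }
            }
        }
        return
    }

    $obj = Get-ADObject -Filter ('SamAccountName -eq "{0}"' -f $name) -Properties ObjectClass
    if (-not $obj) {
        # NT AUTHORITY\SYSTEM, CREATOR OWNER, local-only users and orphaned SIDs land here;
        # they are reported rather than dropped so the audit shows them.
        [pscustomobject]@{ Member = $Identity; Class = 'unresolved'; Source = 'n/a'; Via = $via }
        return
    }
    if ($obj.ObjectClass -ne 'group') {
        # user or computer object: a leaf
        [pscustomobject]@{ Member = $Identity; Class = $obj.ObjectClass; Source = 'ActiveDirectory'; Via = $via }
        return
    }
    # Group: walk direct members (users, computers and nested groups) one level at a time.
    # Members are assumed to live in the same domain as the group being expanded.
    foreach ($m in (Get-ADGroupMember -Identity $name)) {
        Expand-Principal -Identity ('{0}\{1}' -f $domain, $m.SamAccountName) -Chain $next
    }
}

# One row per folder, ACE and effective member.
function Get-FolderAclMembers {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )
    # Convert-Path strips the Microsoft.PowerShell.Core\FileSystem:: prefix.
    $folders = @(Convert-Path -LiteralPath $Path)
    if ($Recurse) {
        $folders += Get-ChildItem -LiteralPath $Path -Directory -Recurse | Select-Object -ExpandProperty FullName
    }
    foreach ($folder in $folders) {
        foreach ($ace in (Get-Acl -LiteralPath $folder).Access) {
            foreach ($p in Expand-Principal -Identity $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path              = $folder
                    IdentityReference = $ace.IdentityReference.Value
                    Member            = $p.Member
                    Class             = $p.Class
                    Source            = $p.Source
                    Via               = $p.Via
                    Rights            = $ace.FileSystemRights
                    Type              = $ace.AccessControlType
                    Inherited         = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: audit C:\Test and its subfolders and write the flattened result to CSV.
Get-FolderAclMembers -Path 'C:\Test' -Recurse |
    Export-Csv -LiteralPath 'C:\Test.csv' -NoTypeInformation -Encoding UTF8
```

When reviewing the CSV, rows with Class = unresolved are the ones worth a second look (stale SIDs from deleted accounts, or local accounts that only exist on that server), and a long Via chain shows exactly which nested group is carrying a permission you did not expect. Expanding very large groups such as Domain Users through Get-ADGroupMember is slow and may hit the domain controller's result limit, so on broad ACLs it is usually better to filter those identities out before expanding.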