{"id":52463,"date":"2009-09-15T03:01:00","date_gmt":"2009-09-15T03:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2009\/09\/15\/hey-scripting-guy-how-can-i-tell-to-which-folders-a-user-has-been-granted-or-denied-access\/"},"modified":"2009-09-15T03:01:00","modified_gmt":"2009-09-15T03:01:00","slug":"hey-scripting-guy-how-can-i-tell-to-which-folders-a-user-has-been-granted-or-denied-access","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-tell-to-which-folders-a-user-has-been-granted-or-denied-access\/","title":{"rendered":"Hey, Scripting Guy! How Can I Tell to Which Folders a User Has Been Granted or Denied Access?"},"content":{"rendered":"

<\/p>\n\n\n\n
Share this post: <\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/span> <\/p>\n

\"Hey,Hey, Scripting Guy! I need to find out what folders a user has specifically been granted or denied access to. I do not need the specific rights that were granted. I only need to find out where the user was specifically granted or denied access. The reason for this is I am trying to clean up permissions on some of our shared directories, and I am having a hard time finding explicit permissions. As you know, when a user has been explicitly denied, it overrides other permissions. Also when a user has been granted specific permissions, they add to rights gained via groups. All of this is quite confusing. Needless to say, these permissions were granted by some clown who did not know what he was doing, and of course the clown has now been promoted to another department and is too good to answer questions from a storage administrator. Can you whip up a custom script for me? <\/p>\n

— JS <\/p>\n

\"Hey,Hello JS, <\/p>\n

Microsoft Scripting Guy Ed Wilson here. I recently had a scoping call with a large customer about providing some Windows PowerShell 2.0 training for them. During the phone call, I mentioned that reporting on certain configuration settings is best carried out by using tools such as System Center<\/font><\/a> and that I did not think in the large enterprise writing scripts to detect the installation status of a particular hotfix was something that would be needed. They promptly informed me that, while it might be possible to obtain such a report, it might very well take more than a week to have it produced because the System Center team is responsible for managing System Center and not for producing ad hoc reports for the server administration team.  <\/span>It is a shame, but it seems that most IT departments these days run extremely lean, and to accomplish their core mission, they must carefully guard against being randomized in too many different directions. Of course, this is not necessarily your problem; however, it might explain why your colleague seems to be a bit preoccupied with his new job. Another explanation might be that your co-worker does not remember what was done or why. If the documentation for such changes was not made, it might be that any forthcoming assistance would be useless drivel. <\/p>\n

A good script is better than a clueless co-worker any day. The Get-SecurityOfFolders.ps1 script will search through an array of folders that you specify, and find which folders a specific user has been granted explicit security permissions to. The complete Get-SecurityOfFolders.ps1 script is seen here. <\/p>\n

Get-SecurityOfFolders.ps1 <\/p>\n

<\/strong><\/p>\n

$user = ‘nwtraders\\bob’
$folders = "c:\\fso","C:\\fso1","c:\\fso2"
$acls = Get-Acl -path $folders
$outputObject = @() <\/p>\n

Foreach($acl in $acls)
{
 <\/span>$folder = (convert-path $acl.pspath)
 <\/span>Write-Progress -act "Getting Security" -status "checking $folder" -percent ($i\/ $folders.count*100)
 <\/span>$object = New-Object -TypeName PSObject
  <\/span>Foreach($access in $acl.access)
  <\/span>{
    <\/span>Foreach($value in $access.identityReference.Value)
     <\/span>{
       <\/span>if ($value -eq $user)
  <\/span>        <\/span>{
     <\/span>$object | Add-Member -MemberType NoteProperty -Name Folder -Value $folder
     <\/span>$object | Add-Member -MemberType NoteProperty -Name user -Value $user
     <\/span>$object | Add-Member -MemberType NoteProperty -Name mode -Value $access.AccessControlType
     <\/span>$outputObject += $object
          <\/span>}
     <\/span>} #end foreach value
  <\/span>} # end foreach access
$i++
} #end Foreach acl
$outputObject | Format-Table -property * -autosize <\/p>\n

<\/font><\/font><\/span><\/p>\n

The first thing that is done in the Get-SecurityOfFolders.ps1 script is to specify a user name. The user is the one whose security rights to folders will be determined. The folders are an array of folder paths. You could also use the Get-ChildItem<\/b> cmdlet to obtain a collection of folders, but that would entail a bit more work. You might also wish to modify these two value assignments and turn them into command-line parameters. You will need to modify these two values before running the script, unless you actually have a user named nwtraders\\bob<\/b> and you have folders c:\\fso \u2013 c:\\fso2<\/b>. The two lines are shown here: <\/p>\n

$user = ‘nwtraders\\bob’
$folders = "c:\\fso","C:\\fso1","c:\\fso2" <\/p>\n

<\/font><\/span><\/p>\n

Now we use a shortcut to grab the security objects from the folders. Because the Get-Acl<\/b> cmdlet will accept an array of strings for the folder paths, the array of strings stored in the $folders<\/b> variable is passed to the path argument of the Get-Acl<\/b> cmdlet. The resulting collection of System.Security.AccessControl.DirectorySecurity<\/a> .NET Framework classes are stored in the $acls<\/b> variable. This is seen here: <\/p>\n

$acls = Get-Acl -path $folders <\/p>\n

<\/font><\/span><\/p>\n

After you have collected the access control lists and stored them in the variable $acls<\/b>, it is time to create an empty array. The $outputObject<\/b> variable will be used to store the custom access object that will be created later on in the script. It is created here: <\/p>\n

$outputObject = @() <\/p>\n

<\/font><\/span><\/p>\n

You can walk through the collection of access control lists by using the Foreach<\/b> statement. This is seen here: <\/p>\n

Foreach($acl in $acls)
{ <\/p>\n

<\/font><\/span><\/p>\n

The path to the folder the specific user has been granted rights to is obtained from the pspath<\/b> property of the System.Security.AccessControl.DirectorySecurity .NET Framework class. The pspath<\/b> property is added by Windows PowerShell. When you look at the pspath<\/b> property value, it contains the path to the folder, but not in a very usable fashion. This is seen here: <\/p>\n

PS C:\\> (Get-Acl c:\\fso).pspath
Microsoft.PowerShell.Core\\FileSystem::C:\\fso
PS C:\\> <\/p>\n

<\/font><\/span><\/p>\n

To translate the pspath<\/b> property value into a path that is more useful for the script, you can use the Convert-Path<\/b> cmdlet. The Convert-Path<\/b> cmdlet will translate a Windows PowerShell path into a path that can be used by a Windows PowerShell provider. This is seen here: <\/p>\n

PS C:\\> Convert-Path -path (Get-Acl c:\\fso).pspath
C:\\fso
PS C:\\> <\/p>\n

<\/font><\/span><\/p>\n

In the Get-SecurityOfFolders.ps1 script, the converted path is stored in the $folder<\/b> variable, which is seen here: <\/p>\n

 <\/span>$folder = (convert-path \u2013path $acl.pspath) <\/p>\n

<\/font><\/span><\/p>\n

The Write-Progress<\/b> cmdlet is used to provide a visual indicator of the progress in obtaining the ACLs from each folder. The activity is the gathering of security information. The status is the current folder that is being scanned. The percent complete is calculated by using the number of folders in the $folders<\/b> array. When the Get-SecurityOfFolders.ps1 script is run, this progress bar is displayed: <\/p>\n

\"Image <\/p>\n

The Write-Progress<\/b> command is seen here: <\/p>\n

 <\/span>Write-Progress -activity "Getting Security" -status "checking $folder" -percent ($i\/ $folders.count*100) <\/p>\n

<\/font><\/span><\/p>\n

It is now time to create the custom Windows PowerShell object that will hold the security information for the specific user on each of the folders. To do this, use the New-Object<\/b> cmdlet and specify the TypeName<\/b> of PSObject. The resulting custom object is stored in the $object<\/b> variable as seen here: <\/p>\n

 <\/span>$object = New-Object -TypeName PSObject <\/p>\n

<\/font><\/span><\/p>\n

Because the user name that has been granted rights to a folder is stored in the value of the identityReference<\/b> property of the System.Security.Principal.NTAccount<\/a> .NET Framework class, it is necessary to somehow gain access to the NTAccount<\/b> class.  <\/span>To do this, each of the System.Security.AccessControl.FileSystemAccessRule<\/a> .NET Framework classes that are returned by querying the access<\/b> property of the DirectorySecurity<\/b> object are queried. The Foreach<\/b> statement is used to walk through the collection of FileSystemAccessRules<\/b>, as seen here: <\/p>\n

  <\/span>Foreach($access in $acl.access)
  <\/span>{ <\/p>\n

<\/font><\/span><\/p>\n

After a FileSystemAccessRule<\/b> has been obtained and stored in the $access<\/b> variable, the NTAccount<\/b> class is obtained by referencing the identityReference<\/b> property.  <\/span>The value contained in the value<\/b> property is stored in the $value<\/b> variable as seen here: <\/p>\n

    <\/span>Foreach($value in $access.identityReference.Value)
     <\/span>{ <\/p>\n

<\/font><\/span><\/p>\n

If the value stored in the $value<\/b> variable is equal to the string that is stored in the $user<\/b> variable, the Add-Member<\/b> cmdlet is used to add three different note properties to the custom PSObject that is stored in the $object<\/b> variable. <\/p>\n

The use of the custom PSObject was a significant feature in the solutions submitted by our expert commentators during the 2009 Summer Scripting Games<\/font><\/a>. Those guest commentaries, as well as my review of some of the solutions proposed by Games participants, can be seen in the Hey, Scripting Guy! archives<\/font>. <\/p>\n

The first NoteProperty<\/b> is the folder name stored in the $folder<\/b> variable; the second is the user name stored in the $user<\/b> variable; and the last  <\/span>NoteProperty<\/b> is the access mode (either denied or granted). This last value is received from the AccessControlType<\/b> property from the FileSystemAccessRule<\/b> .NET Framework class stored in the $access<\/b> variable. This is seen here: <\/p>\n

       <\/span>if ($value -eq $user)
          <\/span>{
     <\/span>$object | Add-Member -MemberType NoteProperty -Name Folder -Value $folder
  <\/span>   <\/span>$object | Add-Member -MemberType NoteProperty -Name user -Value $user
     <\/span>$object | Add-Member -MemberType NoteProperty -Name mode -Value $access.AccessControlType
     <\/span>$outputObject += $object
          <\/span>}
     <\/span>} #end foreach value
  <\/span>} # end foreach access <\/p>\n

<\/font><\/span><\/p>\n

The value of the $i <\/b>variable is incremented by one because it is used to track the progress through the folders for the Write-Progress<\/b> command. This is done just before closing the curly brackets for the Foreach<\/b> statement that is used to walk through the access control lists: <\/p>\n

$i++
} #end Foreach acl <\/p>\n

<\/font><\/span><\/p>\n

It is time to display the results that are stored in the $outputObject<\/b> variable. Because the $outputObject<\/b> contains an array of custom Windows PowerShell objects, the output can be manipulated by using standard Windows PowerShell cmdlets. To display a table, pipe the $outputObject<\/b> variable to the Format-Table<\/b> cmdlet, select the properties you are interested in seeing and then autosize it to maximize screen real estate. The command to produce the output is seen here: <\/p>\n

$outputObject | Format-Table -property * -autosize <\/p>\n

<\/font><\/span><\/p>\n

The output produced by the script is seen here: <\/p>\n

\"Image <\/p>\n

JS, this concludes our discussion of identifying folders to which a specific user has rights. <\/p>\n

If you want to know exactly what we will be discussing tomorrow, follow us on Twitter<\/a> or Facebook<\/font><\/a>. If you have any questions, send e-mail to us at scripter@microsoft.com<\/a> or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace. <\/p>\n

\n

 <\/p>\n<\/p>\n

Ed Wilson and Craig Liebendorfer, Scripting Guys<\/span><\/b><\/p>\n","protected":false},"excerpt":{"rendered":"

Share this post: Hey, Scripting Guy! I need to find out what folders a user has specifically been granted or denied access to. I do not need the specific rights that were granted. I only need to find out where the user was specifically granted or denied access. The reason for this is I am […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[62,3,63,45],"class_list":["post-52463","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-dacls-and-sacls","tag-scripting-guy","tag-security","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Share this post: Hey, Scripting Guy! I need to find out what folders a user has specifically been granted or denied access to. I do not need the specific rights that were granted. I only need to find out where the user was specifically granted or denied access. The reason for this is I am […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/52463","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=52463"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/52463\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=52463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=52463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=52463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}