I was assisting a wise, bearded, bespectacled, beer-brewing bugger the other day (let's call him Burko) with a common IT problem: identifying unique permissions on a shared folder. Much like Burko himself, the folder appeared to be in a dodgy state, most likely because someone clicked Cancel while permissions were being propagated, since it takes so long. If it takes longer than 2 minutes, it's just not worth doing; pretty sure I saw that on a motivational poster somewhere.
Given the ridiculous number of sub-folders from years of uncontrolled sprawl, I was tempted to have Burko do it all manually just to test his sanity. But being the top guy I am, I got stuck into a bit of PowerShell to manage the process more accurately. That, and I couldn't help myself.
So without further ado (did you know that comes from Shakespeare, man I am so cultured!), here it is!
```powershell
# Requires PowerShell 3 for the awesome -Directory parameter in Get-ChildItem
function Get-FolderUniquePermissions ($Path) {
    # Get all subfolders in the given directory
    $folders = Get-ChildItem $Path -Directory

    # Get the Access Control List (ACL) of the given directory itself
    $rootAcl = Get-Item $Path | Get-Acl | Select-Object -ExpandProperty Access

    # Loop through subfolders
    foreach ($folder in $folders) {
        # Get ACL from subfolder
        $folderAcl = $folder | Get-Acl | Select-Object -ExpandProperty Access

        # Compare each Access Control Entry (ACE) of the folder and subfolder,
        # matching only on FileSystemRights and IdentityReference
        $diff = Compare-Object -ReferenceObject $rootAcl -DifferenceObject $folderAcl -Property "FileSystemRights","IdentityReference"

        # Loop through the differing ACEs found
        foreach ($ace in $diff) {
            # Create a new object with Path, Identity, and assigned permissions
            $obj = New-Object psobject
            $obj | Add-Member -MemberType NoteProperty -Name "Path" -Value $folder.FullName
            $obj | Add-Member -MemberType NoteProperty -Name "Identity" -Value $ace.IdentityReference
            $obj | Add-Member -MemberType NoteProperty -Name "Access" -Value $ace.FileSystemRights

            # If the ACE was added on the subfolder...
            if ($ace.SideIndicator -eq "=>") {
                $obj | Add-Member -MemberType NoteProperty -Name "Status" -Value "Addition"
            }

            # If the ACE is missing from the subfolder...
            if ($ace.SideIndicator -eq "<=") {
                $obj | Add-Member -MemberType NoteProperty -Name "Status" -Value "Missing"
            }

            # Output the object
            $obj
        }

        # Call the function again to recursively check further subfolders
        Get-FolderUniquePermissions -Path $folder.FullName
    }
}
```
An example of this running is as follows:
```
PS D:\> Get-FolderUniquePermissions -Path "D:\Test\Burkos Brewing Recipes"

Path                                                   Identity  Access                       Status
----                                                   --------  ------                       ------
D:\Test\Burkos Brewing Recipes\Bitter Bastard          Everyone  FullControl                  Addition
D:\Test\Burkos Brewing Recipes\Dark and Bitter Bastard Everyone  ReadAndExecute, Synchronize  Missing

PS D:\>
```
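The function above matches ACEs on identity and rights only, so an Allow and a Deny entry for the same account and rights look identical to it, and it does not tell you which subfolders have had inheritance switched off, which is exactly what a cancelled propagation leaves behind. The following is an added example, not code from the original post, doing the same parent-versus-child comparison with those two gaps covered; the function names, the `Status` values, the `-MaxDepth` guard and the path in the usage line are this example's own choices.

```powershell
# Added example (not the original post's code). Same parent-versus-child ACL
# comparison, with three additions a reviewer of a shared folder usually wants:
#  - an ACE is keyed on AccessControlType too, so an Allow and a Deny for the
#    same identity and rights are reported rather than treated as equal;
#  - folders with inheritance switched off (the usual trace of a cancelled
#    propagation) get their own 'InheritanceDisabled' row;
#  - folders whose ACL cannot be read are reported instead of silently skipped,
#    and recursion stops at -MaxDepth on very deep trees.

function Get-AceKey ($Ace) {
    # One string per ACE, used to decide whether two entries are "the same"
    '{0}|{1}|{2}' -f $Ace.IdentityReference, $Ace.FileSystemRights, $Ace.AccessControlType
}

function Get-FolderAclDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxDepth = 32,   # assumption: deep enough for most file shares
        [int]$Depth = 0        # internal: current recursion depth
    )

    $parentAcl  = Get-Acl -LiteralPath $Path
    $parentKeys = @($parentAcl.Access | ForEach-Object { Get-AceKey $_ })

    foreach ($folder in Get-ChildItem -LiteralPath $Path -Directory -ErrorAction SilentlyContinue) {
        $childAcl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
        if (-not $childAcl) {
            # Access denied or a damaged ACL: report it rather than skipping the subtree quietly
            [pscustomobject]@{ Path = $folder.FullName; Identity = $null; Access = $null; Type = $null; Status = 'AclUnreadable' }
            continue
        }

        if ($childAcl.AreAccessRulesProtected) {
            # Inheritance is disabled on this folder; every ACE on it is now explicit
            [pscustomobject]@{ Path = $folder.FullName; Identity = $null; Access = $null; Type = $null; Status = 'InheritanceDisabled' }
        }

        $childKeys = @($childAcl.Access | ForEach-Object { Get-AceKey $_ })

        # Entries present on the subfolder but not on its parent
        foreach ($ace in $childAcl.Access) {
            if ($parentKeys -notcontains (Get-AceKey $ace)) {
                [pscustomobject]@{
                    Path     = $folder.FullName
                    Identity = $ace.IdentityReference.Value
                    Access   = $ace.FileSystemRights
                    Type     = $ace.AccessControlType
                    Status   = 'Addition'
                }
            }
        }

        # Entries present on the parent but gone from the subfolder
        foreach ($ace in $parentAcl.Access) {
            if ($childKeys -notcontains (Get-AceKey $ace)) {
                [pscustomobject]@{
                    Path     = $folder.FullName
                    Identity = $ace.IdentityReference.Value
                    Access   = $ace.FileSystemRights
                    Type     = $ace.AccessControlType
                    Status   = 'Missing'
                }
            }
        }

        if ($Depth -lt $MaxDepth) {
            Get-FolderAclDrift -Path $folder.FullName -MaxDepth $MaxDepth -Depth ($Depth + 1)
        }
    }
}

# Usage (illustrative path): keep the result as a CSV so it can be reviewed,
# fixed, and the script re-run afterwards to confirm the drift is gone
Get-FolderAclDrift -Path 'D:\Test\Burkos Brewing Recipes' |
    Export-Csv -Path '.\acl-drift.csv' -NoTypeInformation
```

Two things to keep in mind when reading the output. A parent ACE scoped to "This folder only" is legitimately absent from its children and will show up as `Missing` on every one of them, in this version just as in the original, so check the inheritance flags before treating such rows as damage. And any row with `Type` equal to `Deny` on a subfolder is worth looking at first, since a stray Deny is what most often explains "I have Full Control but still can't open it" tickets.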
Hopefully this is of use to someone!
Questions, comments, abuse are always welcome. Don’t ask about beer brewing though, I’ve been asking for years to no avail.