Get-NonInheritedACLs is a script that recursively checks for directory permissions, ignoring inherited permissions except for the start folder
#
# Script that takes a start path and recursively checks for directory permissions
# Inherited permissions are ignored except for the start folder.
# Current folder progress written to the screen, output to a CSV located where the script is run from.
#
# Stu <kewalaka@gmail.com>
#
# Root folder of the audit; edit this value before running.
$startPath = 'C:\Temp\PermTest' # CHANGE ME

# Accumulator for the recorded ACE rows. It lives in the global scope because
# the recursive function appends to $global:results.
$global:results = @()
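<#
.SYNOPSIS
Walks a folder tree and records every explicit (non-inherited) ACE found on each directory.

.DESCRIPTION
For $path and each directory below it, every access rule whose IsInherited flag is false
is appended to $global:results as one row (Path, AccessControlType, FileSystemRights,
IdentityReference, InheritenceFlags, PropagationFlags). The folder being checked is
written to the host as progress.

Audit coverage caveats:
  * If Get-Acl or Get-ChildItem reports an error for a folder (for example access denied),
    that folder's real ACEs and/or its subfolders will not be in the results. Review the
    error output before treating the CSV as complete.
  * Get-ChildItem is called without -Force, so hidden directories are not visited.

.PARAMETER path
Directory to inspect; the function calls itself for each child directory.
#>
function Get-NonInheritedACLs($path) {
    Write-Host "Checking $path"

    # -LiteralPath: folder names can contain wildcard characters such as [ and ],
    # which -Path would treat as a pattern and then fail to resolve the folder.
    (Get-Acl -LiteralPath $path).Access | Where-Object { -not ($_.IsInherited) } | ForEach-Object {
        $global:results += [PSCustomObject][Ordered] @{
            Path              = $path
            AccessControlType = $_.AccessControlType
            FileSystemRights  = $_.FileSystemRights
            IdentityReference = $_.IdentityReference
            # The column keeps its original spelling so existing consumers of the CSV
            # still find it; the value now comes from the real InheritanceFlags
            # property (the misspelled property does not exist, so it was always empty).
            InheritenceFlags  = $_.InheritanceFlags
            PropagationFlags  = $_.PropagationFlags
        }
    }

    # Recurse into each child directory to walk the whole tree.
    Get-ChildItem -Directory -LiteralPath $path | ForEach-Object {
        Get-NonInheritedACLs $_.FullName
    }
}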
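Write-Host "Starting at path $startPath"

# The start folder is the only place where inherited ACEs are reported as well, so the
# report shows what the tree inherits from above.
# Append to $global:results explicitly: when this file is run as a saved script, a bare
# $results would create a script-scoped copy and these rows would never reach the CSV,
# which is written from $global:results.
(Get-Acl -LiteralPath $startPath).Access | Where-Object IsInherited | ForEach-Object {
    $global:results += [PSCustomObject][Ordered] @{
        Path              = $startPath
        AccessControlType = $_.AccessControlType
        FileSystemRights  = $_.FileSystemRights
        IdentityReference = $_.IdentityReference
        # Column name keeps its original spelling; the value is read from the real
        # InheritanceFlags property (the misspelled one does not exist and was always empty).
        InheritenceFlags  = $_.InheritanceFlags
        PropagationFlags  = $_.PropagationFlags
    }
}

# Explicit (non-inherited) ACEs for the start folder and everything below it.
Get-NonInheritedACLs $startPath

# $PSScriptRoot is empty when the code is not run from a saved file; fall back to the
# current directory without overwriting the automatic variable.
$outputDir = if ($PSScriptRoot) { $PSScriptRoot } else { '.' }

# Derive the file name from the start path, removing the characters that would make it
# an invalid file name. The CSV lists which identities hold which rights on each folder,
# so write it somewhere only the people doing the review can read.
$csvName = "$($startPath.Replace('\','-').Replace(':',''))-permissions.csv"
$global:results | Export-Csv -Path (Join-Path $outputDir $csvName) -NoTypeInformation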