The below script is working fine to list all explicitly defined ACL in my file server directories with the below specific exclusion pattern.
Code: Select all
'NT AUTHORITY\SYSTEM',
'BUILTIN\Administrators',
'CREATOR OWNER',
'Everyone',
'DOMAIN\SERVICE-AVScan,
'S-1-5-21'
The below is my code so far:
Code: Select all
$Excludes = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', 'Everyone', 'S-1-5-21'
$reExcludeObjects = '^({0})$' -f (($Excludes | ForEach-Object { [regex]::Escape($_) }) -join '|')
function Get-CustomDirInfo([IO.DirectoryInfo]$path, $parentAcl)
{
$containerInherit = [Security.AccessControl.InheritanceFlags]::ContainerInherit
$acl = (Get-Acl -Path $path.FullName).Access | Foreach-Object {
New-Object PSObject -Property @{
Path = $path.FullName;
IdentityReference = $_.IdentityReference;
FileSystemRights = $_.FileSystemRights;
IsInherited = $_.IsInherited;
InheritanceFlags = $_.InheritanceFlags;
InheritedFrom = if ($_.IsInherited)
{
if ($parentAcl)
{
$current = $_
$parentAce = $parentAcl.Access | Where-Object {
($current.IdentityReference -eq $_.IdentityReference) -and
($current.FileSystemRights -band $_.FileSystemRights) -and
($_.InheritanceFlags -band $containerInherit) -and
($_.IdentityReference -notmatch $reExcludeObjects)
}
if (!$parentAce -or ($parentAce.count -gt 1))
{
Write-Warning "Something is not right Parent ACE Count = $($parentAce.count) - $($path.FullName)"
#Export the broken direcotries path as unique entries
$BrokenACLDirectories += $path.FullName
$BrokenACLDirectories | Select-Object -exp FullName -Unique | OGV -Title "There are $($BrokenACLDirectories.Count) Broken Directories"
}
if ($parentAce.IsInherited)
{
$parentAce.InheritedFrom
}
else
{
Split-Path $path.FullName -Parent
}
}
else
{
"Unknown (Top:$($path.FullName))"
}
}
else {
"Not Inherited"
}
}
}
$acl
$inheritableAcl = $acl | Where-Object { $_.InheritanceFlags -band $containerInherit }
$path.FullName | Get-ChildItem | Where-Object { $_.PsIsContainer } | Foreach-Object { Get-CustomDirInfo $_ $inheritableAcl }
}
Get-CustomDirInfo (Get-Item C:\Users\Public) | ft Path, IdentityReference, FileSystemRights, IsInherited, InheritedFrom -Auto
I need some help in this section of the code:
Code: Select all
if (!$parentAce -or ($parentAce.count -gt 1))
{
Write-Warning "Something is not right Parent ACE Count = $($parentAce.count) - $($path.FullName)"
#Export the broken direcotries path as unique entries
$BrokenACLDirectories += $path.FullName
$BrokenACLDirectories | Select-Object -exp FullName -Unique | OGV -Title "There are $($BrokenACLDirectories.Count) Broken Directories"
}