Using Get-Acl to Identify Administrator Permissions

A good friend, a certain Mr X, asked me the following:


“…Do you happen to have a PowerShell command or script that would look at a Fileserver and dump out all the files and folders that the Administrator has permissions on?...”


Well, I didn’t have a snippet to do that, but I do now :)


The following was written to work with PS v2.


Get permissions on items in a folder using Get-ChildItem piped to Get-Acl:


$Items = Get-ChildItem C:\Windows | Get-Acl



Get permissions on items in a drive using the same technique:


$Items = Get-ChildItem C:\ -Recurse | Get-Acl




Loop through each file or folder collected ($Item) and expand the ‘Access’ property. Test each identity stored in the ‘IdentityReference’ property to see if it contains the ‘*Administrators*’ string. If it does, write the item path and the complete identity reference to the console.



ForEach ($Item in $Items) {
    $Ids = $Item | Select-Object -ExpandProperty Access
    ForEach ($Id in $Ids) {
        If ($Id.IdentityReference -like "*Administrators*") {
            Write-Host "$($Item.Path),$($Id.IdentityReference)"
        }   #End of If ($Id.IdentityReference -like "*Administrators*")
    }   #End of ForEach ($Id in $Ids)
}   #End of ForEach ($Item in $Items)




For example:


[Screenshot: PowerShell output]



For a report, replace Write-Host with the append redirection operator (>>) or pipe the string to Out-File:


"$($Item.Path),$($Id.IdentityReference)" >> results.txt



I also pointed Mr X in the direction of the following PS module and, specifically, the ‘Get-EffectivePermissions’ function:


File System Security PowerShell Module 2.4
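
As an added example (not part of the original post, and not code from the module mentioned above), the loop and report from earlier can match on the group's well-known SID, S-1-5-32-544, instead of the ‘*Administrators*’ name pattern, which also matches any other account whose name contains that string and misses localised group names. It emits one object per matching entry with its rights and inheritance flag, and warns about items it could not read; the function name, parameter names and the D:\Shares path are assumptions.

```powershell
# Added example: function name, parameter names and the share path are assumptions.
function Get-AdministratorsAce {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Well-known SID of the built-in Administrators group
        [string]$Sid = 'S-1-5-32-544'
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]

    # -Force includes hidden and system items; errors from the walk land in $skipped
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable skipped |
        ForEach-Object {
            $item = $_
            try {
                $acl = $item | Get-Acl -ErrorAction Stop
            }
            catch {
                Write-Warning "Cannot read ACL: $($item.FullName)"
                return   # move on to the next item
            }

            # Request the rules with SID identities so the comparison is exact
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                if ($ace.IdentityReference.Value -eq $Sid) {
                    New-Object PSObject -Property @{
                        Path      = $item.FullName
                        Sid       = $ace.IdentityReference.Value
                        Type      = $ace.AccessControlType
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    } | Select-Object Path, Sid, Type, Rights, Inherited
                }
            }
        }

    # Report what the walk could not enter, so gaps in the audit are visible
    foreach ($e in $skipped) {
        Write-Warning "Skipped: $($e.Exception.Message)"
    }
}

# One CSV row per matching ACE (D:\Shares is a placeholder path)
Get-AdministratorsAce -Path 'D:\Shares' |
    Export-Csv -Path .\admin-acl-report.csv -NoTypeInformation
```

Pass a different value to -Sid to audit another principal; the Type column distinguishes Allow from Deny entries.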




