Using Get-Acl to Identify Administrator Permissions

Article
02/21/2014

A good friend – a certain Mr X - asked me the following:

“…Do you happen to have a PowerShell command or script that would look at a Fileserver and dump out all the files and folders that the Administrator has permissions on?...”

Well, I didn’t have a snippet to do that, but I do now J

The following was written to work with PS v2.

Get permissions on items in a folder using Get-ChildItem piped to Get-Acl:

$Items = Get-ChildItem C:\Windows | Get-Acl

Get permissions on items in a drive using the same technique:

$Items = Get-ChildItem C:\ -Recurse | Get-Acl

Loop through each file or folder collected ($Item) and expand the ‘Access’ property. Test each identity stored in the ‘IdentityReference’ property to see if it contains the ‘*Administrators*’ string. If it does, write the item path and the complete identity reference to the console.

ForEach ($Item in $Items) {

$Ids = $Item | Select-Object -ExpandProperty Access

ForEach ($Id in $Ids) {

If ($Id.IdentityReference -like "*Administrators*") {

Write-Host "$($Item.Path),$($Id.IdentityReference)"

} #End of If ($Id.IdentityReference -like "*Administrators*")

} #End of ForEach ($Id in $Ids)

} #End of ForEach ($Item in $Items)

For example:

Update Write-Host to an append redirection operator (>>) or pipe the string to Out-File for a report…

"$($Item.Path),$($Id.IdentityReference)" >> results.txt

I also pointed Mr X in the direction of the following PS module and, specifically, the ‘Get-EffectivePermissions’ function:

File System Security PowerShell Module 2.4

https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85

Laters!

Using Get-Acl to Identify Administrator Permissions

Additional resources