Hjb118
Jun 03, 2022, Copper Contributor
How to separate each group/user in AccessToString when using Get-Acl on a folder.
Good Evening All, Currently I am writing a script that will allow me to remove User/groups from folders if those groups are in a list, however when calling for "AccessToString" Property but its n...
Hjb118
Jun 04, 2022, Copper Contributor
Good Morning Lain,
Thank you for your response this helps a lot.
What would be the best way to turn this into a function, as it will run as an option in an admin script?
1. We don't really need to commit it, as this function makes sure the mandatory security groups apply.
2. Then the function will apply one security group depending on the folder name.
The folders that we are trying to change are created in another function, and inheritance is then disabled on creation.
LainRobertson
Jun 04, 2022, Silver Contributor
Simply wrap the code in a function declaration, like so:
function Reset-Acl
{
    # Blah
    # Blah
}
For example:
function Reset-Acl
{
    [cmdletbinding()]
    Param(
        [parameter()][switch]$Commit,
        [parameter()][string]$LogFile = ".\GDrive_ACL_stats.csv"
    )

    $Folder_name = @(
        "D:\Data\Temp\Bogus1",
        "D:\Data\Temp\Bogus2"
    );

    $TestMandatorySecurityGroups = @(
        "NT AUTHORITY\SYSTEM",
        "BUILTIN\Administrators",
        "BUILTIN\Users"
    );

    # Remove the CSV file to avoid conflicts from repeated runs.
    Remove-Item -Path $LogFile -Force -ErrorAction:SilentlyContinue;

    foreach ($Name in $Folder_name)
    {
        # Fetch the ACL.
        $Acl = Get-Acl -Path $Name;
        $FilePath = ($Acl.Path -split "::")[1].ToLowerInvariant();

        # Enumerate the owner before moving onto the Access Control Entries (ACEs.)
        [PSCustomObject] @{
            Path = $FilePath;
            AccessControlType = "Allow"; # Strictly speaking, there is no Allow or Deny for the Owner, but it's useful in filtering scenarios, so in it goes.
            IdentityReference = $Acl.Owner;
            FileSystemRights = "Owner"; # From here down, nothing else applies to the Owner, so set them as $null and head out to the ACEs.
            IsInherited = $null;
            InheritanceFlags = $null;
            PropagationFlags = $null;
        } | Export-Csv -NoTypeInformation -Path $LogFile -Append;

        # Enumerate the ACEs, being sure to exclude those that are inherited. After all, you can't remove an inherited ACE.
        foreach ($Ace in $Acl.Access)
        {
            if (-not $Ace.IsInherited)
            {
                # Log the entry first. Unlike the Owner row above, every field here comes straight from the ACE.
                [PSCustomObject] @{
                    Path = $FilePath;
                    AccessControlType = $Ace.AccessControlType; # Allow or Deny.
                    IdentityReference = $Ace.IdentityReference;
                    FileSystemRights = $Ace.FileSystemRights;
                    IsInherited = $Ace.IsInherited;
                    InheritanceFlags = $Ace.InheritanceFlags;
                    PropagationFlags = $Ace.PropagationFlags;
                } | Export-Csv -NoTypeInformation -Path $LogFile -Append;

                # Then see if we need to remove it.
                if ($TestMandatorySecurityGroups -notcontains $Ace.IdentityReference)
                {
                    if ($Commit.IsPresent)
                    {
                        Write-Warning -Message "Removing ""$($Ace.IdentityReference)"" from $Name";
                    }
                    else
                    {
                        Write-Warning -Message """$($Ace.IdentityReference)"" would be removed from $Name";
                    }
                    $null = $Acl.RemoveAccessRule($Ace);
                }
            }
        }

        # Commit the ACL changes. Not bothering to wrap in a try..catch block since it's the final statement and there's value in letting any exceptions (such as "access denied") surface.
        if ($Commit.IsPresent)
        {
            Set-Acl -Path $FilePath -AclObject $Acl;
        }
    }
}
Cheers,
Lain
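An added example, not Lain's code or anything else from the thread, that covers Hjb118's second requirement (applying the one group chosen by the folder name) on top of the mandatory-group cleanup. The folder-to-group table and the CONTOSO group names are placeholders, and it assumes, as Hjb118 states, that inheritance was already disabled when the folders were created, so only explicit ACEs are touched.

```powershell
function Set-FolderGroupAcl
{
    [CmdletBinding(SupportsShouldProcess = $true)]
    Param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Identities that must always stay on the folder (placeholder defaults).
        [Parameter()][string[]]$MandatoryGroups = @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators"),
        # Hypothetical map of leaf folder name -> the one group that gets Modify rights.
        [Parameter()][hashtable]$GroupByFolder = @{ "Finance" = "CONTOSO\GRP-Finance"; "HR" = "CONTOSO\GRP-HR" }
    )
    $Acl = Get-Acl -Path $Path
    $Inherit = "ContainerInherit, ObjectInherit"   # new ACEs propagate to subfolders and files

    # Walk the typed Access collection instead of parsing AccessToString: each entry already
    # exposes IdentityReference, FileSystemRights and IsInherited as properties. Inherited
    # ACEs are skipped (they cannot be removed here; inheritance is assumed to be off already).
    foreach ($Ace in @($Acl.Access))
    {
        if (-not $Ace.IsInherited -and $MandatoryGroups -notcontains $Ace.IdentityReference.Value)
        {
            Write-Verbose "Removing explicit ACE for '$($Ace.IdentityReference.Value)' on $Path"
            $null = $Acl.RemoveAccessRule($Ace)
        }
    }
    # Every mandatory group gets an explicit Allow FullControl ACE. SetAccessRule replaces an
    # existing Allow rule for the same identity rather than adding a duplicate.
    foreach ($Group in $MandatoryGroups)
    {
        $Acl.SetAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($Group, "FullControl", $Inherit, "None", "Allow"))
    }
    # Choose the single folder-specific group from the leaf folder name.
    $Leaf = Split-Path -Path $Path -Leaf
    if ($GroupByFolder.ContainsKey($Leaf))
    {
        $Acl.SetAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($GroupByFolder[$Leaf], "Modify", $Inherit, "None", "Allow"))
    }
    else
    {
        Write-Warning "No group mapped for folder '$Leaf'; only the mandatory groups were applied."
    }
    # -WhatIf previews the change without committing, the same role as Lain's -Commit switch.
    if ($PSCmdlet.ShouldProcess($Path, "Set-Acl"))
    {
        Set-Acl -Path $Path -AclObject $Acl
    }
    # Return the resulting explicit entries so the caller can log them (e.g. Export-Csv).
    $Acl.Access | Where-Object { -not $_.IsInherited }
}
```

Run it as `Set-FolderGroupAcl -Path D:\Data\Temp\Finance -WhatIf -Verbose` first to see which explicit entries would be dropped before committing.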