PowerShell to find usernames that have access

I am trying to get the ACL of a set of folders to see if a specific user is listed.

For example:

 Users
 |
  ---Person1
  ---Person2
  ---Person3

Person1 to 3 are home folders. We recently ran an icacls command to modify the folder permission. Some of them have the owner set to "IT Employee" instead of Person1.

If it was only 3 folders, I would do this manually. However, there are at least 1000 folders and doing it manually would not be feasible to get the data back in a timely manner.

Basically there are 6 IT Employees and I want to make sure their name is not in any Person home folder (or its subfolders). If it is there then I want to be able to remove them or at least get a console log.

I am using PowerShell 2 on Windows Server 2008

I can also execute VBScript or JavaScript

There are 1 best solutions below

You could try something like this to get you started. I'm not connected to a network with a file server atm, so I'm not sure if Owner and IdentityReference contain DOMAIN\Username or SID (this happens for non-existing users, e.g. deleted ones). I get <DOMAIN or ComputerName>\Username when I run it on my local machine. You may have to modify it to handle that.

$rootpath = "c:\users"

#Get all folders
Get-ChildItem -Path $rootpath -Recurse | Where-Object { $_.PSIsContainer } |
#Get ACL for the folders
Get-Acl |
#Find ACLs with IT Employee-reference
Where-Object {

    #Check if owner matches 'IT Employee' or ACL Access rules contains 'IT Employee'
    if(($_.Owner -match 'IT Employee') -or ($_.Access | Where-Object { $_.IdentityReference.Value -match 'IT Employee' })) { $_ }

} |
#Process
ForEach-Object {

    #Show folderpath...
    $_.Path

    #Here you could access the ACL-object $_, modify it (change owner/remove access rules) and save it by using 'Set-Acl -Path $_.Path -AclObject $_'   etc.
}
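
An added example, not part of the answer above: an audit written for Windows PowerShell 2.0 that compares the owner and each ACE identity by exact account name instead of `-match`, reports every hit, and, when `$Remediate` is set, removes only the explicit ACEs. The root path and the `CONTOSO\...` account names are assumed placeholders, and the helper function names are hypothetical.

```powershell
# Added example. $RootPath and the account names are placeholders (assumptions).
$RootPath   = 'C:\Users'
$ItAccounts = @('CONTOSO\it.employee1', 'CONTOSO\it.employee2')  # constructed names
$Remediate  = $false   # $true removes explicit ACEs; the default only reports

function Test-ItIdentity([string]$Identity) {
    # Exact, case-insensitive comparison; -match would also hit partial names.
    return ($ItAccounts -contains $Identity)
}
function New-Finding($Path, $Kind, $Identity, $Detail) {
    New-Object PSObject -Property @{ Path = $Path; Kind = $Kind; Identity = $Identity; Detail = $Detail }
}
function Get-ItAclFinding([System.IO.DirectoryInfo]$Folder) {
    $acl = Get-Acl -Path $Folder.FullName
    if (Test-ItIdentity $acl.Owner) {
        New-Finding $Folder.FullName 'Owner' $acl.Owner ''
    }
    foreach ($rule in $acl.Access) {
        if (Test-ItIdentity $rule.IdentityReference.Value) {
            $kind = if ($rule.IsInherited) { 'InheritedAce' } else { 'ExplicitAce' }
            $detail = "$($rule.AccessControlType) $($rule.FileSystemRights)"
            New-Finding $Folder.FullName $kind $rule.IdentityReference.Value $detail
        }
    }
}
function Remove-ItExplicitAce([System.IO.DirectoryInfo]$Folder) {
    # Read and write only the DACL so the owner is not rewritten as a side effect.
    $dacl = $Folder.GetAccessControl('Access')
    $changed = $false
    $rules = @($dacl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]))
    foreach ($rule in $rules) {
        if (Test-ItIdentity $rule.IdentityReference.Value) {
            $dacl.RemoveAccessRuleSpecific($rule)
            $changed = $true
        }
    }
    if ($changed) { $Folder.SetAccessControl($dacl) }
}

# @() keeps foreach from running once on $null in PowerShell 2.0
$folders = @(Get-ChildItem -Path $RootPath -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer })
foreach ($folder in $folders) {
    $findings = @(Get-ItAclFinding $folder)
    $findings | Select-Object Path, Kind, Identity, Detail
    if ($Remediate -and ($findings | Where-Object { $_.Kind -eq 'ExplicitAce' })) {
        Remove-ItExplicitAce $folder
    }
}
```

Inherited entries are only reported, because they have to be removed on the parent folder where they are defined. Owner findings are also report-only here.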