I am trying to use powershell to retrieve the ACLs on fileshares, to ease the operational burden of searching through every folder to figure out what group a user needs to belong to. Due to the size of the fileshares, I'm using a runspace pool to concurrently pull every sub-directory from the given root in parallel. The code is as follows:
Param(
[string]$directory,
[string]$outputdir,
[string]$logdir
)
$partition = $directory -replace '\\', '_' -replace '^.{2}',''
if ($logidr -eq ""){
$logdir = $outputdir
}
$Logfile = "$logdir\$(Get-Date -format 'yyyy_MM_dd_HHmmss')-fs_smb-root#$partition.log"
function WriteLog
{
Param ([string]$LogString)
$Stamp = (Get-Date).toString("yyyy/MM/dd HH:mm:ss")
$LogMessage = "$Stamp $LogString"
Add-content $LogFile -value $LogMessage
}
# Define the script block to run in the runspace
$scriptBlock = {
Param(
[string]$directory,
[string]$logdir
)
$partition = $directory -replace '\\', '_' -replace '^.{2}',''
$Logfile = "$logdir\$(Get-Date -format 'yyyy_MM_dd_HHmmss')-fs_smb-root#$partition.log"
function WriteLog
{
Param ([string]$LogString)
$Stamp = (Get-Date).toString("yyyy/MM/dd HH:mm:ss")
$LogMessage = "$Stamp $LogString"
Add-content $LogFile -value $LogMessage
}
$acls = [System.Collections.Generic.List[PSObject]]::new()
$dirs = Get-ChildItem -directory -recurse $directory
$dirs += Get-Item $directory
$numdirs = $dirs.length
WriteLog("Attempting to get ACLs on $numdirs directories")
$curdir = 1
foreach ($dir in $dirs) {
WriteLog("[$curdir of $numdirs] Parsing $dir")
try{
$acl = Get-Acl -Path $dir
$acls.Add($acl)
}
catch {
WriteLog("Error parsing $dir ($_)")
}
$curdir++
}
return , $acls
}
try{
$dirs = get-ChildItem -directory $directory
}
catch{
Write-Host "$_"
}
# Create a RunspacePool with the desired maximum number of runspaces
$maxConcurrentRunspaces = 20
$runspacePool = [runspacefactory]::CreateRunspacePool(1, $maxConcurrentRunspaces)
$runspacePool.Open()
$jobs = @()
# Create runspaces and start them for each item
foreach ($dir in $dirs) {
$ps = [powershell]::Create().AddScript($scriptBlock).AddArgument($dir).AddArgument($logdir)
$ps.RunspacePool = $runspacePool
$jobobject = [PSCustomObject]@{
State = $ps.BeginInvoke()
Instance = $ps
}
[Collections.Arraylist]$jobs += $jobobject
}
# Wait for all runspaces to complete and retrieve their output
while ($jobs.State.IsCompleted -contains $false) {Start-Sleep -Milliseconds 1000}
$results = [System.Collections.Generic.List[PSObject]]::new()
foreach ($job in $jobs){
$jobresults = ($job.Instance.EndInvoke($job.State))
$results.Add($jobresults)
$job.Instance.Dispose()
}
$FolderList = [System.Collections.Generic.List[PSObject]]::new()
foreach ($dir in $results) {
foreach ($acl in $dir){
foreach ($access in $acl.Access){
$SharedirObject = [PSCustomObject]@{
directory = $acl.Path.Split('::')[1];
owner = $acl.Owner;
account = $access.IdentityReference.ToString();
access = $access.FileSystemRights.ToString();
inherited = $access.IsInherited;
}
$FolderList.Add($SharedirObject)
}
}
}
$FolderList | export-csv -NoTypeInformation "$outputdir\$(Get-Date -format 'yyyy_MM_dd_HHmmss')-fs_smb-root#$partition.csv"
# Clean up the runspace pool
$runspacePool.Close()
$runspacePool.Dispose()
This seems to run, and the logs indicate that every directory is parsed, and the data is captured. If I run this script in a new powershell console, it returns an empty CSV. When I've troubleshot this, I can see that the objects are returned, they are the right type (System.Security.AccessControl.DirectorySecurity), but they are missing the values of the ACL object (Path/Owner/Access)
What boggles my mind is that if I paste each line into a console, but after the jobs are all completed, I view the output of the first job like this:
$jobs[0].Instance.EndInvoke($jobs[0].State)
Then every subsequent run of the script from that console works fine. But new console windows continue to return the empty CSV. I've read through everything I can find on runspaces, and all of the data seems to indicate this should work (and indeed it will if you look at the contents once).
Any ideas why this is behaving in this manner?
This is being run in powershell 7.3.3