Using Powershell to inspect folder permissions

by Wayne Denier on June 21st, 2010

We wanted to find out which folders in a website had special write/modify permissions, so that we could switch out the current anonymous user account for a new one. Below is the Powershell command we used:

# Walk the web root, keep only the folders, then fetch each folder's ACL and its access rules
dir D:\Inetpub\Wwwroot\target\ -recurse -exclude *.* | Get-Acl | % { @{Path=$_.Path; Access=$_.Access} } | % {
    $a = $_.Access
    # Keep only explicit (non-inherited) rules for the two web identities; emit identity and rights
    $b = @($a | ?{ $_.IsInherited -ne $true -and $_.IdentityReference -and ($_.IdentityReference -contains "NT AUTHORITY\Network Service" -or $_.IdentityReference -contains "MACHINE\IUSR_MACHINE") } | %{ $_.IdentityReference, $_.FileSystemRights })
    # When anything matched, write the folder path followed by the matching rules
    if ($b.count -gt 0) { $_.Path, $b }
} >> D:\temp\FolderPermissionsWeb.txt
There are a couple of things going on here, but it is really rather simple. The first segment goes to a directory and recursively returns all child items that are not files.
dir D:\Inetpub\Wwwroot\target\ -recurse -exclude *.*

The pipe takes the results and runs another command on them, in this case Get-Acl. Get-Acl returns the access control list (ACL) for each item, so at this point we already have all access permissions for all the folders in the search. My first proof of concept included only these two commands and output the results straight to the command prompt. It was enough to get the job done, since it showed me all access for everyone on those folders!

The rest of the statements are all about pruning the results down to only the information I want.

$b = @($a | ?{ $_.IsInherited -ne $true -and $_.IdentityReference -and ($_.IdentityReference -contains "NT AUTHORITY\Network Service" -or $_.IdentityReference -contains "MACHINE\IUSR_MACHINE") }|%{ $_.IdentityReference, $_.FileSystemRights})

This section achieves that. The end of the first line declares $a as the list of all access rules found on the folder. I then declared a variable called $b that will contain every entry from $a that matches my conditions. I don't want to see any access that has been inherited, and I only want to see rights assigned to Network Service or the machine's IUSR account (the IUSR account name varies per machine).

if ($b.count -gt 0) {$_.Path, $b}
} >> D:\temp\FolderPermissionsWeb.txt

Finally, I check whether there are any matches, and if so append them to my file. The code here is sort of rough, which I will chalk up to being a novice at Powershell. I'd like to make it shorter and format the output a little more, which I'll work on.
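The following is an added example, not code from the original post: the same audit written as a reusable function that also keeps only rules granting write-class rights, which is what the account swap actually cares about. The web root, output path and identity names are placeholders to be adjusted per server.

```powershell
# Added example (not from the original post): report explicit, non-inherited ACEs that
# grant write-class rights to the given identities on every folder under a web root.
# The root path, output path and identity names are placeholders for your own server.
function Get-ExplicitWriteAccess {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string[]] $Identities = @('NT AUTHORITY\NETWORK SERVICE', 'MACHINE\IUSR_MACHINE')
    )
    # Rights that let an identity change content; Modify and FullControl imply the rest.
    $writeMask = [System.Security.AccessControl.FileSystemRights] (
        'Write, Modify, FullControl, CreateFiles, CreateDirectories, Delete, ChangePermissions, TakeOwnership')

    # PSIsContainer is a reliable "is a folder" test; -Exclude *.* would also drop
    # folders whose names contain a dot (for example app_data.v2).
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.IsInherited) { continue }                              # explicit entries only
                if ($ace.AccessControlType -ne 'Allow') { continue }             # Deny ACEs do not grant anything
                if ($Identities -notcontains $ace.IdentityReference.Value) { continue }  # case-insensitive match
                if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue } # read-only ACEs are not interesting
                [pscustomobject]@{
                    Path     = $dir.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights.ToString()
                }
            }
        }
}

# Usage: show the findings on screen and keep a CSV as the change record.
Get-ExplicitWriteAccess -Root 'D:\Inetpub\Wwwroot\target' |
    Tee-Object -Variable findings |
    Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path 'D:\temp\FolderPermissionsWeb.csv'
```

Each output row is one folder/identity/rights triple, so the CSV doubles as the list of ACEs that must be re-granted to the new account.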

One Comment
  1. Galen

    Useful.
