Permissions

Lists files with specific permissions for a user, recursively:

Get-ChildItem -Path <path> -Recurse -File | Where-Object { $_.GetAccessControl().Access.IdentityReference -like "<username>*" } | Select-Object FullName

Lists files with Full Control permissions for a specific user, recursively:

Get-ChildItem -Path <path> -Recurse -File | Where-Object { $_.GetAccessControl().Access | Where-Object { $_.FileSystemRights -eq "FullControl" -and $_.IdentityReference -like "<username>*" } } | Select-Object FullName

Lists files with Modify permissions for a specific user, recursively:

Get-ChildItem -Path <path> -Recurse -File | Where-Object { $_.GetAccessControl().Access | Where-Object { $_.FileSystemRights -eq "Modify" -and $_.IdentityReference -like "<username>*" } } | Select-Object FullName

Lists files with Read permissions for a specific user, recursively:

Get-ChildItem -Path <path> -Recurse -File | Where-Object { $_.GetAccessControl().Access | Where-Object { $_.FileSystemRights -eq "Read" -and $_.IdentityReference -like "<username>*" } } | Select-Object FullName

Filtering Files Based on Specific Permissions:

Get-ChildItem -Path "C:\Folder" -Recurse -File | Where-Object {
    $_.GetAccessControl().Access | Where-Object {
        $_.FileSystemRights -eq "FullControl" -and $_.IdentityReference -like "BUILTIN\Administrators"
    }
} | Select-Object FullName

Checking for Write Permission for a Group:

$acl = Get-Acl -Path "C:\TestFolder"
$hasWriteAccess = $acl.Access | Where-Object {
    $_.IdentityReference -like "DOMAIN\MyGroup*" -and $_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write
}
if ($hasWriteAccess) {
    Write-Host "The group has Write access."
} else {
    Write-Host "The group does not have Write access."
}

Combining Multiple Permission Checks:

Get-ChildItem -Path "C:\ImportantFiles" -Recurse -File | Where-Object {
    $_.GetAccessControl().Access | Where-Object {
        ($_.FileSystemRights -eq "FullControl" -and $_.IdentityReference -like "BUILTIN\Administrators") -or
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write -and $_.IdentityReference -like "DOMAIN\Users")
    }
} | Select-Object FullName

Key Points:

Access the FileSystemRights property to examine permissions granted to a specific user or group.

Use comparison operators (==, -eq) to check for exact permission matches.

Employ the -band operator for bitwise comparison to check for specific permission flags within a set of permissions.

Combine multiple Where-Object clauses for complex permission filtering.

Leverage PowerShell's object manipulation capabilities for advanced permission analysis and management.

PreviousSize NextAttributes

Last updated 1 year ago

Was this helpful?