PowerShell Get-Acl-获取成员而不是组 [英] PowerShell Get-Acl - Get members instead of group

问题描述

在PowerShell中使用Get-Acl时，如何显示属于某个组的所有成员而不是该组本身？

In PowerShell when using Get-Acl how can I show all members belonging to a group instead of the group itself?

因此：

Get-ChildItem C:\ | where-object {($_.PsIsContainer)} | Get-Acl | select path -ExpandProperty Access

显示如下内容：

Path              : Microsoft.PowerShell.Core\FileSystem::C:\Test
FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

Path              : Microsoft.PowerShell.Core\FileSystem::C:\Test
FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

相反，我希望它列出所有属于每个文件夹的管理员/用户权限的用户，并且

Instead I want it to list all users belonging to Administrators/Users with their permission for each folder and discard the group.

另外，如何将Convert-Path添加到select path语句中，以便p显示的只是C：\Test？

Also how can I add Convert-Path to the select path statement so that path displayed is only C:\Test?

谢谢！

推荐答案

我无法通过链接发布和/或PowerShell Access Control模块来解决它，但仍然只有组。因此，最终我可以通过结合其他各种有用的帖子获得所需的信息，例如：

I wasn't able to solve it with linked post and/or the PowerShell Access Control module, still only got groups. So in the end I was able to get the info I wanted with a combination of different other helpful posts like:

PowerShell脚本返回多个安全组的成员

列出用户名中的用户详细信息

扩展我的原始问题，包括我想要的最终结果，这就是我的做法。它不是很漂亮（即使重复一小部分代码），也可能将大部分内容放在一行中，但是仅凭我自己的可读性，这种方式还是有道理的。另外，由于发现了有用的信息，我也省略了组的丢弃。

Expanding on my original question and including the final result I wanted, this is how I did it. It's not beautiful (even repeats small portion of code) and big parts could probably be put in one line, but for my own readability alone it kinda makes sense this way. Also I omitted the discard of group, since I found the information useful.

$queryPath = "C:\Test"
$targetFile = "C:\Test.csv"

$Table = @()

$Record = [ordered]@{
    "Path" = ""
    "IdentityReference" = ""
    "Class" = ""
    "GrpMember" = ""
}

$foldersToQuery = Get-ChildItem $queryPath | Where {$_.PSIsContainer} | select -expandproperty FullName

foreach ($folder in $foldersToQuery) {
    $Record.Path = $folder
    $permissions = Get-Acl $folder | select -expandproperty Access

    foreach ($permission in $permissions) {
        [string]$id = $permission.IdentityReference
        $SamAccountName = $id.Split('\')[1]
        $ADObject = Get-ADObject -Filter ('SamAccountName -eq "{0}"' -f $SamAccountName) }
        $Record.IdentityReference = $permission.IdentityReference.ToString()

        switch ($ADObject.ObjectClass) {
            'user' {
                $Record.Class = $ADObject.ObjectClass
                $Record.GrpMember = ""
                $objRecord = New-Object PSObject -property $Record
                $Table += $objrecord
            }
            'group' {
                $Record.Class = $ADObject.ObjectClass
                $members = Get-ADGroupMember $SamAccountName }

                foreach ($member in $members) {
                    $Record.GrpMember = $member.name
                    $objRecord = New-Object PSObject -property $Record
                    $Table += $objrecord
                }
            }
        }
    }
}
$Table | export-csv $targetFile -NoTypeInformation -Encoding UTF8

格式化后返回这样的表格

这篇关于PowerShell Get-Acl-获取成员而不是组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！