Find which folders a user has access to using Get-Acl and PowerShell

This one-liner lists the folders in which a specific user has an entry in the Access Control List (ACL), that is, an Access Control Entry (ACE) naming that user's SID. It does not compute effective access: rights the user gets through group membership (including Everyone, Authenticated Users or BUILTIN\Users) are not shown, and a matching entry may be a Deny rather than an Allow, so read the listed ACL before drawing conclusions.


It has been tested on Windows 7 64-bit but should work on all versions of Windows compatible with PowerShell and .NET.

The one-liner is under the heading To Use, but first we'll look at the component parts to help us understand how it works.

Using Get-ChildItem, Get-Acl and Read-Host

Get-ChildItem produces the list of items (files and folders) to check; the Where-Object filter on PSIsContainer keeps only containers (folders). To see an example in action, triple-click the desired line, copy it to the clipboard and right-click a PowerShell window to paste and run it.

# List all files and folders in current location
Get-ChildItem
# List all folders in current location
Get-ChildItem | where {$_.PSIsContainer}
# List all files and folders in current location and every sub-folder
Get-ChildItem -recurse
# List all folders in current location and every sub-folder
Get-ChildItem -recurse | where {$_.PSIsContainer}
# List all folders in sub-folders one level deep (this does not list folders in the current location, only their immediate sub-folders)
Get-ChildItem | where {$_.PSIsContainer} | Get-ChildItem | where {$_.PSIsContainer}

Get-Acl retrieves the security descriptor of a file or other securable resource. The descriptor's Access property lists the ACEs (each with its IdentityReference, rights and Allow/Deny type), and its SDDL property holds the same descriptor as a single Security Descriptor Definition Language string, in which each file-system ACE ends with the account's SID in the form (A;OICI;FA;;;<SID>). The one-liner looks for the user's SID in that string. Two caveats: well-known principals such as Administrators, SYSTEM and Users appear in SDDL as two-letter aliases (BA, SY, BU) rather than as SIDs, so the string match only finds ordinary user and group accounts; and the owner field at the start of the string (O:<SID>) is also a SID, so a folder the user owns but has no ACE on will match unless the search is anchored to the ACE position.

# Format-List shows the complete security descriptor
# List security descriptors of all files and folders in current location
Get-ChildItem | Get-Acl | Format-List
# List security descriptors of all folders in current location
Get-ChildItem | where {$_.PSIsContainer} | Get-Acl | Format-List

Read-Host gets data from the user (in this case, a user name), which then has to be converted into a Security Identifier (SID). The one-liner does this with NTAccount.Translate(), which throws an IdentityNotMappedException if the name cannot be resolved on this machine or domain. For the details, read the article Retrieving a user's SID (Security Identifier) using PowerShell.

# Prompt the user for data
Read-Host "User name?"
# Prompt the user for data and remember it in variable $UserName
$UserName = Read-Host "User name?"
# Display the contents of the variable $UserName
$UserName

To use

  • To get this into PowerShell, triple-click the line, copy it to the clipboard and right-click inside your PowerShell window to paste and run it.
  • Enter the user name you wish to look for.
    • The user name is not case-sensitive.
# List all folders and sub-folders under the current location that have an ACE for the user
# (the SID is resolved once; folders whose ACL cannot be read are skipped; the match is anchored to the ACE position ";;;<SID>)" so a longer SID that merely starts with this one, or the owner field, is not a false positive)
$UserName = Read-Host "User name?" ; $SID = (New-Object System.Security.Principal.NTAccount($UserName)).Translate([System.Security.Principal.SecurityIdentifier]).Value ; Get-ChildItem -Recurse -ErrorAction SilentlyContinue | where {$_.PSIsContainer} | Get-Acl -ErrorAction SilentlyContinue | where {$_.SDDL -match (';;;' + [regex]::Escape($SID) + '\)')}
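The Get-Acl section and the one-liner above, reworked as an added example that is not code from the original post: a function that does the same job but compares ACEs exactly instead of searching the SDDL string. Identities are compared SID-to-SID via GetAccessRules(), so well-known groups that SDDL abbreviates are found too; Allow and Deny entries are distinguished; folders whose ACL cannot be read are reported rather than silently dropped; and group names can be passed alongside the user name to see access the user gets through them. The function name Find-FolderAce, its parameter names and the CONTOSO\alice and D:\Shares values are placeholders, and the code assumes PowerShell 3.0 or later (for -Directory, -LiteralPath and [PSCustomObject]).

```powershell
# Added example, not code from the original post.
# Assumptions: PowerShell 3.0 or later; the names given resolve on this machine or domain;
# the caller can read the ACLs (folders it cannot read are reported as warnings).
function Find-FolderAce {
    [CmdletBinding()]
    param(
        # One or more account names, e.g. 'CONTOSO\alice' or 'alice' (placeholders).
        # Pass the user's groups too ('CONTOSO\Finance', 'Everyone') to see access granted through them.
        [Parameter(Mandatory = $true)]
        [string[]]$UserName,

        # Root folder to search; the root itself is checked as well.
        [string]$Path = (Get-Location).ProviderPath
    )

    # Resolve each name to a SID once, up front. An unknown name throws
    # IdentityNotMappedException, which is better than silently matching nothing.
    $sids = foreach ($name in $UserName) {
        (New-Object System.Security.Principal.NTAccount($name)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }

    # Folders to examine: the root plus every sub-folder. Directories that cannot be
    # enumerated are skipped here; their ACLs are still attempted below if the parent listed them.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            # Typically the caller lacks READ_CONTROL on the folder.
            Write-Warning ("Cannot read ACL on {0}: {1}" -f $folder.FullName, $_.Exception.Message)
            continue
        }

        # Explicit and inherited rules, with identities returned as SecurityIdentifier objects,
        # so the comparison is exact and does not depend on name resolution or SDDL aliases.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($sids -contains $rule.IdentityReference.Value) {
                [PSCustomObject]@{
                    Path      = $folder.FullName
                    Identity  = $rule.IdentityReference.Value
                    Type      = $rule.AccessControlType   # Allow or Deny
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Example use (placeholder names):
# Find-FolderAce -UserName 'CONTOSO\alice', 'CONTOSO\Finance', 'Everyone' -Path 'D:\Shares' | Format-Table -AutoSize
```

This still reports ACEs, not effective permissions: to get close to what the user can actually do, pass every group in the user's token (nested groups included), remember that a Deny entry overrides an Allow for the same right, and that Inherited = False marks the folders where someone set permissions deliberately, which is usually what an access review is looking for.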

One thought on "Find which folders a user has access to using Get-Acl and PowerShell"

  1. I used to be suggested this blog via my cousin. I’m not sure
    whether this put up is written via him as no one else recognise such special
    approximately my trouble. You’re amazing! Thanks!
