Find which folders a user has access to using Get-Acl and PowerShell

This one-liner lists the folders that a specific user has access to. More specifically, it lists folders where the user has an entry in the Access Control List (ACL).


It has been tested on Windows 7 64-bit but should work on all versions of Windows compatible with PowerShell and .NET.

The one-liner is under the heading To Use, but first we’ll look at the component parts to help us understand how it works.

Using Get-ChildItem, Get-Acl and Read-Host

Get-ChildItem produces a list of items (files and folders) to check. It is filtered to return a list of containers (folders) only. To see an example in action, triple-click the desired line, copy it to the clipboard and right-click a PowerShell window to paste and run it.

# List all files and folders in current location
Get-ChildItem
# List all folders in current location
Get-ChildItem | where {$_.PSIsContainer}
# List all files and folders in current location and every sub-folder
Get-ChildItem -recurse
# List all folders in current location and every sub-folder
Get-ChildItem -recurse | where {$_.PSIsContainer}
# List all folders in sub-folders one level deep (this does not list folders in the current location, only sub-folders one level deep)
Get-ChildItem  | where {$_.PSIsContainer} | Get-ChildItem | where {$_.PSIsContainer}

Get-Acl retrieves the security descriptor of a file or resource. To see if a user is listed under the Access section, we compare the user’s Security Identifier (SID) with the Security Descriptor Definition Language (SDDL) section. To see an example in action, triple-click the desired line, copy it to the clipboard and right-click a PowerShell window to paste and run it.

# Format-List shows the complete security descriptor
# List security descriptors of all files and folders in current location
Get-ChildItem | Get-Acl | Format-List
# List security descriptors of all folders in current location
Get-ChildItem | where {$_.PSIsContainer} | Get-Acl | Format-List

Read-Host gets data from the user (in this case, a user name) and then we need to convert the user name into a Security Identifier (SID). To do that, please read the article Retrieving a user’s SID (Security Identifier) using PowerShell. To see an example in action, triple-click the desired line, copy it to the clipboard and right-click a PowerShell window to paste and run it.

# Prompt the user for data
Read-Host "User name?"
# Prompt the user for data and remember it in variable $UserName
$UserName = Read-Host "User name?"
# Display the contents of the variable $UserName
$UserName

To use

  • To get this into PowerShell, triple-click the line, copy it to the clipboard and right-click inside your PowerShell window to paste and run it.
  • Enter the user name you wish to look for.
    • The user name is not case-sensitive.
# List all folders and sub-folders that a user has access to in the current location
$UserName = Read-Host "User name?" ; Get-ChildItem -recurse | where {$_.PSIsContainer} | get-acl | where {$_.SDDL -match (New-Object System.Security.Principal.NTAccount($UserName)).Translate([System.Security.Principal.SecurityIdentifier]).Value}
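The one-liner above answers "is this SID mentioned anywhere in the folder's SDDL string?", which is enough for a quick look but does not tell you whether the entry is an Allow or a Deny, what rights it grants, or whether it was inherited. The following function is an added example, not code from the original article: it walks the same Get-ChildItem / Get-Acl pipeline but compares SIDs against each entry in the ACL's Access collection (so a SID that happens to be a prefix of another SID cannot produce a false match), reports the type and rights of every matching entry, and keeps going when Get-Acl cannot read a folder. The function name, the parameter names and the sample path are assumptions for the example. It only reports entries for the account itself; access granted through group membership still needs each group checked separately.

```powershell
# Added example (not from the original article): report the ACL entries that a
# given account holds on every folder under a starting path.
# Assumptions: function and parameter names are invented for this example; the
# account name must resolve on this machine or its domain.
function Get-FolderAccessReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)] [string] $UserName,
        [string] $Path = (Get-Location).Path
    )

    # Resolve the account to a SID once, up front, so a mistyped name fails fast.
    $sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # PSIsContainer rather than -Directory keeps this working on PowerShell 2.0.
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $folder = $_.FullName
            # Get-Acl throws on folders the caller cannot read; record it and move on.
            try {
                $acl = Get-Acl -Path $folder -ErrorAction Stop
            } catch {
                Write-Warning "Cannot read ACL on $folder : $($_.Exception.Message)"
                return   # inside ForEach-Object this skips to the next folder
            }
            # Compare SIDs rather than names: this also matches orphaned entries
            # whose account no longer resolves, and cannot match a substring of a
            # longer SID the way a regex over the SDDL string can.
            foreach ($ace in $acl.Access) {
                try {
                    $aceSid = $ace.IdentityReference.Translate(
                                  [System.Security.Principal.SecurityIdentifier])
                } catch {
                    continue   # entry whose identity cannot be translated at all
                }
                if ($aceSid -eq $sid) {
                    [PSCustomObject]@{
                        Folder    = $folder
                        Type      = $ace.AccessControlType   # Allow or Deny
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# Usage (path is an assumed example value):
# Get-FolderAccessReport -UserName 'USERNAME' -Path 'C:\Shares' | Format-Table -AutoSize
```

Pipe the output to Export-Csv to keep a record of a review; the Type column is what you want to read first, because a Deny entry on a folder will show up in the original one-liner exactly the same way as an Allow.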

Retrieving a user’s SID (Security Identifier) using PowerShell

This one-liner will retrieve a user’s Security Identifier (SID) using PowerShell.

It has been tested on Windows 7 64-bit but should work on all versions of Windows compatible with PowerShell and .NET.

There are three versions listed. The first will prompt you for the user name, the second has the user name hard-coded into the line and the third is a function you can add to your PowerShell profile.

Prompt

  • To get this into PowerShell, triple-click the line, copy it to the clipboard then right-click inside your PowerShell window to paste and run it.
  • Enter the user name of the account you require the SID of.
    • The user name is not case-sensitive.
# Ask for a user name and get their SID
(New-Object System.Security.Principal.NTAccount(Read-Host "User name?")).Translate([System.Security.Principal.SecurityIdentifier]).Value

Hard-Coded

You can hard-code the user name.

  • To get this into PowerShell, triple-click the line, copy it to the clipboard then right-click inside your PowerShell window to paste and run it.
  • Change USERNAME to the user name of the account you require the SID of.
    • The user name is not case-sensitive.
# Get the SID of a specific user
(New-Object System.Security.Principal.NTAccount("USERNAME")).Translate([System.Security.Principal.SecurityIdentifier]).Value

Profile Function

You can add a Get-SID cmdlet to your PowerShell environment.

When this is done, the cmdlet Get-SID will be available. You can then type Get-SID followed by a user name to retrieve their SID, for example, Get-SID Administrator.

The syntax is Get-SID [-UserName] <string>.

  • Edit and / or create your PowerShell profile script and add the function below.
    • The location of the profile is (in PowerShell) $profile. If it does not exist, you will need to create the folder it is in before editing it using the command notepad $profile.
  • Close PowerShell and open it again. The cmdlet Get-SID is now available.
Function Get-SID ([Parameter(Mandatory=$true)] [string] $UserName)
{
  (New-Object System.Security.Principal.NTAccount($UserName)).Translate([System.Security.Principal.SecurityIdentifier]).Value
}
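As an added example, not part of the original article, here is a profile version of Get-SID that reports a clean error when the name does not resolve (the .NET Translate call otherwise throws an IdentityNotMappedException wrapped in a PowerShell method-invocation error), together with a companion Get-AccountFromSID that goes the other way. The reverse direction is what you need when an ACL shows a bare SID instead of a name: a deleted account leaves its SID behind in the ACL, and translating it tells you whether it is orphaned or simply from a domain this machine cannot reach. The function name Get-AccountFromSID and its parameter name are assumptions for the example.

```powershell
# Added example (not from the original article): Get-SID with error handling,
# plus the reverse lookup. Function and parameter names are assumed for this example.
function Get-SID {
    [CmdletBinding()]
    param([Parameter(Mandatory=$true)] [string] $UserName)   # accepts user or DOMAIN\user

    try {
        $account = New-Object System.Security.Principal.NTAccount($UserName)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        # Unresolvable names surface as IdentityNotMappedException; report and
        # return nothing rather than spilling a .NET stack into the console.
        Write-Error "Account '$UserName' could not be resolved to a SID: $($_.Exception.Message)"
    }
}

function Get-AccountFromSID {
    [CmdletBinding()]
    param([Parameter(Mandatory=$true)] [string] $Sid)

    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Orphaned SIDs (deleted accounts) and SIDs from unreachable domains end
        # up here; they still appear verbatim in folder ACLs.
        Write-Error "SID '$Sid' does not map to a known account: $($_.Exception.Message)"
    }
}

# Usage:
#   Get-SID Administrator
#   Get-AccountFromSID 'S-1-5-32-544'    # well-known SID of the local Administrators group
```

Both functions go in the same profile script as the original Get-SID; because the error is written with Write-Error rather than thrown, a pipeline that feeds many SIDs through Get-AccountFromSID keeps running past the orphaned ones.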