1. Information

2. Show NTFS permissions

  • Enter the following commands at a Command Line.

    rem Connect to the Teams$ share.
    net use T: \\SMRU-SRV\Teams$ /Persistent:No
    rem Type "SMRU\ADadmin" for the user name.
    rem Type the password.
  • Enter the following commands at a PowerShell Command Prompt.

    Get-ChildItem -Depth 0 -Directory -Path "T:\Laboratory" -Recurse |
        Get-Acl |
        Where-Object { $_.AccessToString -notmatch "ADadmin_group Allow  FullControl" }
    
    Get-ChildItem -Depth 1 -Directory -ErrorAction SilentlyContinue -Path "T:\" -Recurse |
        Where-Object { $_.PsIsContainer -and $_.FullName -notmatch 'AX-SMRU' } |
        Get-Acl |
        Where-Object { $_.AccessToString -notmatch "ADadmin_group Allow  FullControl" }
    
    Get-ChildItem -Depth 1 -Directory -ErrorAction SilentlyContinue -Path "T:\" -Recurse |
        Where-Object { $_.PsIsContainer -and $_.FullName -notmatch 'AX-SMRU' } |
        Foreach-Object {
            Try { $Folder = $_.FullName; Get-Acl $_.FullName -ErrorAction Stop }
            Catch { Write-Host -ForegroundColor Magenta "Failed to check: $Folder" }
        } | Where-Object { $_.AccessToString -notmatch "ADadmin_group Allow  FullControl" }
  • Find all files and folders that have IT_TB group permissions.

    Get-ChildItem -Depth 4 -ErrorAction SilentlyContinue -Path "T:\" -Recurse |
        Where-Object { $_.PsIsContainer -and $_.FullName -notmatch 'AX-SMRU' } |
        Foreach-Object {
            Try { $Folder = $_.FullName; Get-Acl $_.FullName -ErrorAction Stop }
            Catch { Write-Host -ForegroundColor Magenta "Failed to check: $Folder" }
        } | Where-Object { $_.AccessToString -match "IT_TB" }
    
    Get-ChildItem -ErrorAction SilentlyContinue -Path "T:\TB Program" -Recurse |
        Where-Object { $_.PsIsContainer -and $_.FullName -notmatch 'AX-SMRU' } |
        Foreach-Object {
            Try { $Folder = $_.FullName; Get-Acl $_.FullName -ErrorAction Stop }
            Catch { Write-Host -ForegroundColor Magenta "Failed to check: $Folder" }
        } | Where-Object { $_.AccessToString -match "IT_TB" }
  • Show all NTFS permissions of all files and folders.

    Get-ChildItem -Depth 2 -ErrorAction SilentlyContinue -Path "T:\" -Recurse |
        Where-Object { $_.PsIsContainer -and $_.FullName -notmatch 'AX-SMRU' } |
        Foreach-Object {
            Try { $Folder = $_.FullName; Get-Acl $_.FullName -ErrorAction Stop | Format-List Path, AccessToString }
            Catch { Write-Host -ForegroundColor Magenta "Failed to check: $Folder" }
        } | Out-File acls.txt
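  • Show all folders with NTFS permissions assigned to a user. The commands print the folder and the identity for every ACL entry whose identity is not an AD group.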

  • Note: The -Depth parameter is only available in PowerShell 5.0 and later.

    Get-ChildItem -ErrorAction SilentlyContinue -Path "T:\TB Program\IT_TB" -Recurse |
        Where-Object { $_.PsIsContainer -and $_.FullName -notmatch 'AX-SMRU' } |
        Foreach-Object { $Folder = $_.FullName; $_ } | Get-Acl |
        Select -ExpandProperty Access | Select -ExpandProperty IdentityReference | Split-Path -Leaf |
        ForEach-Object {
            Try { $Group = $_; $_ | Get-ADGroupMember -ErrorAction Stop | Out-Null }
            Catch {
                Write-Host -NoNewLine "$Folder "
                Write-Host -ForegroundColor Magenta $Group
            }
        }
    
    Get-ChildItem -ErrorAction SilentlyContinue -Path "T:\" |
        Where-Object { $_.PsIsContainer -and $_.FullName -notmatch 'AX-SMRU' } |
        Foreach-Object { $Folder = $_.FullName; $_ } | Get-Acl |
        Select -ExpandProperty Access | Select -ExpandProperty IdentityReference | Split-Path -Leaf |
        ForEach-Object {
            Try { $Group = $_; $_ | Get-ADGroupMember -ErrorAction Stop | Out-Null }
            Catch {
                Write-Host -NoNewLine "$Folder "
                Write-Host -ForegroundColor Magenta $Group
            }
        }
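
The checks above match the text of AccessToString, which also matches any identity whose name merely contains the string and cannot tell an inherit-only entry from one that applies to the folder itself. The following added example (not part of the original page) tests the ACL entries as objects instead; the function name, its parameters and the SMRU domain prefix on ADadmin_group are assumptions.

```powershell
# Added example, not from the original page. Function and parameter names are
# hypothetical. Requires PowerShell 5.0 or later for -Depth.
function Get-FolderMissingFullControl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RootPath,
        # Assumption: ADadmin_group lives in the SMRU domain.
        [string] $Identity = 'SMRU\ADadmin_group',
        [int] $Depth = 1,
        [string] $ExcludePattern = 'AX-SMRU'
    )
    $full        = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    Get-ChildItem -LiteralPath $RootPath -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch $ExcludePattern } |
        ForEach-Object {
            $path = $_.FullName
            try {
                # -ErrorAction Stop turns access-denied into a catchable error.
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
            } catch {
                [pscustomobject]@{ Path = $path; Status = 'Unreadable'; Detail = $_.Exception.Message }
                return   # next folder
            }
            # An entry counts only if it is an exact identity match, an Allow
            # rule, carries every FullControl bit, and applies to this folder
            # (not inherit-only, which affects children only).
            $grant = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $Identity -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $full) -eq $full -and
                ($_.PropagationFlags -band $inheritOnly) -ne $inheritOnly
            }
            if (-not $grant) {
                [pscustomobject]@{ Path = $path; Status = 'Missing'; Detail = "No Allow FullControl for $Identity" }
            }
        }
}

# Usage:
# Get-FolderMissingFullControl -RootPath 'T:\' -Depth 1 | Format-Table -AutoSize
```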

3. Show AD group members

  • Log on as SMRU\ADadmin or SMRU\ADuseradmin on your workstation with RDP using 127.0.0.2.

  • Start PowerShell.

  • Right-click the title bar of the Windows PowerShell window and check QuickEdit Mode.

  • Click OK.

  • Enter the following commands at a PowerShell Command Prompt.

    (Get-ADGroupMember "ANCaccess_Grp").Name | Sort
    (Get-ADGroupMember "Hematology Department").Name | Sort
    (Get-ADGroupMember "Insectary Department").Name | Sort
    (Get-ADGroupMember "Laboratory Group").Name | Sort
    (Get-ADGroupMember "Malaria Department").Name | Sort
    (Get-ADGroupMember "Microbiology lab Department").Name | Sort
  • How to get all groups that a user is a member of?

    Get-ADPrincipalGroupMembership username | select name

4. Copy top level tree structure

Copying a folder and all of its subfolders with their NTFS permissions can involve a huge amount of data and take a long time. It makes more sense to copy only the top one, two or three levels of folders, using Robocopy.

  • Log on as SMRU\ADadmin.

  • Enter the following commands at a Command Line.

    net use T: \\SMRU-SRV\Teams$ /Persistent:No /User:SMRU\ADadmin
  • Enter the following commands at a Command Prompt with administrative privileges.

    net use T: \\SMRU-SRV\Teams$ /Persistent:No /User:SMRU\ADadmin
    robocopy.exe <source> <target> /copy:datso /e /lev:1 /s
    robocopy.exe T:\Study E:\Study /copy:datso /e /lev:4 /s
    rem rmdir /q /s E:\Study
    
    get-ntfspermissions4 -Depth 2 -RootPath E:\Study > C:\Tmp\Study-E.txt
    get-ntfspermissions4 -Depth 2 -RootPath T:\Study > C:\Tmp\Study-T.txt
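
To check that the copied tree carries the same permissions as the source without comparing the two text files by eye, the following added example (not part of the original page) compares the ACL entries of matching folders in both trees. Compare-TreeAcl and its parameters are hypothetical names, and it uses Get-Acl directly rather than get-ntfspermissions4.

```powershell
# Added example, not from the original page. Names are hypothetical.
# Requires PowerShell 5.0 or later for -Depth.
function Compare-TreeAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourceRoot,
        [Parameter(Mandatory)] [string] $TargetRoot,
        [int] $Depth = 2
    )
    # One sortable line per ACE, so a different ACE order is not reported as drift.
    function Get-AceLine([string] $Path) {
        (Get-Acl -LiteralPath $Path -ErrorAction Stop).Access | ForEach-Object {
            '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
                $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags
        } | Sort-Object -Unique
    }
    $src = (Get-Item -LiteralPath $SourceRoot -ErrorAction Stop).FullName
    $dst = (Get-Item -LiteralPath $TargetRoot -ErrorAction Stop).FullName
    $folders = @($src) + @(Get-ChildItem -LiteralPath $src -Directory -Recurse -Depth $Depth `
                               -ErrorAction SilentlyContinue | ForEach-Object FullName)
    foreach ($path in $folders) {
        # Path relative to the source root; empty for the root itself.
        $rel  = $path.Substring($src.Length).TrimStart('\')
        $peer = if ($rel) { Join-Path $dst $rel } else { $dst }
        if (-not (Test-Path -LiteralPath $peer -PathType Container)) {
            [pscustomobject]@{ Folder = $rel; Status = 'MissingOnTarget'; OnlySource = ''; OnlyTarget = '' }
            continue
        }
        try {
            $a = @(Get-AceLine $path)
            $b = @(Get-AceLine $peer)
        } catch {
            [pscustomobject]@{ Folder = $rel; Status = 'Unreadable'; OnlySource = ''; OnlyTarget = $_.Exception.Message }
            continue
        }
        $onlyA = @($a | Where-Object { $_ -notin $b })
        $onlyB = @($b | Where-Object { $_ -notin $a })
        if ($onlyA.Count -or $onlyB.Count) {
            [pscustomobject]@{ Folder = $rel; Status = 'Different'
                               OnlySource = $onlyA -join '; '; OnlyTarget = $onlyB -join '; ' }
        }
    }
}

# Usage (no output means the compared folders carry the same entries):
# Compare-TreeAcl -SourceRoot 'T:\Study' -TargetRoot 'E:\Study' -Depth 2 | Format-List
```

Entries inherited from each root's parent can differ between the two trees without indicating a copy problem.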