2
0

Add non-inhereted permissiosn also

This commit is contained in:
2026-06-09 08:59:17 +02:00
parent 351b2a038c
commit 9581858954
+26 -16
View File
@@ -1,9 +1,9 @@
<# <#
.SYNOPSIS .SYNOPSIS
Audits a base directory for broken permission inheritance (closed-off folders). Audits a base directory for any form of unique/non-inherited permissions.
.DESCRIPTION .DESCRIPTION
Loops through all subfolders, identifies where inheritance is blocked, Loops through all subfolders, identifies where inheritance is blocked OR
and exports an inventory to a CSV with a timestamped filename. where explicit, non-inherited permissions exist, and exports them to a CSV.
.PARAMETER BaseDir .PARAMETER BaseDir
The root directory path you want to scan. The root directory path you want to scan.
.PARAMETER ReportFolder .PARAMETER ReportFolder
@@ -17,12 +17,12 @@ param (
[string]$BaseDir, [string]$BaseDir,
[Parameter(Mandatory = $false, HelpMessage = "Enter the folder path where the report should be saved.")] [Parameter(Mandatory = $false, HelpMessage = "Enter the folder path where the report should be saved.")]
[string]$ReportFolder = "C:\Temp\AuditReports" # Default backup path if not specified [string]$ReportFolder = "C:\Temp\AuditReports"
) )
# Generate timestamped filename (Format: ddMMyyyy-HHmm) # Generate timestamped filename (Format: ddMMyyyy-HHmm)
$TimeStamp = Get-Date -Format "ddMMyyyy-HHmm" $TimeStamp = Get-Date -Format "ddMMyyyy-HHmm"
$ReportName = "Permission_Audit_$TimeStamp.csv" $ReportName = "Non_Inherited_Permission_Audit_$TimeStamp.csv"
$OutputFile = Join-Path -Path $ReportFolder -ChildPath $ReportName $OutputFile = Join-Path -Path $ReportFolder -ChildPath $ReportName
# Verify directories exist # Verify directories exist
@@ -36,9 +36,9 @@ if (-not (Test-Path $ReportFolder)) {
New-Item -ItemType Directory -Path $ReportFolder -Force | Out-Null New-Item -ItemType Directory -Path $ReportFolder -Force | Out-Null
} }
Write-Host "Starting permission audit on: $BaseDir" -ForegroundColor Cyan Write-Host "Starting comprehensive permission audit on: $BaseDir" -ForegroundColor Cyan
Write-Host "Results will be saved to: $OutputFile" -ForegroundColor Cyan Write-Host "Results will be saved to: $OutputFile" -ForegroundColor Cyan
Write-Host "This may take some time depending on the size of the directory tree..." -ForegroundColor Yellow Write-Host "Scanning for blocked inheritance and explicit local permissions..." -ForegroundColor Yellow
# Initialize array to hold results # Initialize array to hold results
$Report = [System.Collections.Generic.List[PSCustomObject]]::new() $Report = [System.Collections.Generic.List[PSCustomObject]]::new()
@@ -54,19 +54,29 @@ foreach ($Folder in $AllFolders) {
# Get Access Control List (ACL) for the folder # Get Access Control List (ACL) for the folder
$Acl = Get-Acl -Path $Folder.FullName $Acl = Get-Acl -Path $Folder.FullName
# Check if inheritance is blocked ($true means it IS protected/blocked) # 1. Check if inheritance is blocked ($true)
if ($Acl.AreAccessRulesProtected) { $IsInheritanceBlocked = $Acl.AreAccessRulesProtected
Write-Host "Found unique permissions: $($Folder.FullName)" -ForegroundColor Magenta
# 2. Look specifically for any access rules applied directly to this folder (IsInherited -eq $false)
$ExplicitRules = $Acl.Access | Where-Object { $_.IsInherited -eq $false }
# If inheritance is blocked OR there are explicit rules present, we need to flag it
if ($IsInheritanceBlocked -or ($ExplicitRules.Count -gt 0)) {
# Extract names of users/groups with explicit access Write-Host "Found unique/non-inherited permissions: $($Folder.FullName)" -ForegroundColor Magenta
$ExplicitAccess = $Acl.Access | Where-Object { $_.IsInherited -eq $false } | ForEach-Object { $_.IdentityReference.Value }
$ExplicitAccessString = $ExplicitAccess -join "; " # Extract names of users/groups with explicit, non-inherited access
$ExplicitAccessString = ($ExplicitRules | ForEach-Object { $_.IdentityReference.Value }) -join "; "
# Determine the type of change for easy sorting in Excel/CSV
$PermissionStatus = if ($IsInheritanceBlocked) { "Inheritance Blocked" } else { "Inheriting but has Explicit Local Rules" }
# Append data to our report object # Append data to our report object
$Report.Add([PSCustomObject]@{ $Report.Add([PSCustomObject]@{
"Folder Name" = $Folder.Name "Folder Name" = $Folder.Name
"Full Path" = $Folder.FullName "Full Path" = $Folder.FullName
"Inheritance Blocked"= $Acl.AreAccessRulesProtected "Permission Status" = $PermissionStatus
"Inheritance Blocked"= $IsInheritanceBlocked
"Explicit Access" = $ExplicitAccessString "Explicit Access" = $ExplicitAccessString
"Last Modified" = $Folder.LastWriteTime "Last Modified" = $Folder.LastWriteTime
}) })
@@ -80,8 +90,8 @@ foreach ($Folder in $AllFolders) {
# Export data to CSV # Export data to CSV
if ($Report.Count -gt 0) { if ($Report.Count -gt 0) {
$Report | Export-Csv -Path $OutputFile -NoTypeInformation -Encoding UTF8 $Report | Export-Csv -Path $OutputFile -NoTypeInformation -Encoding UTF8
Write-Host "`nAudit complete! Found $($Report.Count) folders with unique/closed permissions." -ForegroundColor Green Write-Host "`nAudit complete! Found $($Report.Count) folders with unique/non-inherited permissions." -ForegroundColor Green
Write-Host "Results exported to: $OutputFile" -ForegroundColor Green Write-Host "Results exported to: $OutputFile" -ForegroundColor Green
} else { } else {
Write-Host "`nAudit complete. No folders with blocked inheritance were found." -ForegroundColor Green Write-Host "`nAudit complete. All subfolders are perfectly inheriting permissions." -ForegroundColor Green
} }