Ignore Default admin groups
This commit is contained in:
@@ -1,9 +1,11 @@
|
|||||||
<#
|
<#
|
||||||
.SYNOPSIS
|
.SYNOPSIS
|
||||||
Audits a base directory for any form of unique/non-inherited permissions.
|
Audits a base directory for any form of unique/non-inherited permissions,
|
||||||
|
ignoring standard built-in administrative groups.
|
||||||
.DESCRIPTION
|
.DESCRIPTION
|
||||||
Loops through all subfolders, identifies where inheritance is blocked OR
|
Loops through all subfolders, identifies where inheritance is blocked OR
|
||||||
where explicit, non-inherited permissions exist, and exports them to a CSV.
|
where explicit, non-inherited permissions exist, and exports them to a CSV.
|
||||||
|
Filters out Built-in Administrators and Domain Admins to reduce noise.
|
||||||
.PARAMETER BaseDir
|
.PARAMETER BaseDir
|
||||||
The root directory path you want to scan.
|
The root directory path you want to scan.
|
||||||
.PARAMETER ReportFolder
|
.PARAMETER ReportFolder
|
||||||
@@ -38,7 +40,7 @@ if (-not (Test-Path $ReportFolder)) {
|
|||||||
|
|
||||||
Write-Host "Starting comprehensive permission audit on: $BaseDir" -ForegroundColor Cyan
|
Write-Host "Starting comprehensive permission audit on: $BaseDir" -ForegroundColor Cyan
|
||||||
Write-Host "Results will be saved to: $OutputFile" -ForegroundColor Cyan
|
Write-Host "Results will be saved to: $OutputFile" -ForegroundColor Cyan
|
||||||
Write-Host "Scanning for blocked inheritance and explicit local permissions..." -ForegroundColor Yellow
|
Write-Host "Scanning for unique permissions (Ignoring Admin/Domain Admin groups)..." -ForegroundColor Yellow
|
||||||
|
|
||||||
# Initialize array to hold results
|
# Initialize array to hold results
|
||||||
$Report = [System.Collections.Generic.List[PSCustomObject]]::new()
|
$Report = [System.Collections.Generic.List[PSCustomObject]]::new()
|
||||||
@@ -57,17 +59,30 @@ foreach ($Folder in $AllFolders) {
|
|||||||
# 1. Check if inheritance is blocked ($true)
|
# 1. Check if inheritance is blocked ($true)
|
||||||
$IsInheritanceBlocked = $Acl.AreAccessRulesProtected
|
$IsInheritanceBlocked = $Acl.AreAccessRulesProtected
|
||||||
|
|
||||||
# 2. Look specifically for any access rules applied directly to this folder (IsInherited -eq $false)
|
# 2. Extract explicit, non-inherited rules, FILTERING OUT standard admin accounts
|
||||||
$ExplicitRules = $Acl.Access | Where-Object { $_.IsInherited -eq $false }
|
# This matches "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM", and any group ending in "Domain Admins"
|
||||||
|
$ExplicitRules = $Acl.Access | Where-Object {
|
||||||
|
$_.IsInherited -eq $false -and
|
||||||
|
$_.IdentityReference.Value -notmatch "BUILTIN\\Administrators" -and
|
||||||
|
$_.IdentityReference.Value -notmatch "Domain Admins" -and
|
||||||
|
$_.IdentityReference.Value -notmatch "NT AUTHORITY\\SYSTEM"
|
||||||
|
}
|
||||||
|
|
||||||
# If inheritance is blocked OR there are explicit rules present, we need to flag it
|
# We flag the folder IF:
|
||||||
|
# - Inheritance is blocked (regardless of rules, because the tree is broken here)
|
||||||
|
# - OR there are meaningful explicit rules left over after filtering out the admins
|
||||||
if ($IsInheritanceBlocked -or ($ExplicitRules.Count -gt 0)) {
|
if ($IsInheritanceBlocked -or ($ExplicitRules.Count -gt 0)) {
|
||||||
|
|
||||||
Write-Host "Found unique/non-inherited permissions: $($Folder.FullName)" -ForegroundColor Magenta
|
# Extract names of remaining users/groups with explicit, non-inherited access
|
||||||
|
|
||||||
# Extract names of users/groups with explicit, non-inherited access
|
|
||||||
$ExplicitAccessString = ($ExplicitRules | ForEach-Object { $_.IdentityReference.Value }) -join "; "
|
$ExplicitAccessString = ($ExplicitRules | ForEach-Object { $_.IdentityReference.Value }) -join "; "
|
||||||
|
|
||||||
|
# If the folder only had Admin rules and inheritance wasn't blocked, skip it
|
||||||
|
if (-not $IsInheritanceBlocked -and [string]::IsNullOrEmpty($ExplicitAccessString)) {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Host "Found unique/non-inherited permissions: $($Folder.FullName)" -ForegroundColor Magenta
|
||||||
|
|
||||||
# Determine the type of change for easy sorting in Excel/CSV
|
# Determine the type of change for easy sorting in Excel/CSV
|
||||||
$PermissionStatus = if ($IsInheritanceBlocked) { "Inheritance Blocked" } else { "Inheriting but has Explicit Local Rules" }
|
$PermissionStatus = if ($IsInheritanceBlocked) { "Inheritance Blocked" } else { "Inheriting but has Explicit Local Rules" }
|
||||||
|
|
||||||
@@ -77,7 +92,7 @@ foreach ($Folder in $AllFolders) {
|
|||||||
"Full Path" = $Folder.FullName
|
"Full Path" = $Folder.FullName
|
||||||
"Permission Status" = $PermissionStatus
|
"Permission Status" = $PermissionStatus
|
||||||
"Inheritance Blocked"= $IsInheritanceBlocked
|
"Inheritance Blocked"= $IsInheritanceBlocked
|
||||||
"Explicit Access" = $ExplicitAccessString
|
"Explicit Access" = if ($ExplicitAccessString) { $ExplicitAccessString } else { "Only Admin Groups Present" }
|
||||||
"Last Modified" = $Folder.LastWriteTime
|
"Last Modified" = $Folder.LastWriteTime
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user