How is it possible to list all folders that a particular user/group has permissions on?

Solution 1

Looks like there is no simple tool for this. I ended up going with a combination of getting a report from DumpSec and searching for Devs with FINDSTR.

And yes, I know there are dozens of equally good solutions, but those were the tools I was thinking of when I decided to give up the search for a one-step strategy.

Solution 2

I found a forum entry that may help.

Here is an excerpt:

if (($args.Count) -eq 2) {
 $dir = $args[0]
 if ((Test-Path $dir) -eq $true) {
  $script:FoldersFound = New-Object System.Collections.ArrayList
  $GroupName = $args[1]
  $folders = Get-ChildItem $dir -Recurse | Where-Object {$_.PSIsContainer}

  foreach($folder in $folders) {
   $ACL = Get-Acl -Path $folder.FullName
   foreach($ACE in $ACL.access) {
    if (($ACE.IdentityReference) -like "*\$GroupName") {
     if (($ACE.IsInherited) -eq $false) {
      $FoldersFound.Add($folder.FullName) | Out-Null
      break
     }
    }
   }
  }

  $FoldersFound.Sort()
  foreach($folder in $FoldersFound) {
   Write-Host $folder
  }
 }
} else {
 Write-Host "Syntax:" $MyInvocation.MyCommand.Name """path""" """Group Name"""
}

Save the above code as <filename>.ps1, and run it from the PowerShell prompt with two arguments: "Folder path" followed by "group name."

Example: Navigate to the folder where you saved the script, and type the following, where <filename> is (obviously) the name you gave the file, and substitute the path and group name with your own:

.\<filename>.ps1 "C:\Users" "Administrators"

Now mind you, there is no error handling in the script, so it does not take care of access denied errors or too long path names, for example.

Credit goes to Andreas Hultgren, MCTS, MCITP.

Solution 3

Sysinternals' AccessEnum might help do what you want. It will enumerate the permissions on your directories. It doesn't exactly show whether the permissions are explicit or inherited, but it will show you all directories (and files) whose permissions differ from their parent. This probably gets you the same information. It can also enumerate permissions registry keys in the same manner.

You might also be interested in AccessChk (command line) and ShareEnum (like AccessEnum for your file shares).

Related videos on Youtube

16 : 20

Active Directory Users & Groups with Folder Permissions

mrholverson

152

05 : 52

How to Share Files and Folders with Specific Users in Windows

MyQuickCloud

131

04 : 55

How to Use Group Policy Security Filtering to Apply GPOs to Selected Groups

Must be Noob

58

09 : 07

Active Directory||AD-Users & Groups ||File and Folder Permissions

Navtej Lotey

38

05 : 03

Using Powershell - Get all users and their permissions on folder

microsoft lab

15

Author by

bhaskar

Former Community Manager at Stack Exchange (August 2013-November 2017). My posts from before or after that time period (and, like, a bunch of the ones from during it, too) should not be considered "official" in any way. Joel: I have all these opinions ... and no outlet for them! Josh: Have you tried yelling them at the Internet? Joel: Almost exclusively! And yet problems still persist! -"The Grand Opining", HijiNKS ENSUE, by Joel Watson "On two occasions I have been asked, 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?' ... I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." -Charles Babbage Hofstadter's Law: It always takes longer than you expect, even when you take into account Hofstadter's Law. -Douglas Hofstadter, Gödel, Escher, Bach: An Eternal Golden Braid

Updated on September 17, 2022