This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 36%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAE%3C/text%3E%3C/svg%3E)
The Following script generate a breakdown of access and inheritance (true.false)
I want to modify the script to add a column representing whether the access level is a user or a group?
$Results = @()
Foreach ($Folder in $AllFolders) {
$Acl = Get-Acl -Path $Folder.FullName
foreach ($Access in $acl.Access) {
if ($Access.IdentityReference -notlike "BUILTIN\Administrators" -and $Access.IdentityReference -notlike "domain\Domain Admins" -and $Access.IdentityReference -notlike "CREATOR OWNER" -and $access.IdentityReference -notlike "NT AUTHORITY\SYSTEM") {
$Access.IdentityReference
$Properties = [ordered]@{'FolderName'=$Folder.FullName;'AD Group'=$Access.IdentityReference; 'NameIs'=$Access.Name; 'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
$Results += New-Object -TypeName PSObject -Property $Properties
}
}
}
$Results | Export-Csv -path "C:\Temp\ACL-Report.csv"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
If you're going to post code, please use the "Code Sample" editor to do so. It's the icon 5th from the left on the format bar (the icon looks like a binary value "101 010").
The normal text editor munges the code. It modifies certain character sequences, alters the presentation of lines of data (e.g. "bolds" them and changes the font size), and makes it difficult to separate the narrative text from the code in a post.
Assuming the IdentityReference property refers only to Active Directory object, use Get-ADObject to retrieve the object and use either objectClass or objectCategory to determine what they are. You may want to use both, though. There are objects in the AD (like a computer account) that have an objectClass of "User" and an objectCategory of "Computer". If you need that level of distinction, it'd probably be better to report them both to avoid surprises.
If, on the other hand, you have LOCAL users in the ACL then if you fail to find the object in the AD you have to use Get-LocalUser and Get-LocalGroup in addition to Get-ADObject to report the type.