Local Tech Repair: Powershell/LDAP Get DFS Folder managedby Owner

Tuesday, April 28, 2015

Powershell/LDAP Get DFS Folder managedby Owner

One task that annoys any access provisioner is the string of clicks and copy-and-pastes needed to find out what access a folder has and who owns the group that grants that access.

Here is a script that speeds up gathering the ownership of a folder, so that you can get approvals and grant access faster.

The script requires a path; normally this will be a \\domain.com\dfs\ style path.

The script is below. It takes a DFS path, lists the non-inherited ACEs on that folder, asks you which group to look up, finds that group through the forest global catalog and prints the user set as the group's managedBy owner.

<#
Takes a DFS path, lists the folder's ACEs, then looks up the group and exports the managedBy owner of the group.
Created by http://localtechrepair.blogspot.com/
Date: 4/28/2015
Version: .01
Requires the ability to do LDAP/GC searches as the running user. The searches go through
ADSI ([ADSI] and [adsisearcher], i.e. System.DirectoryServices), so the ActiveDirectory
module is not actually needed by this script; if you want it loaded anyway for other cmdlets run:
    Import-Module ActiveDirectory -WarningAction SilentlyContinue
Usage:
    .\folderaccess.ps1 -path \\domain.com\dfs\server\folder
#>
param (
    [Parameter(Mandatory=$true)]
    [string]$path
)

#fill out your domain's NetBIOS name below; $dc is the DNS suffix, normally ".com"
$domainname = "domain"
$dc = ".com"

$groups = Get-Item $path | Get-Acl

#uncomment the line below if you want inherited ACEs to show up, and comment out the other one.
#$groups.Access | ForEach-Object { $_.IdentityReference.Value, $_.FileSystemRights } | ForEach-Object { $_ -replace "$domainname\\", " " }

#filters out inherited ACEs; strips the "domain\" prefix so only the account name is shown.
$groups.Access | ForEach-Object { if (!$_.IsInherited) { $_.IdentityReference.Value, $_.FileSystemRights } } | ForEach-Object { $_ -replace "$domainname\\", " " }

#the name typed here is matched against cn, which can differ from the pre-Windows 2000 name (sAMAccountName) shown in the ACE.
$group = Read-Host "group name?"
$domainname += $dc
#using GC:// to make it easier to cover subdomains in a multi-domain forest. You can use LDAP:// to make it faster.
$root = [ADSI]"GC://$domainname"
$search = [adsisearcher]$root
#(sAMAccountType=268435456) is SAM_GROUP_OBJECT and is faster than (objectCategory=group), but it only
#matches global and universal security groups: domain local groups are SAM_ALIAS_OBJECT (536870912),
#so use (objectCategory=group) if your folder-access groups are domain local.
$search.Filter = "(&(sAMAccountType=268435456)(cn=$group))"
$groupResults = $search.FindAll()
#loops over every hit, in case a multi-domain forest has groups with the same name in more than one domain.
foreach ($g in $groupResults) {
    #gets the distinguished name for the result.
    $distinguishedname = [string]$g.Properties.Item('distinguishedName')
    #Write-Output $distinguishedname if you would like that output for each.
    $managedbyuser = [string]$g.Properties.Item('managedBy')
    #a group with no managedBy would give an empty (distinguishedName=) filter, which FindAll rejects, so report it instead.
    if (-not $managedbyuser) {
        Write-Output "=============================================================="
        Write-Output $group
        Write-Output "Distinguished name: $distinguishedname"
        Write-Output "Owner: (managedBy not set)"
        continue
    }
    #(sAMAccountType=805306368) is SAM_NORMAL_USER_ACCOUNT; (objectCategory=user) would match all users, but sAMAccountType runs faster.
    #note this returns nothing if managedBy points at a group rather than a user.
    $search.Filter = "(&(sAMAccountType=805306368)(distinguishedName=$managedbyuser))"
    $userResults = $search.FindAll()
    #prints out the group name and owner for each result
    foreach ($u in $userResults) {
        Write-Output "=============================================================="
        #cn name
        Write-Output $group
        #full distinguished name
        Write-Output "Distinguished name: $distinguishedname"
        #outputs who is the managedBy owner of the group.
        Write-Output "Owner:"
        [string]$u.Properties.Item('givenName'), [string]$u.Properties.Item('sn'), [string]$u.Properties.Item('sAMAccountName') -join " "
    } # end foreach for managedbyuser results
} # end foreach for group cn search
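The same lookup as one pipeline-friendly function, added here as an example and not part of the original post or script. It differs from the script above in four ways a provisioner will want: there is no Read-Host prompt (every non-inherited ACE on the folder is resolved in one pass), the account name is RFC 4515-escaped before it goes into the LDAP filter, the managedBy DN is bound to directly instead of being searched for (a DN containing an escaped comma such as "CN=Doe\, John" would otherwise need its own filter escaping), and a missing managedBy or a managedBy that is itself a group is reported rather than silently dropped. It assumes the session can reach a global catalog and read the folder ACL; the function and parameter names are my own, and the usage path is hypothetical.

```powershell
function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: backslash first, then the other filter metacharacters.
    param([Parameter(Mandatory = $true)][string]$Value)
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29')
}

function Get-DfsFolderOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Path,   # e.g. \\domain.com\dfs\server\folder
        [switch]$IncludeInherited
    )

    # Search the whole forest through a GC, as the original script does; rootDomainNamingContext
    # from RootDSE avoids hard-coding the domain name.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $gcRoot   = [ADSI]"GC://$($rootDse.rootDomainNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($gcRoot)
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'managedBy'))

    $acl  = Get-Acl -LiteralPath $Path
    $aces = $acl.Access | Where-Object { $IncludeInherited -or -not $_.IsInherited }

    foreach ($ace in $aces) {
        $identity = $ace.IdentityReference.Value          # DOMAIN\GroupName, BUILTIN\..., or a user
        $account  = $identity.Split('\')[-1]
        # Match on sAMAccountName, which is what the ACE shows, with the value escaped.
        $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $account)))"
        $groups = @($searcher.FindAll())

        if ($groups.Count -eq 0) {
            # Local/builtin principals and direct user ACEs have no group managedBy to resolve.
            [pscustomobject]@{
                Path = $Path; Identity = $identity; Rights = $ace.FileSystemRights.ToString()
                GroupDn = $null; OwnerType = 'n/a (not a domain group)'; Owner = $null; OwnerAccount = $null
            }
            continue
        }

        # One row per hit, so same-named groups in different domains of the forest all show up.
        foreach ($g in $groups) {
            $groupDn   = [string]$g.Properties.Item('distinguishedName')
            $managedBy = [string]$g.Properties.Item('managedBy')
            $row = [ordered]@{
                Path = $Path; Identity = $identity; Rights = $ace.FileSystemRights.ToString()
                GroupDn = $groupDn; OwnerType = $null; Owner = $null; OwnerAccount = $null
            }
            if (-not $managedBy) {
                $row.OwnerType = 'none (managedBy not set)'
            } else {
                # Bind straight to the DN; no second filter, so no escaping problem with the DN.
                $owner = [ADSI]"LDAP://$managedBy"
                $row.OwnerType    = [string](@($owner.objectClass)[-1])   # 'user' or 'group'
                $row.OwnerAccount = [string]$owner.sAMAccountName
                $row.Owner        = (([string]$owner.givenName), ([string]$owner.sn) -join ' ').Trim()
                if ($row.OwnerType -eq 'group') {
                    # The owner is another group: the approver has to be found one level further down.
                    $row.Owner = [string]$owner.cn + ' (group, check its managedBy)'
                }
            }
            [pscustomobject]$row
        }
    }
}

# Usage (hypothetical path): one row per ACE, ready for Format-Table or Export-Csv.
# Get-DfsFolderOwner -Path '\\domain.com\dfs\server\folder' |
#     Format-Table Identity, Rights, OwnerType, Owner, OwnerAccount -AutoSize
```

Because the function emits objects instead of Write-Output strings, the result can be piped to Export-Csv to attach to an approval request, or filtered with Where-Object on OwnerType to find every group on the folder that has no usable owner.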

I hope this helps your front-line or access-security group speed up their work.

Thanks for reading
Local Tech Repair Admin