Extract NTFS permission ACL for Listed folder path

Short Story: - 
         
           I had received requirement to extract ACL (Permission entries )  information for the given folder paths which was indeed needed for the ACL clean-up project which we were running.

          So, what I did ???

Launch the "POWERSHELL ISE" and started thinking about the requirement. I know we can get the ACl information using "GET-ACL" cmdlet. So, it make easy for me to build a script with that main cmdlet.

 Challenge: 

           One challenge was to extracted information should be in Excel format with path information, ACLs with rights information

Solution: -

           I used the basic for loop method with Get-ACL cmdlet and I have to manipulate the output of cmdlet using Select with hastable customization.

           Since, most of the machine were not running PS version 3.0, I have not used the "Export-csv -append" parameter to append the each folder ACL information to CSV file

          Instead, i have to append information to the Variable and then finally at the end of the loop, Export the output to CSV file using Export-csv cmdlet

Powershell Script: -



<#
.SYNOPSIS
    List the folder permission entries for the given list of folders
   
.SYNTAX
    Script Execution Syntax is provided below. Please don't forgot create the Input file and call the input file during the script execution
   
    How to Execute the Script :
   
    .\ACL_Extract_RootFoldersonly.ps1 -InputFile .\folderlist.txt

     
.DESCRIPTION
   
    . This Script is designed for the requirement to get the list of ACLs in the project root directory for access clean-up purpose.
    . Script only looks for the
     
.PARAMETER
    -Inputfile
        This file should contain folder names each in separate line. If possible include full path or your have to copy the script location the folders are exist
        . This parameter Value is mandatory to be provided while executing the script.
   
    Ex:
    c:\projet\folder1
    c:\projet\folder1
 
     ( or )
   Folder1
   Folder2 


.EXAMPLE

    .\ACL_Extract_RootFoldersonly.ps1 -InputFile .\folderlist.txt


.Notes
   Script is created and tested in test facility. Ready all the information carefully and use in your environment with test users before
   using in Production.
   It works with Powershell Version 2.0

.Modifications
   Script Initially created by : Murugan Natarjaan / murugan.natarajan@outlook.com
   Date of Initial Version     : 04/Apr/2019
 
#>

Param(
   
    $InputFile = '.\folderlist.txt'
   
)

$folders = Get-Content $InputFile

# Loop each folder path and get the ACl information and store in the variable named "output" with append operation, so that it can be simply exported
# to CSV file for our requiremnet for easy view.

Foreach ($folder in $folders){
 
    $output+=Get-Acl $folder | select -ExpandProperty access | select @{label='FolderName';Expression={$folder}},identityreference,filesystemrights
     

}

# Every time the report.csv is replaced with latest content ( No append operation here )

$output | Export-Csv Report.csv -NoTypeInformation

User password expiry date identify ( Even if you have FPP deployed for user )

Short Story about issue: -

           Everyone might be already aware that we can get the basic information user attribute information using "net user" command,

           for example : Net User /dom mnatarajan

Which give useful information like when password last set, when it's expiring and when the password can be changeable all based on the password policy applied.

          I came across an issue that when I query similar information for an user where the specific "Fine-Grained Password policy" is applied, the native tool gives me the information for the "Default domain password policy" instead of FPP policy calculated information.

Solution: -

         To get the password expire date, i have to get few details of user and process to check whether FPP is applied or default password policy is applied and then calculate the password expire date for an user.

PS Script Detail: -


# Identify the Next possible password expire date for user

# Global Parameter defining, you can also execute script like below example
# Example: .\Calc_User_passwordExpiry_Date.ps1 -inputuser 'mnatarajan'
# Created by Murugan Natarajan /DXC
# Mail address: mnatarajan24@dxc.com

    param(
   
    $Inputuser = 'mnatarajan'

    )
   
    # Validate Simple check for user existance in domain, if does not exist, EXIT the script.


    If ((Get-Aduser $inputuser) -eq $null){

        Write-Output "$Inputuser does exist in default domain, validate user name in input"
        EXIT
       
    }
   
   
    # Check if user has FPP setup

    $fppcheck= Get-ADUserResultantPasswordPolicy $Inputuser
       
    # Calling user Password last set attribute

    $passlastset= Get-ADUser $Inputuser -pr passwordlastset | select -ExpandProperty passwordlastset

    # If User is not applied with FPP, then take value of default user password  to variable and compare with user last password set time

        If($fppcheck -eq $null)  {
       
            $DefaultCheck= Get-ADDefaultDomainPasswordPolicy

            $collectMaxpassage= $DefaultCheck.MaxPasswordAge.Days
            $DefaultUserPassExpireson = $passlastset.AddDays($collectMaxpassage)

            Write-Output "Password Expires for $Inputuser on $DefaultUserPassExpireson (Default Domain Password Policy)"

        }
       
        # If FPP is applied for the given user, then taken info from FPP and process with last password set time

        else {
       
            $Fppmaxpassage= $fppcheck.MaxPasswordAge.Days
            $FppuserPassExpire= $passlastset.AddDays($Fppmaxpassage)
            $Fppname = $Fppcheck.name
            Write-Output "Password Expires for $Inputuser on $FppuserPassExpire _FPP-Applied $Fppname"
       
        }