Folder ACL Audit Report

Follow

  

### Import the JAMS module

Import-Module JAMS

###We need to define the default JAMS server name

$JAMSDefaultServer = 'MVPSALES18'

### Where to generate a report

$Report = "C:\Temp\Report.txt"

###We loop through our folder list and we need to specify the object type 'Folder'

###This will return a list of Folders and each ACL and their permissions only if there are ACL's assigned to those folders.

$folderList = Get-ChildItem JAMS::$JAMSDefaultServer\* -objectType Folder -Recurse -IgnorePredefined

$results =

foreach ($sys in $folderList)
{
Write-output "Folder: $($sys.QualifiedName)"
foreach ($ace in $sys.Acl.GenericACL)
{
$accessNames = ""
if (($ace.AccessBits -band [MVPSI.JAMS.FolderAccess]::Execute) -ne 0)
{
$accessNames = $accessNames + "Execute "
}
if (($ace.AccessBits -band [MVPSI.JAMS.FolderAccess]::Delete) -ne 0)
{
$accessNames = $accessNames + "Delete "
}
if (($ace.AccessBits -band [MVPSI.JAMS.FolderAccess]::Control) -ne 0)
{
$accessNames = $accessNames + "Control "
}
if (($ace.AccessBits -band [MVPSI.JAMS.FolderAccess]::Change) -ne 0)
{
$accessNames = $accessNames + "Change "
}
if (($ace.AccessBits -band [MVPSI.JAMS.FolderAccess]::Inquire) -ne 0)
{
$accessNames = $accessNames + "Inquire "
}
if (($ace.AccessBits -band [MVPSI.JAMS.FolderAccess]::AddJobs) -ne 0)
{
$accessNames = $accessNames + "AddJobs "
}
if (($ace.AccessBits -band [MVPSI.JAMS.FolderAccess]::ChangeJobs) -ne 0)
{
$accessNames = $accessNames + "ChangeJobs "
}
if (($ace.AccessBits -band [MVPSI.JAMS.FolderAccess]::InquireJobs) -ne 0)
{
$accessNames = $accessNames + "InquireJobs "
}
if (($ace.AccessBits -band [MVPSI.JAMS.FolderAccess]::DeleteJobs) -ne 0)
{
$accessNames = $accessNames + "DeleteJobs "
}
if (($ace.AccessBits -band [MVPSI.JAMS.FolderAccess]::Submit) -ne 0)
{
$accessNames = $accessNames + "Submit "
}
if (($ace.AccessBits -band [MVPSI.JAMS.FolderAccess]::Debug) -ne 0)
{
$accessNames = $accessNames + "Debug "
}
if (($ace.AccessBits -band [MVPSI.JAMS.FolderAccess]::Manage) -ne 0)
{
$accessNames = $accessNames + "Manage "
}
if (($ace.AccessBits -band [MVPSI.JAMS.FolderAccess]::Monitor) -ne 0)
{
$accessNames = $accessNames + "Monitor "
}
if (($ace.AccessBits -band [MVPSI.JAMS.FolderAccess]::Abort) -ne 0)
{
$accessNames = $accessNames + "Abort "
}
Write-output " Identifier: $($ace.Identifier)"
Write-output " Access: $($accessNames)"
}
}

$results | out-file $report


  

Have more questions? Submit a request

Comments