Folder ACL Audit Report


NOTE: This script was written for, and is intended for use with, JAMS V7. Scroll down for the JAMS V6 version of the script.

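### JAMS V7 folder access (ACL) audit report.
### Walks every folder on the JAMS server and writes one section per folder that lists
### each ACL entry's identifier and the access rights its AccessBits grant.

### Import the JAMS module. Stop immediately if it cannot be loaded: the JAMS:: paths
### and the [MVPSI.JAMS.FolderAccess] type used below presumably come from this module,
### and carrying on without it would still write a report file - one that looks
### complete but lists no access at all.
Import-Module JAMS -ErrorAction Stop

### Default JAMS server name
$JAMSDefaultServer = 'localhost'

### Where to generate the report. The report records which identifiers hold which
### rights on every folder, so point this at a location that only the people
### reviewing access can read.
$Report = "C:\Temp\JAMSFolderAuditReport.txt"

### Access rights to test for, in the order they are printed on each "Access:" line.
### Each entry pairs the printed name with the FolderAccess value it is tested against.
$accessRights = @(
    @('Execute',     [MVPSI.JAMS.FolderAccess]::Execute),
    @('Delete',      [MVPSI.JAMS.FolderAccess]::Delete),
    @('Control',     [MVPSI.JAMS.FolderAccess]::Control),
    @('Change',      [MVPSI.JAMS.FolderAccess]::Change),
    @('Inquire',     [MVPSI.JAMS.FolderAccess]::Inquire),
    @('AddJobs',     [MVPSI.JAMS.FolderAccess]::AddJobs),
    @('ChangeJobs',  [MVPSI.JAMS.FolderAccess]::ChangeJobs),
    @('InquireJobs', [MVPSI.JAMS.FolderAccess]::InquireJobs),
    @('DeleteJobs',  [MVPSI.JAMS.FolderAccess]::DeleteJobs),
    @('Submit',      [MVPSI.JAMS.FolderAccess]::Submit),
    @('Debug',       [MVPSI.JAMS.FolderAccess]::Debug),
    @('Manage',      [MVPSI.JAMS.FolderAccess]::Manage),
    @('Monitor',     [MVPSI.JAMS.FolderAccess]::Monitor),
    @('Abort',       [MVPSI.JAMS.FolderAccess]::Abort)
)

### Enumerate every folder below the server root; the object type 'Folder' must be specified.
$folderList = Get-ChildItem JAMS::$JAMSDefaultServer\ -objectType Folder -Recurse -IgnorePredefined -FullObject

$result = "`r`n`t`t`tJAMS Folder Access Security Report"
$result += "`r`n`t`t`t----------------------------------"

foreach ($folder in $folderList){

    ### Fetch the folder by its path; the ACL is read from the object returned here.
    $sys = Get-Item JAMS::$JAMSDefaultServer$($folder.ParentFolderName)$($folder.QualifiedName)

    ### If the lookup failed, say so in the report rather than printing a blank
    ### folder name with no entries, which reads as "nobody has access".
    if ($null -eq $sys){
        $result += "`r`n`r`nFolder: $($folder.QualifiedName)"
        $result += "`r`n`r`n`t(folder could not be retrieved - access not audited)`r`n"
        continue
    }

    $result += "`r`n`r`nFolder: $($sys.QualifiedName)"

    $aceCount = 0
    foreach ($ace in $sys.Acl.GenericACL){
        $aceCount++

        ### Keep the name of every right whose bits are set in this entry.
        $granted = foreach ($right in $accessRights){
            if (($ace.AccessBits -band $right[1]) -ne 0){
                $right[0]
            }
        }

        $result += "`r`n`r`n`tIdentifier: $($ace.Identifier)"
        $result += "`r`n`tAccess: $($granted -join ', ')`r`n"
    }

    ### Make an empty section explicit so the reader can tell "no entries were
    ### returned" apart from output that was lost or never produced.
    if ($aceCount -eq 0){
        $result += "`r`n`r`n`t(no ACL entries returned for this folder)`r`n"
    }
}

$result | Out-File $Report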

 

NOTE: This script was written for, and is intended for use with, JAMS V6.

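### JAMS V6 folder access (ACL) audit report.
### Walks every folder on the JAMS server and writes one section per folder that lists
### each ACL entry's identifier and the access rights its AccessBits grant.

### Import the JAMS module. Stop immediately if it cannot be loaded: the JAMS:: paths
### and the [MVPSI.JAMS.FolderAccess] type used below presumably come from this module,
### and carrying on without it would still write a report file - one that looks
### complete but lists no access at all.
Import-Module JAMS -ErrorAction Stop

### Default JAMS server name
$JAMSDefaultServer = 'localhost'

### Where to generate the report. The report records which identifiers hold which
### rights on every folder, so point this at a location that only the people
### reviewing access can read.
$Report = "C:\Temp\JAMSFolderAuditReport.txt"

### Access rights to test for, in the order they are printed on each "Access:" line.
### Each entry pairs the printed name with the FolderAccess value it is tested against.
$accessRights = @(
    @('Execute',     [MVPSI.JAMS.FolderAccess]::Execute),
    @('Delete',      [MVPSI.JAMS.FolderAccess]::Delete),
    @('Control',     [MVPSI.JAMS.FolderAccess]::Control),
    @('Change',      [MVPSI.JAMS.FolderAccess]::Change),
    @('Inquire',     [MVPSI.JAMS.FolderAccess]::Inquire),
    @('AddJobs',     [MVPSI.JAMS.FolderAccess]::AddJobs),
    @('ChangeJobs',  [MVPSI.JAMS.FolderAccess]::ChangeJobs),
    @('InquireJobs', [MVPSI.JAMS.FolderAccess]::InquireJobs),
    @('DeleteJobs',  [MVPSI.JAMS.FolderAccess]::DeleteJobs),
    @('Submit',      [MVPSI.JAMS.FolderAccess]::Submit),
    @('Debug',       [MVPSI.JAMS.FolderAccess]::Debug),
    @('Manage',      [MVPSI.JAMS.FolderAccess]::Manage),
    @('Monitor',     [MVPSI.JAMS.FolderAccess]::Monitor),
    @('Abort',       [MVPSI.JAMS.FolderAccess]::Abort)
)

### Enumerate every folder below the server root; the object type 'Folder' must be specified.
$folderList = Get-ChildItem JAMS::$JAMSDefaultServer\ -objectType Folder -Recurse -IgnorePredefined

$result = "`r`n`t`t`tJAMS Folder Access Security Report"
$result += "`r`n`t`t`t----------------------------------"

foreach ($sys in $folderList){

    $result += "`r`n`r`nFolder: $($sys.QualifiedName)"

    $aceCount = 0
    foreach ($ace in $sys.Acl.GenericACL){
        $aceCount++

        ### Keep the name of every right whose bits are set in this entry.
        $granted = foreach ($right in $accessRights){
            if (($ace.AccessBits -band $right[1]) -ne 0){
                $right[0]
            }
        }

        $result += "`r`n`r`n`tIdentifier: $($ace.Identifier)"
        $result += "`r`n`tAccess: $($granted -join ', ')`r`n"
    }

    ### Make an empty section explicit so the reader can tell "no entries were
    ### returned" apart from output that was lost or never produced (for example
    ### when the script is run against a JAMS version it was not written for).
    if ($aceCount -eq 0){
        $result += "`r`n`r`n`t(no ACL entries returned for this folder)`r`n"
    }
}

$result | Out-File $Report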

 


Comments

    Sean Mee

    Hi, should we expect this script to work on JAMS v7? When I run it, it enumerates all the folders, but am not seeing any other information returned about which groups have which permissions against the folders.

    Gennaro Piccolo

    Hello Sean, this script was designed for use with V6.