Hi,
I wrote a script I use at work for this sort of thing.
Its process is as follows:
1. Get each subfolder in turn of the Home Folders share.
2. Check if the folder name is in a hard-coded list of folders to skip (e.g. this
includes the quarantine folder into which we move an old profile before it is
later deleted).
if ($FolderName -in $FolderSkipList) {
If it's not in there, continue.
3. Get the ACL:
$ACL = $currentFolder.GetAccessControl().Access
4. Parse each ACE:
$ACL | ForEach-Object { $ACE = $_.IdentityReference.Value
5. Skip any ACE in a hardcoded list of standard ACEs -
@('BUILTIN\Administrators','CREATOR OWNER','NT AUTHORITY\SYSTEM')
if ($ACE -notin $StandardACEs) {
6a. Look for an orphaned SID. If found, note folder as being potentially
orphaned.
if ($ACE.Substring(0,5) -eq 'S-1-5') { $OrphanedSID = $True
6b. Otherwise, any valid ACE detected means we should not consider the folder
orphaned, e.g. the user may have had an account deleted but then a new one made
and assigned the same home folder. So set $OrphanedSID back to $False! This
over-riding of an orphaned SID is flagged up with Write-Verbose.
7. Once all ACEs are parsed, if the folder is still considered orphaned, move
it to the quarantine folder for later manual deletion.
8. If no valid non-skipped ACEs were there at all (e.g. only System and
Administrators have access) then this is flagged up.
My script also creates an array of valid (non-skipped, non-orphaned) users
assigned to the folder as it parses the ACEs. If it finds more than one, it
flags this up to me too.
I hope the above helps.
Best wishes,
Andrew
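
The procedure Andrew outlines above, written out as a complete script. This is an added example, not Andrew's script or anything from the original thread; the share path, quarantine path, skip list and sample ACLs are assumptions chosen for illustration. The classifier takes the list of IdentityReference values so it can be exercised offline against constructed data; the sweep function wires it to Get-Acl and only moves a folder when it is still orphaned after every ACE has been seen.

```powershell
# Added example, not Andrew's code. Paths, skip list and sample ACLs are assumed.
$HomeShare      = '\\fileserver\Home$'               # assumed share
$QuarantinePath = '\\fileserver\Home$\_Quarantine'   # assumed quarantine folder
$FolderSkipList = @('_Quarantine', 'Template')       # assumed skip list (step 2)
$StandardACEs   = @('BUILTIN\Administrators', 'CREATOR OWNER', 'NT AUTHORITY\SYSTEM')

# An identity that is still a bare SID string (S-1-<authority>-<subauthority>...)
# is one Windows could not resolve to a name, i.e. the account no longer exists.
$SidPattern = '^S-1-\d+(-\d+)+$'

function Get-HomeFolderAclStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $FolderName,
        [Parameter(Mandatory)] [string[]] $Identities   # IdentityReference.Value per ACE
    )
    $orphanedSids = @()
    $validUsers   = @()
    foreach ($id in $Identities) {
        if ($id -in $StandardACEs)  { continue }              # step 5: standard ACEs
        if ($id -match $SidPattern) { $orphanedSids += $id }  # step 6a: unresolved SID
        else                        { $validUsers   += $id }  # step 6b: a live principal
    }
    # Any resolvable, non-standard identity overrides the orphan verdict (step 6b),
    # e.g. a re-created account that was given the same home folder.
    if ($orphanedSids -and $validUsers) {
        Write-Verbose "${FolderName}: orphaned SID(s) $($orphanedSids -join ', ') overridden by $($validUsers -join ', ')"
    }
    $status = 'OK'
    if ($orphanedSids -and -not $validUsers) { $status = 'Orphaned' }      # step 7
    elseif (-not $validUsers)                { $status = 'NoUserACE' }     # step 8
    elseif ($validUsers.Count -gt 1)         { $status = 'MultipleUsers' } # more than one user
    [pscustomobject]@{
        Folder       = $FolderName
        Status       = $status
        ValidUsers   = $validUsers
        OrphanedSids = $orphanedSids
    }
}

# Walk the real share (steps 1-4) and quarantine orphaned folders (step 7).
# Supports -WhatIf so the first run can be a dry run.
function Invoke-HomeFolderSweep {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $folders = Get-ChildItem -LiteralPath $HomeShare -Directory |
               Where-Object { $_.Name -notin $FolderSkipList }
    foreach ($folder in $folders) {
        $ids = (Get-Acl -LiteralPath $folder.FullName).Access |
               ForEach-Object { $_.IdentityReference.Value }
        $result = Get-HomeFolderAclStatus -FolderName $folder.Name -Identities $ids
        if ($result.Status -eq 'Orphaned' -and
            $PSCmdlet.ShouldProcess($folder.FullName, "Move to $QuarantinePath")) {
            Move-Item -LiteralPath $folder.FullName -Destination $QuarantinePath
        }
        $result
    }
}

# Constructed sample ACLs (assumed domain CONTOSO, made-up SIDs) so the
# classifier can be run without a file server.
$samples = [ordered]@{
    'jsmith'    = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CONTOSO\jsmith')
    'oldguy'    = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                    'S-1-5-21-1111111111-2222222222-3333333333-1234')
    'reused'    = @('NT AUTHORITY\SYSTEM',
                    'S-1-5-21-1111111111-2222222222-3333333333-1235', 'CONTOSO\reused')
    'shared'    = @('CONTOSO\alice', 'CONTOSO\bob')
    'adminonly' = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
}
$samples.GetEnumerator() | ForEach-Object {
    Get-HomeFolderAclStatus -FolderName $_.Key -Identities $_.Value -Verbose
} | Format-Table Folder, Status, @{n = 'Users'; e = { $_.ValidUsers -join ',' }}
# Expected statuses: jsmith OK, oldguy Orphaned, reused OK (override logged via
# -Verbose), shared MultipleUsers, adminonly NoUserACE.
```

Two caveats worth checking before trusting a sweep. Get-Acl's Access list includes inherited ACEs, so if the share root grants something like Domain Users read access, every folder will carry a "valid" identity and nothing will ever be classed as orphaned; filter on `$_.IsInherited -eq $false`, or add those group identities to $StandardACEs. Second, a regex on the string is a heuristic: the definitive test is whether `$_.IdentityReference` is a `[System.Security.Principal.SecurityIdentifier]` rather than an `NTAccount`, which is exactly what Get-Acl hands back when the SID could not be translated.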
> Date: Wed, 22 Apr 2015 14:43:09 -0400
> Subject: [powershell] Listing NTFS permissions of a folder for deleted AD
> users
> From: [email protected]
> To: [email protected]
>
> So we have a file server, whose main function is to hold user home
> folders. Now, when users leave the company, we have a protocol to use
> (disable user in AD; move to special OU; every few months, we delete
> those accounts of ex-employees). What we don't seem to do is do
> anything with the user's home folder. So I end up with folders that
> have ACLs that still point to non-existent SIDs. And I want to
> enumerate these, so I can make a special backup, then delete these
> folders, for space reasons.
>
> I know I can do:
>
> $ACL = Get-ACL <filepath>
> $ACL.Access | Select-Object -ExpandProperty IdentityReference
>
> and it lists just the user/group that has access, and one is just a
> SID, of course, because the AD account has been deleted.
>
> So what I need to do is produce a report of all folders that have just
> a bare SID in the ACL. (eventually, we will take ownership of said
> folder, and then move the contents to a special folder; back it up;
> then delete it).
>
> So what would be the best way to do this - get a list of folders with
> a bare SID? Is what I show above a good way (with a WHERE clause,
> etc), or is there a better way?
>
> Thanks
================================================
Did you know you can also post and find answers on PowerShell in the forums?
http://www.myitforum.com/forums/default.asp?catApp=1