How can I get all folders associated with an Active Directory group using PowerShell or something similar?

At my job we have hundreds of AD groups that we add users to in order to give them access to folders. For each folder/group of folders we give access to, there is supposed to be a read, write, and modify group. A lot of those are missing (some just have one or two out of three).

I want to write a script (or to even know if it is possible) that will get the folders associated with a group so that I can add in the missing ones. There are thousands (maybe tens of thousands) of subdirectories and files on our shared drives, so recursively searching through them for each group is not a good use of my time. Is it realistic to recursively search it once and place each folder (or folders) and group into a CSV? Or is there another language I can use to get this information?

If I have failed to provide anything, let me know! I will put my code for adding in the missing groups below:

Import-Module ActiveDirectory

$ou1 = "OU=redacted,OU=redacted,OU=redacted,OU=redacted,DC=redacted,DC=redacted"
$ou2 = "OU=redacted,OU=redacted,OU=redacted,OU=redacted,DC=redacted,DC=redacted"

foreach ($ou in ($ou1, $ou2)) {
    $groups = Get-ADGroup -Filter * -SearchBase $ou | Sort-Object -Property Name

    # Index every group name in this OU once, so sibling groups can be looked up
    # without another AD query per group
    $existing = @{}
    foreach ($g in $groups) { $existing[$g.Name] = $true }

    foreach ($current in $groups) {
        $groupName = $current.Name

        # Base name is the group name without its trailing R / W / M suffix;
        # '-' and '_' are both accepted as the separator, and a group with no
        # such suffix keeps its full name as the base
        $sep = '-'
        if ($groupName -match '([_-])(R|W|M)$') { $sep = $Matches[1] }
        $baseName = $groupName -replace '[_-](R|W|M)$', ''
        $missingGroups = @()

        # A sibling is "missing" when no group with that exact name exists in the OU
        foreach ($suffix in 'R', 'W', 'M') {
            $wanted = "$baseName$sep$suffix"
            if (-not $existing.ContainsKey($wanted)) {
                $missingGroups += $wanted
            }
        }

        # Create missing groups here using $missingGroups array
    }
}

The basic logic will be to run this to find what groups are missing, get the folders associated with ones that have the same name, and add the read, write, or modify permissions to that new group. Any help is appreciated!
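An added example of the one-pass inventory the question asks about (not the asker's code, and not an answer from the thread): it reads each folder's ACL once, keeps only the explicit domain ACEs, writes folder/trustee/rights rows to a CSV, and then checks from that list which -R/-W/-M sibling groups do not exist in AD. The share root, domain name, output path, depth threshold and the suffix naming convention are assumptions.

```powershell
# Added example, not the asker's script: one pass over the share to inventory
# explicit folder ACEs, then a check of R/W/M siblings against AD.
# Share root, domain, output path and the -R/-W/-M convention are assumptions.
Import-Module ActiveDirectory

$ShareRoot = 'L:\'                        # assumed share root
$Domain    = 'CONTOSO'                    # assumed NetBIOS domain name
$OutCsv    = 'C:\Temp\folder-groups.csv'  # assumed output path
$MaxDepth  = 4                            # explicit ACLs deeper than this get flagged

# Pass 1: every folder, read once; keep only explicit (non-inherited) domain ACEs
$rows = Get-ChildItem -Path $ShareRoot -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $folder = $_
        $depth  = ($folder.FullName.Substring($ShareRoot.Length) -split '\\').Count
        try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { return }                              # unreadable folder: skip it
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            $id = $ace.IdentityReference.Value
            if ($id -notlike "$Domain\*") { continue }  # BUILTIN, NT AUTHORITY, orphaned SIDs
            [pscustomobject]@{
                Folder  = $folder.FullName
                Depth   = $depth
                TooDeep = ($depth -gt $MaxDepth)
                Trustee = $id.Split('\')[1]
                Rights  = $ace.FileSystemRights.ToString()
                Type    = $ace.AccessControlType.ToString()
            }
        }
    }
$rows | Export-Csv -Path $OutCsv -NoTypeInformation

# Pass 2: for each trustee that follows the <base>-R/-W/-M convention, report
# which of the three sibling groups does not exist in AD. Names without the
# suffix (plain groups, user accounts) are left to the CSV for manual review.
$report = foreach ($name in ($rows.Trustee | Sort-Object -Unique)) {
    if (-not ($name -match '^(.+)([_-])(R|W|M)$')) { continue }
    $base, $sep = $Matches[1], $Matches[2]
    foreach ($suffix in 'R', 'W', 'M') {
        $wanted = "$base$sep$suffix"
        if (-not (Get-ADGroup -Filter "Name -eq '$wanted'")) {
            [pscustomobject]@{ BaseName = $base; MissingGroup = $wanted }
        }
    }
}
$report | Sort-Object BaseName, MissingGroup -Unique | Format-Table -AutoSize
```

Run it under an account that can read ACLs across the whole share; the CSV also records how deep each explicit grant sits, which is the design point raised in the comments below.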

Pimp Juice IT
I think this is possible with PowerShell, but how many levels deep are you setting explicit permissions on your folders? Typically if you go more than 3 or 4 subfolders deep with explicit security you have a bad design, in my experience. How many folders deep do the R, W, and M groups need to be checked if you have `L:\Finance\Payroll\FMLA` or `L:\IT\WebServices\ServerA\Scripts\Server Monitoring` and so forth to keep them sort of small? But thousands or 10s of thousands, and setting security drilled down past 3 or 4 levels, spells bad design to correlate workflow, access, etc.
Pimp Juice IT
I do understand that some things are beyond control & inherited & not easily re-designable without being a huge undertaking, but starting one department or top-level dept. at a time can be useful. It's usually up to dept. directors or managers or sub-departments, etc. to help with the design of folders and security, keeping the 3 folders deep to separate security in mind. You can go one more for exceptions and outliers, but role-based security is best using AD groups tied to the roles, etc. as you are doing, but this may warrant dialogue in a meeting with stakeholders in the name of best practices.
Pimp Juice IT
So if they design it with more than 3 layers of security, it usually means there should be another folder up top somewhere to split out, etc., if that makes sense. I've had to do this for a few companies in my IT career, but getting what you need with PowerShell should be possible; the complexity of the logic sort of depends on how many layers deep explicit security groups are being set and needing to verify the R, M, or W exist. It'll be a nightmare if you need to go 1000 folders deep and check security on all as you traverse the structure. Let me know your thoughts though, I can maybe still help.
Jan
Agree with the points made @PimpJuiceIT. Further, can you please explain what you mean with "A lot of those are missing (some just have one or two out of three)." as I do not fully understand your question.