List of permissions for a folder and it's subfolder

Question

I am using PowerShell on Windows 7. I have the following code snippet and wanted to know

Why am I not getting the SID to translate to a friendly username (on the domain)?

$OutFile = "I:\Permissions.csv"
$RootPath = "K:\FolderName"

$Folders = dir $RootPath -recurse | where {$_.psiscontainer -eq $true}

foreach ($Folder in $Folders)
{
    $ACLs = get-acl $Folder.fullname | ForEach-Object { $_.Access  }
    Foreach ($ACL in $ACLs)
    {

        $objSID = New-Object System.Security.Principal.SecurityIdentifier($ACL.IdentityReference.Value) 
        #$objUser = $objSID.Translate([System.Security.Principal.NTAccount]) 
        $objUser = $objSID.Translate([System.Security.Principal.SecurityIdentifier])
        $objUser.Value


        #Show User
        Write-Host “`r`nThe user mapped to SID $($objSID) is $($objUser.value)`r`n” -f “Red”

        $OutInfo = $Folder.Fullname + "," + $objUser.Value  + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
        Add-Content -Value $OutInfo -Path $OutFile
    }
}

Desired Output would be the SAM account name. (not the Display Name)

John.Smith1
John.Smith

Answer 1

IdentityReference is a SecurityIdentifier -object or NTAccount -object, not the SID-value as a string, which is what you would need for the SecurityIdentifier constructor. If you need to access the SID as a string, you need to access $ACL.IdentityReference.Value .

Try this:

$RootPath = "K:\FolderName"
#Define $OutFile
#Define $Dname

$Folders = dir $RootPath | where {$_.psiscontainer -eq $true}

foreach ($Folder in $Folders)
{
    $ACLs = get-acl $Folder.fullname

    $ACLs.Access | ForEach-Object { 
        $ACL = $_

        #IdentityReference may already be a SID- or a NTAccount-object. 
        #Get SID-object
        $objSID = $ACL.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        #Translate to NTAccount-object
        $objUser = $objSID.Translate([System.Security.Principal.NTAccount]) 

        #Show User
        Write-Host "`r`nThe user mapped to SID $($objSID) is $($objUser.value)`r`n" -f "Red"

        $OutInfo = $Folder.Fullname + "," + $DName.Value  + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
        Add-Content -Value $OutInfo -Path $OutFile
    }
}

Answer 2

You can use a fairly simple ADSI lookup to pull the user's distinguishedname. Try this out:

$DName = ([adsi]"LDAP://<SID=$($ACL.IdentityReference.value)>").distinguishedName

$DName should now contain a string with something like 'CN=JSmith,OU=Users,DC=something,DC=com'

To just get the user's name from that you can split the string a couple times since it is = and , delimited:

$strUser = $dname.split("=")[1].split(",")[0]

Answer 3

To translate a SID String to an NTAccount:

$exampleSidString = 'S-1-5-21-768745588-123456789-987654321-500'
$objSID = New-Object System.Security.Principal.SecurityIdentifier $exampleSidString
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount] )
$objUser.Value

However, if you already have an Identity Reference (of which both SecurityIdentifier and NTAccount are subclasses), you can go straight to the transate function:

$objUser = $ACL.IdentityReference.Translate( [System.Security.Principal.NTAccount] )
$objUser.Value

Check this link out for more information