Find files by Owner with PowerShell

Had a request from a client recently who needed to find all the files and folders belonging to a particular user. Now, without some sort of third-party auditing tool, the only security metadata of use on an NTFS filesystem is the Owner. So, I put together this PowerShell script to step through the filesystem, extract the owner information and test whether it’s the owner which the administrator performing the search is looking for.

    # Get top-level file path
    $path = Read-Host "Please enter the top-level path (eg: C:\Temp)"

    # Get the owner to be searched for
    $user = Read-Host "Please enter the user to be searched for (eg: DOMAIN\User)"

    # Verify path exists (-LiteralPath stops [ and ] in names being read as wildcards)
    if (Test-Path -LiteralPath $path) {
        $files = Get-ChildItem -LiteralPath $path -Recurse

        foreach ($file in $files) {
            # Get-Acl returns the security descriptor; its Owner property holds the owner name
            $acl = Get-Acl -LiteralPath $file.FullName
            if ($acl.Owner -eq $user) { Write-Host $file.FullName }
        }
    }
    else {
        Write-Host "Path $path cannot be verified, please check and try again"
    }

As you can see, the script works by calling Get-ChildItem to bring up a list of files, folders and subfolders from the nominated top-level folder, and then using Get-Acl to extract the owner information and test whether the owner matches the nominated search criteria. If it does, the full path is returned to the console; if it doesn’t, the script moves on to the next item.

Looking at security information is generally quite time-consuming, so for a top-level folder which has a lot of content within it, the script might take quite a while to run. It also may produce a lot of results which aren’t that useful when displayed within the PowerShell console, so it would be worth amending the script to output to a CSV. Alternatively, the Get-ChildItem call could be changed to narrow down the search, perhaps to folders only or files with a specific extension.
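The two amendments suggested above (CSV output and a narrower Get-ChildItem search), as an added example that is not part of the original script. The function name Find-ItemByOwner, its parameters and the sample path, owner and output file are assumptions made for illustration; items whose ACL cannot be read are reported as warnings rather than stopping the run.

```powershell
# Added example: Find-ItemByOwner and its parameters are hypothetical names.
function Find-ItemByOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Owner,     # e.g. DOMAIN\User
        [string] $Filter = '*',                      # e.g. *.docx
        [switch] $DirectoryOnly                      # folders only
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Path '$Path' cannot be verified, please check and try again"
    }

    $gciArgs = @{
        LiteralPath = $Path
        Recurse     = $true
        Filter      = $Filter
        Directory   = [bool]$DirectoryOnly
        ErrorAction = 'SilentlyContinue'   # skip folders that cannot be listed
    }

    # Stream items through the pipeline instead of collecting them all first
    Get-ChildItem @gciArgs | ForEach-Object {
        $item = $_
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        }
        catch {
            # Access denied or item removed mid-scan: record it and carry on
            Write-Warning "Could not read owner of $($item.FullName): $($_.Exception.Message)"
            return
        }
        if ($acl.Owner -eq $Owner) {
            [pscustomobject]@{
                FullName      = $item.FullName
                Owner         = $acl.Owner
                IsFolder      = $item.PSIsContainer
                LastWriteTime = $item.LastWriteTime
            }
        }
    }
}

# Constructed sample values: path, owner, filter and output file
Find-ItemByOwner -Path 'C:\Temp' -Owner 'DOMAIN\User' -Filter '*.docx' |
    Export-Csv -Path "$env:TEMP\owned-by-user.csv" -NoTypeInformation
```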
