NTFSSecurity-Module/NTFSSecurity/AuditCmdlets/Get-OrphanedAudit.cs

using Alphaleonis.Win32.Filesystem;
using Security2;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Management.Automation;

namespace NTFSSecurity.AuditCmdlets
{
    [Cmdlet(VerbsCommon.Get, "NTFSOrphanedAudit")]
    [OutputType(typeof(FileSystemAuditRule2))]
    public class GetOrphanedAudit : GetAudit
    {
        int orphanedSidCount = 0;

        protected override void ProcessRecord()
        {
            IEnumerable<FileSystemAuditRule2> acl;
            FileSystemInfo item = null;

            foreach (var p in paths)
            {
                try
                {
                    item = this.GetFileSystemInfo2(p);
                }
                catch (Exception ex)
                {
                    this.WriteError(new ErrorRecord(ex, "ReadError", ErrorCategory.OpenError, p));
                    continue;
                }

                try
                {
                    acl = FileSystemAuditRule2.GetFileSystemAuditRules(item, !ExcludeExplicit, !ExcludeInherited, getInheritedFrom);

                    var orphanedAces = acl.Where(ace => string.IsNullOrEmpty(ace.Account.AccountName));
                    orphanedSidCount += orphanedAces.Count();

                    this.WriteVerbose(string.Format("Item {0} knows about {1} orphaned SIDs in its ACL", p, orphanedAces.Count()));
                    this.WriteObject(orphanedAces);
                }
                catch (Exception ex)
                {
                    this.WriteWarning(string.Format("Could not read item {0}. The error was: {1}", p, ex.Message));
                }
            }
        }

        protected override void EndProcessing()
        {
            WriteVerbose(string.Format("Total orphaned Access Control Enties: {0}", orphanedSidCount));
            base.EndProcessing();
        }
    }
}