Exporting ACLs and SMB Share permissions to a CSV

This topic contains 2 replies, has 2 voices, and was last updated by Vandrey Trindade 1 year, 1 month ago.

  • Author
  • #29779
    Vandrey Trindade


    Does anyone know of/have a script that exports user/group NTFS permissions of files and folders and SMB share permissions?
    Trying to audit my file server...

  • #29789
    Rohn Edwards

    NTFS is pretty easy out of the box:

    dir C:\folder -Recurse | ForEach-Object {
        # Try/catch here would let you save the path to files/folders that you can't view...
        $_ | Get-Acl | select @{N="Path"; E={Convert-Path $_.Path}} -ExpandProperty Access
    } | Export-Csv C:\ntfs_perms.csv -NoTypeInformation

    Unfortunately, you'll probably want to wrap Get-Acl in a ForEach-Object block like that in case you encounter any files or folders whose permissions you can't view (it throws terminating errors and doesn't honor the -ErrorAction and -ErrorVariable common parameters).

    If you don't mind using third-party tools, you could check out this module that I created (GitHub here). Using version 4.0, you could do something like this:

    dir C:\folder -Recurse | 
        Get-PacAccessControlEntry -ErrorVariable GetAceErrors | 
        Export-Csv C:\ntfs_perms_2.csv -NoTypeInformation

    Then, you can check $GetAceErrors to get a list of problem files/folders. If you can run the command as an admin, you can actually leverage the SeBackupPrivilege to ignore the ACLs completely so you don't have to worry about access denied errors:

    dir C:\folder -Recurse | 
        Get-PacAccessControlEntry -PacSDOption (New-PacSDOption -BypassAclCheck) | 
        Export-Csv C:\ntfs_perms_3.csv -NoTypeInformation

    Share permissions are a little bit tougher out of the box. It can be done, but it's not going to be as short and pretty as the NTFS permissions were. What version of Windows will you be trying to get the share permissions on?

    If you don't mind using the module from above, you can get the share permissions pretty much the same as you did for the NTFS permissions. Any of these commands should do the trick:

    Get-SmbShare | Get-PacAccessControlEntry
    Get-WmiObject Win32_Share -ComputerName server | Get-PacAccessControlEntry
    Get-CimInstance Win32_LogicalShareSecuritySetting | Get-PacAccessControlEntry
    Get-PacAccessControlEntry \\server\share -PacSDOption (New-PacSDOption -ObjectType LMShare)
  • #29828
    Vandrey Trindade

    Rohn Edwards,

    I'm using it on Windows 7 and Windows Server 2008 R2 =/

    I'll use this script found on TechNet Gallery to get network shares permissions:

    function Get-SharedPermissions {
        # $Computer was undefined in the posted snippet; default to the local machine
        param([string]$Computer = $env:COMPUTERNAME)
        $Shares = Get-WmiObject -Class Win32_Share -ComputerName $Computer | select -ExpandProperty Name

        foreach ($Share in $Shares) {
            $ACL = $Null
            Write-Host $Share -ForegroundColor Green
            Write-Host $('-' * $Share.Length) -ForegroundColor Green
            $objShareSec = Get-WMIObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$Share'" -ComputerName $Computer
            try {
                $SD = $objShareSec.GetSecurityDescriptor().Descriptor
                foreach ($ACE in $SD.DACL) {
                    $UserName = $ACE.Trustee.Name
                    if ($ACE.Trustee.Domain -ne $Null) {$UserName = "$($ACE.Trustee.Domain)\$UserName"}
                    if ($ACE.Trustee.Name -eq $Null) {$UserName = $ACE.Trustee.SIDString }
                    # Build an access rule object so the mask is displayed as readable rights
                    [Array]$ACL += New-Object Security.AccessControl.FileSystemAccessRule($UserName, $ACE.AccessMask, $ACE.AceType)
                }
            }
            catch {
                # Reached when the share has no security setting object or the descriptor can't be read
                Write-Host "Unable to obtain permissions for $Share"
            }
            $ACL | select IdentityReference,IsInherited,FileSystemRights
            Write-Host $('=' * 50)
        }
    }
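
One way to get the share permissions into a CSV rather than onto the console, using only the built-in WMI classes and PowerShell 2.0 syntax (Windows 7 / Server 2008 R2). This is an added example, not code from either poster or from the TechNet script; the function name Get-SharePermissionRow, the column names and the output path C:\share_perms.csv are assumptions.

```powershell
# Added example (not from the thread). Get-SharePermissionRow is a hypothetical name.
# Emits one object per ACE so the result can be piped straight to Export-Csv.
function Get-SharePermissionRow {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $columns  = 'Computer', 'Share', 'Identity', 'AceType', 'Rights', 'AccessMask'
    # @() keeps PowerShell 2.0 from looping once over $null when nothing is returned
    $settings = @(Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $ComputerName)

    foreach ($setting in $settings) {
        $row = @{ Computer = $ComputerName; Share = $setting.Name
                  Identity = $null; AceType = $null; Rights = $null; AccessMask = $null }
        try {
            $result = $setting.GetSecurityDescriptor()
            if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($result.ReturnValue)" }
        }
        catch {
            # Record the share that could not be read instead of silently dropping it
            $row.AceType = 'Error'
            $row.Rights  = $_.Exception.Message
            New-Object PSObject -Property $row | Select-Object $columns
            continue
        }

        $dacl = $result.Descriptor.DACL
        if ($null -eq $dacl) {
            # A NULL DACL places no restriction on access, so flag it for review
            $row.Rights = 'No DACL'
            New-Object PSObject -Property $row | Select-Object $columns
            continue
        }
        foreach ($ace in $dacl) {
            # Same trustee naming as the script above: DOMAIN\Name, or the SID if unresolved
            $identity = $ace.Trustee.Name
            if ($ace.Trustee.Domain) { $identity = "$($ace.Trustee.Domain)\$identity" }
            if (-not $ace.Trustee.Name) { $identity = $ace.Trustee.SIDString }

            $row.Identity   = $identity
            $row.AccessMask = '0x{0:X8}' -f $ace.AccessMask
            $row.AceType = switch ($ace.AceType) { 0 {'Allow'} 1 {'Deny'} default {"Type $_"} }
            $row.Rights  = switch ($ace.AccessMask) {
                2032127 {'FullControl'} 1245631 {'Change'} 1179817 {'Read'} default {'Special'}
            }
            New-Object PSObject -Property $row | Select-Object $columns
        }
    }
}

Get-SharePermissionRow | Export-Csv C:\share_perms.csv -NoTypeInformation
```

Rows with AceType 'Error' or Rights 'No DACL' are the ones to look at first in an audit; 'Special' means the mask is not one of the three standard share levels, and the raw value is in the AccessMask column.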
