Author Posts

September 15, 2015 at 10:40 am

Hi,

Does anyone knows/has a script that exports user/groups NTFS permissions of files and folders and SMB share permissions?
Trying to audit my file server...

September 15, 2015 at 7:37 pm

NTFS is pretty easy out of the box:

dir C:\folder -Recurse | ForEach-Object {
    # Try/catch here would let you save the path to files/folders that you can't view...
    $_ | Get-Acl | select @{N="Path"; E={Convert-Path $_.Path}} -ExpandProperty Access
} | Export-Csv C:\ntfs_perms.csv -NoTypeInformation

Unfortunately, you'll probably want to wrap Get-Acl in a ForEach-Object block like that in case you encounter any files or folders whose permissions you can't view (it throws terminating errors and doesn't honor the -ErrorAction and -ErrorVariable common parameters.

If you don't mind using third party tools, you could check out this module that I created (GitHub here). Using version 4.0, you could do something like this:

dir C:\folder -Recurse | 
    Get-PacAccessControlEntry -ErrorVariable GetAceErrors | 
    Export-Csv C:\ntfs_perms_2.csv -NoTypeInformation

Then, you can check $GetAceErrors to get a list of problem files/folders. If you can run the command as an admin, you can actually leverage the SeBackupPrivilege to ignore the ACLs completely so you don't have to worry about access denied errors:

dir C:\folder -Recurse | 
    Get-PacAccessControlEntry -PacSDOption (New-PacSDOption -BypassAclCheck) | 
    Export-Csv C:\ntfs_perms_3.csv -NoTypeInformation

Share permissions are a little bit tougher out of the box. It can be done, but it's not going to be as short and pretty as the NTFS permissions were. What version of Windows will you be trying to get the share permissions on?

If you don't mind using the module from above, you can get the share permissions pretty much the same as you did for the NTFS permissions. Any of these commands should do the trick:

Get-SmbShare | Get-PacAccessControlEntry
Get-WmiObject Win32_Share -ComputerName server | Get-PacAccessControlEntry
Get-CimInstance Win32_LogicalShareSecuritySetting | Get-PacAccessControlEntry
Get-PacAccessControlEntry \\server\share -PacSDOption (New-PacSDOption -ObjectType LMShare)

September 16, 2015 at 8:46 am

Rohn Edwards ,

Thanks!
I'm using it on Windows 7 and Windows Server 2008 R2 =/

I'll use this script found on TechNet Gallery to get network shares permissions:


function Get-SharedPermissions{
$Shares = Get-WmiObject -Class Win32_Share -ComputerName $Computer | select -ExpandProperty Name

foreach ($Share in $Shares){
$ACL = $Null
Write-Host $Share -ForegroundColor Green
Write-Host $('-' * $Share.Length) -ForegroundColor Green
$objShareSec = Get-WMIObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$Share'" -ComputerName $Computer
Try{
$SD = $objShareSec.GetSecurityDescriptor().Descriptor
foreach($ACE in $SD.DACL){
$UserName = $ACE.Trustee.Name
if ($ACE.Trustee.Domain -ne $Null) {$UserName = "$($ACE.Trustee.Domain)\$UserName"}
if ($ACE.Trustee.Name -eq $Null) {$UserName = $ACE.Trustee.SIDString }
[Array]$ACL += New-Object Security.AccessControl.FileSystemAccessRule($UserName, $ACE.AccessMask, $ACE.AceType)
}
}
Catch{
Write-Host "Unable to obtain permissions for $Share"
}
$ACL | select IdentityReference,IsInherited,FileSystemRights
Write-Host $('=' * 50)
}
}