NTFS Security - separating ADUsers from ADGroups

This topic contains 3 replies, has 3 voices, and was last updated by Wren 2 weeks ago.

  • #58385
    Wren
    Participant

    I'm working on a script that audits the NTFS security of a file server share, looks only at explicit security, and returns a list using a reader-friendly name and permissions. Unfortunately, AD Users and AD Groups can both be assigned to NTFS security (preferably AD Groups). So when I pull the results and convert the account names (\\SOMEDOMAIN\ADUSER) to a friendly name (ADUSER.FirstName ADUSER.LastName), groups are ignored. Is there some PowerShell code I could incorporate to retrieve the group memberships and list the users along with their permissions?

    For this script I'm using the NTFSSecurity Module:

    #This script creates a custom object from the NTFS Security on a File Share
    #Only individual AD Users will be listed in the resulting csv file
    #Modules used: NTFSSecurity (Get-NTFSAccess) and ActiveDirectory (Get-ADUser)
    Import-Module NTFSSecurity
    Import-Module ActiveDirectory
    $path=Read-Host "Enter UNC or local folder path"
    #Explicit (non-inherited) entries only; SOMEDOMAIN is the domain prefix stripped from "SOMEDOMAIN\Account"
    #Get-ADUser fails for a group name, so FriendlyName is $null for groups and they are filtered out below
    $perms=Get-Item -LiteralPath "$path" | Get-NTFSAccess -ExcludeInherited | ForEach-Object {
        New-Object PSObject -Property @{
            Account=$_.Account.AccountName;
            FriendlyName=(Get-ADUser -Identity (($_.Account.AccountName -split "SOMEDOMAIN\\")[1]) -ErrorAction SilentlyContinue).Name;
            Access=$_.AccessRights
        }
    }
    $perms | Where-Object FriendlyName -ne $null | Select-Object FriendlyName,Access | Export-Csv "C:\temp\NTFSPerms.csv" -NoTypeInformation

  • #58388
    Olaf Soyk
    Participant

    First of all, could you please format your code as code? One of the first 3 posts in this forum tells you how.

    Did you try Get-ACL? Did you search for it? Probably there has already been someone with a similar task: Microsoft Technet Script Gallery or Microsoft Powershell Forum

  • #58414
    Max Kozlov
    Participant

    The object Get-NTFSAccess returns has an AccountType property. Just use it.

    For retrieving group info you could use Get-ADGroup.

  • #58480
    Wren
    Participant

    Thanks for the feedback. I am still getting used to using this forum and programming in PowerShell. Below is the solution I worked out.

    #Modules used: NTFSSecurity (Get-NTFSAccess) and ActiveDirectory (Get-ADUser, Get-ADGroupMember)
    Import-Module NTFSSecurity
    Import-Module ActiveDirectory
    #input the path to be audited
    $script:path=Read-Host "Enter UNC or local folder path"
    #Confirms the path is valid to continue (return ends the script; break only belongs in a loop)
    if (-not (Test-Path -LiteralPath $script:path)) { Write-Output "Invalid path."; return }
    #Return explicit (non-inherited) NTFS access results into a new object
    #SOMEDOMAIN is the domain prefix stripped from "SOMEDOMAIN\Account"; entries without it (BUILTIN, NT AUTHORITY) get $null
    $perms=Get-Item -LiteralPath "$script:path" | Get-NTFSAccess -ExcludeInherited | ForEach-Object {
        New-Object PSObject -Property @{
            Account=$_.Account.AccountName;
            FriendlyName=(($_.Account.AccountName -split "SOMEDOMAIN\\")[1]);
            Access=$_.AccessRights
        }
    }
    #Translates the results into reader-friendly format: an AD user maps to its own name,
    #anything else is treated as a group and expanded to its recursive member names.
    #Lookup errors are suppressed per call rather than with a global $ErrorActionPreference.
    $results= $perms | Where-Object FriendlyName -ne $null | ForEach-Object {
        $user = Get-ADUser -Identity $_.FriendlyName -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Name=$(
                if ($user) { $user.Name }
                else { (Get-ADGroupMember -Identity $_.FriendlyName -Recursive -ErrorAction SilentlyContinue).Name }
            );
            Access=$_.Access
        }
    }
    #Exports the results as a csv file; a group's member names are joined into one cell
    $results | Select-Object @{n="Name";e={($_.Name -join "; ")}},Access | Export-Csv C:\Temp\NTFSPerms.csv -NoTypeInformation
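
    A fuller version of the same audit, added here as an example and not part of any poster's script. It follows Max's point that the trustee on each ACE has to be classified first, and the solution above's idea of expanding groups to users, but classifies by looking the ACE's SID up in AD (objectClass) rather than by relying on a failed Get-ADUser call, walks nested groups by hand with a cycle guard, and records the group chain and the Allow/Deny type for every row. It assumes the NTFSSecurity and ActiveDirectory modules on a domain-joined host; the output path C:\Temp\NTFSPerms.csv is carried over from the thread.

    ```powershell
    # Added example (not the original poster's script). Assumes the NTFSSecurity and
    # ActiveDirectory modules and a domain-joined host with rights to read the share's ACL.
    Import-Module NTFSSecurity
    Import-Module ActiveDirectory

    # Classify a trustee by SID: local and well-known principals (BUILTIN\..., NT AUTHORITY\...)
    # carry no domain component; everything else is looked up in AD by objectSid.
    function Get-TrusteeClass {
        param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
        if (-not $Sid.IsAccountSid()) { return 'local' }
        $obj = Get-ADObject -Filter "objectSid -eq '$($Sid.Value)'" -Properties objectClass
        if (-not $obj) { return 'unresolved' }   # local machine account, deleted SID, or untrusted domain
        return $obj.objectClass                   # 'user', 'group', 'computer', 'foreignSecurityPrincipal'
    }

    # Walk a group's membership and emit one object per user, with the chain of groups it came through.
    # $Seen holds SIDs of groups already visited, so a group nested inside itself is not walked twice.
    function Expand-GroupMembers {
        param(
            [Parameter(Mandatory)][string]$GroupSid,
            [Parameter(Mandatory)][string]$Via,
            [Parameter(Mandatory)][hashtable]$Seen
        )
        foreach ($member in Get-ADGroupMember -Identity $GroupSid) {
            if ($member.objectClass -eq 'user') {
                [pscustomobject]@{ Name = $member.Name; Via = $Via }
            }
            elseif ($member.objectClass -eq 'group') {
                $childSid = $member.SID.Value
                if (-not $Seen.ContainsKey($childSid)) {   # cycle guard for nested groups
                    $Seen[$childSid] = $true
                    Expand-GroupMembers -GroupSid $childSid -Via "$Via > $($member.Name)" -Seen $Seen
                }
            }
            # computers and foreign security principals are not users; they are skipped
        }
    }

    # Main: read the explicit (non-inherited) ACEs and flatten each one to per-user rows.
    $path = Read-Host "Enter UNC or local folder path"
    if (-not (Test-Path -LiteralPath $path)) { Write-Error "Invalid path: $path"; return }

    $rows = foreach ($ace in Get-NTFSAccess -Path $path -ExcludeInherited) {
        $sid     = $ace.Account.Sid
        $trustee = $ace.Account.AccountName
        $class   = Get-TrusteeClass -Sid $sid
        $users   = switch ($class) {
            'user'  { [pscustomobject]@{ Name = (Get-ADUser -Identity $sid.Value).Name; Via = 'direct' } }
            'group' {
                $seen = @{}
                $seen[$sid.Value] = $true
                Expand-GroupMembers -GroupSid $sid.Value -Via $trustee -Seen $seen
            }
            default { [pscustomobject]@{ Name = $trustee; Via = $class } }   # kept, flagged as not a domain user
        }
        foreach ($u in $users) {
            [pscustomobject]@{
                Path    = $path
                Trustee = $trustee                # the principal actually present on the ACE
                User    = $u.Name
                Via     = $u.Via                  # 'direct', the group chain, or the trustee class
                Type    = $ace.AccessControlType  # Allow or Deny; Deny rows matter in an audit
                Access  = $ace.AccessRights
            }
        }
    }
    $rows | Export-Csv -Path C:\Temp\NTFSPerms.csv -NoTypeInformation
    ```

    Two caveats to keep in mind when reading the CSV. Get-ADGroupMember is subject to the AD Web Services member limit on very large groups and does not expand members that live in a trusted domain (they appear as foreignSecurityPrincipal objects and are skipped above), so a row count that looks too small is worth checking against Get-ADGroup -Properties Member. And because only explicit entries are read, the list is what this folder adds, not the effective permissions: inherited ACEs from parent folders still grant access and are not shown.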
