May 16, 2017 at 9:21 am

Hello,

I am new to writing PowerShell scripts and have been tasked with the following. I understand the layout of the parameters etc. for flexibility, but the actual writing I just can't get my head around. If anyone could help me with the below and explain your answer, that would be a lot of help to me.

I need a PowerShell script that will check a complete DFS root
and report all targets and access-based enumeration for each.
I then need the script to check all NTFS permissions on all the
targets and list the security groups assigned.
I then need this script to search 4 domains and report on the users in these groups.

May 16, 2017 at 12:57 pm

Happy to try and help, although I can't bang out the whole thing for you. What have you tried? Where are you stuck?

I will tell you that "check all NTFS permissions on all the targets and list the security groups assigned" is going to be a MASSIVE and time-consuming task. Like, you've no idea how long it's going to take to run through all that unless you've got just one or two targets. PowerShell (indeed, Windows' permissions system) wasn't designed for this. That's where the $$$ commercial tools come in. You're basically setting out to write your own commercial tool. It might not be the best choice for your first PowerShell script :).

May 17, 2017 at 2:50 pm

So you are asking us to write it for you?

Here is some kind of a start for you. As Don said, going recursively might take heaps of time. I've done some used-space calculations against our DFS and it was running for a day or so.

Import-Module ActiveDirectory   # Get-ADObject / Get-ADUser / Get-ADGroupMember

# folder to audit; this reads the ACL of the folder itself, not of anything below it
$folder = "c:\path"

# put your domain prefix (NetBIOS name) here; only ACEs for this domain are resolved
$domain = "domain"

# output file named after the folder, e.g. c_path.csv
$csv = "$($folder.replace('\','_').replace(':','').replace(' ','')).csv"
$collection = New-Object System.Collections.Generic.List[System.Object]
$permCollection = New-Object System.Collections.Generic.List[System.Object]

# one "identity;rights" line per ACE on the folder
foreach ($access in (Get-Acl $folder).Access) {
    $filerights = $access.FileSystemRights.ToString()
    $inheritanceFlg = $access.InheritanceFlags.ToString()
    # an ACE that applies to subfolders only effectively grants list rights, not read/execute
    if ($inheritanceFlg -eq 'ContainerInherit') {
        $filerights = $filerights.replace('ReadAndExecute', 'ListDirectory')
    }
    $output = $access.IdentityReference.ToString() + ';' + $filerights
    $collection.Add($output)
}

# resolve only domain principals; BUILTIN\, NT AUTHORITY\ and orphaned SIDs are skipped
$col = $collection | Where-Object { $_ -like "$domain\*" }
foreach ($c in $col) {
    $ADOC   = $c.Split(';')[0].Split('\')[1]            # account name part of DOMAIN\name
    $ADOACL = $c.Split(';')[1] -replace ', Synchronize', ''
    # the name in an ACE is the sAMAccountName, which is not necessarily the object's CN
    $ADO = Get-ADObject -Filter { sAMAccountName -eq $ADOC }

    if ($ADO.ObjectClass -eq 'user') {
        # Get-ADUser -Identity takes a DN/GUID/SID/sAMAccountName, not the display name
        $obj = Get-ADUser -Identity $ADO.DistinguishedName -Properties LastLogonDate |
               Select-Object SamAccountName, GivenName, Surname, Enabled, LastLogonDate,
                   @{Label = 'PermissionGroup'; Expression = { 'MappedUser' }},
                   @{Label = 'Permission';      Expression = { $ADOACL }}
        $permCollection.Add($obj)
    }

    if ($ADO.ObjectClass -eq 'group') {
        # -Recursive flattens nested groups; members that are not users (computers, FSPs) are dropped
        Get-ADGroupMember -Identity $ADO.DistinguishedName -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties LastLogonDate |
            Select-Object SamAccountName, GivenName, Surname, Enabled, LastLogonDate,
                @{Label = 'PermissionGroup'; Expression = { $ADO.Name }},
                @{Label = 'Permission';      Expression = { $ADOACL }} |
            ForEach-Object { $permCollection.Add($_) }
    }
}

# both writes use the same encoding; mixing Export-Csv UTF8 with Out-File's default garbles the appended lines
$permCollection | Export-Csv $csv -NoTypeInformation -Encoding UTF8 -Delimiter ';'

'' | Out-File $csv -Append -Encoding UTF8
'Exact Folder ACL' | Out-File $csv -Append -Encoding UTF8
$collection | Out-File $csv -Append -Encoding UTF8
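As an added example for this thread (not code from any of the posts above), the following PowerShell covers the two parts of the original request that the posted script does not: walking a DFS namespace to report each folder target together with the root's access-based enumeration setting, and expanding a group's membership across several domains by following the raw `member` attribute to each member's own domain, including members that appear only as foreign security principals. It assumes the DFSN and ActiveDirectory RSAT modules, the placeholder namespace `\\corp.example.com\Shares` and the four example domain names, that the DFSN module reports ABE in `Get-DfsnRoot`'s `Flags` list as the string `AccessBased Enumeration`, and that each domain's NetBIOS name equals the first label of its FQDN (a guess you should replace with your real prefixes).

```powershell
# Added example, not from the original thread. Assumes the DFSN and ActiveDirectory RSAT
# modules, read access to the namespace, the target shares and a DC in every listed domain.
Import-Module DFSN
Import-Module ActiveDirectory

# Placeholders: replace with your namespace root and the four domains to search
$NamespaceRoot = '\\corp.example.com\Shares'
$Domains       = 'corp.example.com', 'emea.example.com', 'apac.example.com', 'lab.example.com'

function Get-DfsTargetReport {
    param([string]$Root)
    # ABE is a root-level setting in DFS-N; Get-DfsnRoot exposes it in the Flags list.
    # The flag string 'AccessBased Enumeration' is an assumption here; check it on your build.
    $rootInfo = Get-DfsnRoot -Path $Root
    $rootAbe  = [bool]($rootInfo.Flags -contains 'AccessBased Enumeration')

    foreach ($folder in Get-DfsnFolder -Path "$Root\*") {
        foreach ($target in Get-DfsnFolderTarget -Path $folder.Path) {
            [pscustomobject]@{
                Folder      = $folder.Path
                TargetPath  = $target.TargetPath
                TargetState = $target.State
                RootABE     = $rootAbe
            }
        }
    }
}

function Get-DomainFromDN {
    param([string]$DistinguishedName)
    # 'CN=x,OU=y,DC=emea,DC=example,DC=com' -> 'emea.example.com'
    (($DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
}

function Resolve-GroupMembersAcrossDomains {
    param([string]$GroupSam, [string[]]$SearchDomains)
    # Locate the group in whichever domain holds it
    $group = $null
    foreach ($d in $SearchDomains) {
        $group = Get-ADGroup -Filter "sAMAccountName -eq '$GroupSam'" -Server $d -Properties member
        if ($group) { break }
    }
    if (-not $group) { Write-Warning "$GroupSam not found in any search domain"; return }

    # Walk the member attribute ourselves: Get-ADGroupMember -Recursive stops at members
    # from other domains, whereas each DN tells us which DC to ask about it
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object System.Collections.Queue
    foreach ($m in $group.member) { $queue.Enqueue($m) }

    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if (-not $seen.Add($dn)) { continue }              # guards against nested-group loops
        $server = Get-DomainFromDN $dn
        $obj = Get-ADObject -Identity $dn -Server $server -Properties member, objectSid

        switch ($obj.ObjectClass) {
            'group' { foreach ($m in $obj.member) { $queue.Enqueue($m) } }
            'user'  {
                Get-ADUser -Identity $dn -Server $server -Properties LastLogonDate |
                    Select-Object SamAccountName, Enabled, LastLogonDate,
                        @{Label = 'Domain';   Expression = { $server }},
                        @{Label = 'ViaGroup'; Expression = { $GroupSam }}
            }
            'foreignSecurityPrincipal' {
                # a domain-local group holding a user from another domain stores only the SID;
                # ask each search domain for that SID until one answers
                foreach ($d in $SearchDomains) {
                    try {
                        Get-ADUser -Identity $obj.objectSid -Server $d -Properties LastLogonDate |
                            Select-Object SamAccountName, Enabled, LastLogonDate,
                                @{Label = 'Domain';   Expression = { $d }},
                                @{Label = 'ViaGroup'; Expression = { $GroupSam }}
                        break
                    } catch { }
                }
            }
        }
    }
}

# Report every target with the root ABE state, then expand the domain groups on each online target
$targets = Get-DfsTargetReport -Root $NamespaceRoot
$targets | Format-Table -AutoSize

# Assumption: NetBIOS prefix == first FQDN label; replace with your real prefixes if it is not
$domainPrefixes = $Domains | ForEach-Object { ($_ -split '\.')[0] }
foreach ($t in $targets | Where-Object { $_.TargetState -eq 'Online' }) {
    (Get-Acl $t.TargetPath).Access |
        ForEach-Object { $_.IdentityReference.Value } |
        Where-Object { ($_ -split '\\')[0] -in $domainPrefixes } |
        Sort-Object -Unique |
        ForEach-Object { Resolve-GroupMembersAcrossDomains -GroupSam ($_ -split '\\')[1] -SearchDomains $Domains }
}
```

The member walk deliberately avoids `Get-ADGroupMember -Recursive` for the cross-domain case: that cmdlet queries the group's own domain and cannot follow a DN or a foreign security principal into another forest domain, which is exactly where the "search 4 domains" requirement bites. Identities on the ACL that are users rather than groups will produce a "not found" warning from the resolver; the script earlier in the thread shows how to map those directly.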