This month I found myself in need of a quick way to do a simple audit of share permissions on a bunch of file servers. As always, I wanted to use PowerShell Remoting (with the code executing on the local server) to accomplish this, as enumerating shares is a slow process at the best of times and over the wire it would have been painfully slow.
Before writing a script I always see if anyone has done this already, and in this case yes, I stumbled upon http://www.peetersonline.nl/index.php/powershell/listing-share-permissions-for-remote-shares
The only thing missing for my requirements was having both the share name and server name added to the object. This is obviously very minor and only required a couple of alterations, for example:
    function Get-SharePermissions {
        param([string]$computername, [string]$sharename)

        # Collect results in a local array rather than a global variable
        $myCol = @()
        $ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $computername
        ForEach ($ShareS in ($ShareSec | Where {$_.Name -eq $sharename})) {
            $SecurityDescriptor = $ShareS.GetSecurityDescriptor()
            ForEach ($DACL in $SecurityDescriptor.Descriptor.DACL) {
                $myObj = "" | Select ID, AccessMask, AceType
                $myObj.ID = $DACL.Trustee.Name
                # Added so that results from many servers and shares can be told apart
                $myObj | Add-Member -MemberType NoteProperty -Name Server -Value $computername
                $myObj | Add-Member -MemberType NoteProperty -Name Share -Value $sharename
                # Translate the numeric access mask into a readable name
                Switch ($DACL.AccessMask) {
                    2032127     {$AccessMask = "FullControl"}
                    1179785     {$AccessMask = "Read"}
                    1180063     {$AccessMask = "Read, Write"}
                    1179817     {$AccessMask = "ReadAndExecute"}
                    -1610612736 {$AccessMask = "ReadAndExecuteExtended"}
                    1245631     {$AccessMask = "ReadAndExecute, Modify, Write"}
                    1180095     {$AccessMask = "ReadAndExecute, Write"}
                    268435456   {$AccessMask = "FullControl (Sub Only)"}
                    default     {$AccessMask = $DACL.AccessMask}
                }
                $myObj.AccessMask = $AccessMask
                Switch ($DACL.AceType) {
                    0 {$AceType = "Allow"}
                    1 {$AceType = "Deny"}
                    2 {$AceType = "Audit"}
                }
                $myObj.AceType = $AceType
                Clear-Variable AccessMask -ErrorAction SilentlyContinue
                Clear-Variable AceType -ErrorAction SilentlyContinue
                $myCol += $myObj
            }
        }
        Return $myCol
    }

    # The share name is passed in as the first script argument
    Get-SharePermissions -computername $ENV:COMPUTERNAME -sharename $args[0]
As in previous posts on my blog, I will use PowerShell remoting with a variable for the servers ($allServers), having saved the above code as C:\Scripts\Get-SharePermissions.ps1:
    icm $allServers -FilePath C:\Scripts\Get-SharePermissions.ps1 -ArgumentList Wallpaper$
And the results:
Thanks for reading and I hope you find this useful. Also special thanks to the original author of this excellent script, Hugo Peeters @ http://www.peetersonline.nl/
Regards,
jfrmilner
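An added example, not part of the original post or of Hugo Peeters' script: a variant of the audit above that enumerates every share returned by Win32_LogicalShareSecuritySetting instead of taking one share name, and flags Allow entries that give broad groups more than Read. The function name Get-AllSharePermissions, the Risky property, the list of broad trustees and the CSV path are assumptions for illustration; [pscustomobject] needs PowerShell 3.0 or later.

```powershell
# Added example: audit every share on a server (names below are illustrative).
function Get-AllSharePermissions {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Assumption: trustees treated as "broad" for this audit; adjust as needed.
    $broad = 'Everyone', 'Authenticated Users', 'Domain Users'

    $settings = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $ComputerName
    foreach ($setting in $settings) {
        $result = $setting.GetSecurityDescriptor()
        if ($result.ReturnValue -ne 0) {
            Write-Warning "Skipping $($setting.Name): GetSecurityDescriptor returned $($result.ReturnValue)"
            continue
        }
        foreach ($ace in $result.Descriptor.DACL) {
            # The three standard share-level rights; anything else is shown raw.
            $right = switch ($ace.AccessMask) {
                2032127 { 'FullControl' }
                1245631 { 'Change' }
                1179817 { 'Read' }
                default { "0x{0:X8}" -f $ace.AccessMask }
            }
            $type = switch ($ace.AceType) {
                0 { 'Allow' }
                1 { 'Deny' }
                2 { 'Audit' }
                default { "Unknown ($($ace.AceType))" }
            }
            # Unresolved accounts have no name, so fall back to the SID string.
            $name = if ($ace.Trustee.Name) { $ace.Trustee.Name } else { $ace.Trustee.SIDString }
            if ($ace.Trustee.Domain) { $name = "$($ace.Trustee.Domain)\$name" }

            [pscustomobject]@{
                Server  = $ComputerName
                Share   = $setting.Name
                Trustee = $name
                AceType = $type
                Rights  = $right
                # Flag broad groups that are allowed anything other than plain Read.
                Risky   = ($type -eq 'Allow') -and ($right -ne 'Read') -and
                          ($broad -contains $ace.Trustee.Name)
            }
        }
    }
}

# Local run; the CSV path is a placeholder.
Get-AllSharePermissions | Export-Csv -Path .\SharePermissions.csv -NoTypeInformation
```

Piping the output through Where-Object { $_.Risky } lists only the entries that need review.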
The peetersonline domain is no longer up and running, it would appear!
Shame, let's hope it's only temporary.
Would there be a way to run this on a single computer and have it automatically detect each share?
Yes
Hi Jason, great script. Thank you for sharing.
I had this error, running your script on Windows Server 2012:
Method invocation failed because [System.Management.Automation.PSObject] doesn’t contain a method named ‘op_Addition’.
Adding this:
line 5: $myCol = @()
…solves the problem.
Hi, I'm using both your scripts, Get-MyShare and permissions, to take all NAS shares with permissions, but I couldn’t make them work together.
So I’m firstly taking the list of shares with Get-MyShare
Get-MyShares bos2-nassvr | select __SERVER, Caption
and then I’m processing in Excel, then I’m taking the permission lists one by one to a csv file.
But I was wondering, is there any way to add Server Name and Share name to the permission list?
Or it would be perfect to make such a script which takes all share names and logs their permissions in a csv file. Most people need such a script for security reasons. I tried to combine your scripts but I couldn’t :(
Thanks for the functions, with your two functions I made a basic script to take data from all servers
https://yadi.sk/d/zlktcz0Y388fX7
For those who need such a thing I uploaded it to Yandex Disk, sorry it is a bit Turkish.
Basically I’m writing the list of my servers (IP or FQDN) in a text file “SunucuListesi.txt” and running the script with PowerShell. After the script runs, the result file “SunucPaylasimlari 2016-12-30__09-29.csv” will appear.
Surprisingly, the Windows PS Export-CSV command doesn’t have an “-append” option; thanks to another scripter I found another function for it.
It would be great if you made a video of this. Those who don't know PowerShell, like me, could benefit by following it step by step :(