Audit Share Permissions PowerShell Script

Posted: 02/05/2011 in File Server Administration, PowerShell

This month I found myself in need of a quick way to do a simple audit of share permissions on a bunch of file servers. As always I wanted to use PowerShell Remoting (with the code executing on each server locally) to accomplish this, because enumerating shares and their security descriptors is slow at the best of times, and doing it over the wire from one workstation would have been painfully slow.

Before writing a script I always check whether someone has done it already, and in this case yes: I stumbled upon http://www.peetersonline.nl/index.php/powershell/listing-share-permissions-for-remote-shares

The only thing missing for my requirements was having both the share name and the server name added to each output object, so that results collected from many servers can be told apart. This is obviously very minor and only required a couple of alterations, for example:

function Get-SharePermissions
{
	param([string]$computername,[string]$sharename)
	# Initialise the result collection once, in function scope, before any loop.
	# The original initialised a $Global: copy inside the share loop, which left
	# $myCol undefined when no share matched and caused the "op_Addition" error
	# reported on Windows Server 2012 (see the comments below).
	$myCol = @()
	# Win32_LogicalShareSecuritySetting exposes the share-level DACL (not the NTFS ACL of the folder).
	$ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $computername
	ForEach ($ShareS in ($ShareSec | Where {$_.Name -eq $sharename}))
	{
		$SecurityDescriptor = $ShareS.GetSecurityDescriptor()
		ForEach ($DACL in $SecurityDescriptor.Descriptor.DACL)
		{
			$myObj = "" | Select ID, AccessMask, AceType
			# Trustee.Name alone; Trustee.Domain and Trustee.SIDString are also available if needed.
			$myObj.ID = $DACL.Trustee.Name
			# Tag every ACE with where it came from so rows from many servers can be combined.
			$myObj | Add-Member -MemberType NoteProperty -Name Server -Value $computername
			$myObj | Add-Member -MemberType NoteProperty -Name Share -Value $sharename
			# Translate the raw access mask to a friendly name; anything unknown is left as the number.
			Switch ($DACL.AccessMask)
			{
				2032127 {$AccessMask = "FullControl"}                    # 0x001F01FF
				1179785 {$AccessMask = "Read"}                           # 0x00120089
				1180063 {$AccessMask = "Read, Write"}                    # 0x0012019F
				1179817 {$AccessMask = "ReadAndExecute"}                 # 0x001200A9, share-level "Read"
				-1610612736 {$AccessMask = "ReadAndExecuteExtended"}     # 0xA0000000, GENERIC_READ | GENERIC_EXECUTE
				1245631 {$AccessMask = "ReadAndExecute, Modify, Write"}  # 0x001301BF, share-level "Change"
				1180095 {$AccessMask = "ReadAndExecute, Write"}          # 0x001201BF
				268435456 {$AccessMask = "FullControl (Sub Only)"}       # 0x10000000, GENERIC_ALL
				default {$AccessMask = $DACL.AccessMask}
			}
			$myObj.AccessMask = $AccessMask
			Switch ($DACL.AceType)
			{
				0 {$AceType = "Allow"}
				1 {$AceType = "Deny"}
				2 {$AceType = "Audit"}
			}
			$myObj.AceType = $AceType
			# Clear the temporaries so an unmatched ACE cannot inherit the previous ACE's values.
			Clear-Variable AccessMask -ErrorAction SilentlyContinue
			Clear-Variable AceType -ErrorAction SilentlyContinue
			$myCol += $myObj
		}
	}
	Return $myCol
}

# $args[0] is the share name passed in through Invoke-Command -ArgumentList.
Get-SharePermissions -computername $ENV:COMPUTERNAME -sharename $args[0]

As in previous posts on this blog, I run it through PowerShell Remoting with the server list in a variable ($allServers) and the code above saved as C:\Scripts\Get-SharePermissions.ps1. The share name goes in via -ArgumentList and arrives as $args[0] on each server (icm is the alias for Invoke-Command; the share name is single-quoted so the trailing $ is passed literally):

icm $allServers -FilePath C:\Scripts\Get-SharePermissions.ps1 -ArgumentList 'Wallpaper$'

And the results:

Thanks for reading and I hope you find this useful. Also special thanks to the original author of this excellent script, Hugo Peeters @ http://www.peetersonline.nl/

Regards,

jfrmilner
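The following is an added example written for this page, not the script above and not Hugo Peeters' code. It generalises the one-share script to every share on a server, which is what readers ask for in the comments: it decodes each ACE's mask with the share-level names Windows itself uses (Read, Change, Full Control) and falls back to a bit-wise decode for anything else, records the trustee's SID so the output is not locale dependent, flags Allow ACEs that give catch-all principals (Everyone, Authenticated Users, Anonymous, Users, Guests) more than Read, and reports a share with no DACL at all instead of silently skipping it. The function names, the script path C:\Scripts\Get-AllSharePermissions.ps1 and the report path are my own choices; it assumes WMI is reachable and Windows PowerShell 3.0 or later (for [PSCustomObject] and -shr).

```powershell
# Added example (not the post's script, not Hugo Peeters' code): enumerate every
# share on one server, decode each share-level ACE, flag broad grants, and emit
# objects that stream back over Invoke-Command into a single CSV.
# Assumptions: WMI reachable, Windows PowerShell 3.0+, file saved as
# C:\Scripts\Get-AllSharePermissions.ps1 (names and paths are mine).

function ConvertTo-ShareRightsString {
    param([uint32]$Mask)
    # The three values the Share Permissions dialog actually writes.
    switch ($Mask) {
        1179817 { return 'Read' }          # 0x001200A9
        1245631 { return 'Change' }        # 0x001301BF
        2032127 { return 'Full Control' }  # 0x001F01FF
    }
    # Anything else: name the generic bits in the top nibble, then let the
    # FileSystemRights enum name the specific and standard bits.
    $names = @()
    $top = [int]($Mask -shr 28)
    if ($top -band 8) { $names += 'GenericRead' }     # 0x80000000
    if ($top -band 4) { $names += 'GenericWrite' }    # 0x40000000
    if ($top -band 2) { $names += 'GenericExecute' }  # 0x20000000
    if ($top -band 1) { $names += 'GenericAll' }      # 0x10000000
    $specific = [int]($Mask -band 0x0FFFFFFF)
    if ($specific -ne 0) {
        $names += ([System.Security.AccessControl.FileSystemRights]$specific).ToString()
    }
    return ($names -join ', ')
}

function Get-AllSharePermissions {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$IncludeAdminShares   # also report C$, ADMIN$, IPC$ and the like
    )
    $aceTypes  = @{ 0 = 'Allow'; 1 = 'Deny'; 2 = 'Audit' }
    # Catch-all principals, by SID so the check survives non-English servers:
    # Everyone, Authenticated Users, Anonymous, BUILTIN\Users, BUILTIN\Guests.
    $broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-7', 'S-1-5-32-545', 'S-1-5-32-546')

    # Win32_Share carries the local path; the security-setting class does not.
    $paths = @{}
    Get-WmiObject -Class Win32_Share -ComputerName $ComputerName |
        ForEach-Object { $paths[$_.Name] = $_.Path }

    $settings = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $ComputerName
    foreach ($setting in $settings) {
        if (-not $IncludeAdminShares -and $setting.Name.EndsWith('$')) { continue }
        $result = $setting.GetSecurityDescriptor()
        if ($result.ReturnValue -ne 0) {
            Write-Warning "$ComputerName\$($setting.Name): GetSecurityDescriptor returned $($result.ReturnValue)"
            continue
        }
        $dacl = $result.Descriptor.DACL
        if (-not $dacl) {
            # A NULL DACL means no share-level restriction at all; say so
            # rather than silently emitting nothing for this share.
            [PSCustomObject]@{
                Server = $ComputerName; Share = $setting.Name; Path = $paths[$setting.Name]
                Trustee = '(no DACL)'; SID = ''; AceType = 'Allow'; Rights = 'Unrestricted'; Broad = $true
            }
            continue
        }
        foreach ($ace in $dacl) {
            $type    = $aceTypes[[int]$ace.AceType]
            $rights  = ConvertTo-ShareRightsString -Mask ([uint32]$ace.AccessMask)
            $trustee = $ace.Trustee.Name
            if ($ace.Trustee.Domain) { $trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" }
            # Broad: an Allow ACE to a catch-all principal that grants more than Read.
            $broad = ($type -eq 'Allow') -and ($broadSids -contains $ace.Trustee.SIDString) -and ($rights -ne 'Read')
            [PSCustomObject]@{
                Server  = $ComputerName
                Share   = $setting.Name
                Path    = $paths[$setting.Name]
                Trustee = $trustee
                SID     = $ace.Trustee.SIDString
                AceType = $type
                Rights  = $rights
                Broad   = $broad
            }
        }
    }
}

# When the file is run through Invoke-Command -FilePath this call does the work
# on each server and the rows stream back with PSComputerName attached.
Get-AllSharePermissions

# Driver on the admin workstation, $allServers as in the post:
#   Invoke-Command -ComputerName $allServers -FilePath C:\Scripts\Get-AllSharePermissions.ps1 |
#       Select-Object Server, Share, Path, Trustee, SID, AceType, Rights, Broad |
#       Export-Csv -Path C:\Reports\ShareAcls.csv -NoTypeInformation
#   Import-Csv C:\Reports\ShareAcls.csv | Where-Object { $_.Broad -eq 'True' }
```

Two design points worth noting. The share-level mask is compared as a [uint32], because WMI returns AccessMask unsigned and a mask with GENERIC_READ set (0xA0000000) does not survive a signed comparison; the original script's -1610612736 case exists for exactly that value. And a "Broad" flag is computed from the SID rather than the display name, since "Everyone" is "Jeder" on a German server but S-1-1-0 everywhere. Note also that this audits share permissions only; the effective access is the intersection of the share DACL and the NTFS ACL of the folder, so a share that looks wide open here may still be locked down on disk.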

Comments
  1. Jon says:

    The peetersonline domain is no longer up and running, it would appear!

  2. whitzend00 says:

    Would there be a way to run this on a single computer and have it automatically detect each share?

  3. MiniAdmin says:

    Hi Jason, great script. Thank you for sharing.
    I had this error, running your script on Windows Server 2012:
    Method invocation failed because [System.Management.Automation.PSObject] doesn’t contain a method named ‘op_Addition’.

    Adding this:
    line 5: $myCol = @()

    …solves the problem.

  4. Kerem TAŞLIEL says:

    Hi, I'm using both your scripts get-myshare AND permissions to take all NAS Shares with permissions but I couldn't make them work together.

    So I’m firstly taking the list of shares with Get-MyShare
    Get-MyShares bos2-nassvr | select __SERVER, Caption

    and then I'm processing in Excel, then I'm taking permission lists one by one to a CSV file.

    But I was wondering, is there any way to add Server Name and Share name to the permission list?

    OR it would be perfect to make such a script which takes all share names and logs their permissions in a CSV file. Most people need such a script because of security reasons. I tried to combine your scripts but I couldn't :(

  5. Kerem TAŞLIEL says:

    Thanks for functions, with your two function I made a basic script to take data from all servers

    https://yadi.sk/d/zlktcz0Y388fX7

    For whoever needs such a thing I uploaded it to Yandex Disk, sorry it is a bit Turkish.

    Basically I'm writing the list of my servers (IP or FQDN) in a text file "SunucuListesi.txt" and running the script with PowerShell. After the script runs, the result file "SunucPaylasimlari 2016-12-30__09-29.csv" will appear.

    Surprisingly the Windows PS Export-CSV command doesn't have an "-append" option; thanks to another scripter I found another function for it.
