September 30, 2013

PowerShell function to get NTFS permissions on a folder for groups and users recursive

This script is something I’ve been playing with in my head for quite some time now.
Today I found some time to do script this 🙂

So, what are some of the use-cases?

Documentation (project, operational).
Reporting.
Auditing (compare files from today and yesterday and there’s your auditing).

The script requires the Active Directory module to be installed as defined by the line ‘#Requires –Modules ActiveDirectory’.
The output looks something like:

… and when you convert it to an Excel file, where a manager can do some auto-filtering:

Useful, right? 🙂

Here’s the script:

function Get-NTFSPermissions {
    &lt;#
    .SYNOPSIS
    Gets the NTFS rights set on a folder.
    .DESCRIPTION
    Gets the NTFS rights set on a folder and outputs the groups and users (recursive) in those groups.
    The output can be redirected to a CSV or manipulated by using PowerShell cmdlets.
    .PARAMETER ShareName
    This parameter takes the name of the share you want to get the NTFS rights from as input.
    .PARAMETER DomainName
    This parameter takes the NETBIOS name of your domain as input.
    .PARAMETER GroupsOnly
    This parameter is not mandatory and allows you to output only the shares, groups 
    and their respective rights.
    .EXAMPLE
    Get-FolderRights -ShareName '\\server.lan\share$\folder' -DomainName 'AD'

    This example takes the name and path of the share as input, aswell as the NETBIOS name of the domain.
    .EXAMPLE
    Get-FolderRights -ShareName '\\server.lan\share$\folder' -DomainName 'AD' | Convertto-CSV | Out-file NTFSRights.csv

    This example takes the name and path of the share as input, aswell as the 
    NETBios name of the domain.     Next the output is converted to CSV and written to a CSV file.
    .EXAMPLE
    Get-FolderRights -ShareName '\\server.lan\share$\folder' -DomainName 'AD' -GroupsOnly

    This example takes the name and path of the share as input, aswell as the NETBIOS name of the domain.
    Because the -GroupsOnly parameter is used, only rights for the groups are 
    gathered and not the users inside the groups.
    .NOTES
    AUTHOR    :  Jeff Wouters
    COMPANY   :  Methos
    #&gt;
    #Requires –Modules ActiveDirectory
    [cmdletbinding()]
    param (
        [parameter(mandatory=$true,position=0)]$ShareName,
        [parameter(mandatory=$true,position=1)]$DomainName,
        [parameter(mandatory=$false)][switch]$GroupsOnly
    )
    $Output = @()
    foreach ($Share in $ShareName) {
        $ACLs = Get-Acl -Path $Share
        foreach ($ACL in $ACLs) {
            foreach ($AccessRight in $ACL.Access) {
                $ObjectGroup = New-Object -TypeName PSObject
                $ObjectGroup | Add-Member –MemberType NoteProperty –Name 'DirectoryPath' –Value $Share
                $ObjectGroup | Add-Member –MemberType NoteProperty –Name 'Identity' –Value $AccessRight.IdentityReference
                $ObjectGroup | Add-Member –MemberType NoteProperty –Name 'SystemRights' –Value $AccessRight.FileSystemRights
                $ObjectGroup | Add-Member –MemberType NoteProperty –Name 'SystemRightsType' –Value $AccessRight.AccessControlType
                $ObjectGroup | Add-Member -MemberType NoteProperty -Name 'IsInherited' -Value $AccessRight.IsInherited
                $ObjectGroup | Add-Member -MemberType NoteProperty -Name 'InheritanceFlags' -Value $AccessRight.InheritanceFlags
                $ObjectGroup | Add-Member –MemberType NoteProperty –Name 'RulesProtected' –Value $ACL.AreAccessRulesProtected
                if ($GroupsOnly -eq $true) {
                    $ObjectGroup
                } else {
                    $Groups = $ObjectGroup | Select-Object -ExpandProperty 'Identity'
                    foreach ($Group in $Groups) {
                        if ($Group -like "$DomainName\*") {
                            $grp = $Group.tostring()
                            $gp = $grp.replace("$DomainName\",'')
                            $Users = Get-ADGroupMember -Recursive -Identity $gp
                            foreach ($User in $Users) {
                                $ObjectUser = New-Object -TypeName PSObject
                                $ObjectUser | Add-Member –MemberType NoteProperty –Name 'DirectoryPath' –Value $Share
                                $ObjectUser | Add-Member -MemberType NoteProperty -Name 'Group' -Value $gp
                                $ObjectUser | Add-Member –MemberType NoteProperty –Name 'SystemRights' –Value $ObjectGroup.SystemRights
                                $ObjectUser | Add-Member –MemberType NoteProperty –Name 'SystemRightsType' –Value $ObjectGroup.SystemRightsType
                                $ObjectUser | Add-Member -MemberType NoteProperty -Name 'IsInherited' -Value $ObjectGroup.IsInherited
                                $ObjectUser | Add-Member -MemberType NoteProperty -Name 'InheritanceFlags' -Value $ObjectGroup.InheritanceFlags
                                $ObjectUser | Add-Member –MemberType NoteProperty –Name 'RulesProtected' –Value $ObjectGroup.RulesProtected
                                $Usr = $User | Select-Object -expandproperty 'samaccountname'
                                $ObjectUser | Add-Member -MemberType NoteProperty -Name 'UserName' -Value $Usr
                                $ObjectUser
                            }
                        }
                    }
                }
            }
        }
    }
}

function Get-NTFSPermissions {

.SYNOPSIS

Gets the NTFS rights set on a folder.

.DESCRIPTION

Gets the NTFS rights set on a folder and outputs the groups and users (recursive) in those groups.

The output can be redirected to a CSV or manipulated by using PowerShell cmdlets.

.PARAMETER ShareName

This parameter takes the name of the share you want to get the NTFS rights from as input.

.PARAMETER DomainName

This parameter takes the NETBIOS name of your domain as input.

.PARAMETER GroupsOnly

This parameter is not mandatory and allows you to output only the shares, groups

and their respective rights.

.EXAMPLE

Get-FolderRights -ShareName '\\server.lan\share$\folder' -DomainName 'AD'

This example takes the name and path of the share as input, aswell as the NETBIOS name of the domain.

.EXAMPLE

Get-FolderRights -ShareName '\\server.lan\share$\folder' -DomainName 'AD' | Convertto-CSV | Out-file NTFSRights.csv

This example takes the name and path of the share as input, aswell as the

NETBios name of the domain. Next the output is converted to CSV and written to a CSV file.

.EXAMPLE

Get-FolderRights -ShareName '\\server.lan\share$\folder' -DomainName 'AD' -GroupsOnly

This example takes the name and path of the share as input, aswell as the NETBIOS name of the domain.

Because the -GroupsOnly parameter is used, only rights for the groups are

gathered and not the users inside the groups.

.NOTES

AUTHOR : Jeff Wouters

COMPANY : Methos

#Requires –Modules ActiveDirectory

[cmdletbinding()]

param (

[parameter(mandatory=$true,position=0)]$ShareName,

[parameter(mandatory=$true,position=1)]$DomainName,

[parameter(mandatory=$false)][switch]$GroupsOnly

)

$Output = @()

foreach ($Share in $ShareName) {

$ACLs = Get-Acl -Path $Share

foreach ($ACL in $ACLs) {

foreach ($AccessRight in $ACL.Access) {

$ObjectGroup = New-Object -TypeName PSObject

$ObjectGroup | Add-Member –MemberType NoteProperty –Name 'DirectoryPath' –Value $Share

$ObjectGroup | Add-Member –MemberType NoteProperty –Name 'Identity' –Value $AccessRight.IdentityReference

$ObjectGroup | Add-Member –MemberType NoteProperty –Name 'SystemRights' –Value $AccessRight.FileSystemRights

$ObjectGroup | Add-Member –MemberType NoteProperty –Name 'SystemRightsType' –Value $AccessRight.AccessControlType

$ObjectGroup | Add-Member -MemberType NoteProperty -Name 'IsInherited' -Value $AccessRight.IsInherited

$ObjectGroup | Add-Member -MemberType NoteProperty -Name 'InheritanceFlags' -Value $AccessRight.InheritanceFlags

$ObjectGroup | Add-Member –MemberType NoteProperty –Name 'RulesProtected' –Value $ACL.AreAccessRulesProtected

if ($GroupsOnly -eq $true) {

$ObjectGroup

} else {

$Groups = $ObjectGroup | Select-Object -ExpandProperty 'Identity'

foreach ($Group in $Groups) {

if ($Group -like "$DomainName\*") {

$grp = $Group.tostring()

$gp = $grp.replace("$DomainName\",'')

$Users = Get-ADGroupMember -Recursive -Identity $gp

foreach ($User in $Users) {

$ObjectUser = New-Object -TypeName PSObject

$ObjectUser | Add-Member –MemberType NoteProperty –Name 'DirectoryPath' –Value $Share

$ObjectUser | Add-Member -MemberType NoteProperty -Name 'Group' -Value $gp

$ObjectUser | Add-Member –MemberType NoteProperty –Name 'SystemRights' –Value $ObjectGroup.SystemRights

$ObjectUser | Add-Member –MemberType NoteProperty –Name 'SystemRightsType' –Value $ObjectGroup.SystemRightsType

$ObjectUser | Add-Member -MemberType NoteProperty -Name 'IsInherited' -Value $ObjectGroup.IsInherited

$ObjectUser | Add-Member -MemberType NoteProperty -Name 'InheritanceFlags' -Value $ObjectGroup.InheritanceFlags

$ObjectUser | Add-Member –MemberType NoteProperty –Name 'RulesProtected' –Value $ObjectGroup.RulesProtected

$Usr = $User | Select-Object -expandproperty 'samaccountname'

$ObjectUser | Add-Member -MemberType NoteProperty -Name 'UserName' -Value $Usr

$ObjectUser

}

3 comments

Noob says:

February 12, 2014 at 17:11

It seems like it is only listing users that are given permissions via a group. Any user assigned permission directly to the share will not be correctly listed.
The script does not check for users, only groups – that are then resolved into individual users.
User says:

October 17, 2014 at 12:00

‘DirectoryPath’ –Value $Share should better be ‘DirectoryPath’ –Value $ACL.Path to deal with wildcards in $path
Dusan says:

December 13, 2016 at 11:03

Not working on recruse folders and files 🙁

JeffOps

PowerShell function to get NTFS permissions on a folder for groups and users recursive

3 comments

Leave a Reply Cancel reply

Archives