This script is something I’ve been playing with in my head for quite some time now.
Today I found some time to script this 🙂
So, what are some of the use-cases?
- Documentation (project, operational).
- Reporting.
- Auditing (compare files from today and yesterday and there’s your auditing).
The script requires the Active Directory module to be installed, as declared by the line '#Requires -Modules ActiveDirectory'.
The output looks something like:
… and when you convert it to an Excel file, where a manager can do some auto-filtering:
Useful, right? 🙂
Here’s the script:
```powershell
#Requires -Modules ActiveDirectory
function Get-NTFSPermissions {
<#
.SYNOPSIS
    Gets the NTFS rights set on a folder.
.DESCRIPTION
    Gets the NTFS rights set on a folder and outputs the groups and the users
    (resolved recursively) in those groups. The output can be redirected to a
    CSV file or manipulated further with PowerShell cmdlets.
.PARAMETER ShareName
    The name (UNC path) of the share you want to get the NTFS rights from.
.PARAMETER DomainName
    The NETBIOS name of your domain.
.PARAMETER GroupsOnly
    Not mandatory. Outputs only the shares, groups and their respective rights,
    without resolving the users inside the groups.
.EXAMPLE
    Get-NTFSPermissions -ShareName '\\server.lan\share$\folder' -DomainName 'AD'
    Takes the name and path of the share as input, as well as the NETBIOS name of the domain.
.EXAMPLE
    Get-NTFSPermissions -ShareName '\\server.lan\share$\folder' -DomainName 'AD' | ConvertTo-Csv | Out-File NTFSRights.csv
    As above; next the output is converted to CSV and written to a CSV file.
.EXAMPLE
    Get-NTFSPermissions -ShareName '\\server.lan\share$\folder' -DomainName 'AD' -GroupsOnly
    As above, but because the -GroupsOnly parameter is used only the rights of the
    groups are gathered and not the users inside the groups.
.NOTES
    AUTHOR  : Jeff Wouters
    COMPANY : Methos
#>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true, Position=0)][string[]]$ShareName,
        [Parameter(Mandatory=$true, Position=1)][string]$DomainName,
        [Parameter(Mandatory=$false)][switch]$GroupsOnly
    )
    foreach ($Share in $ShareName) {
        $ACLs = Get-Acl -Path $Share
        foreach ($ACL in $ACLs) {
            foreach ($AccessRight in $ACL.Access) {
                # One object per ACE: who it names, which rights, and whether it was inherited.
                $ObjectGroup = New-Object -TypeName PSObject
                $ObjectGroup | Add-Member -MemberType NoteProperty -Name 'DirectoryPath'    -Value $Share
                $ObjectGroup | Add-Member -MemberType NoteProperty -Name 'Identity'         -Value $AccessRight.IdentityReference
                $ObjectGroup | Add-Member -MemberType NoteProperty -Name 'SystemRights'     -Value $AccessRight.FileSystemRights
                $ObjectGroup | Add-Member -MemberType NoteProperty -Name 'SystemRightsType' -Value $AccessRight.AccessControlType
                $ObjectGroup | Add-Member -MemberType NoteProperty -Name 'IsInherited'      -Value $AccessRight.IsInherited
                $ObjectGroup | Add-Member -MemberType NoteProperty -Name 'InheritanceFlags' -Value $AccessRight.InheritanceFlags
                $ObjectGroup | Add-Member -MemberType NoteProperty -Name 'RulesProtected'   -Value $ACL.AreAccessRulesProtected
                if ($GroupsOnly -eq $true) {
                    $ObjectGroup
                }
                else {
                    # Only identities from our own domain can be expanded through AD.
                    $Groups = $ObjectGroup | Select-Object -ExpandProperty 'Identity'
                    foreach ($Group in $Groups) {
                        if ($Group -like "$DomainName\*") {
                            $grp   = $Group.ToString()
                            $gp    = $grp.Replace("$DomainName\", '')
                            # -Recursive flattens nested groups into their member accounts.
                            $Users = Get-ADGroupMember -Recursive -Identity $gp
                            foreach ($User in $Users) {
                                # One object per effective user, carrying the ACE it came from.
                                $ObjectUser = New-Object -TypeName PSObject
                                $ObjectUser | Add-Member -MemberType NoteProperty -Name 'DirectoryPath'    -Value $Share
                                $ObjectUser | Add-Member -MemberType NoteProperty -Name 'Group'            -Value $gp
                                $ObjectUser | Add-Member -MemberType NoteProperty -Name 'SystemRights'     -Value $ObjectGroup.SystemRights
                                $ObjectUser | Add-Member -MemberType NoteProperty -Name 'SystemRightsType' -Value $ObjectGroup.SystemRightsType
                                $ObjectUser | Add-Member -MemberType NoteProperty -Name 'IsInherited'      -Value $ObjectGroup.IsInherited
                                $ObjectUser | Add-Member -MemberType NoteProperty -Name 'InheritanceFlags' -Value $ObjectGroup.InheritanceFlags
                                $ObjectUser | Add-Member -MemberType NoteProperty -Name 'RulesProtected'   -Value $ObjectGroup.RulesProtected
                                $Usr = $User | Select-Object -ExpandProperty 'SamAccountName'
                                $ObjectUser | Add-Member -MemberType NoteProperty -Name 'UserName'         -Value $Usr
                                $ObjectUser
                            }
                        }
                    }
                }
            }
        }
    }
}
```
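The auditing use-case from the list above (compare today's export with yesterday's) and the Excel-friendly CSV are easy to wire together. The following is an added example, not code from the post; it assumes the post's Get-NTFSPermissions function is already dot-sourced into the session, and the share path, domain name, snapshot folder and watch-list group names are placeholders to replace with your own.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not part of the original post). Assumes Get-NTFSPermissions from the
# post is loaded in the session. Share, domain, folder and watch-list values are placeholders.

function Save-NtfsSnapshot {
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$SnapshotDir
    )
    New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
    $Path = Join-Path $SnapshotDir ('ntfs-{0:yyyy-MM-dd}.csv' -f (Get-Date))
    # Export-Csv writes the header row Excel's auto-filter needs and, with
    # -NoTypeInformation, leaves out the "#TYPE" line that ConvertTo-Csv | Out-File adds.
    Get-NTFSPermissions -ShareName $ShareName -DomainName $DomainName |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    return $Path
}

function Compare-NtfsSnapshot {
    param(
        [Parameter(Mandatory)][string]$OldPath,
        [Parameter(Mandatory)][string]$NewPath,
        # Groups whose appearance on a share should always be reviewed (placeholder list).
        [string[]]$WatchList = @('Domain Users', 'Domain Computers')
    )
    $Old = @(Import-Csv -Path $OldPath)
    $New = @(Import-Csv -Path $NewPath)
    if ($Old.Count -eq 0 -or $New.Count -eq 0) {
        Write-Warning 'One of the snapshots is empty; nothing to compare.'
        return
    }
    # Every meaningful column is part of the key (default output mode of the post's
    # function, so Group and UserName exist): a changed right, a newly inherited ACE or
    # a new group member each surfaces as its own line.
    $Key = 'DirectoryPath', 'Group', 'UserName', 'SystemRights', 'SystemRightsType', 'IsInherited'
    Compare-Object -ReferenceObject $Old -DifferenceObject $New -Property $Key |
        ForEach-Object {
            # '=>' means present today but not yesterday; '<=' means it disappeared.
            $Change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            # A new Allow entry reaching the share through a watch-listed group is the
            # line an auditor wants to see first.
            $Review = ($_.SideIndicator -eq '=>' -and
                       $_.SystemRightsType -eq 'Allow' -and
                       $WatchList -contains $_.Group)
            [pscustomobject]@{
                Change        = $Change
                Review        = $Review
                DirectoryPath = $_.DirectoryPath
                Group         = $_.Group
                UserName      = $_.UserName
                Rights        = $_.SystemRights
                Type          = $_.SystemRightsType
                Inherited     = $_.IsInherited
            }
        }
}

# Usage: run once a day (e.g. from a scheduled task), then diff today's file with yesterday's.
$Today     = Save-NtfsSnapshot -ShareName '\\server.lan\share$\folder' -DomainName 'AD' -SnapshotDir 'C:\Audit\NTFS'
$Yesterday = Join-Path 'C:\Audit\NTFS' ('ntfs-{0:yyyy-MM-dd}.csv' -f (Get-Date).AddDays(-1))
if (Test-Path $Yesterday) {
    Compare-NtfsSnapshot -OldPath $Yesterday -NewPath $Today |
        Sort-Object Review -Descending | Format-Table -AutoSize
}
```

Because both sides of the comparison come from CSV, every property is a string on both sides, which is what makes Compare-Object -Property reliable here; comparing a fresh run against an imported file would mis-match booleans and enums.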
It seems like it is only listing users that are given permissions via a group. Any user assigned permission directly to the share will not be correctly listed.
The script does not check for users, only groups – that are then resolved into individual users.
'DirectoryPath' -Value $Share should better be 'DirectoryPath' -Value $ACL.Path to deal with wildcards in $path
Not working on recursive folders and files 🙁
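The three points raised in the comments (ACEs granted to a user directly, using the ACL's own path instead of the input string, and walking subfolders) can be handled in one variant of the same idea. The following is an added, hypothetical example and is neither the post author's nor the commenters' code; the share path and domain name are placeholders, and the function and parameter names are my own.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original post or the comments. A hypothetical variant of
# the post's idea that reports direct user ACEs, uses the ACL's own path and can recurse.

function Resolve-AceIdentity {
    # Returns one record per effective account behind an ACE identity.
    param([string]$Identity, [string]$DomainName)
    if ($Identity -notlike "$DomainName\*") {
        # BUILTIN\, NT AUTHORITY\ and local accounts cannot be expanded through AD;
        # report them as themselves so they are never silently dropped.
        return [pscustomobject]@{ Via = '(direct)'; UserName = $Identity }
    }
    $Sam = $Identity.Substring($DomainName.Length + 1)
    $Obj = Get-ADObject -Filter "sAMAccountName -eq '$Sam'"
    switch ($Obj.ObjectClass) {
        'group' {
            Get-ADGroupMember -Identity $Sam -Recursive |
                ForEach-Object { [pscustomobject]@{ Via = $Sam; UserName = $_.SamAccountName } }
        }
        default {
            # A user, computer or service account named directly in the ACE, or an
            # account AD no longer knows: report it as a direct grant either way.
            [pscustomobject]@{ Via = '(direct)'; UserName = $Sam }
        }
    }
}

function Get-NTFSPermissionsRecursive {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory, Position = 0)][string[]]$ShareName,
        [Parameter(Mandatory, Position = 1)][string]$DomainName,
        [switch]$Recurse
    )
    # Cache of identity -> resolved members, so a group seen on 500 folders is expanded once.
    $Cache = @{}
    foreach ($Share in $ShareName) {
        $Folders = @(Get-Item -LiteralPath $Share)
        if ($Recurse) {
            $Folders += Get-ChildItem -LiteralPath $Share -Directory -Recurse -ErrorAction SilentlyContinue
        }
        foreach ($Folder in $Folders) {
            $ACL = Get-Acl -LiteralPath $Folder.FullName
            # When recursing, only explicit ACEs are worth a line: inherited ones just
            # repeat the parent's entries on every subfolder.
            $Rules = $ACL.Access | Where-Object { -not $Recurse -or -not $_.IsInherited }
            foreach ($Rule in $Rules) {
                $Identity = $Rule.IdentityReference.Value
                if (-not $Cache.ContainsKey($Identity)) {
                    $Cache[$Identity] = @(Resolve-AceIdentity -Identity $Identity -DomainName $DomainName)
                }
                foreach ($Member in $Cache[$Identity]) {
                    [pscustomobject]@{
                        # $ACL.Path carries a provider prefix ("...FileSystem::"); strip it.
                        DirectoryPath    = $ACL.Path -replace '^.*::', ''
                        Identity         = $Identity
                        Via              = $Member.Via
                        UserName         = $Member.UserName
                        SystemRights     = $Rule.FileSystemRights
                        SystemRightsType = $Rule.AccessControlType
                        IsInherited      = $Rule.IsInherited
                        RulesProtected   = $ACL.AreAccessRulesProtected
                    }
                }
            }
        }
    }
}

# Usage (placeholders): every explicit grant under the share, one line per effective account.
Get-NTFSPermissionsRecursive -ShareName '\\server.lan\share$\folder' -DomainName 'AD' -Recurse |
    Export-Csv -Path 'NTFSRights.csv' -NoTypeInformation
```

The Via column is what makes the direct-user case visible: a row whose Via is '(direct)' is an ACE that names the account itself, which is exactly the kind of entry the first two comments say the original script leaves out.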