Dumping a list of shares and security permissions across a domain

    Question

  • Hello,

    I have been assigned the fairly daunting task of creating a list of ALL shares that exist within a single domain and also generating a list of all security groups that are being used for each share.  I'm trying to decide whether to use dumpsec or to write a powershell script for this and was hoping that I would find similar scripts that are already designed specifically for this purpose.  Does anyone have any suggestions?

    22 February 2012 13:54

Answers

All replies

  • You can use ShareEnum from Sysinternals:
    http://technet.microsoft.com/en-us/sysinternals/bb897442


    • Marked as answer by IamMredMicrosoft, Owner 25 February 2012 20:20
    22 February 2012 14:18
  • Hello,

    I've had some success using ShareEnum to dump lists of shares across my environment, however, I don't see how I can dump the list of security groups and permissions that I required.  What I really need is a list of all security groups being used to secure shares in my entire domain, this information will be used in identifying legacy groups for removal.  I believe dumpsec might work for this purpose and I've successfully used it on single servers, but I'm not sure how to get a dump of ALL security groups across an entire domain.  Any ideas?

    22 March 2012 13:13
  • Use the SubInAcl utility to dump share security. It can also replace security IDs and modify security on nearly any object in Windows.

    Normally the security on a share is set to either Everyone Read or Everyone Write.  The file security is set on the underlying folders.  Share level security is not the same as file system security and cannot be enumerated except by ShareEnum and SubInAcl.


    ¯\_(ツ)_/¯

    22 March 2012 15:07
  • That's an excellent point and I think that will make this quite a bit more challenging.  How can I only see a list of file system security permissions on shares?  I believe I could use shareenum to dump a list of all the shares in existence, but I don't see how I could get a list of permissions on those shares only by using SubInAcl.exe without a tonne of manual intervention.

    Perhaps I will have to generate a list of all shares with ShareEnum.exe and then a complete list of permissions with SubInAcl.exe and then cross reference?  This sounds like it would create massive files to go through...  Is there an easier way?

    22 March 2012 16:55
  • Yes that is one way.

    net share //server will also enumerate shares.

    There is code in the repository that will retrieve share permissions and can set share permissions:

    http://gallery.technet.microsoft.com/scriptcenter/Create-a-Share-and-Set-eb177a79

    The following will get you the access mask in PowerShell:

    gwmi win32_share -filter 'type=0'| %{$_.GetAccessMask()}|select returnvalue

    Here is the simplest way to use SubInAcl:

    subinacl /share \\server\*

    On WS2003 it will output this: 
    =====================
    +Share \\server\Users
    =====================
    /control=0x0
    /audit ace count   =0
    /perm. ace count   =3
    /pace =sec\domain admins        ACCESS_ALLOWED_ACE_TYPE-0x0
            Full Control
    /pace =sec\sbs folder operators         ACCESS_ALLOWED_ACE_TYPE-0x0
            Full Control
    /pace =sec\domain users         ACCESS_ALLOWED_ACE_TYPE-0x0
            Full Control

    ======================

    The output can be converted into SDDL or binary. 


    ¯\_(ツ)_/¯

    22 March 2012 20:20
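
An added example, not part of the original posts: a PowerShell parser that turns the `subinacl /share` text quoted above into one row per share and trustee, then lists the distinct groups in use. It assumes the WS2003 layout shown in the post; the function name `ConvertFrom-SubInAclShare` is hypothetical and the sample input is constructed from that post.

```powershell
# Constructed sample: the WS2003 output quoted in the post above.
$sample = @'
=====================
+Share \\server\Users
=====================
/control=0x0
/audit ace count   =0
/perm. ace count   =3
/pace =sec\domain admins        ACCESS_ALLOWED_ACE_TYPE-0x0
        Full Control
/pace =sec\sbs folder operators         ACCESS_ALLOWED_ACE_TYPE-0x0
        Full Control
/pace =sec\domain users         ACCESS_ALLOWED_ACE_TYPE-0x0
        Full Control
'@

# Hypothetical helper: one object per permission ACE, tagged with its share.
function ConvertFrom-SubInAclShare {
    param([string[]]$Line)
    $rows = @(); $share = $null; $ace = $null
    foreach ($l in $Line) {
        if ($l -match '^\s*\+Share\s+(\S.*)$') {
            # "+Share \\server\name" starts a new share section
            $share = $Matches[1].Trim(); $ace = $null
        }
        elseif ($l -match '^\s*/pace\s*=(.+?)\s+(ACCESS_\w+_ACE_TYPE)') {
            # "/pace =DOMAIN\group   ACCESS_..._ACE_TYPE-0x0"
            $ace = New-Object PSObject -Property @{
                Share = $share; Trustee = $Matches[1].Trim()
                AceType = $Matches[2]; Rights = '' }
            $rows += $ace
        }
        elseif ($ace -and $l -match '^\s+(\S.*)$') {
            # The indented line after a /pace entry carries the rights text
            $ace.Rights = $Matches[1].Trim(); $ace = $null
        }
    }
    $rows
}

$rows = ConvertFrom-SubInAclShare ($sample -split "\r?\n")
$rows | Select-Object Share, Trustee, AceType, Rights | Format-Table -AutoSize
# Distinct trustees and the number of share ACEs each one appears in
$rows | Group-Object Trustee | Select-Object Name, Count
```

Run against the concatenated output from every server, the final `Group-Object` line gives the list of groups that actually appear on share ACLs.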
  • This is proving to be a little more complex than I had originally thought.  I'm only interested in the file/folder permissions for shared folders.  As you point out, share permissions are usually set to everyone FC, which really isn't the information I need.  What I need are the file/folder level permissions for folders that are configured as shares (including sub-directories). 

    Originally I thought that I could do a dump of shares using ShareEnum and then cross reference with a dump of all permissions using dumpsec, but the share name will not necessarily correspond to the actual folder name being shared. 

    I guess what I really need is a dump of all non-default permission that has been assigned to any folder, anywhere on the network, across several different OS's (Windows 2003, Windows 2008, Windows 2008 R2).  This seems like a huge task that may produce a result that is so large that it's virtually unusable.

    Can I use dumpsec or subinacl to perform such a dump?  If I used subinacl, could I set the variable so that it polls all servers in the domain?  What would the variable be below?

    subinacl /share \\%variable%\*

    23 March 2012 18:41
  • SubInAcl can dump folders and subfolders.


    SubInAcl /file \\ws101\c$\scripts\*  /display=sddl


    ¯\_(ツ)_/¯

    23 March 2012 20:17
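
An added example, not part of the original thread: one way to do the cross-reference discussed above in a single pass. For each server it lists disk shares with `Win32_Share` (the class used earlier in the thread), keeps the local path next to the share name, and reports only explicit (non-inherited) NTFS ACEs so the result stays reviewable. The function name `Get-ShareFolderAcl` and the `servers.txt` input file are hypothetical; it assumes Windows PowerShell 3.0 or later and an account that can query WMI and read the ACLs on each server.

```powershell
# Hypothetical helper: explicit NTFS ACEs on every disk share of the given servers.
function Get-ShareFolderAcl {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [switch]$Recurse   # also walk sub-directories of each share
    )
    foreach ($server in $ComputerName) {
        try {
            # Type=0 is a disk share; admin shares (C$, ADMIN$) are excluded
            $shares = Get-WmiObject Win32_Share -ComputerName $server `
                          -Filter 'Type=0' -ErrorAction Stop
        } catch {
            Write-Warning "$server : share enumeration failed: $($_.Exception.Message)"
            continue
        }
        foreach ($s in $shares) {
            $unc = "\\$server\$($s.Name)"
            $paths = @($unc)
            if ($Recurse) {
                $paths += Get-ChildItem -LiteralPath $unc -Recurse -Directory `
                              -ErrorAction SilentlyContinue |
                          ForEach-Object { $_.FullName }
            }
            foreach ($p in $paths) {
                try { $acl = Get-Acl -LiteralPath $p -ErrorAction Stop }
                catch { Write-Warning "$p : $($_.Exception.Message)"; continue }
                foreach ($ace in $acl.Access) {
                    if ($ace.IsInherited) { continue }   # keep explicit ACEs only
                    New-Object PSObject -Property @{
                        Server    = $server
                        Share     = $s.Name
                        LocalPath = $s.Path              # folder behind the share
                        Folder    = $p
                        Identity  = $ace.IdentityReference.Value
                        Type      = $ace.AccessControlType
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

# servers.txt is an assumed file with one server name per line.
# Get-ShareFolderAcl -ComputerName (Get-Content .\servers.txt) -Recurse |
#     Export-Csv .\share-folder-acl.csv -NoTypeInformation
```

Grouping the CSV by the `Identity` column gives the set of groups referenced on shared folders, which is the list needed to spot legacy groups.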