shares folder permissions

  • Question

  • I'm using the following to get Share Permissions and NTFS Permissions on shared folders.  I would like to change both to get the share permissions and the ntfs permissions of the childitem of each of the shares.  Basically I want to go down one level.

    SHARE PERMISSIONS

    function Get-SharePermissions{  
    [cmdletbinding(
        DefaultParameterSetName = 'computer',
        ConfirmImpact = 'low'
    )]
        Param(
            [Parameter(
                Mandatory = $True,
                Position = 0,
                ParameterSetName = 'computer',
                ValueFromPipeline = $True)]
                [array]$computer                       
                )
    Begin {                 
        #Process Share report
        $sharereport = @()
        }
    Process {
        #Iterate through computers
        ForEach ($c in $computer) {
            Try {     
                Write-Verbose "Computer: $($c)"
                #Retrieve share information from computer
                $ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $c -ea stop
                ForEach ($Shares in $sharesec) {
                    Write-Verbose "Share: $($Shares.name)"
                        #Try to get the security descriptor
                        $SecurityDescriptor = $ShareS.GetSecurityDescriptor()
                        #Iterate through each descriptor
                        ForEach ($DACL in $SecurityDescriptor.Descriptor.DACL) {
                            $arrshare = New-Object PSObject
                            $arrshare | Add-Member NoteProperty Computer $c
                            $arrshare | Add-Member NoteProperty Name $Shares.Name
                            $arrshare | Add-Member NoteProperty ID $DACL.Trustee.Name
                            #Convert the current output into something more readable
                            Switch ($DACL.AccessMask) {
                                2032127 {$AccessMask = "FullControl"}
                                1179785 {$AccessMask = "Read"}
                                1180063 {$AccessMask = "Read, Write"}
                                1179817 {$AccessMask = "ReadAndExecute"}
                                -1610612736 {$AccessMask = "ReadAndExecuteExtended"}
                                1245631 {$AccessMask = "ReadAndExecute, Modify, Write"}
                                1180095 {$AccessMask = "ReadAndExecute, Write"}
                                268435456 {$AccessMask = "FullControl (Sub Only)"}
                                default {$AccessMask = $DACL.AccessMask}
                                }
                            $arrshare | Add-Member NoteProperty AccessMask $AccessMask
                            #Convert the current output into something more readable
                            Switch ($DACL.AceType) {
                                0 {$AceType = "Allow"}
                                1 {$AceType = "Deny"}
                                2 {$AceType = "Audit"}
                                }
                            $arrshare | Add-Member NoteProperty AceType $AceType
                            #Add to existing array
                            $sharereport += $arrshare
                            }
                        }
                    }
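                #Catch any errors
                Catch {
                    #Start a fresh row so a failed computer does not reuse the previous share's object
                    $arrshare = New-Object PSObject
                    $arrshare | Add-Member NoteProperty Computer $c
                    $arrshare | Add-Member NoteProperty Name "NA"
                    $arrshare | Add-Member NoteProperty ID "NA"
                    $arrshare | Add-Member NoteProperty AccessMask "NA"
                    $arrshare | Add-Member NoteProperty AceType "NA"
                    #Add the placeholder row here; a Finally block would re-add the last row on success too
                    $sharereport += $arrshare
                    }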
                }  
            }                        
    End {
        #Display report
        $Sharereport
        }
    }

    NTFS PERMISSIONS

    $ntfs = foreach ($b in (Get-WmiObject Win32_Share | where-object {$_.type -eq 0 -or $_.type -eq 2147483648 -and $_.name -ne 'admin$' -and $_.name -ne 'R$'})){$b | get-acl -ea SilentlyContinue | select @{n='Share Name';e={$b.name}}, owner, @{e={$_.accesstostring};Label="Permissions"}}


    SMaximus7

    Thursday, June 7, 2012 3:28 PM

Answers

  • I guess I worked enough at it that I came up with the answer on my own.  Here it is

    $server = 'myserver'
    # Disk shares only (type 0), skipping admin$ and R$
    $ntfs = gwmi Win32_Share -computername $server | where-object {$_.type -eq 0 -and $_.name -ne 'admin$' -and $_.name -ne 'R$'}
    # One level down: child items of each share (Win32_Share.Path is the share's local path on the server)
    $subfolder = foreach ($b in $ntfs) {$b | get-childitem}
    $subfolder | get-acl -audit:$true -ea SilentlyContinue |
        select @{Label="Folder Path";expression={$_.path.tostring().split(":")[2,3]}}, owner,
            @{expression={$_.audittostring};Label="Auditing"}, @{expression={$_.accesstostring};Label="Permissions"},
            @{n='Inherited';e={[String]::Join("`n", $( $_.Access | %{"$($_.IsInherited)"}))}}

    This does the trick!


    SMaximus7


    • Marked as answer by SMaximus7 Friday, June 8, 2012 11:26 PM
    • Edited by SMaximus7 Friday, June 8, 2012 11:30 PM error in code
    Friday, June 8, 2012 11:26 PM
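For the audit goal described in this thread (finding out whether inheritance has been broken one level below each share), the ACL object returned by `Get-Acl` exposes `AreAccessRulesProtected` and a per-ACE `IsInherited` flag. The following is an added example, not code from any poster in this thread; the function name `Get-ShareChildInheritance` and the `-ExcludeShare` default are assumptions, and it is meant to be run locally on the file server because `Win32_Share.Path` is a local path.

```powershell
function Get-ShareChildInheritance {
    [CmdletBinding()]
    param(
        # Share names to skip (assumption: adjust for your server)
        [string[]]$ExcludeShare = @('print$')
    )

    # Type 0 = disk share; Path is the share's local path on this server
    $shares = Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 0 -and $_.Path -and $ExcludeShare -notcontains $_.Name }

    foreach ($share in $shares) {
        # One level down only: directories directly under the share root
        $children = Get-ChildItem -LiteralPath $share.Path -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer }

        foreach ($dir in $children) {
            $row = New-Object PSObject -Property @{
                Share = $share.Name; Folder = $dir.FullName; Owner = 'NA'
                InheritanceDisabled = 'NA'; ExplicitAces = 'NA'
            }
            try {
                $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
                $row.Owner = $acl.Owner
                # True when the folder no longer inherits ACEs from its parent
                $row.InheritanceDisabled = $acl.AreAccessRulesProtected
                # ACEs set directly on this folder rather than inherited
                $row.ExplicitAces = ($acl.Access | Where-Object { -not $_.IsInherited } |
                    ForEach-Object { "$($_.IdentityReference) $($_.AccessControlType) $($_.FileSystemRights)" }) -join "`n"
            }
            catch {
                # Keep unreadable folders in the report instead of dropping them
                $row.ExplicitAces = "ERROR: $($_.Exception.Message)"
            }
            $row
        }
    }
}

# Folders worth a closer look: inheritance switched off or explicit ACEs present
Get-ShareChildInheritance |
    Where-Object { $_.InheritanceDisabled -eq $true -or $_.ExplicitAces }
```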

All replies

  • Hi,

    To bind it into one, you need to paste your NTFS script into the foreach (shares) loop.
    It's only my suggestion, but try to build the result at "share lvl"; it will be easier to merge share with NTFS permissions.
    Here is the code with my corrections:

    function Get-SharePermissions
    {  
    [cmdletbinding( 
      DefaultParameterSetName = 'computer', 
      ConfirmImpact = 'low' 
    )] 
    Param
    ( 
      [Parameter( 
        Mandatory = $True, 
        Position = 0, 
        ParameterSetName = 'computer', 
        ValueFromPipeline = $True)] 
        [String[]]$computer
    )
      
    Begin 
    {                 
      #Process Share report 
      $sharereport = @() 
    }
      
    Process 
    { 
      #Iterate through computers
      ForEach ($c in $computer) 
      { 
        Try 
        {     
          Write-Verbose "Computer: $($c)" 
          #Retrieve share information from computer
          $ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $c -ea stop
          $ShareName = Get-WmiObject -Class Win32_Share -ComputerName $c
          ForEach ($Shares in $sharesec) 
          { 
            Write-Verbose "Share: $($Shares.name)" 
            $arrshare = New-Object PSObject
            $arrshare | Add-Member NoteProperty Computer $c 
            $arrshare | Add-Member NoteProperty Name $Shares.Name 
            
            $ntfs = $ShareName | 
            where-object {$_.Name -eq $Shares.Name} | 
            get-acl -ea SilentlyContinue | 
            select owner, @{e={$_.accesstostring};Label="Permissions"}
              
            $arrshare | Add-Member NoteProperty Owner $ntfs.owner 
            $arrshare | Add-Member NoteProperty NTFSPermissions $ntfs.Permissions 
              
            #Try to get the security descriptor
            $SecurityDescriptor = $Shares.GetSecurityDescriptor()

            #Iterate through each descriptor
            $SharePermissionsArray = @()
            ForEach ($DACL in $SecurityDescriptor.Descriptor.DACL)
            {         
              $SharePermissions = New-Object PSObject
              $SharePermissions | Add-Member NoteProperty ID $DACL.Trustee.Name
              #Convert the current output into something more readable
              Switch ($DACL.AceType) 
              { 
                0 {$AceType = "Allow"} 
                1 {$AceType = "Deny"} 
                2 {$AceType = "Audit"} 
               } 
              $SharePermissions | Add-Member NoteProperty AceType $AceType 
              
              #Convert the current output into something more readable
              Switch ($DACL.AccessMask) 
              { 
                2032127 {$AccessMask = "FullControl"} 
                1179785 {$AccessMask = "Read"} 
                1180063 {$AccessMask = "Read, Write"} 
                1179817 {$AccessMask = "ReadAndExecute"} 
                -1610612736 {$AccessMask = "ReadAndExecuteExtended"}
                1245631 {$AccessMask = "ReadAndExecute, Modify, Write"}
                1180095 {$AccessMask = "ReadAndExecute, Write"} 
                268435456 {$AccessMask = "FullControl (Sub Only)"} 
                default {$AccessMask = $DACL.AccessMask} 
              } 
              $SharePermissions | Add-Member NoteProperty AccessMask $AccessMask
    
              #Add to existing array 
              $SharePermissionsArray += $SharePermissions.ID+" "+$SharePermissions.AceType+" "+$SharePermissions.AccessMask
              
            }
            $arrshare | Add-Member NoteProperty SharePermissions ($SharePermissionsArray -join "`n")
            $sharereport += $arrshare 
          } 
        } 
        #Catch any errors
        Catch 
        { 
          #Start a fresh row so a failed computer does not reuse the previous share's object
          $arrshare = New-Object PSObject
          $arrshare | Add-Member NoteProperty Computer $c 
          $arrshare | Add-Member NoteProperty Name "NA" 
          $arrshare | Add-Member NoteProperty ID "NA"  
          $arrshare | Add-Member NoteProperty AccessMask "NA"
    
          #Add to existing array 
          $sharereport += $arrshare       
        }  
      }  
    }
    
    End 
    { 
      #Display report 
      $Sharereport 
    } 
    }
    

    Friday, June 8, 2012 6:53 AM
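Both versions of `Get-SharePermissions` above translate `AccessMask` with an exact-value lookup, so any mask outside the eight listed values falls through to the raw number. The following added example (not code from any poster in this thread; the function name `ConvertFrom-ShareAccessMask` is an assumption) decodes the mask bit by bit instead, treating the four generic-rights bits separately and mapping the rest onto the .NET `FileSystemRights` enum. Its labels follow the enum, so they differ slightly from the strings in the scripts above.

```powershell
function ConvertFrom-ShareAccessMask {
    param([Parameter(Mandatory = $true)][long]$AccessMask)

    # Normalise to an unsigned 32-bit value (-1610612736 becomes 0xA0000000)
    $mask = $AccessMask -band 4294967295

    # Generic rights sit in the top four bits and are not part of FileSystemRights
    $generic = [ordered]@{
        GenericRead    = 2147483648   # 0x80000000
        GenericWrite   = 1073741824   # 0x40000000
        GenericExecute = 536870912    # 0x20000000
        GenericAll     = 268435456    # 0x10000000
    }

    $names = @()
    foreach ($g in $generic.GetEnumerator()) {
        if ($mask -band $g.Value) { $names += $g.Key }
    }

    # Remaining bits: standard and file-specific rights (0x0FFFFFFF)
    $specific = $mask -band 268435455
    if ($specific -ne 0) {
        # ToObject does not throw on undefined bits; ToString then yields the number
        $rights = [Enum]::ToObject([System.Security.AccessControl.FileSystemRights], [int]$specific)
        $names += $rights.ToString()
    }

    if ($names.Count -eq 0) { return 'None' }
    $names -join ', '
}

# Constructed sample input: mask values taken from the lookup table in the thread
2032127, 1179817, 1245631, -1610612736, 268435456 | ForEach-Object {
    '{0,12} -> {1}' -f $_, (ConvertFrom-ShareAccessMask $_)
}
```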
  • Thanks Michal. Your script basically joins both of mine together, which is nice by the way. However, I did want to keep them separate. What I would like to do is to get the permissions of the shared folder, then do the same for the next set of folders within the shared folder. This is for an audit report; this will basically tell me if the inheritance of the folders within has been broken or not. Ideally, if you can help me change the scripts I'm using to get the permissions of the next level of folders instead of the shared folder, that would be great. That way I can have a section for the permissions of the top level folder (actual share) using my current scripts and then another section for the next level folder using your modified one.

    SMaximus7

    Friday, June 8, 2012 12:09 PM
  • Michal,

    Is your script the same as Boe Prox at http://gallery.technet.microsoft.com/scriptcenter/a231026a-3fdb-4190-9915-38d8cd827348 ?


    Life is short, Enjoy it now. Cyreli

    Friday, June 8, 2012 3:01 PM
  • Michal's script is similar to that one, but there are quite a number of differences between both scripts.

    SMaximus7

    Friday, June 8, 2012 3:05 PM
  • Please do not add questions to 10-year-old closed topics.


    \_(ツ)_/

    Thursday, March 12, 2020 5:39 PM