none
Powershell script to check user/group share permission

    Question

  • Hi!

     

    I am looking for a script that can tell me which user or group has permission on which shares on different servers.

    Thanks for any help.

     

    Regards,

     

    Thursday, September 29, 2011 12:34 PM

Answers

All replies

  • http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/e743e444-1a78-476a-adff-db356435f592/

    Download ShareUtils module by Vadims Podans.

    Get-Share |  select name -exp SecurityDescriptor
    


     


    Thursday, September 29, 2011 12:42 PM
  • Are you looking for the share permissions or the shared folder's NTFS permissions (security)? 

     


    Andreas Hultgren
    MCTS, MCITP
    http://ahultgren.blogspot.com/
    Thursday, September 29, 2011 12:42 PM
  • shared folder's NTFS permissions
    Thursday, September 29, 2011 1:26 PM
  • Get-Help Get-Acl.

    On remote Server:

    Get-Acl \\Server\C$\ShareFolder | select -exp Access
    


    Thursday, September 29, 2011 1:30 PM
  • Thanks.

     

    Can you we check other way around i.e from username?

    Thursday, September 29, 2011 1:46 PM
  • Do you want to know what folders a specific user has access to? 

    The easy answer: No

    ..unless you scan each and every folder in your network (or within a specific share) and look at the ACL to see if the user is present. Within a share is obviously easier, but depending on the size it can take a long time. There are tools (like Security Explorer) that can do this. 

     


    Andreas Hultgren
    MCTS, MCITP
    http://ahultgren.blogspot.com/
    Thursday, September 29, 2011 1:53 PM
  • Ok. Thanks alot for your help.
    Thursday, September 29, 2011 2:00 PM
  • A Friend help me with this script. But I can't seem to get inheritance permissions to report what the security details are. It still lists the rights to folders but not R/W/M for a group the user belongs to.

    \\<server>\explicit_rights AD\<username> Allow Modify, Synchronize
    \\<server>\Group1      
    \\<server>\Group2      

    Bottom 2 are inherited. Top is explicit

    I hope this helps.

         

    #Prompt for input (username, root folder)
    $User = Read-Host "Enter the username to check"
    $RootDir = Read-Host "Enter the root directory to check"

    #Get list of subdirectories. We just need the Fullname (Complete path).
    $Dirs = @(gci $RootDir -recurse) | Where {$_.mode -match "d"} | Select Fullname

    #Create array to store results
    $Compiled = @()

    forEach ($Dir in $dirs)
    {
       #Get the ACL for the current subdirectory. Format it in a way we can work with.
        $ACL = Get-Acl $dir.fullname
        $List = @($ACL.access | Select IdentityReference,AccessControlType,FileSystemRights)
       #Filter for $user, remove List and ACL arrays
        $Filtered = $List | Where {$_.identityreference -match $user}
        Remove-item variable:ACL
        Remove-item variable:List
       
       #Create an object for each line in the above $List.
        forEach ($line in $Filtered)
        {
            $Object = New-Object PSObject -property @{
                "Directory" = $dir.Fullname
                "User" = $line.IdentityReference
                "AccessControl" = $line.AccessControlType
                "Rights" = $line.FileSystemRights
                }
           #Add this object to the $Compiled array.   
            $Compiled += $Object
        }
    }

    #Save the report.  You could add a Read-Host statement here to prompt for a filename/location, if you want.
    $Compiled | Select Directory,user,accesscontrol,rights | Sort Directory | Export-CSV -notypeinformation "$env:userprofile\desktop\Permissions_$user.csv"

    • Proposed as answer by Alaska Chad Monday, October 28, 2013 5:11 PM
    Monday, October 28, 2013 5:10 PM