none
PowerShellAccessControl Question

    Question

  • Hello,

    We were asked to find a way to check the effective permissions of shares on servers across our environment. I did some research and found the PowerShell Access Control module here: https://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83 

    I started playing with it, and thought it would be perfect, specifically the Get-PacEffectiveAccess command. It seemed to get the correct effective permissions on shares for my logged in user, but when I passed it someone who I new shouldn't have access to a share, it came back and said they did.

    I re-checked the share, and while the NTFS permissions do not list that account specifically, it does list a group they are in that has explicit Deny on all permissions. If I use the Get-PacEffectiveAccess and specify that group, it does show they have no access. 

    So I guess my question is, should the command be taking into account their group membership, or have I misread it?

    And does anyone have any other experience doing something similar to try and audit access to shares?

     

    Friday, November 9, 2018 2:49 AM

All replies