Comments on: Reading share security with PowerShell

By: Gord Moore

Gord Moore — Fri, 04 Nov 2011 01:25:15 +0000

Nice piece of kit – very nice little script that was just what I was after.

By: Mladen Milunovic

Mladen Milunovic — Thu, 23 Dec 2010 09:09:00 +0000

Hi, here is a script that list NTFS permissions for remote shares. Only thing is you have to enter shares manualy in to text file.

#==========================================================================
# NAME: ACL on Shared folder
# AUTHOR: Mladen
# DATE  : 01/12/2010
# COMMENT: Check permissions on NTFS shared folder and send report to excel
# REQUIREMENTS: QuestAD for PowerShell (Quest ActiveRoles), Excel, Acces to share
# shares.txt is file with shares in format \\server\share1
#==========================================================================

#$erroractionpreference = "SilentlyContinue"
$a = New-Object -comobject Excel.Application
$a.visible = $True
$b = $a.Workbooks.Add()
$c = $b.Worksheets.Item(1)
$c.Cells.Item(1,1) = "Share"
$c.Cells.Item(1,2) = "Account"
$c.Cells.Item(1,3) = "Permission"
$c.Cells.Item(1,4) = "User Name"
$d = $c.UsedRange
$d.Interior.ColorIndex = 19
$d.Font.ColorIndex = 11
$d.Font.Bold = $True

$intRow = 2

$colShares = get-content shares.txt
foreach ($strShare in $colShares)
{
$c.Cells.Item($intRow, 1) = $strShare
$c.Cells.Item($intRow, 1).Font.Bold = $True
$acl = Get-Acl $strShare
$perm = $acl.Access
	foreach ($object in $perm)
	{
	$intRow = $intRow + 1
	$userName = [string]$object.IdentityReference
	$c.Cells.Item($intRow, 2) = $userName
	$c.Cells.Item($intRow, 3) = [string]$object.FileSystemRights
	$fullName = Get-QADUser $userName
	$c.Cells.Item($intRow, 4) = $fullName.Name
	}
$intRow = $intRow + 1
}
$d.EntireColumn.AutoFit()

Regards,
Mladen.

By: Justin McAlister

Justin McAlister — Mon, 26 Apr 2010 19:37:51 +0000

Got it! Thank you very much.

By: Chris

Chris — Mon, 26 Apr 2010 19:24:19 +0000

My function cheats a little, passing the values from the ACE into the constructor for Security.AccessControl.FileSystemAccessRule. You’re spot on with the access mask value behaviour. To finish it off you need to read the AceType, that’ll tell you if it’s Allow or Deny.

Chris

By: Justin McAlister

Justin McAlister — Mon, 26 Apr 2010 19:13:43 +0000

Hi Chris,

I have been trying to do something similar, and was wondering if you came up with the same results. So with share level permissions there are really only 3 levels of access granting Read, Change, and Full Control. So I put this together and it reports against those 3 without any issues:

(GWMI Win32_LogicalShareSecuritySetting -Computer SERVERNAME).GetSecurityDescriptor().Descriptor.DACL | Select `
	@{N="Account Name";E={
		If($_.Trustee.Domain -eq $null){$_.Trustee.Name}
		Else{$_.Trustee.Domain + "\" + $_.Trustee.Name}
	}}, `
	@{N="Share Permissions";E={
		Switch($_.AccessMask){
			2032127 {$strSharePerm = "Full Control"}
			1179817 {$strSharePerm = "Read"}
			1245631 {$strSharePerm = "Change"}
			Default {$strSharePerm = "Unknown"}
		}
		$strSharePerm
	}}

Please excuse the ugly formatting, and I am sure there is a far better way to do it, but my issue is with implicitly denied share permissions. The .AccessMask property value for allow full control appears to be the same as deny full control. Same with read and change. Now it’s a rare case where I come acrossed deny share permissions, but it’s possible.

I was wondering if you has the same issue with your function. This is omnipower321 from EE by the way. You have answered a ton of my questions, and I am a fan of your site.

By: Kleine Tipps für Zwischendurch (Teil 13) – Umgang mit UNC-Pfaden « Peter’s PowerShell Blog (German only)

Fri, 22 May 2009 12:28:59 +0000

[...] Wie sich per WMI und der Win32_LogicalShareSecuritySetting-Klasse die Freigabeberechtigungen auslesen lassen, verrät ein interessanter Blog-Eintrag. [...]