rolyatn

asked on

Scripted Network Share Permission Audit

Hi,

I've been asked to verify permissions set on directories for Windows shares, as follows.

- Approx 15-20 servers
- Each with a number of shares, all configured with 'Everyone' permissions for the share
- Underlying folder has groups permissioned for read/change

I need to get a list of all the shares, their underlying folder, and the permissions on the folders, so I'd have something like this:

Server     Share     Folder       Group          Permission
LONDON1    Reports   d:\Reports   LONMarketing   Read
and so on, across all the servers.

I'm a bit of a newbie to WSH and WMI, though have some programming experience so I get the concepts. Rather than reinventing the wheel (which would take time by myself whilst I try and learn how to do this), I was hoping someone might have a script to enumerate all the shares on a specified list of servers, returning the directories associated with them and the permissions on those directories.


Many thanks in advance.
SOLUTION
Rich Rumble
This solution is only available to members.
SOLUTION
Also, if you want to output the contents of a bat file to a file, simply run it from a command line and pipe it to a file, see below:

c:\documents and settings\administrator\Desktop> setperm.bat "C:\share\rootfolder" "domain.com" C > out.txt

The above line will run the "setperm.bat" file (from the administrator's desktop), passing the requirements for the example bat file I gave above, and output it to "out.txt" (on the administrator's desktop).
prashsax

I think MBSA 2.0 also shows you Share Folder permissions when you scan server using it.

You can scan all your servers using MBSA 2.0 and save the share folder permissions listing.

It is a free download from microsoft.com.
ASKER CERTIFIED SOLUTION
Hey richrumble,

That script is great, cheers for posting that up.

Did you by any chance get around to modifying it to read from a file like you mentioned?

Cheers

Steve
I did finally (today) when you asked ;) A little trial and error, plenty of typos... but it's all sorted now. You can use a file that has one pc or one ip per line:

1.2.3.4
3.4.5.6
pc_name
srvr_name
pc_01
etc...
Output is XML; if you don't want that, have a look here:
https://www.experts-exchange.com/questions/21986624/Combine-these-two-WSH-scripts.html?anchorAnswerId=23601997#a23601997

From a cmd prompt I type:
cscript /nologo share.vbs >share.xml

Remember to change: Const INPUT_FILE_NAME = "C:\tools\Computers.txt"
to suit your path, you could also do a drag and drop thing...

INPUT_FILE = Wscript.Arguments(0)

What does that gain you? Well, suppose you have a bunch of text files that contain computer names: one with your DHCP servers, one with your domain controllers, one with your email servers. Do you need to create separate scripts for each of these? Heck no. In Windows Explorer, drag the appropriate text file onto the icon for your script (shares.vbs). The script will use the name of the text file as an argument, and then automatically open and read that file.
-rich
Option Explicit

' Security-descriptor control flag and ACE types (Win32_SecurityDescriptor / Win32_ACE)
Const SE_DACL_PRESENT = &h4
Const ACCESS_ALLOWED_ACE_TYPE = &h0
Const ACCESS_DENIED_ACE_TYPE  = &h1
' File and folder access-mask bits
Const FILE_ALL_ACCESS = &h1f01ff
Const FOLDER_ADD_SUBDIRECTORY = &h000004
Const FILE_DELETE = &h010000
Const FILE_DELETE_CHILD = &h000040
Const FOLDER_TRAVERSE = &h000020
Const FILE_READ_ATTRIBUTES = &h000080
Const FILE_READ_CONTROL = &h020000
Const FOLDER_LIST_DIRECTORY = &h000001
Const FILE_READ_EA = &h000008
Const FILE_SYNCHRONIZE = &h100000
Const FILE_WRITE_ATTRIBUTES = &h000100
Const FILE_WRITE_DAC = &h040000
Const FOLDER_ADD_FILE = &h000002
Const FILE_WRITE_EA = &h000010
Const FILE_WRITE_OWNER = &h080000
Const WBEM_RETURN_IMMEDIATELY = &h10
Const WBEM_FORWARD_ONLY = &h20

' Input file: one computer name or IP address per line
Const INPUT_FILE_NAME = "C:\tools\Computers.txt"
Const FOR_READING = 1

Dim objWMIService, objItem
Dim strComputer, strLine, strFileContents
Dim arrComputers
Dim colItems
Dim objFSO, objFile
Dim arrRightNames, arrRightMasks

' Escape the characters that would otherwise break the XML output.
' ("" & value) turns a Null (the Domain of well-known SIDs such as Everyone) into an empty string.
Function XmlEscape(strValue)
	XmlEscape = Replace(Replace(Replace("" & strValue, "&", "&amp;"), "<", "&lt;"), ">", "&gt;")
End Function

Sub ReadDescriptor(strPath)
	Dim objFolderSecuritySettings, objSD, objACE
	Dim arrACEs
	Dim intControlFlags, i

	On Error Resume Next
	Set objFolderSecuritySettings = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strPath & "'")
	objFolderSecuritySettings.GetSecurityDescriptor objSD
	If Err.Number <> 0 Then
		' Record the failure (access denied, path gone, ...) rather than emitting an empty share
		WScript.Echo vbTab & vbTab & "<Error>" & XmlEscape(Err.Description) & "</Error>"
		Err.Clear
		Exit Sub
	End If
	On Error Goto 0

	intControlFlags = objSD.ControlFlags
	If intControlFlags And SE_DACL_PRESENT Then
		arrACEs = objSD.DACL
		' A DACL that is present but holds no ACEs comes back as Null and grants nobody access
		If IsNull(arrACEs) Then
			WScript.Echo vbTab & vbTab & "<Empty_DACL>DACL present but contains no ACEs</Empty_DACL>"
			Exit Sub
		End If
		For Each objACE In arrACEs
			WScript.Echo vbTab & vbTab & "<ACL>"
			WScript.Echo vbTab & vbTab & vbTab & "<Trustee>" & XmlEscape(objACE.Trustee.Domain & "\" & objACE.Trustee.Name) & "</Trustee>"
			If objACE.AceType = ACCESS_ALLOWED_ACE_TYPE Then
				WScript.Echo vbTab & vbTab & vbTab & "<ACCESS_ALLOWED_ACE_TYPE>Allowed</ACCESS_ALLOWED_ACE_TYPE>"
			ElseIf objACE.AceType = ACCESS_DENIED_ACE_TYPE Then
				WScript.Echo vbTab & vbTab & vbTab & "<ACCESS_DENIED_ACE_TYPE>Denied</ACCESS_DENIED_ACE_TYPE>"
			End If
			' Emit one element per right whose bits are ALL set in the mask. A plain non-zero test of
			' "AccessMask And FILE_ALL_ACCESS" would report full control for every ACE that has any bit set.
			For i = 0 To UBound(arrRightNames)
				If (objACE.AccessMask And arrRightMasks(i)) = arrRightMasks(i) Then
					WScript.Echo vbTab & vbTab & vbTab & "<" & arrRightNames(i) & ">" & arrRightNames(i) & "</" & arrRightNames(i) & ">"
				End If
			Next
			WScript.Echo vbTab & vbTab & "</ACL>"
		Next
	Else
		' No DACL at all (a NULL DACL) means the folder is open to everyone
		WScript.Echo vbTab & vbTab & "<No_DACL>No DACL present in security descriptor</No_DACL>"
	End If
End Sub

'
' Main Code
'
' Right names and their masks are paired by position; keep both lists in the same order
arrRightNames = Array("FILE_ALL_ACCESS", "FOLDER_ADD_SUBDIRECTORY", "FILE_DELETE", "FILE_DELETE_CHILD", _
	"FOLDER_TRAVERSE", "FILE_READ_ATTRIBUTES", "FILE_READ_CONTROL", "FOLDER_LIST_DIRECTORY", "FILE_READ_EA", _
	"FILE_SYNCHRONIZE", "FILE_WRITE_ATTRIBUTES", "FILE_WRITE_DAC", "FOLDER_ADD_FILE", "FILE_WRITE_EA", "FILE_WRITE_OWNER")
arrRightMasks = Array(FILE_ALL_ACCESS, FOLDER_ADD_SUBDIRECTORY, FILE_DELETE, FILE_DELETE_CHILD, _
	FOLDER_TRAVERSE, FILE_READ_ATTRIBUTES, FILE_READ_CONTROL, FOLDER_LIST_DIRECTORY, FILE_READ_EA, _
	FILE_SYNCHRONIZE, FILE_WRITE_ATTRIBUTES, FILE_WRITE_DAC, FOLDER_ADD_FILE, FILE_WRITE_EA, FILE_WRITE_OWNER)

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(INPUT_FILE_NAME, FOR_READING)
strFileContents = objFile.ReadAll
objFile.Close
' Accept both CRLF and LF line endings
arrComputers = Split(Replace(strFileContents, vbCr, ""), vbLf)

WScript.Echo "<?xml version=" & Chr(34) & "1.0" & Chr(34) & "?>"
WScript.Echo "<Inventory_1.0>"
For Each strLine In arrComputers
	strComputer = Trim(strLine)
	' Skip blank lines, including the one a trailing newline produces
	If strComputer <> "" Then
		WScript.Echo "<Computer>"
		WScript.Echo vbTab & "<Computer_Name>" & XmlEscape(strComputer) & "</Computer_Name>"
		On Error Resume Next
		Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
		If Err.Number <> 0 Then
			' Unreachable host, RPC blocked, access denied: say so instead of emitting an empty entry
			WScript.Echo vbTab & "<Error>" & XmlEscape(Err.Description) & "</Error>"
			Err.Clear
		Else
			' Type=0 selects disk shares; administrative shares (C$, ADMIN$) carry the &h80000000 flag and are skipped
			Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_Share WHERE Type=0", "WQL", _
				WBEM_RETURN_IMMEDIATELY + WBEM_FORWARD_ONLY)
			For Each objItem In colItems
				WScript.Echo vbTab & "<Share>"
				WScript.Echo vbTab & vbTab & "<Name>" & XmlEscape(objItem.Name) & "</Name>"
				WScript.Echo vbTab & vbTab & "<Path>" & XmlEscape(objItem.Path) & "</Path>"
				ReadDescriptor objItem.Path
				WScript.Echo vbTab & "</Share>"
			Next
		End If
		On Error Goto 0
		WScript.Echo "</Computer>"
		Set objWMIService = Nothing
	End If
Next
WScript.Echo "</Inventory_1.0>"

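The script above emits one XML element per NTFS right, while the question asked for a flat Server / Share / Folder / Group / Permission table with a simple Read or Change classification. The Python below is an added example, not code from this thread: it parses that XML (a constructed sample in the script's element layout is embedded; the trustee element is accepted under either the `<Trustee>` or the `<objACE.Trustee.Domain>` name), collapses the right names into Explorer's Read, Read & Execute, Modify and Full Control levels, flags broad groups such as Everyone that hold write rights, and treats a missing DACL as the wide-open condition it is. The `BROAD_GROUPS` list and the right-to-level groupings are this example's assumptions; the level is derived from the individual right elements and never from the `FILE_ALL_ACCESS` element, because a non-zero test of `AccessMask AND FILE_ALL_ACCESS` emits that element for every ACE.

```python
"""Flatten share.vbs-style XML into audit rows and flag risky ACEs."""
import csv
import io
import xml.etree.ElementTree as ET

# Rights as the script names them, grouped the way Explorer's Security tab groups them (assumption).
READ = {"FOLDER_LIST_DIRECTORY", "FILE_READ_ATTRIBUTES", "FILE_READ_EA",
        "FILE_READ_CONTROL", "FILE_SYNCHRONIZE"}
READ_EXECUTE = READ | {"FOLDER_TRAVERSE"}
MODIFY = READ_EXECUTE | {"FOLDER_ADD_FILE", "FOLDER_ADD_SUBDIRECTORY",
                         "FILE_WRITE_ATTRIBUTES", "FILE_WRITE_EA", "FILE_DELETE"}
FULL = MODIFY | {"FILE_DELETE_CHILD", "FILE_WRITE_DAC", "FILE_WRITE_OWNER"}
WRITE_RIGHTS = FULL - READ_EXECUTE
# Trustees that should not hold write rights on an audited share (assumption for this example).
BROAD_GROUPS = {"everyone", "authenticated users", "users", "domain users"}

# Constructed sample in the layout the script echoes (raw string: the paths contain backslashes).
SAMPLE_XML = r"""<?xml version="1.0"?>
<Inventory_1.0>
<Computer>
<Computer_Name>LONDON1</Computer_Name>
<Share>
<Name>Reports</Name>
<Path>d:\Reports</Path>
<ACL>
<Trustee>CORP\LONMarketing</Trustee>
	<ACCESS_ALLOWED_ACE_TYPE>Allowed</ACCESS_ALLOWED_ACE_TYPE>
	<FOLDER_TRAVERSE>FOLDER_TRAVERSE</FOLDER_TRAVERSE>
	<FILE_READ_ATTRIBUTES>FILE_READ_ATTRIBUTES</FILE_READ_ATTRIBUTES>
	<FILE_READ_CONTROL>FILE_READ_CONTROL</FILE_READ_CONTROL>
	<FOLDER_LIST_DIRECTORY>FOLDER_LIST_DIRECTORY</FOLDER_LIST_DIRECTORY>
	<FILE_READ_EA>FILE_READ_EA</FILE_READ_EA>
	<FILE_SYNCHRONIZE>FILE_SYNCHRONIZE</FILE_SYNCHRONIZE>
</ACL>
<ACL>
<Trustee>\Everyone</Trustee>
	<ACCESS_ALLOWED_ACE_TYPE>Allowed</ACCESS_ALLOWED_ACE_TYPE>
	<FILE_ALL_ACCESS>FILE_ALL_ACCESS</FILE_ALL_ACCESS>
	<FOLDER_ADD_SUBDIRECTORY>FOLDER_ADD_SUBDIRECTORY</FOLDER_ADD_SUBDIRECTORY>
	<FILE_DELETE>FILE_DELETE</FILE_DELETE>
	<FOLDER_TRAVERSE>FOLDER_TRAVERSE</FOLDER_TRAVERSE>
	<FILE_READ_ATTRIBUTES>FILE_READ_ATTRIBUTES</FILE_READ_ATTRIBUTES>
	<FILE_READ_CONTROL>FILE_READ_CONTROL</FILE_READ_CONTROL>
	<FOLDER_LIST_DIRECTORY>FOLDER_LIST_DIRECTORY</FOLDER_LIST_DIRECTORY>
	<FILE_READ_EA>FILE_READ_EA</FILE_READ_EA>
	<FILE_SYNCHRONIZE>FILE_SYNCHRONIZE</FILE_SYNCHRONIZE>
	<FILE_WRITE_ATTRIBUTES>FILE_WRITE_ATTRIBUTES</FILE_WRITE_ATTRIBUTES>
	<FOLDER_ADD_FILE>FOLDER_ADD_FILE</FOLDER_ADD_FILE>
	<FILE_WRITE_EA>FILE_WRITE_EA</FILE_WRITE_EA>
</ACL>
</Share>
<Share>
<Name>Old</Name>
<Path>e:\Old</Path>
<No_DACL>No DACL present in security descriptor</No_DACL>
</Share>
</Computer>
</Inventory_1.0>"""


def classify(rights):
    """Map a set of right names to an Explorer-style label (superset tests, so extra bits
    still count as the higher level)."""
    if rights >= FULL:
        return "Full Control"
    if rights >= MODIFY:
        return "Modify"
    if rights >= READ_EXECUTE:
        return "Read & Execute"
    if rights >= READ:
        return "Read"
    return "Special (" + ", ".join(sorted(rights)) + ")"


def parse_inventory(xml_text):
    """Return one row per ACE (or per missing DACL) across every computer and share."""
    rows = []
    for comp in ET.fromstring(xml_text).iter("Computer"):
        server = comp.findtext("Computer_Name", "").strip()
        for share in comp.iter("Share"):
            folder = share.findtext("Path", "").strip()
            name = share.findtext("Name", "").strip() or folder
            if share.find("No_DACL") is not None:
                # A NULL DACL is not "no permissions": it grants everyone full access.
                rows.append(dict(server=server, share=name, folder=folder, trustee="(no DACL)",
                                 ace="Allowed", permission="Full Control (null DACL)", flagged=True))
                continue
            for acl in share.iter("ACL"):
                trustee = (acl.findtext("Trustee") or acl.findtext("objACE.Trustee.Domain") or "").strip()
                ace = "Denied" if acl.find("ACCESS_DENIED_ACE_TYPE") is not None else "Allowed"
                # Individual right elements only; FILE_ALL_ACCESS is deliberately ignored (see lead-in).
                rights = {child.tag for child in acl
                          if child.tag.startswith(("FILE_", "FOLDER_")) and child.tag != "FILE_ALL_ACCESS"}
                group = trustee.rsplit("\\", 1)[-1].lower()
                flagged = ace == "Allowed" and group in BROAD_GROUPS and bool(rights & WRITE_RIGHTS)
                rows.append(dict(server=server, share=name, folder=folder, trustee=trustee,
                                 ace=ace, permission=classify(rights), flagged=flagged))
    return rows


def to_csv(rows):
    """Render the rows as CSV in the column order the question asked for."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["server", "share", "folder", "trustee", "ace", "permission", "flagged"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_inventory(SAMPLE_XML)))
```

To run it over real output, pass the text of the `share.xml` produced by `cscript /nologo share.vbs >share.xml` to `parse_inventory` instead of `SAMPLE_XML`. Deny ACEs are kept as separate rows rather than subtracted from allow rows, so a trustee that appears with both should be reviewed by hand; the flag is a triage aid, not a verdict.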

Thanks! That's awesome :)