rolyatn
asked on
Scripted Network Share Permission Audit
Hi,
I've been asked to verify permissions set on directories for windows shares, as follows.
- Approx 15-20 servers
- Each with a number of shares, all configured with 'Everyone' permissions for the share
- Underlying folder has groups permissioned for read/change
I need to get a list of all the shares, their underlying folder, and the permissions on the folders, so I'd have something like this:
Server Share Folder Group Permission
LONDON1 Reports d:\Reports LONMarketing Read
and so on, across all the servers.
I'm a bit of a newbie to WSH and WMI, though have some programming experience so I get the concepts. Rather than reinventing the wheel (which would take time by myself whilst I try and learn how to do this), I was hoping someone might have a script to enumerate all the shares on a specified list of servers, returning the directories associated with them and the permissions on those directories.
Many thanks in advance.
I think MBSA 2.0 also shows you Share Folder permissions when you scan a server using it.
You can scan all your servers using MBSA 2.0 and save the share folder permissions listing.
It is a free download from microsoft.com.
Hey richrumble,
That script is great, cheers for posting that up.
Did you by any chance get around to modifying it to read from a file like you mentioned?
Cheers
Steve
I did finally (today) when you asked ;) A little trial and error, plenty of typos... but it's all sorted now. You can use a file that has one PC or one IP per line:
1.2.3.4
3.4.5.6
pc_name
srvr_name
pc_01
etc...
Output is XML; if you don't want that, have a look here:
https://www.experts-exchange.com/questions/21986624/Combine-these-two-WSH-scripts.html?anchorAnswerId=23601997#a23601997
From a cmd prompt I type:
cscript /nologo share.vbs >share.xml
Remember to change: Const INPUT_FILE_NAME = "C:\tools\Computers.txt"
to suit your path, you could also do a drag and drop thing...
INPUT_FILE = Wscript.Arguments(0)
What does that gain you? Well, suppose you have a bunch of text files that contain computer names: one with your DHCP servers, one with your domain controllers, one with your email servers. Do you need to create separate scripts for each of these? Heck no. In Windows Explorer, drag the appropriate text file onto the icon for your script (shares.vbs). The script will use the name of the text file as an argument, and then automatically open and read that file.
-rich
Option Explicit

' Security descriptor control flag: a DACL is present. A descriptor with
' no DACL at all grants everyone full access, so that case is reported.
Const SE_DACL_PRESENT = &h4
' Win32_ACE.AceType values
Const ACCESS_ALLOWED_ACE_TYPE = &h0
Const ACCESS_DENIED_ACE_TYPE = &h1
' Win32_ACE.AccessMask bits as they apply to folders
Const FILE_ALL_ACCESS = &h1f01ff
Const FOLDER_ADD_SUBDIRECTORY = &h000004
Const FILE_DELETE = &h010000
Const FILE_DELETE_CHILD = &h000040
Const FOLDER_TRAVERSE = &h000020
Const FILE_READ_ATTRIBUTES = &h000080
Const FILE_READ_CONTROL = &h020000
Const FOLDER_LIST_DIRECTORY = &h000001
Const FILE_READ_EA = &h000008
Const FILE_SYNCHRONIZE = &h100000
Const FILE_WRITE_ATTRIBUTES = &h000100
Const FILE_WRITE_DAC = &h040000
Const FOLDER_ADD_FILE = &h000002
Const FILE_WRITE_EA = &h000010
Const FILE_WRITE_OWNER = &h080000
' ExecQuery flags: semisynchronous call, forward-only enumerator
Const WBEM_RETURN_IMMEDIATELY = &h10
Const WBEM_FORWARD_ONLY = &h20
' Input file: one computer name or IP address per line
Const INPUT_FILE_NAME = "C:\tools\Computers.txt"
Const FOR_READING = 1

Dim objWMIService, objItem
Dim strComputer, strLine
Dim arrComputers
Dim colItems
Dim objFSO, objFile

' Escape the characters that would break the XML output; share paths and
' trustee names come from the target and must not be trusted to be clean
Function XmlEscape(strText)
    Dim strOut
    strOut = Replace(strText, "&", "&amp;")
    strOut = Replace(strOut, "<", "&lt;")
    strOut = Replace(strOut, ">", "&gt;")
    strOut = Replace(strOut, Chr(34), "&quot;")
    XmlEscape = strOut
End Function

' Emit <NAME>NAME</NAME> when every bit of intBit is set in the access mask.
' Comparing against intBit (rather than testing "mask And bit" for non-zero)
' matters for FILE_ALL_ACCESS, which is a combination of bits: the plain
' "And" test would report it for any ACE that had at least one bit set.
Sub EchoFlag(intMask, intBit, strName)
    If (intMask And intBit) = intBit Then
        WScript.Echo vbTab & "<" & strName & ">" & strName & "</" & strName & ">"
    End If
End Sub

' Dump the DACL of the folder at strPath on the currently connected computer
Sub ReadDescriptor(strPath)
    Dim objFolderSecuritySettings, objSD, objACE
    Dim arrACEs
    Dim intControlFlags, intMask

    Set objFolderSecuritySettings = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strPath & "'")
    If Err.Number <> 0 Then
        WScript.Echo "<Error>" & XmlEscape(Err.Description) & "</Error>"
        Err.Clear
        Exit Sub
    End If
    If objFolderSecuritySettings.GetSecurityDescriptor(objSD) <> 0 Then
        WScript.Echo "<Error>GetSecurityDescriptor failed for " & XmlEscape(strPath) & "</Error>"
        Exit Sub
    End If

    intControlFlags = objSD.ControlFlags
    If intControlFlags And SE_DACL_PRESENT Then
        arrACEs = objSD.DACL
        If IsNull(arrACEs) Then
            ' A DACL that is present but holds no ACEs grants access to nobody
            WScript.Echo "<Empty_DACL>DACL present but contains no ACEs</Empty_DACL>"
        Else
            For Each objACE In arrACEs
                intMask = objACE.AccessMask
                WScript.Echo "<ACL>"
                WScript.Echo "<Trustee>" & XmlEscape(objACE.Trustee.Domain & "\" & objACE.Trustee.Name) & "</Trustee>"
                If objACE.AceType = ACCESS_ALLOWED_ACE_TYPE Then
                    WScript.Echo vbTab & "<ACCESS_ALLOWED_ACE_TYPE>Allowed</ACCESS_ALLOWED_ACE_TYPE>"
                ElseIf objACE.AceType = ACCESS_DENIED_ACE_TYPE Then
                    WScript.Echo vbTab & "<ACCESS_DENIED_ACE_TYPE>Denied</ACCESS_DENIED_ACE_TYPE>"
                End If
                EchoFlag intMask, FILE_ALL_ACCESS, "FILE_ALL_ACCESS"
                EchoFlag intMask, FOLDER_ADD_SUBDIRECTORY, "FOLDER_ADD_SUBDIRECTORY"
                EchoFlag intMask, FILE_DELETE, "FILE_DELETE"
                EchoFlag intMask, FILE_DELETE_CHILD, "FILE_DELETE_CHILD"
                EchoFlag intMask, FOLDER_TRAVERSE, "FOLDER_TRAVERSE"
                EchoFlag intMask, FILE_READ_ATTRIBUTES, "FILE_READ_ATTRIBUTES"
                EchoFlag intMask, FILE_READ_CONTROL, "FILE_READ_CONTROL"
                EchoFlag intMask, FOLDER_LIST_DIRECTORY, "FOLDER_LIST_DIRECTORY"
                EchoFlag intMask, FILE_READ_EA, "FILE_READ_EA"
                EchoFlag intMask, FILE_SYNCHRONIZE, "FILE_SYNCHRONIZE"
                EchoFlag intMask, FILE_WRITE_ATTRIBUTES, "FILE_WRITE_ATTRIBUTES"
                EchoFlag intMask, FILE_WRITE_DAC, "FILE_WRITE_DAC"
                EchoFlag intMask, FOLDER_ADD_FILE, "FOLDER_ADD_FILE"
                EchoFlag intMask, FILE_WRITE_EA, "FILE_WRITE_EA"
                EchoFlag intMask, FILE_WRITE_OWNER, "FILE_WRITE_OWNER"
                WScript.Echo "</ACL>"
            Next
        End If
    Else
        WScript.Echo "<No_DACL>No DACL present in security descriptor</No_DACL>"
    End If
End Sub

'
' Main Code
'
WScript.Echo "<?xml version=" & Chr(34) & "1.0" & Chr(34) & "?>"
WScript.Echo "<Inventory_1.0>"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(INPUT_FILE_NAME, FOR_READING)
arrComputers = Split(objFile.ReadAll, vbCrLf)
objFile.Close

For Each strLine In arrComputers
    strComputer = Trim(strLine)
    ' Skip blank lines, including the empty element left after the final CRLF
    If Len(strComputer) > 0 Then
        WScript.Echo "<Computer>"
        WScript.Echo "<Computer_Name>" & XmlEscape(strComputer) & "</Computer_Name>"
        On Error Resume Next
        Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
        If Err.Number <> 0 Then
            ' Report the failed connection rather than silently re-listing the
            ' previous computer's shares from the stale colItems collection
            WScript.Echo "<Error>" & XmlEscape(Err.Description) & "</Error>"
            Err.Clear
        Else
            ' Type=0 selects disk shares only; printers, IPC$ and the hidden
            ' admin shares (C$, ADMIN$) have other Type values
            Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_Share WHERE Type=0", "WQL", _
                WBEM_RETURN_IMMEDIATELY + WBEM_FORWARD_ONLY)
            For Each objItem In colItems
                WScript.Echo "<Share>"
                WScript.Echo "<Name>" & XmlEscape(objItem.Name) & "</Name>"
                WScript.Echo "<Path>" & XmlEscape(objItem.Path) & "</Path>"
                ReadDescriptor objItem.Path
                WScript.Echo "</Share>"
            Next
        End If
        On Error GoTo 0
        WScript.Echo "</Computer>"
        Set objWMIService = Nothing
    End If
Next
WScript.Echo "</Inventory_1.0>"
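The same audit in PowerShell, as an added example that is not richrumble's script and not code from the question: it reads the same one-host-per-line file, enumerates each server's disk shares through Win32_Share, reads the folder DACL through Win32_LogicalFileSecuritySetting and prints one row per ACE in the Server / Share / Folder / Group / Permission shape the question asks for. The -IncludeShareAcl switch adds the share-level DACL (the "Everyone" layer the question mentions) so both layers can be compared. Assumptions that are mine rather than the page's: WMI over DCOM is reachable and the account running it is a local administrator on every target; the parameter names, the Get-AceRows function and the output file name are this example's own; the default path C:\tools\Computers.txt is only the placeholder the VBScript uses. Written for Windows PowerShell 5.1, where Get-WmiObject exists (PowerShell 7 needs Get-CimInstance/Invoke-CimMethod instead).

```powershell
<#
  Added example (not the page's VBScript): audit NTFS, and optionally share,
  DACLs of every disk share on the servers listed in a text file.
  Assumes WMI/DCOM access and local admin rights on each target (assumption).
#>
param(
    # Same placeholder path as the VBScript; one host name or IP per line
    [string]$ComputerList = 'C:\tools\Computers.txt',
    # Also report the share-level DACL, i.e. the "Everyone" layer on top of NTFS
    [switch]$IncludeShareAcl
)

$AceTypeName     = @{ 0 = 'Allow'; 1 = 'Deny' }   # Win32_ACE.AceType
$INHERITED_ACE   = 0x10   # Win32_ACE.AceFlags bit: ACE was inherited from a parent folder
$SE_DACL_PRESENT = 0x4    # Win32_SecurityDescriptor.ControlFlags bit

function Get-AceRows {
    param($Computer, $Share, $Folder, $Layer, $Descriptor)
    $row = @{ Server = $Computer; Share = $Share; Folder = $Folder; Layer = $Layer }
    if (-not ($Descriptor.ControlFlags -band $SE_DACL_PRESENT)) {
        # NULL DACL: no restrictions at all, everyone has full control. Report as a finding.
        return [pscustomobject]($row + @{ Group = '(no DACL)'; Type = 'Allow'; Permission = 'FullControl (NULL DACL)'; Inherited = $false })
    }
    if ($null -eq $Descriptor.DACL) {
        # DACL present but empty: nobody has access
        return [pscustomobject]($row + @{ Group = '(empty DACL)'; Type = 'Deny'; Permission = 'None'; Inherited = $false })
    }
    foreach ($ace in $Descriptor.DACL) {
        # Casting the raw mask to FileSystemRights turns 0x1F01FF into "FullControl",
        # 0x1200A9 into "ReadAndExecute, Synchronize", 0x1301BF into "Modify, Synchronize"
        $rights = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask
        [pscustomobject]($row + @{
            Group      = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Type       = $AceTypeName[[int]$ace.AceType]
            Permission = $rights.ToString()
            Inherited  = [bool]($ace.AceFlags -band $INHERITED_ACE)
        })
    }
}

$computers = Get-Content -Path $ComputerList | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$rows = foreach ($computer in $computers) {
    try {
        # Type=0 is "Disk Drive": printers, IPC$ and the hidden admin shares are skipped
        $shares = Get-WmiObject -ComputerName $computer -Class Win32_Share -Filter 'Type=0' -ErrorAction Stop
    } catch {
        # Report and move on instead of reusing the previous server's share list
        Write-Warning ('{0}: {1}' -f $computer, $_.Exception.Message)
        continue
    }
    foreach ($share in $shares) {
        # Backslashes must be doubled inside a WQL string literal
        $wqlPath = $share.Path -replace '\\', '\\'
        $fileSec = Get-WmiObject -ComputerName $computer -Class Win32_LogicalFileSecuritySetting -Filter "Path='$wqlPath'"
        if ($fileSec) {
            Get-AceRows $computer $share.Name $share.Path 'NTFS' $fileSec.GetSecurityDescriptor().Descriptor
        }
        if ($IncludeShareAcl) {
            $shareSec = Get-WmiObject -ComputerName $computer -Class Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
            if ($shareSec) {
                Get-AceRows $computer $share.Name $share.Path 'Share' $shareSec.GetSecurityDescriptor().Descriptor
            }
        }
    }
}

$rows | Export-Csv -Path .\share-audit.csv -NoTypeInformation
$rows | Format-Table Server, Share, Folder, Layer, Group, Type, Permission, Inherited -AutoSize
```

Run it as `.\Get-ShareAudit.ps1 -ComputerList C:\tools\Computers.txt -IncludeShareAcl` from an elevated prompt. When reading the CSV, keep in mind that effective access over the network is the intersection of the Share row and the NTFS rows for the same trustee, so an "Everyone / FullControl" share ACE is only as safe as the NTFS ACEs beneath it; a "(no DACL)" row means the folder is wide open regardless of the share permissions, and Deny rows win over Allow rows for the same trustee. Share-level masks are decoded with the same FileSystemRights names for convenience, so a share "Change" permission shows as "Modify, Synchronize".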
Thanks! That's awesome :)
c:\documents and settings\administrator\Des
The above line will run the "setperm.bat" file (from the administrator's desktop), passing the requirements for the example bat file I gave above, and output it to "out.txt" (on the administrator's desktop).