Solved

Get_ACL for getting AD groups assosiated with shares

Posted on 2013-12-12
12
861 Views
Last Modified: 2013-12-13
Hi EE

So I need to pull all the AD groups or users directly added to share permissions.

I was testing with the line below and I can get the Security permissions , can someone help me also pull the share permissions ? also .. it does not add the server name or share on the output file .. and it would totally help me if the share is not found or no access it can add that to the file .


get-content servers.txt | get-acl | %{$_.access} | select filesystemrights, identityreference | Export-Csv Sharedata.csv

 The servers.txt file I have it set as
\\ServerName\Share
0
Comment
Question by:MilesLogan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
12 Comments
 
LVL 40

Expert Comment

by:footech
ID: 39715611
Here's something I put together for another question.
http:Q_28289529.html
You can easily modify the last line to export to csv instead outputting a table.
$typehash = @{
    0 = "Allow"
    1 = "Deny"
    }

$permhash = @{
    1179817 = "Read"
    1245631 = "Change"
    2032127 = "Full Control"
    }

$servers = Get-Content serverlist.txt

@(foreach ($server in $servers)
{
    $shareInfo = @(Get-WmiObject Win32_Share -ComputerName $server -filter "type = 0" | Select Name,Path)
    @(foreach ($share in $shareInfo)
    {
        $shareACL = (Get-WmiObject Win32_LogicalShareSecuritySetting -ComputerName $server -filter "name = '$($share.name)'").GetSecurityDescriptor().Descriptor.DACL
        $shareACL | ForEach `
        {
            $user = If ($_.Trustee.Domain)
                    { $_.Trustee.Domain, $_.Trustee.Name -join "\" }
                    Else
                    { $_.Trustee.Name }
            $type = switch ($_.AceType)
                    {
                        0 { $typehash[0]; break }
                        1 { $typehash[1]; break}
                    }
            $perm = switch ($_.AccessMask)
                    {
                        1179817 { $permhash[1179817]; break }
                        1245631 { $permhash[1245631]; break }
                        2032127 { $permhash[2032127]; break }
                    }
            New-Object PsObject -Property @{
                    Server = $server
                    ShareName = $share.name
                    Path = $share.path
                    UserOrGroup = $user
                    Type = $type
                    Permission = $perm
                    }
        }
    }) | Sort Server,ShareName,UserOrGroup
}) |
 Select Server,ShareName,Path,UserOrGroup,Type,Permission | ft -auto

Open in new window

0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39715662
Hi footech , I get the error below .


Get-WmiObject : Invalid parameter
At E:\footest.ps1:16 char:20
+     $shareInfo = @(Get-WmiObject Win32_Share -ComputerName $server -filter "type ...
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
0
 
LVL 40

Expert Comment

by:footech
ID: 39715680
The file serverlist.txt should only contain a list of server names.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 2

Author Comment

by:MilesLogan
ID: 39715689
Hi footech .. ignore the error .. it was my mistake ..but ... it does pull share information but only for BUILTIN\Administrators .. it does not show all the AD groups that have access to the share like I was able to with .. below .

get-content servers.txt | get-acl | %{$_.access} | select filesystemrights, identityreference | Export-Csv Sharedata.csv
0
 
LVL 40

Expert Comment

by:footech
ID: 39715723
I can't explain why you would be seeing results like that.  I have tested it on a number of servers and it always retrieves all the share permissions for every user/group.
Here's an example of output.
Server    ShareName   Path           UserOrGroup                Type  Permission  
------    ---------   ----           -----------                ----  ----------  
localhost bat-testing J:\bat-testing BUILTIN\Power Users        Allow Change      
localhost bat-testing J:\bat-testing Everyone                   Allow Read        
localhost bat-testing J:\bat-testing NT AUTHORITY\DIALUP        Deny  Change      
localhost bat-testing J:\bat-testing foo-PC\someuser            Allow Full Control

Open in new window


Also, I want to make sure we are talking about the same thing.  This shows share permissions only, not NTFS permissions.
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39715727
that was it .. my mistake on the write up .. I need to get NTFS permissions .
0
 
LVL 40

Expert Comment

by:footech
ID: 39715731
OK, sorry but you've lost me.  Your code already gets the NTFS permissions.
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39715736
yes but it does not output the server name in the output file .. and also .. if lets say I have 10 servers on the list and it does not pull the data for 2 of them .. I cant tell which 2 it did not pull the data for .
0
 
LVL 40

Expert Comment

by:footech
ID: 39715877
How 'bout something like this?  If the share can't be contacted it shows "N/A" for filesystemrights and identityreference.  For this servers.txt should be a list of UNC paths for the shares.

Get-Content servers.txt | % {
    $server,$share = ($_ -split "\\")[2,3]
    If (Test-Path $_)
    {
        Get-Acl $_ -ErrorAction SilentlyContinue | %{$_.access} |
        Select @{n="server";e={$server}},@{n="share";e={$share}},filesystemrights, identityreference
    }
    Else
    {
        "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
    }
} | Export-Csv Sharedata.csv -notype

Open in new window

0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39717012
Hi Footech .. this worked perfect .. only issue I have if its not too much work .

I get the N/A result for shares that do not exist , but if I dont have access to a share it does not add an N/a on the results file .  

This is the error for the ones I do not have access .

Get-Acl : Attempted to perform an unauthorized operation.
At E:\footest2.ps1:5 char:9
+         Get-Acl $_ -ErrorAction SilentlyContinue | %{$_.access} |
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
0
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 39717279
I've added a bit more error checking.
Get-Content servers.txt | % {
    $server,$share = ($_ -split "\\")[2,3]
    If (Test-Path $_ -ErrorAction SilentlyContinue)
    {
        try {
            Get-Acl $_ -ErrorAction SilentlyContinue | %{$_.access} |
             Select @{n="server";e={$server}},@{n="share";e={$share}},filesystemrights, identityreference
        } catch {
            "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
        }
    }
    Else
    {
        "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
    }
} | Export-Csv Sharedata.csv -notype

Open in new window

0
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 39717554
Awesome ! thank you footech
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows 10 came with  a lot of built in applications, Some organisations leave them there, some will control them using GPO's. This Article is useful for those who do not want to have any applications in their image (example:me).
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question