Get-ACL for getting AD groups associated with shares

Hi EE

So I need to pull all the AD groups or users directly added to share permissions.

I was testing with the line below and I can get the security permissions; can someone help me also pull the share permissions? Also, it does not add the server name or share to the output file, and it would totally help me if, when the share is not found or there is no access, it could add that to the file.


get-content servers.txt | get-acl | %{$_.access} | select filesystemrights, identityreference | Export-Csv Sharedata.csv

I have the servers.txt file set as
\\ServerName\Share
Asked by: MilesLogan

1 Solution
footech commented:
Here's something I put together for another question.
http:Q_28289529.html
You can easily modify the last line to export to csv instead outputting a table.
# ACE type codes returned by Win32_LogicalShareSecuritySetting
$typehash = @{
    0 = "Allow"
    1 = "Deny"
    }

# Access mask values for the three standard share permission levels
$permhash = @{
    1179817 = "Read"
    1245631 = "Change"
    2032127 = "Full Control"
    }

# One server name per line
$servers = Get-Content serverlist.txt

@(foreach ($server in $servers)
{
    # type = 0 limits the query to disk shares (no printer/IPC/admin shares)
    $shareInfo = @(Get-WmiObject Win32_Share -ComputerName $server -filter "type = 0" | Select Name,Path)
    @(foreach ($share in $shareInfo)
    {
        # DACL of the share itself (share permissions, not NTFS permissions)
        $shareACL = (Get-WmiObject Win32_LogicalShareSecuritySetting -ComputerName $server -filter "name = '$($share.name)'").GetSecurityDescriptor().Descriptor.DACL
        $shareACL | ForEach `
        {
            # Prefix the trustee with its domain when one is present
            $user = If ($_.Trustee.Domain)
                    { $_.Trustee.Domain, $_.Trustee.Name -join "\" }
                    Else
                    { $_.Trustee.Name }
            $type = switch ($_.AceType)
                    {
                        0 { $typehash[0]; break }
                        1 { $typehash[1]; break}
                    }
            $perm = switch ($_.AccessMask)
                    {
                        1179817 { $permhash[1179817]; break }
                        1245631 { $permhash[1245631]; break }
                        2032127 { $permhash[2032127]; break }
                    }
            New-Object PsObject -Property @{
                    Server = $server
                    ShareName = $share.name
                    Path = $share.path
                    UserOrGroup = $user
                    Type = $type
                    Permission = $perm
                    }
        }
    }) | Sort Server,ShareName,UserOrGroup
}) |
 Select Server,ShareName,Path,UserOrGroup,Type,Permission | ft -auto

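The same share-level enumeration, written as an added example with the SmbShare CIM cmdlets instead of the Win32_Share WMI classes; this is not footech's code. It assumes serverlist.txt holds one server name per line, that the targets run Windows Server 2012 / Windows 8 or later with WinRM reachable, and the output file name SharePermissions.csv is an assumption. A server that cannot be contacted gets its own row with a Status column instead of silently vanishing from the report, which is the gap the question is really about.

```powershell
# Added example (not footech's script): share permissions over CIM.
# Assumptions: serverlist.txt = one server name per line; targets expose the
# SmbShare module over WinRM; SharePermissions.csv is just a chosen file name.
$servers = Get-Content serverlist.txt

$results = foreach ($server in $servers) {
    try {
        # One CIM session per server; a failure here means the host is unreachable
        $cim = New-CimSession -ComputerName $server -ErrorAction Stop
    }
    catch {
        # Keep the server in the report so missing data is visible, not silent
        [pscustomobject]@{
            Server = $server; ShareName = 'N/A'; Path = 'N/A'
            AccountName = 'N/A'; AccessControlType = 'N/A'; AccessRight = 'N/A'
            Status = "Unreachable: $($_.Exception.Message)"
        }
        continue
    }

    # Special = $false skips administrative shares such as C$ and ADMIN$
    $shares = Get-SmbShare -CimSession $cim | Where-Object { -not $_.Special }
    foreach ($share in $shares) {
        # Share-level ACL only; NTFS permissions on the folder are a separate check
        $aces = Get-SmbShareAccess -Name $share.Name -CimSession $cim
        foreach ($ace in $aces) {
            [pscustomobject]@{
                Server            = $server
                ShareName         = $share.Name
                Path              = $share.Path
                AccountName       = $ace.AccountName
                AccessControlType = $ace.AccessControlType   # Allow / Deny
                AccessRight       = $ace.AccessRight         # Read / Change / Full
                Status            = 'OK'
            }
        }
    }
    Remove-CimSession $cim
}

$results | Sort-Object Server, ShareName, AccountName |
    Export-Csv SharePermissions.csv -NoTypeInformation
```

Because every server yields at least one row, the difference between "no permissions found" and "could not ask" is preserved in the CSV, which is what makes the output usable for an access review.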
MilesLogan (author) commented:
Hi footech , I get the error below .


Get-WmiObject : Invalid parameter
At E:\footest.ps1:16 char:20
+     $shareInfo = @(Get-WmiObject Win32_Share -ComputerName $server -filter "type ...
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
footech commented:
The file serverlist.txt should only contain a list of server names.
MilesLogan (author) commented:
Hi footech, ignore the error, it was my mistake. But it does pull share information only for BUILTIN\Administrators; it does not show all the AD groups that have access to the share like I was able to with the line below.

get-content servers.txt | get-acl | %{$_.access} | select filesystemrights, identityreference | Export-Csv Sharedata.csv
footech commented:
I can't explain why you would be seeing results like that.  I have tested it on a number of servers and it always retrieves all the share permissions for every user/group.
Here's an example of output.
Server    ShareName   Path           UserOrGroup                Type  Permission  
------    ---------   ----           -----------                ----  ----------  
localhost bat-testing J:\bat-testing BUILTIN\Power Users        Allow Change      
localhost bat-testing J:\bat-testing Everyone                   Allow Read        
localhost bat-testing J:\bat-testing NT AUTHORITY\DIALUP        Deny  Change      
localhost bat-testing J:\bat-testing foo-PC\someuser            Allow Full Control

Also, I want to make sure we are talking about the same thing.  This shows share permissions only, not NTFS permissions.
MilesLogan (author) commented:
That was it. My mistake on the write-up: I need to get NTFS permissions.
footech commented:
OK, sorry but you've lost me.  Your code already gets the NTFS permissions.
MilesLogan (author) commented:
Yes, but it does not output the server name in the output file. And also, if, let's say, I have 10 servers on the list and it does not pull the data for 2 of them, I can't tell which 2 it did not pull the data for.
footech commented:
How about something like this? If the share can't be contacted it shows "N/A" for filesystemrights and identityreference. For this, servers.txt should be a list of UNC paths for the shares.

Get-Content servers.txt | % {
    # \\Server\Share splits into '', '', 'Server', 'Share'
    $server,$share = ($_ -split "\\")[2,3]
    If (Test-Path $_)
    {
        # Prefix each ACE with the server and share it came from
        Get-Acl $_ -ErrorAction SilentlyContinue | %{$_.access} |
        Select @{n="server";e={$server}},@{n="share";e={$share}},filesystemrights, identityreference
    }
    Else
    {
        # Share not found: emit a placeholder row so the server is still listed
        "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
    }
} | Export-Csv Sharedata.csv -notype

MilesLogan (author) commented:
Hi footech, this worked perfectly. The only issue I have, if it's not too much work:

I get the N/A result for shares that do not exist, but if I don't have access to a share it does not add an N/A to the results file.

This is the error for the ones I do not have access to.

Get-Acl : Attempted to perform an unauthorized operation.
At E:\footest2.ps1:5 char:9
+         Get-Acl $_ -ErrorAction SilentlyContinue | %{$_.access} |
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
footech commented:
I've added a bit more error checking.
Get-Content servers.txt | % {
    # \\Server\Share splits into '', '', 'Server', 'Share'
    $server,$share = ($_ -split "\\")[2,3]
    If (Test-Path $_ -ErrorAction SilentlyContinue)
    {
        try {
            # -ErrorAction Stop turns any Get-Acl failure into a terminating error
            # so the catch block below runs; with SilentlyContinue a non-terminating
            # access-denied error would skip the catch and produce no row at all
            Get-Acl $_ -ErrorAction Stop | %{$_.access} |
             Select @{n="server";e={$server}},@{n="share";e={$share}},filesystemrights, identityreference
        } catch {
            # Share exists but its ACL could not be read (e.g. access denied)
            "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
        }
    }
    Else
    {
        # Share not found or server not reachable
        "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
    }
} | Export-Csv Sharedata.csv -notype

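An added example (not footech's script) that extends the accepted approach in two ways a reviewer of the CSV usually needs: instead of one N/A row it records why a share produced no data (NotFound, AccessDenied or another error), and it carries each ACE's IsInherited flag so the groups that were "directly added" on the share root can be separated from entries inherited from the parent folder. It assumes servers.txt holds one \\Server\Share path per line; the function names New-AclRow and Get-ShareNtfsReport and the output file name Sharedata.csv are assumptions.

```powershell
# Added example, not from the original thread.
# Assumptions: servers.txt = one \\Server\Share per line; function names and
# the output file name are chosen here, not taken from the question.

function New-AclRow {
    # One uniform output row; unset columns read N/A so every attempted
    # server/share pair is visible in the CSV, even when nothing was read
    param($Server, $Share, $Identity = 'N/A', $Rights = 'N/A',
          $Type = 'N/A', $Inherited = 'N/A', $Status)
    [pscustomobject]@{
        Server = $Server; Share = $Share; Identity = $Identity
        Rights = $Rights; Type = $Type; Inherited = $Inherited; Status = $Status
    }
}

function Get-ShareNtfsReport {
    param([string[]]$UncPaths)

    foreach ($unc in $UncPaths) {
        # \\Server\Share splits into '', '', 'Server', 'Share'
        $server, $share = ($unc -split '\\')[2, 3]

        try {
            # -ErrorAction Stop makes every Get-Acl failure a catchable exception;
            # with SilentlyContinue a non-terminating error would bypass catch
            $acl = Get-Acl -LiteralPath $unc -ErrorAction Stop
        }
        catch [System.UnauthorizedAccessException] {
            # Share exists but the caller may not read its security descriptor
            New-AclRow -Server $server -Share $share -Status 'AccessDenied'
            continue
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            # Server reachable but the share (or path) does not exist
            New-AclRow -Server $server -Share $share -Status 'NotFound'
            continue
        }
        catch {
            # Anything else (offline host, name resolution, ...) keeps its exception type
            New-AclRow -Server $server -Share $share -Status "Error: $($_.Exception.GetType().Name)"
            continue
        }

        foreach ($ace in $acl.Access) {
            New-AclRow -Server $server -Share $share `
                -Identity $ace.IdentityReference.Value `
                -Rights $ace.FileSystemRights `
                -Type $ace.AccessControlType `
                -Inherited $ace.IsInherited `
                -Status 'OK'
        }
    }
}

Get-ShareNtfsReport -UncPaths (Get-Content servers.txt) |
    Export-Csv Sharedata.csv -NoTypeInformation

# Entries set directly on the share root rather than inherited from a parent:
# Import-Csv Sharedata.csv | Where-Object { $_.Status -eq 'OK' -and $_.Inherited -eq 'False' }
```

The Status column is what answers the follow-up in this thread: a share that is missing and a share the auditing account is denied on both produce a row, but they are no longer indistinguishable, so the second case can be escalated for the access the audit account actually needs.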
MilesLogan (author) commented:
Awesome! Thank you footech.