Solved

Get_ACL for getting AD groups associated with shares

Posted on 2013-12-12
Last Modified: 2013-12-13
Hi EE

So I need to pull all the AD groups or users directly added to share permissions.

I was testing with the line below and I can get the security permissions. Can someone help me also pull the share permissions? Also, it does not add the server name or share to the output file, and it would totally help me if, when the share is not found or there is no access, it could add that to the file.


get-content servers.txt | get-acl | %{$_.access} | select filesystemrights, identityreference | Export-Csv Sharedata.csv

The servers.txt file I have set as
\\ServerName\Share
Question by:MilesLogan
12 Comments
 
LVL 40

Expert Comment

by:footech
ID: 39715611
Here's something I put together for another question.
http:Q_28289529.html
You can easily modify the last line to export to csv instead outputting a table.
$typehash = @{
    0 = "Allow"
    1 = "Deny"
    }

$permhash = @{
    1179817 = "Read"
    1245631 = "Change"
    2032127 = "Full Control"
    }

$servers = Get-Content serverlist.txt

@(foreach ($server in $servers)
{
    $shareInfo = @(Get-WmiObject Win32_Share -ComputerName $server -filter "type = 0" | Select Name,Path)
    @(foreach ($share in $shareInfo)
    {
        $shareACL = (Get-WmiObject Win32_LogicalShareSecuritySetting -ComputerName $server -filter "name = '$($share.name)'").GetSecurityDescriptor().Descriptor.DACL
        $shareACL | ForEach `
        {
            $user = If ($_.Trustee.Domain)
                    { $_.Trustee.Domain, $_.Trustee.Name -join "\" }
                    Else
                    { $_.Trustee.Name }
            $type = switch ($_.AceType)
                    {
                        0 { $typehash[0]; break }
                        1 { $typehash[1]; break}
                    }
            $perm = switch ($_.AccessMask)
                    {
                        1179817 { $permhash[1179817]; break }
                        1245631 { $permhash[1245631]; break }
                        2032127 { $permhash[2032127]; break }
                    }
            New-Object PsObject -Property @{
                    Server = $server
                    ShareName = $share.name
                    Path = $share.path
                    UserOrGroup = $user
                    Type = $type
                    Permission = $perm
                    }
        }
    }) | Sort Server,ShareName,UserOrGroup
}) |
 Select Server,ShareName,Path,UserOrGroup,Type,Permission | ft -auto

 
LVL 2

Author Comment

by:MilesLogan
ID: 39715662
Hi footech , I get the error below .


Get-WmiObject : Invalid parameter
At E:\footest.ps1:16 char:20
+     $shareInfo = @(Get-WmiObject Win32_Share -ComputerName $server -filter "type ...
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
 
LVL 40

Expert Comment

by:footech
ID: 39715680
The file serverlist.txt should only contain a list of server names.
 
LVL 2

Author Comment

by:MilesLogan
ID: 39715689
Hi footech .. ignore the error .. it was my mistake .. but ... it does pull share information, but only for BUILTIN\Administrators .. it does not show all the AD groups that have access to the share like I was able to with the line below.

get-content servers.txt | get-acl | %{$_.access} | select filesystemrights, identityreference | Export-Csv Sharedata.csv
 
LVL 40

Expert Comment

by:footech
ID: 39715723
I can't explain why you would be seeing results like that.  I have tested it on a number of servers and it always retrieves all the share permissions for every user/group.
Here's an example of output.
Server    ShareName   Path           UserOrGroup                Type  Permission  
------    ---------   ----           -----------                ----  ----------  
localhost bat-testing J:\bat-testing BUILTIN\Power Users        Allow Change      
localhost bat-testing J:\bat-testing Everyone                   Allow Read        
localhost bat-testing J:\bat-testing NT AUTHORITY\DIALUP        Deny  Change      
localhost bat-testing J:\bat-testing foo-PC\someuser            Allow Full Control



Also, I want to make sure we are talking about the same thing.  This shows share permissions only, not NTFS permissions.
 
LVL 2

Author Comment

by:MilesLogan
ID: 39715727
That was it .. my mistake on the write-up .. I need to get NTFS permissions.
 
LVL 40

Expert Comment

by:footech
ID: 39715731
OK, sorry but you've lost me.  Your code already gets the NTFS permissions.
 
LVL 2

Author Comment

by:MilesLogan
ID: 39715736
Yes, but it does not output the server name in the output file .. and also .. if, let's say, I have 10 servers on the list and it does not pull the data for 2 of them .. I can't tell which 2 it did not pull the data for.
 
LVL 40

Expert Comment

by:footech
ID: 39715877
How 'bout something like this? If the share can't be contacted it shows "N/A" for filesystemrights and identityreference. For this, servers.txt should be a list of UNC paths for the shares.

Get-Content servers.txt | % {
    $server,$share = ($_ -split "\\")[2,3]
    If (Test-Path $_)
    {
        Get-Acl $_ -ErrorAction SilentlyContinue | %{$_.access} |
        Select @{n="server";e={$server}},@{n="share";e={$share}},filesystemrights, identityreference
    }
    Else
    {
        "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
    }
} | Export-Csv Sharedata.csv -notype

 
LVL 2

Author Comment

by:MilesLogan
ID: 39717012
Hi footech .. this worked perfectly .. the only issue I have, if it's not too much work:

I get the N/A result for shares that do not exist, but if I don't have access to a share it does not add an N/A to the results file.

This is the error for the ones I do not have access to.

Get-Acl : Attempted to perform an unauthorized operation.
At E:\footest2.ps1:5 char:9
+         Get-Acl $_ -ErrorAction SilentlyContinue | %{$_.access} |
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
0
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 39717279
I've added a bit more error checking.
Get-Content servers.txt | % {
    $server,$share = ($_ -split "\\")[2,3]
    If (Test-Path $_ -ErrorAction SilentlyContinue)
    {
        try {
            Get-Acl $_ -ErrorAction SilentlyContinue | %{$_.access} |
             Select @{n="server";e={$server}},@{n="share";e={$share}},filesystemrights, identityreference
        } catch {
            "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
        }
    }
    Else
    {
        "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
    }
} | Export-Csv Sharedata.csv -notype

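An added example, not footech's code or the asker's, that combines the two approaches in this thread: share-level permissions from Win32_LogicalShareSecuritySetting (the earlier WMI answer) and NTFS permissions from Get-Acl (the accepted solution), keyed by server and share, with a Status column that records a missing share and an access-denied share as distinct outcomes instead of dropping the row. It assumes servers.txt holds one \\Server\Share per line; the function names New-AccessRow and Get-ShareAccessReport are made up for this example.

```powershell
# Added example, not from the thread. Each row carries Level (Share or NTFS) and Status,
# so a missing or access-denied share is recorded rather than silently absent from the CSV.
# Assumption: servers.txt holds one \\Server\Share per line.
function New-AccessRow($Server, $Share, $Level, $Status,
                       $Identity = 'N/A', $Type = 'N/A', $Rights = 'N/A') {
    New-Object PSObject -Property @{ Server = $Server; Share = $Share; Level = $Level;
        Status = $Status; Identity = $Identity; Type = $Type; Rights = $Rights }
}

function Get-ShareAccessReport([string[]]$UncPaths) {
    foreach ($unc in $UncPaths) {
        $server, $share = ($unc -split '\\')[2,3]
        # Share permissions: evaluated by the SMB server before NTFS permissions apply.
        try {
            $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -ComputerName $server `
                       -Filter "Name = '$share'" -ErrorAction Stop
            if (-not $sec) { throw "share '$share' not found on $server" }
            foreach ($ace in $sec.GetSecurityDescriptor().Descriptor.DACL) {
                $who = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
                $type = @('Allow', 'Deny')[$ace.AceType]
                # The share access mask uses the same bits as FileSystemRights, so the cast
                # decodes any mask rather than only the three values in a fixed lookup table.
                $rights = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask
                New-AccessRow $server $share 'Share' 'OK' $who $type $rights
            }
        } catch {
            New-AccessRow $server $share 'Share' "Error: $($_.Exception.Message)"
        }

        # NTFS permissions on the share root. -ErrorAction Stop makes every failure
        # terminating, so the catch blocks classify it instead of the row going missing.
        try {
            foreach ($ace in (Get-Acl -Path $unc -ErrorAction Stop).Access) {
                New-AccessRow $server $share 'NTFS' 'OK' $ace.IdentityReference.Value `
                    ([string]$ace.AccessControlType) ([string]$ace.FileSystemRights)
            }
        } catch [System.UnauthorizedAccessException] {
            New-AccessRow $server $share 'NTFS' 'AccessDenied'
        } catch [System.Management.Automation.ItemNotFoundException] {
            New-AccessRow $server $share 'NTFS' 'NotFound'
        } catch {
            New-AccessRow $server $share 'NTFS' "Error: $($_.Exception.Message)"
        }
    }
}

Get-ShareAccessReport (Get-Content servers.txt) |
    Select-Object Server, Share, Level, Status, Identity, Type, Rights |
    Export-Csv ShareAccess.csv -NoTypeInformation
```

Filtering the CSV on Status not equal to OK gives the list of shares the audit could not read, which is the gap the asker's original one-liner left invisible.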
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 39717554
Awesome! Thank you footech
