
Get-Acl for getting AD groups associated with shares

Posted on 2013-12-12
Last Modified: 2013-12-13
Hi EE

So I need to pull all the AD groups or users directly added to share permissions.

I was testing with the line below and I can get the security permissions. Can someone help me also pull the share permissions? Also, it does not add the server name or share to the output file, and it would totally help me if, when the share is not found or there is no access, it could add that to the file.


get-content servers.txt | get-acl | %{$_.access} | select filesystemrights, identityreference | Export-Csv Sharedata.csv

The servers.txt file I have set as:
\\ServerName\Share
Question by:MilesLogan

Expert Comment

by:footech
ID: 39715611
Here's something I put together for another question.
http:Q_28289529.html
You can easily modify the last line to export to CSV instead of outputting a table.
$typehash = @{
    0 = "Allow"
    1 = "Deny"
    }

$permhash = @{
    1179817 = "Read"
    1245631 = "Change"
    2032127 = "Full Control"
    }

$servers = Get-Content serverlist.txt

@(foreach ($server in $servers)
{
    $shareInfo = @(Get-WmiObject Win32_Share -ComputerName $server -filter "type = 0" | Select Name,Path)
    @(foreach ($share in $shareInfo)
    {
        $shareACL = (Get-WmiObject Win32_LogicalShareSecuritySetting -ComputerName $server -filter "name = '$($share.name)'").GetSecurityDescriptor().Descriptor.DACL
        $shareACL | ForEach `
        {
            $user = If ($_.Trustee.Domain)
                    { $_.Trustee.Domain, $_.Trustee.Name -join "\" }
                    Else
                    { $_.Trustee.Name }
            $type = switch ($_.AceType)
                    {
                        0 { $typehash[0]; break }
                        1 { $typehash[1]; break}
                    }
            $perm = switch ($_.AccessMask)
                    {
                        1179817 { $permhash[1179817]; break }
                        1245631 { $permhash[1245631]; break }
                        2032127 { $permhash[2032127]; break }
                    }
            New-Object PsObject -Property @{
                    Server = $server
                    ShareName = $share.name
                    Path = $share.path
                    UserOrGroup = $user
                    Type = $type
                    Permission = $perm
                    }
        }
    }) | Sort Server,ShareName,UserOrGroup
}) |
 Select Server,ShareName,Path,UserOrGroup,Type,Permission | ft -auto


Author Comment

by:MilesLogan
ID: 39715662
Hi footech, I get the error below.


Get-WmiObject : Invalid parameter
At E:\footest.ps1:16 char:20
+     $shareInfo = @(Get-WmiObject Win32_Share -ComputerName $server -filter "type ...
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

Expert Comment

by:footech
ID: 39715680
The file serverlist.txt should only contain a list of server names.

Author Comment

by:MilesLogan
ID: 39715689
Hi footech, ignore the error, it was my mistake. But it does pull share information only for BUILTIN\Administrators; it does not show all the AD groups that have access to the share like I was able to with the line below.

get-content servers.txt | get-acl | %{$_.access} | select filesystemrights, identityreference | Export-Csv Sharedata.csv

Expert Comment

by:footech
ID: 39715723
I can't explain why you would be seeing results like that.  I have tested it on a number of servers and it always retrieves all the share permissions for every user/group.
Here's an example of output.
Server    ShareName   Path           UserOrGroup                Type  Permission  
------    ---------   ----           -----------                ----  ----------  
localhost bat-testing J:\bat-testing BUILTIN\Power Users        Allow Change      
localhost bat-testing J:\bat-testing Everyone                   Allow Read        
localhost bat-testing J:\bat-testing NT AUTHORITY\DIALUP        Deny  Change      
localhost bat-testing J:\bat-testing foo-PC\someuser            Allow Full Control


Also, I want to make sure we are talking about the same thing.  This shows share permissions only, not NTFS permissions.

Author Comment

by:MilesLogan
ID: 39715727
That was it. My mistake on the write-up; I need to get NTFS permissions.

Expert Comment

by:footech
ID: 39715731
OK, sorry but you've lost me.  Your code already gets the NTFS permissions.

Author Comment

by:MilesLogan
ID: 39715736
Yes, but it does not output the server name in the output file. And also, if, let's say, I have 10 servers on the list and it does not pull the data for 2 of them, I can't tell which 2 it did not pull the data for.

Expert Comment

by:footech
ID: 39715877
How 'bout something like this? If the share can't be contacted it shows "N/A" for filesystemrights and identityreference. For this, servers.txt should be a list of UNC paths for the shares.

Get-Content servers.txt | % {
    $server,$share = ($_ -split "\\")[2,3]
    If (Test-Path $_)
    {
        Get-Acl $_ -ErrorAction SilentlyContinue | %{$_.access} |
        Select @{n="server";e={$server}},@{n="share";e={$share}},filesystemrights, identityreference
    }
    Else
    {
        "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
    }
} | Export-Csv Sharedata.csv -notype


Author Comment

by:MilesLogan
ID: 39717012
Hi footech, this worked perfectly. The only issue I have, if it's not too much work:

I get the N/A result for shares that do not exist, but if I don't have access to a share it does not add an N/A to the results file.

This is the error for the ones I do not have access to.

Get-Acl : Attempted to perform an unauthorized operation.
At E:\footest2.ps1:5 char:9
+         Get-Acl $_ -ErrorAction SilentlyContinue | %{$_.access} |
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand

Accepted Solution

by:footech (earned 500 total points)
ID: 39717279
I've added a bit more error checking.
Get-Content servers.txt | % {
    # Pull "Server" and "Share" out of \\Server\Share
    $server,$share = ($_ -split "\\")[2,3]
    If (Test-Path $_ -ErrorAction SilentlyContinue)
    {
        try {
            # -ErrorAction Stop is required here: Get-Acl's "unauthorized operation" error is
            # non-terminating, so with SilentlyContinue it is swallowed and the catch never runs,
            # which is why the no-access shares produced no row at all.
            Get-Acl $_ -ErrorAction Stop | %{$_.access} |
             Select @{n="server";e={$server}},@{n="share";e={$share}},filesystemrights, identityreference
        } catch {
            # Access denied (or any other Get-Acl failure): record the share with N/A values
            "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
        }
    }
    Else
    {
        # Share not found / not reachable: record the share with N/A values
        "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
    }
} | Export-Csv Sharedata.csv -notype

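An added example (not footech's or the asker's code) that extends the accepted solution for audit use: every UNC path in servers.txt gets a Status column (OK, NotFound, AccessDenied, or the exception type), so the "which 2 of 10 failed" case earlier in the thread is visible in the CSV, and IsInherited is kept so ACEs set directly on the share root can be told apart from ones inherited from parent folders. It assumes PowerShell 3 or later (for [pscustomobject]) and the same one-\\Server\Share-per-line list format; the function name is hypothetical.

```powershell
# Added example, not from the thread: NTFS ACL report per UNC path with an explicit Status column.
function Get-ShareNtfsReport {
    param([string]$ListFile = 'servers.txt')   # assumed: one \\Server\Share per line

    Get-Content $ListFile | Where-Object { $_ -match '^\\\\[^\\]+\\[^\\]+' } | ForEach-Object {
        $unc = $_.Trim()
        $server, $share = ($unc -split '\\')[2, 3]

        # Row template; Status explains why Rights/Identity may be N/A for a given share.
        $row = { param($status, $rights, $id, $inherited)
            [pscustomobject]@{
                Server            = $server
                Share             = $share
                Status            = $status
                FileSystemRights  = $rights
                IdentityReference = $id
                IsInherited       = $inherited
            }
        }

        try {
            # -ErrorAction Stop turns Get-Acl's non-terminating errors into ones the catch blocks see.
            $acl = Get-Acl -LiteralPath $unc -ErrorAction Stop
            foreach ($ace in $acl.Access) {
                & $row 'OK' $ace.FileSystemRights $ace.IdentityReference.Value $ace.IsInherited
            }
        }
        catch [System.UnauthorizedAccessException] {
            # The "Attempted to perform an unauthorized operation" case from the thread
            & $row 'AccessDenied' 'N/A' 'N/A' $null
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            # Share (or path) does not exist
            & $row 'NotFound' 'N/A' 'N/A' $null
        }
        catch {
            # Anything else (e.g. server unreachable): keep the exception type for triage
            & $row ('Error: ' + $_.Exception.GetType().Name) 'N/A' 'N/A' $null
        }
    }
}

Get-ShareNtfsReport | Export-Csv Sharedata.csv -NoTypeInformation
```

Filtering the CSV on Status -ne 'OK' lists exactly the shares that produced no ACL data and why; filtering on IsInherited -eq $false narrows the OK rows to groups granted directly on the share root.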
 
Author Closing Comment

by:MilesLogan
ID: 39717554
Awesome! Thank you footech.