Get_ACL for getting AD groups assosiated with shares

Hi EE

So I need to pull all the AD groups or users directly added to share permissions.

I was testing with the line below and I can get the Security permissions , can someone help me also pull the share permissions ? also .. it does not add the server name or share on the output file .. and it would totally help me if the share is not found or no access it can add that to the file .


get-content servers.txt | get-acl | %{$_.access} | select filesystemrights, identityreference | Export-Csv Sharedata.csv

 The servers.txt file I have it set as
\\ServerName\Share
LVL 2
MilesLoganAsked:
Who is Participating?
 
footechCommented:
I've added a bit more error checking.
Get-Content servers.txt | % {
    $server,$share = ($_ -split "\\")[2,3]
    If (Test-Path $_ -ErrorAction SilentlyContinue)
    {
        try {
            Get-Acl $_ -ErrorAction SilentlyContinue | %{$_.access} |
             Select @{n="server";e={$server}},@{n="share";e={$share}},filesystemrights, identityreference
        } catch {
            "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
        }
    }
    Else
    {
        "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
    }
} | Export-Csv Sharedata.csv -notype

Open in new window

0
 
footechCommented:
Here's something I put together for another question.
http:Q_28289529.html
You can easily modify the last line to export to csv instead outputting a table.
$typehash = @{
    0 = "Allow"
    1 = "Deny"
    }

$permhash = @{
    1179817 = "Read"
    1245631 = "Change"
    2032127 = "Full Control"
    }

$servers = Get-Content serverlist.txt

@(foreach ($server in $servers)
{
    $shareInfo = @(Get-WmiObject Win32_Share -ComputerName $server -filter "type = 0" | Select Name,Path)
    @(foreach ($share in $shareInfo)
    {
        $shareACL = (Get-WmiObject Win32_LogicalShareSecuritySetting -ComputerName $server -filter "name = '$($share.name)'").GetSecurityDescriptor().Descriptor.DACL
        $shareACL | ForEach `
        {
            $user = If ($_.Trustee.Domain)
                    { $_.Trustee.Domain, $_.Trustee.Name -join "\" }
                    Else
                    { $_.Trustee.Name }
            $type = switch ($_.AceType)
                    {
                        0 { $typehash[0]; break }
                        1 { $typehash[1]; break}
                    }
            $perm = switch ($_.AccessMask)
                    {
                        1179817 { $permhash[1179817]; break }
                        1245631 { $permhash[1245631]; break }
                        2032127 { $permhash[2032127]; break }
                    }
            New-Object PsObject -Property @{
                    Server = $server
                    ShareName = $share.name
                    Path = $share.path
                    UserOrGroup = $user
                    Type = $type
                    Permission = $perm
                    }
        }
    }) | Sort Server,ShareName,UserOrGroup
}) |
 Select Server,ShareName,Path,UserOrGroup,Type,Permission | ft -auto

Open in new window

0
 
MilesLoganAuthor Commented:
Hi footech , I get the error below .


Get-WmiObject : Invalid parameter
At E:\footest.ps1:16 char:20
+     $shareInfo = @(Get-WmiObject Win32_Share -ComputerName $server -filter "type ...
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
footechCommented:
The file serverlist.txt should only contain a list of server names.
0
 
MilesLoganAuthor Commented:
Hi footech .. ignore the error .. it was my mistake ..but ... it does pull share information but only for BUILTIN\Administrators .. it does not show all the AD groups that have access to the share like I was able to with .. below .

get-content servers.txt | get-acl | %{$_.access} | select filesystemrights, identityreference | Export-Csv Sharedata.csv
0
 
footechCommented:
I can't explain why you would be seeing results like that.  I have tested it on a number of servers and it always retrieves all the share permissions for every user/group.
Here's an example of output.
Server    ShareName   Path           UserOrGroup                Type  Permission  
------    ---------   ----           -----------                ----  ----------  
localhost bat-testing J:\bat-testing BUILTIN\Power Users        Allow Change      
localhost bat-testing J:\bat-testing Everyone                   Allow Read        
localhost bat-testing J:\bat-testing NT AUTHORITY\DIALUP        Deny  Change      
localhost bat-testing J:\bat-testing foo-PC\someuser            Allow Full Control

Open in new window


Also, I want to make sure we are talking about the same thing.  This shows share permissions only, not NTFS permissions.
0
 
MilesLoganAuthor Commented:
that was it .. my mistake on the write up .. I need to get NTFS permissions .
0
 
footechCommented:
OK, sorry but you've lost me.  Your code already gets the NTFS permissions.
0
 
MilesLoganAuthor Commented:
yes but it does not output the server name in the output file .. and also .. if lets say I have 10 servers on the list and it does not pull the data for 2 of them .. I cant tell which 2 it did not pull the data for .
0
 
footechCommented:
How 'bout something like this?  If the share can't be contacted it shows "N/A" for filesystemrights and identityreference.  For this servers.txt should be a list of UNC paths for the shares.

Get-Content servers.txt | % {
    $server,$share = ($_ -split "\\")[2,3]
    If (Test-Path $_)
    {
        Get-Acl $_ -ErrorAction SilentlyContinue | %{$_.access} |
        Select @{n="server";e={$server}},@{n="share";e={$share}},filesystemrights, identityreference
    }
    Else
    {
        "" | Select @{n="server";e={$server}},@{n="share";e={$share}},@{n="filesystemrights";e={"N/A"}},@{n="identityreference";e={"N/A"}}
    }
} | Export-Csv Sharedata.csv -notype

Open in new window

0
 
MilesLoganAuthor Commented:
Hi Footech .. this worked perfect .. only issue I have if its not too much work .

I get the N/A result for shares that do not exist , but if I dont have access to a share it does not add an N/a on the results file .  

This is the error for the ones I do not have access .

Get-Acl : Attempted to perform an unauthorized operation.
At E:\footest2.ps1:5 char:9
+         Get-Acl $_ -ErrorAction SilentlyContinue | %{$_.access} |
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
0
 
MilesLoganAuthor Commented:
Awesome ! thank you footech
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.