Solved

Audit file share ACL

Posted on 2015-01-12
Last Modified: 2015-05-07
Hi All,

I have been asked to audit the file shares on our network.

Does anyone have a script/sample code I can run?

Last time I did it I used CACLS, which has been superseded by ICACLS.


Many thanks
D
0
Comment
Question by:detox1978
20 Comments
 
LVL 36

Expert Comment

by:Mahesh
ID: 40544831
When you say audit... do you want to enable auditing on share folder
OR
You want to record file share permissions \ audit entries \ ownership and so on?

Both concepts are totally different

For 1st concept, you need to enable auditing GPO (Audit object access) on OU containing file server and later need to enable auditing on actual share folder
http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx

For 2nd concept you can use Subinacl tool to record all permissions including audit entries
http://blogs.technet.com/b/justinturner/archive/2009/02/26/quick-tip-back-up-your-ntfs-security-permissions.aspx
0
 
LVL 40

Expert Comment

by:footech
ID: 40544874
Even though cacls has been deprecated you can still use it.
The question becomes what do you need from the audit?
0
 
LVL 6

Expert Comment

by:Kiran Ch
ID: 40544879
Something like this would work for you?

get-childitem C:\test -recurse | where-object { $_.PSIScontainer }  | Get-Acl | Out-GridView
0

 
LVL 2

Author Comment

by:detox1978
ID: 40545362
Just to clarify, I'm looking to get a file of NTFS permissions.  Ideally filtering out the inherited.
0
 
LVL 2

Author Comment

by:detox1978
ID: 40545384
chkiran248, how do I output the results to a csv file?  Also, how can I get the full path?
0
 
LVL 40

Accepted Solution

by:
footech earned 168 total points
ID: 40548096
It's not quite clear what information you need exactly.  Files, folders, both?
Here's an example of just folders, where permissions are not inherited, exported to a .CSV file.
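# Folders only; one CSV row per explicit (non-inherited) ACE
Get-ChildItem C:\ -recurse | Where { $_.PSIScontainer }  | Get-Acl | ForEach `
{
    # Convert the provider path (PSPath) to a plain file-system path
    $fullpath = Convert-Path $_.pspath
    # Drop inherited ACEs, keep the explicit ones
    $_.Access | ? { -not $_.IsInherited } | Select @{n="Path";e={$fullpath}},AccessControlType,FileSystemRights,IdentityReference
} | Export-CSV permission-report.csv -notype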

0
 
LVL 2

Author Comment

by:detox1978
ID: 40548569
I'm looking to get list of NTFS users/groups for all files and folders for a given path e.g. d:\data

If possible (I don't mind doing it in Excel), I would only want to list the explicit access.  So ignore inherited.
0
 
LVL 2

Author Comment

by:detox1978
ID: 40548577
On second thoughts, I don't need the files' ACL.

Any idea how to only get explicit ACL for folders?
0
 
LVL 36

Assisted Solution

by:Mahesh
Mahesh earned 166 total points
ID: 40548581
Subinacl actually reports all NTFS permissions to a text file with audit, owners excluding inheritance
Check 1st comment

OR
Try NTFS permissions reporter free version
http://www.cjwdev.com/Software/NtfsReports/Info.html
Free edition will give report to html format
0
 
LVL 2

Author Comment

by:detox1978
ID: 40548633
Mahesh, did you just google cjwdev.com, or have you used the application before?
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 40548669
You could have already googled it.
I have used the tool previously; it works nicely
0
 
LVL 2

Author Comment

by:detox1978
ID: 40549124
The reason I ask is the website doesn't fill me with confidence.
0
 
LVL 40

Expert Comment

by:footech
ID: 40549229
Did you try the script I posted?  It appears to be exactly what you asked for.

Regarding cjwdev.com - I often see his tools recommended by a number of the top participating experts here, and as such I would trust the tools.  However, I haven't had a need to use any of the tools personally.
0
 
LVL 2

Author Comment

by:detox1978
ID: 40549560
It doesn't highlight inheritance
0
 
LVL 6

Assisted Solution

by:Kiran Ch
Kiran Ch earned 166 total points
ID: 40549715
It is not highlighting inheritance because it is filtering out the folders which have inheritance and it will only give the ones which are not inherited.
Anyhow, you can also take a look at this; it has a last column for inheritance: http://poshcode.org/1721
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 40549780
The NTFS permissions reporter tool has option to show \ hide inherited permissions during export \ output
0
 
LVL 40

Expert Comment

by:footech
ID: 40549986
Just wanted to clarify that it doesn't filter out the folders with inheritance, just the permissions on a folder which are inherited.
0
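
Added example, not part of any participant's post: a folder-only ACL report that keeps an IsInherited column for every ACE and also flags folders where inheritance has been disabled, so the inheritance state stays visible instead of being filtered away. It assumes PowerShell 3.0 or later and is saved as a script; the parameter names, the default root D:\data, the output file name and the -ExplicitOnly switch are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Parameter names and defaults are assumptions.
param(
    [string]$Root    = 'D:\data',
    [string]$OutFile = 'permission-report.csv',
    [switch]$ExplicitOnly      # report only ACEs set directly on the folder
)

# Root folder plus every subfolder (hidden ones included). Folders that cannot
# be enumerated are collected in $skipped instead of vanishing from the audit.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force `
                 -ErrorAction SilentlyContinue -ErrorVariable skipped)

$report = foreach ($folder in $folders) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL: $($folder.FullName)"
        continue
    }
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Path                = $folder.FullName
            Owner               = $acl.Owner
            # True when the folder no longer inherits ACEs from its parent
            InheritanceDisabled = $acl.AreAccessRulesProtected
            IdentityReference   = $ace.IdentityReference
            AccessControlType   = $ace.AccessControlType
            FileSystemRights    = $ace.FileSystemRights
            # False = explicit ACE set on this folder, True = inherited ACE
            IsInherited         = $ace.IsInherited
            # Whether the ACE applies to subfolders and/or files
            InheritanceFlags    = $ace.InheritanceFlags
        }
    }
}

if ($ExplicitOnly) {
    $report = $report | Where-Object { -not $_.IsInherited }
}
$report | Export-Csv -Path $OutFile -NoTypeInformation

# Paths that could not be enumerated are gaps in the audit, so list them.
$skipped | ForEach-Object { Write-Warning "Skipped: $($_.TargetObject)" }
```

Without -ExplicitOnly the CSV can be filtered on the IsInherited column in Excel; rows with InheritanceDisabled set to True mark the folders whose permissions have diverged from the parent.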
 
LVL 2

Author Comment

by:detox1978
ID: 40550125
Ok I will check it again
0
