Scan servers for all shares and list permissions

I need a way to scan every server that is in a "servers.txt" file.
It would scan to see what shares are listed on the server, and list the share/NTFS permissions
It would save a new file per servername...


So servers.txt would have server1 server2 server3 etc.

So it would scan each server, then create a file named server1_shares.txt
that lists all share/NTFS permissions (group or individual) and exports them into its own file.

Same for each server in servers.txt.

Then make it so it can be imported into Excel, for sorting, filtering, etc.
Indyrb Asked:

Indyrb (Author) Commented:
maybe even ping the server first to see if it's reachable and if it is, scan, and if not, report its error.
0
ste5an (Senior Developer) Commented:
Either you use PowerShell or AccessEnum.
0

Indyrb (Author) Commented:
can you give me an example?
0
footech Commented:
Here's a post that does the share permissions - Q_28391796
You would need to change line 62 to get a .CSV file.
Export-CSV shareinfo-$server.csv -notype
The header and body variables could also be removed as those are specific for generating the HTML.

But for NTFS permissions I think you would have to create a separate .CSV file, as that info wouldn't merge into a .CSV that lists share permissions (the columns/data involved are different).
0
Indyrb (Author) Commented:
In the post you mentioned there were two parts...

Original
========================
 Get-Content servers.txt |
      ForEach-Object{
          # call script file and pass variable $_ which is current line of file
          c:\folder\filename.ps1 -server $_
      }

 ========================
Function Get-SharePermissions($ShareName){
    $Share = Get-WmiObject win32_LogicalShareSecuritySetting -Filter "name='$ShareName'"
    if($Share){
        $obj = @()
        $ACLS = $Share.GetSecurityDescriptor().Descriptor.DACL
        foreach($ACL in $ACLS){
            $User = $ACL.Trustee.Name
            if(!($user)){$user = $ACL.Trustee.SID}
            $Domain = $ACL.Trustee.Domain
            switch($ACL.AccessMask)
            {
                2032127 {$Perm = "Full Control"}
                1245631 {$Perm = "Change"}
                1179817 {$Perm = "Read"}
            }
            $obj = $obj + "$Domain\$user  $Perm<br>"
        }
    }
    if(!($Share)){$obj = " ERROR: cannot enumerate share permissions. "}
    Return $obj
} # End Get-SharePermissions Function

Function Get-NTFSOwner($Path){
    $ACL = Get-Acl -Path $Path
    $a = $ACL.Owner.ToString()
    Return $a
} # End Get-NTFSOwner Function

Function Get-NTFSPerms($Path){
    $ACL = Get-Acl -Path $Path
    $obj = @()
    foreach($a in $ACL.Access){
        $aA = $a.FileSystemRights
        $aB = $a.AccessControlType
        $aC = $a.IdentityReference
        $aD = $a.IsInherited
        $aE = $a.InheritanceFlags
        $aF = $a.PropagationFlags
        $obj = $obj + "$aC | $aB | $aA | $aD | $aE | $aF <br>"
    }
    Return $obj
} # End Get-NTFSPerms Function

Function Get-AllShares{
    $a = Get-WmiObject win32_share -Filter "type=0"
    Return $a
} # End Get-AllShares Function

# Create Webpage Header
$z = "<!DOCTYPE html PUBLIC `"-//W3C//DTD XHTML 1.0 Strict//EN`"  `"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd`">"
$z = $z + "<html xmlns=`"http://www.w3.org/1999/xhtml`">"
# Append to $z (a plain assignment here would discard the DOCTYPE and <html> lines above)
$z = $z + "<head><style>"
$z = $z + "TABLE{border-width: 2px;border-style: solid;border-color: black;border-collapse: collapse;}"
$z = $z + "TH{border-width: 2px;padding: 4px;border-style: solid;border-color: black;background-color:lightblue;text-align:left;font-size:14px}"
$z = $z + "TD{border-width: 1px;padding: 4px;border-style: solid;border-color: black;font-size:12px}"
$z = $z + "</style></head><body>"
$z = $z + "<H4>File Share Report for $env:COMPUTERNAME</H4>"
$z = $z + "<table><colgroup><col/><col/><col/><col/><col/><col/></colgroup>"
$z = $z + "<tr><th>ShareName</th><th>Location</th><th>NTFSPermissions<br>IdentityReference|AccessControlType|FileSystemRights|IsInherited|InheritanceFlags|PropagationFlags</th><th>NTFSOwner</th><th>SharePermissions</th><th>ShareDescription</th></tr>"

$MainShares = Get-AllShares
Foreach($MainShare in $MainShares){
    $MainShareName = $MainShare.Name
    $MainLocation = $MainShare.Path
    $MainNTFSPermissions = Get-NTFSPerms -Path $MainLocation
    $MainNTFSOwner = Get-NTFSOwner -Path $MainLocation
    $MainSharePermissions = Get-SharePermissions -ShareName $MainShareName
    $MainShareDescription = $MainShare.Description
    
    $z = $z + "<tr><td>$MainShareName</td><td>$MainLocation</td><td>$MainNTFSPermissions</td><td>$MainNTFSOwner</td><td>$MainSharePermissions</td><td>$MainShareDescription</td></tr>"
}
$z = $z + "</table></body></html>"
$OutFileName = $env:COMPUTERNAME + "ShareReport.html"
Out-File -FilePath .\$OutFileName -InputObject $z -Encoding ASCII
$OutFileItem = Get-Item -Path .\$OutFileName
Write-Host " Report available here: $OutFileItem" -Foregroundcolor Yellow
Exit



Then what you advised
$typehash = @{
    0 = "Allow"
    1 = "Deny"
    }

$permhash = @{
    1179817 = "Read"
    1245631 = "Change"
    2032127 = "Full Control"
    }

# Create Webpage Header
$head = @"
<style>
TABLE{border-width: 2px;border-style: solid;border-color: black;border-collapse: collapse;}
TH{border-width: 2px;padding: 4px;border-style: solid;border-color: black;background-color:lightblue;text-align:left;font-size:14px}
TD{border-width: 1px;padding: 4px;border-style: solid;border-color: black;font-size:12px}
</style>
"@

$body = @"
<H4>File Share Report for $server</H4>
"@

$servers = Get-Content serverlist.txt

@(foreach ($server in $servers)
{
    $shareInfo = @(Get-WmiObject Win32_Share -ComputerName $server -filter "type = 0" | Select Name,Path)
    @(foreach ($share in $shareInfo)
    {
        $shareACL = (Get-WmiObject Win32_LogicalShareSecuritySetting -ComputerName $server -filter "name = '$($share.name)'").GetSecurityDescriptor().Descriptor.DACL
        $shareACL | ForEach `
        {
            $user = If ($_.Trustee.Domain)
                    { $_.Trustee.Domain, $_.Trustee.Name -join "\" }
                    Else
                    { $_.Trustee.Name }
            $type = switch ($_.AceType)
                    {
                        0 { $typehash[0]; break }
                        1 { $typehash[1]; break}
                    }
            $perm = switch ($_.AccessMask)
                    {
                        1179817 { $permhash[1179817]; break }
                        1245631 { $permhash[1245631]; break }
                        2032127 { $permhash[2032127]; break }
                    }
            New-Object PsObject -Property @{
                    Server = $server
                    ShareName = $share.name
                    Path = $share.path
                    UserOrGroup = $user
                    Type = $type
                    Permission = $perm
                    }
        }
    }) | Sort Server,ShareName,UserOrGroup |
     Select ShareName,Path,UserOrGroup,Type,Permission |
     ConvertTo-Html -Head $head -Body $body | Out-File shareinfo-$server.html -Encoding ascii
})



Is the one you put, the only thing I need, even if I kept as HTML
or is it a piece of first original and piece of yours..

Can you list the entire code please
0
footech Commented:
The link should take you directly to my post in the other question.  That's the one I was referring to.  Also, in my post above I meant the change should be made to line 61 (not 62).
0
Indyrb (Author) Commented:
So all I need is your code...

I am confused.. So ignore what the other guy wrote and just say yours as a ps1 and run against servers.txt
0
Indyrb (Author) Commented:
serverlist.txt
0
footech Commented:
Yes.
0
Indyrb (Author) Commented:
Getting error:

Get-WmiObject : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

At F:\share.ps1:29 char:33
+     $shareInfo = @(Get-WmiObject <<<<  Win32_Share -ComputerName $server -filter "type = 0" | Select Name,Path)
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], COMException
    + FullyQualifiedErrorId : GetWMICOMException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
0
Indyrb (Author) Commented:
I verified ping.
enter in FQDN

Also I am able to run other batch scripts against servers, same and get output..

So I know they are online
0
footech Commented:
Make sure that the remote server's firewall is allowing WMI traffic.
0
Indyrb (Author) Commented:
can you use a combo of psexec and ps1?
0
Indyrb (Author) Commented:
so if I wanted to export to excel which line and can we only list groups or users with authenticated users either on share or ntfs. effective permissions
and exclude those that only have list and traverse
0
Indyrb (Author) Commented:
Thx in advance for your help
0
footech Commented:
RE: psexec - maybe, I've never tried.  At the least you would have to make the script save to a file on the remote server rather than piping it back to your local machine, or maybe you could get it to save to a UNC path.  But I can't test all of that out for you.

I already answered the question about Excel - use the Export-Csv command.
I'm not sure I understand your last question.  First get the script to run for you so you can see its output.  But it doesn't do NTFS permissions, only share permissions.  For getting NTFS permissions in a format you need I think you would be better served to open another question, or try searching through previous questions here or the MS Script Repository.
0
Indyrb (Author) Commented:
I am having a rough time due to firewall or WMI

how do I run locally without server list and export to excel using original code that grabs ntfs and share and filter authenticated users
0
footech Commented:
Try just putting "localhost" in the serverlist.txt file.
0
Indyrb (Author) Commented:
but I need it to do both share and ntfs like above - but instead of html it needs excel. I tried adding your code instead of the html part but it errors. in addition I need to only list authenticated users
0
footech Commented:
I'll try to make this easy for you.
$typehash = @{
    0 = "Allow"
    1 = "Deny"
    }

$permhash = @{
    1179817 = "Read"
    1245631 = "Change"
    2032127 = "Full Control"
    }

$servers = Get-Content serverlist.txt

@(foreach ($server in $servers)
{
    $shareInfo = @(Get-WmiObject Win32_Share -ComputerName $server -filter "type = 0" | Select Name,Path)
    @(foreach ($share in $shareInfo)
    {
        $shareACL = (Get-WmiObject Win32_LogicalShareSecuritySetting -ComputerName $server -filter "name = '$($share.name)'").GetSecurityDescriptor().Descriptor.DACL
        $shareACL | ForEach `
        {
            $user = If ($_.Trustee.Domain)
                    { $_.Trustee.Domain, $_.Trustee.Name -join "\" }
                    Else
                    { $_.Trustee.Name }
            $type = switch ($_.AceType)
                    {
                        0 { $typehash[0]; break }
                        1 { $typehash[1]; break}
                    }
            $perm = switch ($_.AccessMask)
                    {
                        1179817 { $permhash[1179817]; break }
                        1245631 { $permhash[1245631]; break }
                        2032127 { $permhash[2032127]; break }
                    }
            New-Object PsObject -Property @{
                    Server = $server
                    ShareName = $share.name
                    Path = $share.path
                    UserOrGroup = $user
                    Type = $type
                    Permission = $perm
                    }
        }
    }) | Sort Server,ShareName,UserOrGroup |
     Select ShareName,Path,UserOrGroup,Type,Permission |
     Export-CSV shareinfo-$server.csv -notype
})



As I've mentioned, I don't have anything for the NTFS part.
0
Indyrb (Author) Commented:
I appreciate it, but I need more the ntfs permissions than share... and if they could be enumerated together that would be awesome.. the above looks great... just need ntfs too. -- Ideas? thoughts? at minimum just need NTFS
0
NVIT Commented:
Here's one for listing ntfs permissions:
Adjust $RootPath and $OutFile accordingly.

$RootPath = "\\server\share" # Insert your share path
$OutFile = "C:\temp\Permissions1.csv" # Insert folder path where you want to save your file and its name

$Header = "Folder Path,IdentityReference,AccessControlType,IsInherited,InheritanceFlags,PropagationFlags"
$FileExist = Test-Path $OutFile 
If ($FileExist -eq $True) {Del $OutFile} 
Add-Content -Value $Header -Path $OutFile 


$Folders = dir $RootPath -recurse | where {$_.psiscontainer -eq $true}

foreach ($Folder in $Folders){
	$ACLs = get-acl $Folder.fullname | ForEach-Object { $_.Access  }
	Foreach ($ACL in $ACLs){
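	# Quote every field: values such as "ContainerInherit, ObjectInherit" contain a comma and would shift the CSV columns
	$OutInfo = '"' + $Folder.Fullname + '","' + $ACL.IdentityReference  + '","' + $ACL.AccessControlType + '","' + $ACL.IsInherited + '","' + $ACL.InheritanceFlags + '","' + $ACL.PropagationFlags + '"'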
	Add-Content -Value $OutInfo -Path $OutFile 
	}} 


0
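The combined report the question asks for (reachability check, share permissions and NTFS permissions in one CSV per server), as an added example that is not code from any poster in this thread. It assumes Windows PowerShell (where Get-WmiObject is available), a serverlist.txt in the current directory, and administrative rights on the targets; the New-Row helper, the column names, the Scope column and the output file name are hypothetical, and the NTFS ACL is read only for each share's root folder through its UNC path.

```powershell
# Added example: one CSV per server, share-level and NTFS ACEs in the same columns.
# Assumptions: Windows PowerShell, serverlist.txt in the current directory,
# admin rights on the targets, WMI/RPC and SMB allowed through their firewalls.
function New-Row($Server, $Share, $Path, $Scope, $Identity, $Type, $Rights, $Inherited) {
    New-Object PSObject -Property @{ Server = $Server; ShareName = $Share; Path = $Path
        Scope = $Scope; Identity = $Identity; Type = $Type; Rights = $Rights; IsInherited = $Inherited }
}
$columns = 'Server','ShareName','Path','Scope','Identity','Type','Rights','IsInherited'

foreach ($server in Get-Content serverlist.txt) {
    $rows = @()
    if (-not (Test-Connection -ComputerName $server -Count 1 -Quiet)) {
        # Unreachable hosts still get a file, so a missing report is never read as "no shares"
        $rows += New-Row $server '' '' 'ERROR' '' '' 'No ping reply' ''
    } else {
        try {
            $shares = @(Get-WmiObject Win32_Share -ComputerName $server -Filter 'type = 0' -ErrorAction Stop)
            foreach ($share in $shares) {
                $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -ComputerName $server -Filter "name = '$($share.Name)'"
                if ($sec) {
                    foreach ($ace in $sec.GetSecurityDescriptor().Descriptor.DACL) {
                        $t = $ace.Trustee
                        $who = if ($t.Domain) { "$($t.Domain)\$($t.Name)" } elseif ($t.Name) { $t.Name } else { $t.SIDString }
                        $type = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { "AceType $_" } }
                        $rights = switch ($ace.AccessMask) {
                            1179817 { 'Read' } 1245631 { 'Change' } 2032127 { 'Full Control' }
                            default { "Special (mask $_)" }   # keep non-standard masks visible
                        }
                        $rows += New-Row $server $share.Name $share.Path 'Share' $who $type $rights ''
                    }
                } else { $rows += New-Row $server $share.Name $share.Path 'ERROR' '' '' 'Share ACL not readable' '' }
                # NTFS ACL of the share root, read through the share's UNC path
                try {
                    foreach ($ace in (Get-Acl -Path "\\$server\$($share.Name)" -ErrorAction Stop).Access) {
                        $rows += New-Row $server $share.Name $share.Path 'NTFS' $ace.IdentityReference `
                            $ace.AccessControlType $ace.FileSystemRights $ace.IsInherited
                    }
                } catch {
                    $rows += New-Row $server $share.Name $share.Path 'ERROR' '' '' "NTFS: $($_.Exception.Message)" ''
                }
            }
        } catch {
            # e.g. "The RPC server is unavailable" when WMI is blocked although ping succeeds
            $rows += New-Row $server '' '' 'ERROR' '' '' "WMI: $($_.Exception.Message)" ''
        }
    }
    $rows | Select-Object $columns | Export-Csv "$($server)_shares.csv" -NoTypeInformation
}
```

In Excel, filtering the Identity column (for example on Authenticated Users) and the Scope column gives the per-principal view asked about above; a host that blocks ICMP is reported as unreachable even if WMI would have answered.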
Microsoft Server OS

Question has a verified solution.