How to create a report of Microsoft Active Directory user rights on shares

Hi, I have an Active Directory domain with some shares.
I need to know in one shot where a user has some folder rights and which kind of rights.
He is a domain user on AD Windows 2012.
Please ask me for details, sorry for my English.
Really thanks
M
Mattia Minervini Asked:

Will Szymkowski, Senior Solution Architect, Commented:
I would recommend using SolarWinds Permission Analyzer. It's a great free utility for getting file permissions for users.

SolarWinds Permission Analyzer
http://www.solarwinds.com/products/freetools/permissions_analyzer_for_active_directory/

Will.
0

Guy Lidbetter Commented:
Hi nanoweb,

If you have a list of shares, I recently wrote a script that can generate a report of permissions for all users and also expands the groups so you can see memberships as well.
Just list the shares in a CSV file with a column called "folders"...

Give it a go and let me know if it works for you...

regards

Guy

#########################################################
#
# Shared Path ACL Report, including group membership
# Author: Guy Lidbetter
# Date: 02/06/2015
# Version 2
#
#########################################################

#Version Notes
###############################
#
# 1.0 Created report that listed Path, User Identity and Permission 
#     
# 2.0 Added Group Enumeration as well as intelligent handling of various group membership (i.e. System Account, Deleted users and Sec Group Members)
#
###############################

#Initial Variable Declaration
Import-Module ActiveDirectory	#Provides Get-ADObject and Get-ADGroupMember
$error.clear()
$ShareFolders = Import-Csv c:\folder\Shares.csv
$FinalReport = @()
$SystemAccounts = "NT AUTHORITY\SYSTEM", "CREATOR OWNER", "BUILTIN\Administrators", "BUILTIN\Users"

#Parse list of shares in provided CSV file
Foreach ($SendFolder in $ShareFolders) {
	$path = $SendFolder.Folders
	
	#Validate Share path as active
	$PathExist = $false	#Reset so a failure cannot reuse the previous share's result
	Try {
		$PathExist = Test-Path $Path -ErrorAction stop
	}
	Catch [System.Management.Automation.ActionPreferenceStopException] {
		Write-Host "Insufficient Rights - Access Denied" -Foregroundcolor Red
		$AclUser = New-Object PSObject -Property @{
			Path = $Path
			User = "Insufficient rights to determine"
			Rights = "Insufficient rights to determine"
			Object = ""
			Members = ""
			Domain = ""
		}
		$FinalReport += $AclUser
		Continue	#Already reported; skip the "does not exist" branch below
	}
	
	#If Path is active retrieve required information
	IF ($PathExist) {
		Write-host $Path -Foregroundcolor Blue
		$acl = Get-Acl $path
 		#Gathering each objects particular details
		foreach($accessRule in $acl.Access) {
			Write-Host  $path $accessRule.IdentityReference $accessRule.FileSystemRights
			#Gather Objects domain attributes
			$AclObj = $accessRule.IdentityReference.value
			$ObjDomain = $AclObj.Split('\')[0]
			$ObjSam = $AclObj.Split('\')[1]
			
			#Identify type of object and assign attributes to be reported on
			IF ($SystemAccounts -contains $AclObj) {
				Write-Host $AclObj "is a System Account" -Foregroundcolor Cyan
				$ObjValue = "System Account"
				$ObjMembers = ""
			}
			ELSEIF ($AclObj -like "*Domain Users") {
				Write-Host $AclObj "All Users in" $AclObj.Split('\')[0] "Domain" -Foregroundcolor Cyan
				$ObjValue = "All Users in " + $AclObj.Split('\')[0] + " Domain"
				$ObjMembers = "EVERYONE in " + $AclObj.Split('\')[0] + " Domain"
			}
			ELSEIF ($AclObj -like "*Domain Admins") {
				Write-Host $AclObj "Domain Admins in" $AclObj.Split('\')[0] "Domain" -Foregroundcolor Cyan
				$ObjValue = "Domain Admins in " + $AclObj.Split('\')[0] + " Domain"
				$ObjMembers = "Domain Admins in " + $AclObj.Split('\')[0] + " Domain"
			}
			#Find Object Class (User\Group) and get attributes (Group Members if group) needed for report
			ELSE {
				#Look up a domain controller only for real domain objects (not NT AUTHORITY, BUILTIN, etc.)
				$ObjDomainDC = (netdom query /d:$ObjDomain dc)[2]
				$ObjClass = (Get-ADObject -filter {SamAccountName -eq $ObjSam} -Server $ObjDomainDC).ObjectClass
				IF ($ObjClass -eq "user") {
					Write-Host $AclObj "is a User in" $ObjDomain "Domain" -Foregroundcolor Cyan
					$ObjValue = "User"
					$ObjMembers = ""
				}
				ELSEIF ($ObjClass -eq "group") {
					Write-Host $AclObj "is a Security Group in" $ObjDomain "Domain" -Foregroundcolor Cyan
					$ObjValue = "Group"
					#Direct members only; nested groups are listed by name, not expanded
					$ObjUserList = (Get-ADGroupMember $ObjSam -Server $ObjDomainDC).Name
					[String]$ObjMembers = $ObjUserList -join ","
				}
				ELSE {
					Write-Host "Unknown Object of Class" $ObjClass -Foregroundcolor Red
					$ObjValue = "Unknown Object of Class " + $ObjClass
					$ObjMembers = ""
				}
			}
			#Assign all object attributes retrieved to Report Variable
			$AclUser = New-Object PSObject -Property @{
				Path = $Path
				Domain = $ObjDomain
				User = $ObjSam
				Rights = $accessRule.FileSystemRights
				Object = $ObjValue
				Members = $ObjMembers
				}
		
			$FinalReport += $AclUser
		}	
	}
	ELSE {
		Write-Host "$Path does not exist" -foregroundcolor Yellow
		$AclUser = New-Object PSObject -Property @{
			Path = $Path
			User = "Path Does Not Exist"
			Rights = ""
			Object = ""
			Members = ""
			Domain = ""
		}
		$FinalReport += $AclUser	
	}
}


$FinalReport | Select-Object Path, Domain, User, Rights, Object, Members | Export-Csv Final_ACL_Report.csv -NoTypeInformation
$error | out-file error.log


0
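
To answer the original question for one user directly, the following added example (not part of Guy Lidbetter's script) lists only the ACL entries that apply to a given account, including grants reached through nested groups, which the script's Get-ADGroupMember call does not expand. The function name Get-UserShareRights, the account jdoe and the output file name are hypothetical, and a single-domain environment is assumed.

```powershell
# Added example, not part of the original answer. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-UserShareRights {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # user to report on
        [Parameter(Mandatory)][string[]]$Path            # folders or UNC paths to check
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup

    # Collect every SID that applies to the user: the user itself, the primary group,
    # and all groups reached through nesting (LDAP_MATCHING_RULE_IN_CHAIN).
    # Assumes the DNs contain no LDAP filter special characters such as ( ) * \
    $sids = @{}
    $sids[$user.SID.Value] = $user.SamAccountName
    $dns = $user.DistinguishedName, $user.PrimaryGroup
    $filter = '(|' + (($dns | ForEach-Object { "(member:1.2.840.113556.1.4.1941:=$_)" }) -join '') + ')'
    $groups = @(Get-ADGroup -LDAPFilter $filter) + @(Get-ADGroup -Identity $user.PrimaryGroup)
    foreach ($g in $groups) { $sids[$g.SID.Value] = $g.SamAccountName }
    # Well-known SIDs that every authenticated domain user carries in its token.
    $sids['S-1-1-0']  = 'Everyone'
    $sids['S-1-5-11'] = 'Authenticated Users'

    foreach ($p in $Path) {
        try   { $acl = Get-Acl -LiteralPath $p -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL of ${p}: $($_.Exception.Message)"; continue }

        # Request the rules keyed by SID so orphaned or renamed accounts cannot break the match.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($sids.ContainsKey($sid)) {
                [PSCustomObject]@{
                    Path      = $p
                    GrantedTo = $sids[$sid]
                    Type      = $rule.AccessControlType   # Allow or Deny
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Constructed sample call: 'jdoe' is a placeholder; Shares.csv is the file the script above reads.
$shares = (Import-Csv c:\folder\Shares.csv).Folders
Get-UserShareRights -SamAccountName 'jdoe' -Path $shares |
    Export-Csv User_ACL_Report.csv -NoTypeInformation
```

Get-Acl reads NTFS permissions only; share-level permissions are set separately, and the more restrictive of the two applies when the folder is reached over the network.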
Mattia Minervini Author Commented:
Fast and functional solution. Thanks
0