
Need some help in producing a PowerShell script to compare directory ICACLS and net share results?

Last Modified: 2017-04-26
I had this question after viewing "SYSVOL folder permission security best practice?".

Hi All,

I'd like to know if anyone here can assist with PowerShell to show the differences between the reference server and the other servers in the list?

$Results = @()
$Domain_Controllers = Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
$Domain_Controllers | ForEach-Object {
    $ServerName = $($_.DNSHostName)
    Write-Host "Processing $($_.DNSHostName) "
    $StartPath = "\\$($_.DNSHostName)\Sysvol\"
    Write-Host " Start Path: $StartPath "
    $DC_SysVol_Paths = Get-ChildItem -LiteralPath $StartPath -Recurse | Where-Object { $_.PSIsContainer }
    .....
    # Script Goes Here
    net share SYSVOL
    icacls C:\Windows\SYSVOL\sysvol
    icacls C:\Windows\SYSVOL\sysvol\MyDomain.com\scripts
    .....
}
$Results | Export-Csv -Path C:\TEMP\Result_ACLs.csv -NoTypeInformation


My goal is to take the result from one server, let's say PRODDC11-VM, which was recently built:

##############################################################################################
PS C:\> net share SYSVOL
Share name        SYSVOL
Path              C:\Windows\SYSVOL\sysvol
Remark            Logon server share
Maximum users     No limit
Users
Caching           Manual caching of documents
Permission        Everyone, READ
                  BUILTIN\Administrators, FULL
                  NT AUTHORITY\Authenticated Users, FULL

The command completed successfully.
##############################################################################################
PS C:\> icacls C:\Windows\SYSVOL\sysvol
C:\Windows\SYSVOL\sysvol NT AUTHORITY\Authenticated Users:(RX)
                         NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
                         BUILTIN\Server Operators:(RX)
                         BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
                         BUILTIN\Administrators:(RX,W,WDAC,WO)
                         BUILTIN\Administrators:(OI)(CI)(IO)(WDAC,WO,GR,GW,GE)
                         NT AUTHORITY\SYSTEM:(F)
                         NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                         BUILTIN\Administrators:(RX,W,WDAC,WO)
                         CREATOR OWNER:(OI)(CI)(IO)(WDAC,WO,GR,GW,GE)

Successfully processed 1 files; Failed processing 0 files
##############################################################################################
PS C:\> icacls C:\Windows\SYSVOL\sysvol\MyDomain.com\scripts
C:\Windows\SYSVOL\sysvol\MyDomain.com.au\scripts CREATOR OWNER:(OI)(CI)(IO)(F)
                                               NT AUTHORITY\Authenticated Users:(OI)(CI)(F)
                                               NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                               BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                               BUILTIN\Administrators:(RX,W,WDAC,WO)
                                               BUILTIN\Server Operators:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
##############################################################################################

and then compare it with the other servers and show me what the differences are from the PRODDC11-VM reference server.

Thanks.

Chris Dent (PowerShell Developer, Top Expert 2010) commented:
[solution locked on the original page]

McKnife (Distinguished Expert 2019) commented:
[solution locked on the original page]
Senior IT System Engineer (Author) commented:
@McKnife, the reference server was newly built last week, while the other 20 Domain Controllers have been around for 4-5 years.
McKnife (Distinguished Expert 2019) commented:
Oh really? Why do you mention their age? Do you fear that a permission reset would break things?
Senior IT System Engineer (Author) commented:
@Chris,

This is the single script that I normally use for a single file server's directory permissions:

# Enumerate every folder under SYSVOL, read its ACL and emit one row per
# explicit (non-inherited) ACE, then save the rows as CSV.
Get-ChildItem "C:\Windows\SYSVOL\sysvol" -Recurse | Where-Object { $_.PSIsContainer } |
Get-Acl | ForEach-Object {
    # Strip the provider prefix that Get-Acl puts in front of the path
    $path = $_.Path.Replace("Microsoft.PowerShell.Core\FileSystem::", "")
    $_.Access | ForEach-Object {
        New-Object PSObject -Property @{
            Folder      = $path
            Access      = $_.FileSystemRights
            Control     = $_.AccessControlType
            User        = $_.IdentityReference
            Inheritance = $_.IsInherited
        }
    }
} | Where-Object { -not $_.Inheritance } | Export-Csv C:\TEMP\Result.csv -NoTypeInformation


How can the script above be customized to include the other domain controllers in the AD domain?
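One way to do what this post and the original question both ask, that is, read the explicit NTFS ACEs of every folder under each DC's SYSVOL share and diff them against the PRODDC11-VM reference. This is an added example, not code from the thread or from either expert's answer. It assumes PowerShell 3.0 or later on the admin host, the ActiveDirectory module, and read access to \\<dc>\SYSVOL on every DC; the function name Get-SysvolExplicitAces and the output path C:\TEMP\Sysvol_ACL_Diff.csv are my own choices.

```powershell
# Added example (not from the original question): collect the explicit (non-inherited)
# NTFS ACEs of every folder under \\<dc>\SYSVOL and diff each DC against a reference DC.
# Assumptions: PowerShell 3.0+ on the admin host, the ActiveDirectory module, and read
# access to the SYSVOL share on every DC.
param(
    [string]$ReferenceServer = 'PRODDC11-VM',                 # assumption: name taken from the question
    [string]$OutFile         = 'C:\TEMP\Sysvol_ACL_Diff.csv'  # assumption: output location
)
Import-Module ActiveDirectory

function Get-SysvolExplicitAces {
    # One object per explicit ACE, keyed by share-relative folder so that entries
    # from different servers line up when compared.
    param([string]$Server)
    $root    = "\\$Server\SYSVOL"
    $folders = @(Get-Item -LiteralPath $root -ErrorAction Stop) +
               @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction Stop | Where-Object { $_.PSIsContainer })
    foreach ($folder in $folders) {
        $acl      = Get-Acl -LiteralPath $folder.FullName
        $relative = $folder.FullName.Substring($root.Length).TrimStart('\')
        if (-not $relative) { $relative = '<share root>' }
        foreach ($ace in $acl.Access) {
            # Inherited ACEs are derived from a parent folder that is recorded anyway.
            if ($ace.IsInherited) { continue }
            # Identity, allow/deny, rights and inheritance flags in one string: the diff key.
            $parts = $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights,
                     $ace.InheritanceFlags, $ace.PropagationFlags
            [pscustomobject]@{
                Server = $Server
                Folder = $relative
                Ace    = ($parts -join ' | ')
            }
        }
    }
}

$reference = @(Get-SysvolExplicitAces -Server $ReferenceServer)
Write-Host "Reference $ReferenceServer : $($reference.Count) explicit ACEs"

$findings = foreach ($dc in Get-ADDomainController -Filter *) {
    if ($dc.Name -eq $ReferenceServer -or $dc.HostName -eq $ReferenceServer) { continue }
    Write-Host "Processing $($dc.HostName)"
    try   { $current = @(Get-SysvolExplicitAces -Server $dc.HostName) }
    catch { Write-Warning "$($dc.HostName): $($_.Exception.Message)"; continue }
    # Folder + Ace is the comparison key; SideIndicator says which side has the entry.
    Compare-Object -ReferenceObject $reference -DifferenceObject $current -Property Folder, Ace |
        ForEach-Object {
            $finding = if ($_.SideIndicator -eq '<=') { 'Missing (reference has it)' } else { 'Extra (reference lacks it)' }
            [pscustomobject]@{ Server = $dc.HostName; Folder = $_.Folder; Ace = $_.Ace; Finding = $finding }
        }
}

$findings | Sort-Object Server, Folder, Ace | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "$(@($findings).Count) differences written to $OutFile"
```

Only explicit ACEs are compared because inherited entries are a function of the parent folder's ACL; diffing them would report the same root-level drift once per subfolder. Reading through the UNC share means no remoting is needed, but it also means the SYSVOL *share* permissions apply to the reader, so run it with an account that can read every folder on every DC.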
Senior IT System Engineer (Author) commented:
Oh really? Why do you mention their age? Do you fear that a permission reset would break things?

Yes, because some of them are still on 2008 R2 and also 2012. Someone had been tampering with it before I joined this company, so I need to set it all to standard.
McKnife (Distinguished Expert 2019) commented:
[solution locked on the original page]
Senior IT System Engineer (Author) commented:
OK, so in this case the reference server permissions below should or must be the same on all Domain Controllers, irrespective of what the OS is:

##############################################################################################
PS C:\> net share SYSVOL
Share name        SYSVOL
Path              C:\Windows\SYSVOL\sysvol
Remark            Logon server share
Maximum users     No limit
Users
Caching           Manual caching of documents
Permission        Everyone, READ
                  BUILTIN\Administrators, FULL
                  NT AUTHORITY\Authenticated Users, FULL

The command completed successfully.
#################################################################
PS C:\> icacls C:\Windows\SYSVOL\sysvol
C:\Windows\SYSVOL\sysvol NT AUTHORITY\Authenticated Users:(RX)
                         NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
                         BUILTIN\Server Operators:(RX)
                         BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
                         BUILTIN\Administrators:(RX,W,WDAC,WO)
                         BUILTIN\Administrators:(OI)(CI)(IO)(WDAC,WO,GR,GW,GE)
                         NT AUTHORITY\SYSTEM:(F)
                         NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                         BUILTIN\Administrators:(RX,W,WDAC,WO)
                         CREATOR OWNER:(OI)(CI)(IO)(WDAC,WO,GR,GW,GE)

Successfully processed 1 files; Failed processing 0 files
#################################################################
PS C:\> icacls C:\Windows\SYSVOL\sysvol\MyDomain.com\scripts
C:\Windows\SYSVOL\sysvol\MyDomain.com.au\scripts CREATOR OWNER:(OI)(CI)(IO)(F)
                                               NT AUTHORITY\Authenticated Users:(OI)(CI)(F)
                                               NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                               BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                               BUILTIN\Administrators:(RX,W,WDAC,WO)
                                               BUILTIN\Server Operators:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
#################################################################
McKnife (Distinguished Expert 2019) commented:
For the folders themselves, yes. For the Policies folder directly below SYSVOL, however, make sure not to let them inherit those permissions. That would be a new question, in case you ask "and how do I do that".
Senior IT System Engineer (Author) commented:
For the folders themselves, yes. For the Policies folder directly below SYSVOL, however, make sure not to let them inherit those permissions. That would be a new question, in case you ask "and how do I do that".

lol, no need McKnife ;-) I know how to prevent the inheritance from the SYSVOL folder and the below.
I will make sure to prevent any inheritance from the SYSVOL and scripts folder.
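The two remaining pieces of the author's check are the share permissions shown by `net share SYSVOL` (the reference output quoted a few posts up) and McKnife's point that the Policies folder must not inherit the SYSVOL root ACL. The added example below, which is not part of the thread or either expert's answer, parses `net share` output into permission entries, diffs each DC against the reference DC, and flags any DC whose Policies folder still inherits. It assumes WinRM access to each DC, the ActiveDirectory module and PowerShell 3.0 or later; the function names ConvertFrom-NetShareOutput, Compare-ShareAcl and Test-SysvolAgainstReference are my own, and the "drifted" sample at the end is constructed to exercise the parser offline.

```powershell
# Added example, not part of the original thread. Parses `net share SYSVOL` output into
# share ACEs, diffs it against a reference DC, and checks that the Policies folder does
# not inherit the SYSVOL root ACL. Assumptions: WinRM to each DC, ActiveDirectory module,
# PowerShell 3.0 or later.

function ConvertFrom-NetShareOutput {
    # Turns the text block `net share <name>` prints into a Path plus Permission entries.
    param([string[]]$Lines)
    $path = $null
    $perms = @()
    $inPermissions = $false
    foreach ($line in $Lines) {
        if ($line -match '^Path\s{2,}(.+)$')       { $path = $Matches[1].Trim(); continue }
        if ($line -match '^Permission\s{2,}(.+)$') { $inPermissions = $true; $perms += $Matches[1].Trim(); continue }
        if ($inPermissions) {
            # Continuation lines are indented; the first blank or non-indented line ends the list.
            if ($line -match '^\s+(\S.*)$') { $perms += $Matches[1].Trim() } else { $inPermissions = $false }
        }
    }
    [pscustomobject]@{ Path = $path; Permissions = $perms }
}

function Compare-ShareAcl {
    # One object per share permission entry that differs between reference and target.
    param([string]$Server, [string[]]$Reference, [string[]]$Current)
    Compare-Object -ReferenceObject $Reference -DifferenceObject $Current | ForEach-Object {
        $finding = if ($_.SideIndicator -eq '<=') { 'Missing on target' } else { 'Extra on target' }
        [pscustomobject]@{ Server = $Server; Entry = $_.InputObject; Finding = $finding }
    }
}

function Test-SysvolAgainstReference {
    # Live check: every DC except the reference, share ACL plus Policies inheritance.
    param([string]$ReferenceServer = 'PRODDC11-VM')   # assumption: name taken from the question
    Import-Module ActiveDirectory
    $domainDns = (Get-ADDomain).DNSRoot
    $refShare  = ConvertFrom-NetShareOutput (Invoke-Command -ComputerName $ReferenceServer -ScriptBlock { net share SYSVOL })
    foreach ($dc in Get-ADDomainController -Filter *) {
        if ($dc.Name -eq $ReferenceServer -or $dc.HostName -eq $ReferenceServer) { continue }
        try {
            $share = ConvertFrom-NetShareOutput (Invoke-Command -ComputerName $dc.HostName -ScriptBlock { net share SYSVOL })
        } catch { Write-Warning "$($dc.HostName): $($_.Exception.Message)"; continue }
        if ($share.Path -ne $refShare.Path) {
            [pscustomobject]@{ Server = $dc.HostName; Entry = "Path=$($share.Path)"; Finding = "Share path differs from reference ($($refShare.Path))" }
        }
        Compare-ShareAcl -Server $dc.HostName -Reference $refShare.Permissions -Current $share.Permissions
        # AreAccessRulesProtected is $true when inheritance is blocked, which Policies should be.
        $policies = "\\$($dc.HostName)\SYSVOL\$domainDns\Policies"
        if (-not (Get-Acl -LiteralPath $policies).AreAccessRulesProtected) {
            [pscustomobject]@{ Server = $dc.HostName; Entry = $policies; Finding = 'Policies folder inherits from SYSVOL root' }
        }
    }
}

# Offline check of the parser and the diff. The first sample is the reference output quoted
# in the question; the second is constructed to show a drifted share ACL.
$referenceText = @'
Share name        SYSVOL
Path              C:\Windows\SYSVOL\sysvol
Remark            Logon server share
Maximum users     No limit
Users
Caching           Manual caching of documents
Permission        Everyone, READ
                  BUILTIN\Administrators, FULL
                  NT AUTHORITY\Authenticated Users, FULL

The command completed successfully.
'@ -split "`r?`n"
$driftedText = @'
Share name        SYSVOL
Path              C:\Windows\SYSVOL\sysvol
Permission        Everyone, FULL
                  BUILTIN\Administrators, FULL

The command completed successfully.
'@ -split "`r?`n"
$ref = ConvertFrom-NetShareOutput $referenceText
$cur = ConvertFrom-NetShareOutput $driftedText
Compare-ShareAcl -Server 'SAMPLE-DC' -Reference $ref.Permissions -Current $cur.Permissions | Format-Table -AutoSize
```

`net share` is used rather than Get-SmbShareAccess because the thread mentions 2008 R2 DCs, where the SMB cmdlets and their CIM provider are not available; the text format is stable enough to parse with two anchored patterns. Run `Test-SysvolAgainstReference` against the live domain once the offline sample reports the expected missing and extra entries.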
Senior IT System Engineer (Author) commented:
Thanks!