PowerShell: Reporting NTFS Permissions of Windows File Shares

As I mentioned in my previous post, I am new to the PowerShell arena. I recently had a request to report the NTFS permissions on a Windows File Share and all its sub-directories. So I decided to see how I could get PowerShell to do this. After looking at multiple scripts and modifying them to suit my needs, I think I have a pretty decent solution to the request that was made.

SOLUTION

1) Copy the following code into a text editor and save the file as C:\PowerShell\GetAllACL.ps1


#Set variables
$path = Read-Host "Enter the path you wish to check"
$filename = Read-Host "Enter Output File Name"
$date = Get-Date

#Place Headers on out-put file
$list = "Permissions for directories in: $Path"
$list | format-table | Out-File "C:\Powershell\Results\$filename"
$datelist = "Report Run Time: $date"
$datelist | format-table | Out-File -append "C:\Powershell\Results\$filename"
$spacelist = " "
$spacelist | format-table | Out-File -append "C:\Powershell\Results\$filename"

#Populate Folders Array
[Array] $folders = Get-ChildItem -path $path -force -recurse | Where {$_.PSIsContainer}

#Process data in array
ForEach ($folder in [Array] $folders)
{
    #Convert Powershell Provider Folder Path to standard folder path
    $PSPath = (Convert-Path $folder.pspath)
    $list = ("Path: $PSPath")
    $list | format-table | Out-File -append "C:\Powershell\Results\$filename"

    Get-Acl -path $PSPath | Format-List -property AccessToString | Out-File -append "C:\Powershell\Results\$filename"

} #end ForEach

2) Open PowerShell
3) At the prompt, enter C:\PowerShell\GetAllACL.ps1
4) You will be prompted for the Path to the share or folder, enter as a UNC Path (\\server\share\folder)
5) You will next be prompted for the output file name. (Ex. share_folder_ACL.txt)
6) Check the output file for the results.

NOTES

Make sure C:\PowerShell\Results exists before running the script. Or if you modified the paths, make sure the directory structure is in place beforehand.

Make sure you follow the instructions in my first PowerShell post – PowerShell: Execution of Scripts is Disabled on This System
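
A variant of the script above that writes one row per access-control entry to CSV, includes the root folder itself, limits recursion depth, and records whether each entry is inherited. This is an added example, not the author's script; the function name Get-AclRecord, the -Depth default and the output file name are assumptions, and Get-ChildItem -Depth requires PowerShell 5.0 or later.

```powershell
# Added example (not the original script). Requires PowerShell 5.0+ for -Depth.
function Get-AclRecord {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Depth = 2   # assumed default: how many levels below $Path to walk
    )

    # Start with the root itself, which Get-ChildItem alone never returns.
    $walk = @{ LiteralPath = $Path; Directory = $true; Recurse = $true; Depth = $Depth
               Force = $true; ErrorAction = 'SilentlyContinue' }
    $folders = @(Get-Item -LiteralPath $Path -Force) + @(Get-ChildItem @walk)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        }
        catch {
            # Keep unreadable folders in the report instead of silently skipping them.
            [pscustomobject]@{
                Path = $folder.FullName; Owner = $null; Identity = 'ACL UNREADABLE'
                Rights = $_.Exception.Message; Type = $null
                IsInherited = $null; InheritanceDisabled = $null
            }
            continue
        }
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Path                = $folder.FullName
                Owner               = $acl.Owner
                Identity            = $ace.IdentityReference.Value
                Rights              = $ace.FileSystemRights
                Type                = $ace.AccessControlType
                IsInherited         = $ace.IsInherited
                InheritanceDisabled = $acl.AreAccessRulesProtected
            }
        }
    }
}

# C:\PowerShell is the folder the post already uses; substitute a UNC path such as \\server\share\folder.
$records = Get-AclRecord -Path 'C:\PowerShell' -Depth 2
$records | Export-Csv -Path 'C:\PowerShell\Results\share_folder_ACL.csv' -NoTypeInformation

# Entries that usually deserve a second look: explicit grants and broad principals
# (English principal names assumed).
$broad = '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users)$'
$records | Where-Object { $_.IsInherited -eq $false -or $_.Identity -match $broad } |
    Format-Table Path, Identity, Rights, IsInherited -AutoSize
```

The CSV opens directly in Excel for filtering, and the InheritanceDisabled column marks folders where inheritance from the parent has been switched off.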


32 Responses to PowerShell: Reporting NTFS Permissions of Windows File Shares

  1. Anonymous says:

    Sweet Script.
    Thank You .

  2. Brian Marofsky says:

    How could I get this to enumerate file perms as well. I tested it and only see perms for the folders.

    Thanks.

    • Brian says:

      Brian, I made some modifications to the script. The main change was to the Get-ChildItem parameters. It now no longer limits to containers (folders).

      Let me know if it does what you are after:

      #Set variables
      $path = Read-Host "Enter the path you wish to check"
      $filename = Read-Host "Enter Output File Name"
      $date = Get-Date

      #Place Headers on out-put file
      $list = "Permissions for directories in: $Path"
      $list | format-table | Out-File "C:\Powershell\Results\$filename"
      $datelist = "Report Run Time: $date"
      $datelist | format-table | Out-File -append "C:\Powershell\Results\$filename"
      $spacelist = " "
      $spacelist | format-table | Out-File -append "C:\Powershell\Results\$filename"

      #Populate Folders & Files Array
      [Array] $files = Get-ChildItem -path $path -force -recurse

      #Process data in array
      ForEach ($file in [Array] $files)
      {
      #Convert Powershell Provider Folder Path to standard folder path
      $PSPath = (Convert-Path $file.pspath)
      $list = ("Path: $PSPath")
      $list | format-table | Out-File -append "C:\Powershell\Results\$filename"

      Get-Acl -path $PSPath | Format-List -property AccessToString | Out-File -append "C:\Powershell\Results\$filename"

      } #end ForEach

      • dale novotniak says:

        How can I prompt for a single user, as I need to check an employee's access from time to time?

  3. Brian says:

    Brian,
    I’ve been working on a similar script but I’m trying to do something a little bit different. I only want it to record the folder and permissions if it has a domain group or domain users listed.

    Got any ideas?

    Thanks

    • Brian says:

      Brian,

      I imagine we can filter the results to only show permissions for domain groups and users. Let me see what I can find out for you. Thanks for reading and commenting!

  4. Dave says:

    Hey, I think this is great, and helped a newbie get started with permission auditing. I’m trying to do something a bit different and looking for some pointers. I’d like to run a report that reads a top level folder and writes the information out with a summary and exceptions rather than a full list of folders and security settings.

    For example,
    Results for:
    \\server\share\folder
    AccessToString: ….

    Total Sub-folder count:
    Matching folder count:
    Exception folder count:

    List of AccessToString exceptions…

    This would shrink the report to several pages for large audits by limiting the report to the summary and child folders with permissions that differ from the root folder.

    I hope I was clear enough with the above information,

    • Brian says:

      Hey Dave,

      Sorry for the delay in response, but I have been pretty tied up at work lately. I’ll see what I can come up with to provide the reporting you are looking for. I am no expert at PowerShell so it may take some time. If you find the solution in the meantime, let me know! Thanks for commenting. Hopefully my posts continue to be helpful to you in the future.
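
One way to produce the summary-and-exceptions report requested above, as an added example that is not part of the original thread: each subfolder's access entries are normalised and compared with the root's, and only the folders that differ are listed. The function name Get-AclExceptionSummary and its output property names are assumptions.

```powershell
# Added example (not from the original post or its comments).
function Get-AclExceptionSummary {
    param([Parameter(Mandatory)][string]$Root)

    # Reduce an ACL to sorted, de-duplicated "identity type rights" lines so that
    # entry order and inherited/explicit duplicates do not cause false differences.
    $normalise = {
        param($p)
        (Get-Acl -LiteralPath $p -ErrorAction Stop).Access |
            ForEach-Object { '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights } |
            Sort-Object -Unique
    }

    $baseline = (& $normalise $Root) -join "`n"
    $folders  = @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    $exceptions = @(foreach ($f in $folders) {
        try   { $current = (& $normalise $f.FullName) -join "`n" }
        catch { $current = "UNREADABLE: $($_.Exception.Message)" }   # report, do not skip
        if ($current -ne $baseline) {
            [pscustomobject]@{ Path = $f.FullName; Access = $current }
        }
    })

    [pscustomobject]@{
        Root            = $Root
        RootAccess      = $baseline
        TotalSubfolders = $folders.Count
        Matching        = $folders.Count - $exceptions.Count
        Exceptions      = $exceptions.Count
        ExceptionList   = $exceptions
    }
}

# C:\PowerShell is the folder the post already uses; substitute \\server\share\folder.
$summary = Get-AclExceptionSummary -Root 'C:\PowerShell'
$summary | Format-List Root, RootAccess, TotalSubfolders, Matching, Exceptions
$summary.ExceptionList | Format-List Path, Access
```

Subfolders where an inherited CREATOR OWNER entry has been resolved to a specific account are reported as exceptions, because their entries are not textually identical to the root's.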

  5. Son says:

    Hi Brian,

    How would I incorporate a return onto your PS script? I’d like to only do recursive on say the first 3 levels of folders. I found another article on how to do this; however, I am having a very difficult time incorporating it into this. It does not help that I do not know anything on PS yet, hehe. Here’s the link to the other post: http://social.technet.microsoft.com/Forums/eu/ITCG/thread/e6a81cc8-822e-42f7-8a70-c0d8637c111e

  6. Kimil Pillay says:

    Thanks for your help, Brian

    it worked wonders for me

  7. Pingback: Rechte von Ordner unter Windows 7 auslesen | Tutorials from tor.eu

  8. David says:

    Would it be possible to read in a list of shares from a text file and run the process on all the shares and put them into the same output file?

  9. sdf says:

    Yes, it's possible to read the share from a text file. You need to create another variable for that.

  10. Pingback: Auditing and setting NTFS permissions? | Jacques DALBERA's IT world

  11. Anonymous says:

    Thank you ! :)

  12. @JCS_STR says:

    Thank you! Worked like a charm :)

  13. Aaron says:

    Love the script, but I was trying for a slightly different result. I want the perms JUST on the Root folder itself. The output I get from your script is the folders contained in the root share. For example, my path given to your script is \\servername\apps. I want the perms for Apps and I don’t need the subfolders or files included. I can massage the output, but in my results I am not seeing the perms for Apps, just the folders within apps. Otherwise I am getting the information in the most readable format I have found from many scripts I have tried. I like yours best.

    Thank you,

    Aaron

  14. sajjad haider says:

    Is there any possibility to scan all the domain network with a list of all servers for security permissions? I want to get a CSV file of all servers for audit purposes, to know where everyone access is enabled in network share folders.

  15. Anonymous says:

    I would try network detective http://www.rapidfiretools.com/nd/ or just try this on all of the root directories of every server.

  16. Darren says:

    How do I get the permissions for a specific directory without it getting it from all the sub-directories as well?

    • Brian says:

      You can eliminate most of this script to find the permissions for a single folder by using:

      Get-Acl -path PathToFolder | Format-List -property AccessToString | Out-File -append "C:\Powershell\Results\$filename"

  17. Mersild says:

    I get errors about the file name and path being too long. Do you have a workaround or any suggestions?

    PS C:\PowerShell> C:\PowerShell\GetAllACL.ps1
    Enter the path you wish to check: \\SW00K499.ic.corp.local\S-DPT-IT
    Enter Output File Name: Shared_Folders_ACL.txt
    Get-ChildItem : The specified path, file name, or both are too long. The fully qualified file name must be less than 26
    0 characters, and the directory name must be less than 248 characters.
    At C:\PowerShell\GetAllACL.ps1:15 char:33
    + [Array] $folders = Get-ChildItem <<<< -path $path -force -recurse | Where {$_.PSIsContainer}
    Get-ChildItem : The specified path, file name, or both are too long. The fully qualified file name must be less than 26
    0 characters, and the directory name must be less than 248 characters.
    At C:\PowerShell\GetAllACL.ps1:15 char:33

  18. Davidk says:

    Great script. Is there a way to sort the output to only folders that do not have any AD groups assigned to them?

  19. Andy says:

    Is there any way I can output to an Excel file that I can then filter?

  20. Pingback: Fix Powershell Enable Windows Error Reporting Windows XP, Vista, 7, 8 [Solved]

  21. Mahmoud says:

    Can I get results for my file-server subfolders' permissions, for example: UNC path \\server\
    then I get all subfolders under this server name.

  22. Asim Khan says:

    Hi Brian
    Can I only view the permissions for selected folders, not subfolders?
    Actually, we have shared drives with millions of subfolders.
    I only want to see the main first few folders' permissions, e.g. x:\department\shareddrive\folders; I don't want to run the query on subfolders inside folders.
    Please let me know.
    This script is amazing; if I run this script on subfolders I get an error that the path is too long.
    I am happy to get only the main root folders' permissions.
    Thanks

  23. Asim Khan says:

    $path = Read-Host "Enter the path you wish to check"
    $filename = Write-Host $path
    $date = Get-Date
    $path >> folderpermissions.csv
    Get-Acl -Path $path | Format-List AccessToString >> folderpermissions.csv

  24. Kevin says:

    I used this script and it was very helpful, it did exactly what I was looking for. Thanks.

  25. RS says:

    Great Script. Exactly what I was looking for as well!!

  26. Rosta says:

    Hello,
    is there a way the script can be edited to show the list of Inheritance folders (True or False)?

    Thanks
