Often I am asked to verify folder permissions for a user in a specific place on one of our servers. Typically this requires browsing out to the folder and putting eyes on the permissions dialog box, looking for a group of which the user is a member, and then documenting it in the ticket. A very painful, long, boring process. This is where PowerShell comes in and saves the day. I wrote a very simple script to bring that information to me. It also gives nice output that I can copy directly into tickets to answer which groups have rights to which shares.
The script prompts the user with “Enter a UNC Path”; once a path is entered, it grabs the NTFS permissions as well as the SMB share permissions.
PowerShell Code
    Write-Host
    # Prompt for the share path, e.g. \\server\share
    $path = Read-Host "Enter a UNC Path: "
    $pathparts = $path.split("\")
    $ComputerName = $pathparts[2]
    $ShareName = $pathparts[3]

    Write-Host "File Sharing Permissions Report - $path"
    Write-Host

    # NTFS ACL on the folder itself
    $acl = Get-Acl $path
    Write-Host "File/NTFS Permissions"
    Write-Host
    foreach($accessRule in $acl.Access)
    {
        Write-Host " " $accessRule.IdentityReference $accessRule.FileSystemRights
    }
    Write-Host
    Write-Host "Share/SMB Permissions"
    Write-Host

    # Share-level ACL, read over WMI from the file server (Get-WmiObject is a Windows PowerShell cmdlet)
    $Share = Get-WmiObject win32_LogicalShareSecuritySetting -Filter "name='$ShareName'" -ComputerName $ComputerName
    if($Share){
        $ACLS = $Share.GetSecurityDescriptor().Descriptor.DACL
        foreach($ACL in $ACLS){
            $User = $ACL.Trustee.Name
            # Fall back to the SID string when the account name does not resolve
            if(!($User)){$User = $ACL.Trustee.SIDString}
            $Domain = $ACL.Trustee.Domain
            switch($ACL.AccessMask)
            {
                2032127 {$Perm = "Full Control"}
                1245631 {$Perm = "Change"}
                1179817 {$Perm = "Read"}
                # Show the raw mask rather than reusing the previous entry's label
                default {$Perm = $ACL.AccessMask}
            }
            Write-Host " $Domain\$User $Perm"
        }
    }
    Write-Host
Example Output
    .\Get-Permissions-NTFS-SMB.ps1

    Enter a UNC Path: : \\filesrv\Working Groups
    File Sharing Permissions Report - \\filesrv\Working Groups

    File/NTFS Permissions

      BUILTIN\Administrators FullControl
      DOMAIN\Domain Admins FullControl
      DOMAIN\Domain Users ReadAndExecute, Synchronize
      DOMAIN\Folder - File Server Admins FullControl

    Share/SMB Permissions

     DOMAIN\Domain Admins Full Control
     DOMAIN\Domain Users Full Control
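The share section of the script maps three exact access masks and does not look at whether an entry allows or denies access. The following is an added example, not part of the original script: it decodes any mask as a bit field and reports the ACE type. The function names `ConvertTo-ShareAceSummary` and `New-SampleAce` are hypothetical, the sample entries are constructed, and Windows PowerShell is assumed.

```powershell
# Added example: function names are hypothetical, sample ACEs are constructed.
function ConvertTo-ShareAceSummary {
    param([Parameter(ValueFromPipeline = $true)] $Ace)
    process {
        $mask = [uint32]$Ace.AccessMask
        # Win32_ACE.AceType: 0 = access allowed, 1 = access denied, 2 = audit
        $type = switch ([int]$Ace.AceType) {
            0 { 'Allow' }
            1 { 'Deny' }
            2 { 'Audit' }
            default { "Type $_" }
        }
        # The three masks the script above maps, matched exactly
        $rights = switch ($mask) {
            2032127 { 'Full Control' }
            1245631 { 'Change' }
            1179817 { 'Read' }
        }
        if (-not $rights) {
            # Any other mask is a bit field: decode it flag by flag and
            # fall back to hex when some bits have no named flag
            try   { $rights = [string][System.Security.AccessControl.FileSystemRights][int]$mask }
            catch { $rights = '0x{0:X8}' -f $mask }
        }
        $identity = $Ace.Trustee.Name
        if (-not $identity) { $identity = $Ace.Trustee.SIDString }  # unresolved account
        elseif ($Ace.Trustee.Domain) { $identity = "$($Ace.Trustee.Domain)\$identity" }
        [pscustomobject]@{ Identity = $identity; Type = $type; Rights = $rights; Mask = $mask }
    }
}

# Constructed sample DACL shaped like Win32_ACE objects (not real data)
function New-SampleAce($Type, $Mask, $Domain, $Name, $Sid) {
    [pscustomobject]@{ AceType = $Type; AccessMask = $Mask
        Trustee = [pscustomobject]@{ Domain = $Domain; Name = $Name; SIDString = $Sid } }
}
$sampleDacl = @(
    New-SampleAce 0 2032127 'DOMAIN' 'Domain Admins' 'S-1-5-21-1-2-3-512'
    New-SampleAce 0 1179817 'DOMAIN' 'Domain Users'  'S-1-5-21-1-2-3-513'
    New-SampleAce 1 2032127 'DOMAIN' 'Contractors'   'S-1-5-21-1-2-3-1104'  # deny entry
    New-SampleAce 0 131209  $null    $null           'S-1-5-21-1-2-3-1105'  # orphaned SID
)
$sampleDacl | ConvertTo-ShareAceSummary | Format-Table -AutoSize

# Live data: $Share.GetSecurityDescriptor().Descriptor.DACL | ConvertTo-ShareAceSummary
```

Because the function emits objects instead of calling Write-Host, the result can also be piped to `Out-File` or `Export-Csv` for a saved report.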
Thanks for the script. It worked perfectly.
Wow… you saved my day.
It's an amazing script.
Can I see permissions for subfolders?
Wayne, this is a great script and it works perfectly. I changed the script slightly for my use. I have a list of all UNC paths so I added import-csv and a foreach-object to get the permissions of all paths in list :).
The script is good and working fine also. My problem is I have many folders on my file server and it's difficult for me to run this script for every folder. If you can modify your script in a way that finds all the shared folder details with share permissions from the file server, then it would be a great help.
How could you convert this to write the output to a text file? I would love to have this run on the servers automatically and email me the output.
Clarification on the previous comment, if you had the path hard coded in or read into the script as a variable. (basically line 8 and down)
I prompt the user for input of the path on Line 3 with the read-host command
The easiest way I can think of is to replace the Write-Host commands with a variable. That will save the output and allow you to add it as the contents of an email.
You could rerun the script and type in the sub-folder you are interested in. Feel free to take the code and modify it as you wish.
Not a bad idea. I’ll think about it.
Hey Wayne, I'm using your script and I'm very happy with it! But I'm trying to find out how I can make this look up servers instead of shared resources. I did what you wrote about adding that line, but that is manual; the thing is that I need to make it automated! I'm getting into this right now, I'm new! So I would really appreciate knowing where I can find more information, to be able to improve your script! Thanks!
Hi Wayne,
Thanks for sharing such a useful script. I am trying to run the script, but I am not getting Share/SMB Permissions. It's showing blank. What could be the reason?
Other permissions:
1048576 {$Perm = "Synchronize"}
524288 {$Perm = "TakeOwnership"}
262144 {$Perm = "ChangePermissions"}
197055 {$Perm = "Modify"}
131241 {$Perm = "ReadAndExecute"}
131209 {$Perm = "Read"}
131072 {$Perm = "ReadPermissions"}
65536 {$Perm = "Delete"}
278 {$Perm = "Write"}
256 {$Perm = "WriteAttributes"}
128 {$Perm = "ReadAttributes"}
64 {$Perm = "DeleteSubdirectoriesAndFiles"}
32 {$Perm = "ExecuteFile"}
16 {$Perm = "WriteExtendedAttributes"}
8 {$Perm = "ReadExtendedAttributes"}
4 {$Perm = "AppendData"}
2 {$Perm = "CreateFiles"}
1 {$Perm = "ReadData"}