Often I am asked to verify folder permissions for a user in a specific place out on one of our servers. Typically this requires browsing out to the folder and putting eyes on the permissions dialog box, looking for a group of which the user is a member, and then documenting it in the ticket. A very painful, long, boring process. This is where PowerShell comes in and saves the day. I wrote a very simple script to bring that information to me. It also gives nice output that I can copy directly into tickets to answer which groups have rights to which shares.
The script prompts the user to “Enter a UNC Path”; once a path is entered, it retrieves the NTFS permissions as well as the SMB share permissions.
PowerShell Code
Write-Host
$path = Read-Host "Enter a UNC Path: "
# \\server\share\folder splits into '', '', server, share, folder
$pathparts = $path.Split("\")
$ComputerName = $pathparts[2]
$ShareName = $pathparts[3]
Write-Host "File Sharing Permissions Report - $path"
Write-Host
# NTFS ACL of the folder the UNC path points to
$acl = Get-Acl $path
Write-Host "File/NTFS Permissions"
Write-Host
foreach ($accessRule in $acl.Access)
{
    Write-Host " " $accessRule.IdentityReference $accessRule.FileSystemRights
}
Write-Host
Write-Host "Share/SMB Permissions"
Write-Host
# Share-level security descriptor, read over WMI from the file server
$Share = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "name='$ShareName'" -ComputerName $ComputerName
if ($Share) {
    $ACLS = $Share.GetSecurityDescriptor().Descriptor.DACL
    foreach ($ACL in $ACLS) {
        $User = $ACL.Trustee.Name
        # Fall back to the SID string when the account name cannot be resolved
        if (!($User)) { $User = $ACL.Trustee.SIDString }
        $Domain = $ACL.Trustee.Domain
        switch ($ACL.AccessMask)
        {
            2032127 { $Perm = "Full Control" }
            1245631 { $Perm = "Change" }
            1179817 { $Perm = "Read" }
            # Any other mask: print the raw value instead of reusing the previous entry's label
            default { $Perm = "Other (AccessMask $($ACL.AccessMask))" }
        }
        Write-Host " $Domain\$User $Perm"
    }
}
Write-Host
Example Output
.\Get-Permissions-NTFS-SMB.ps1
Enter a UNC Path: : \\filesrv\Working Groups
File Sharing Permissions Report - \\filesrv\Working Groups
File/NTFS Permissions
BUILTIN\Administrators FullControl
DOMAIN\Domain Admins FullControl
DOMAIN\Domain Users ReadAndExecute, Synchronize
DOMAIN\Folder - File Server Admins FullControl
Share/SMB Permissions
DOMAIN\Domain Admins Full Control
DOMAIN\Domain Users Full Control
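
The share-permission switch in the script recognises only three exact AccessMask values and does not tell allow entries from deny entries. The following is an added example, not part of the original script, that labels any mask and reports the ACE type. The function names Convert-ShareAce and New-SampleAce are hypothetical, and the sample ACEs are constructed stand-ins shaped like Win32_ACE objects so the block runs without a file server.

```powershell
# Added example, not part of the original script.
# Convert-ShareAce and New-SampleAce are hypothetical helper names; $sampleDacl is constructed
# data shaped like the Win32_ACE objects in GetSecurityDescriptor().Descriptor.DACL.
function Convert-ShareAce {
    param([Parameter(Mandatory, ValueFromPipeline)] $Ace)
    process {
        # Win32_ACE.AceType: 0 = access allowed, 1 = access denied, 2 = audit
        $type = switch ([int]$Ace.AceType) {
            0 { 'Allow' }
            1 { 'Deny' }
            2 { 'Audit' }
            default { "AceType $($Ace.AceType)" }
        }
        $mask = [uint32]$Ace.AccessMask
        $perm = switch ($mask) {
            2032127 { 'Full Control' }
            1245631 { 'Change' }
            1179817 { 'Read' }
            default {
                # Non-standard mask: name the individual rights bits
                $rights = [Enum]::ToObject([System.Security.AccessControl.FileSystemRights], $mask)
                "Custom: $rights (mask $mask)"
            }
        }
        # Unresolved trustees have no Name; fall back to the SID string
        $name = if ($Ace.Trustee.Name) { $Ace.Trustee.Name } else { $Ace.Trustee.SIDString }
        $account = if ($Ace.Trustee.Domain) { "$($Ace.Trustee.Domain)\$name" } else { $name }
        [pscustomobject]@{ Account = $account; Type = $type; Permission = $perm }
    }
}

function New-SampleAce($Mask, $Type, $Domain, $Name, $Sid) {
    [pscustomobject]@{
        AccessMask = $Mask
        AceType    = $Type
        Trustee    = [pscustomobject]@{ Domain = $Domain; Name = $Name; SIDString = $Sid }
    }
}

# Constructed sample DACL: a standard entry, a custom mask, and a deny for an unresolved SID
$sampleDacl = @(
    (New-SampleAce 2032127 0 'DOMAIN' 'Domain Admins' $null),
    (New-SampleAce 1179785 0 'DOMAIN' 'Domain Users' $null),
    (New-SampleAce 1245631 1 $null $null 'S-1-5-21-1111111111-2222222222-3333333333-1105')
)
$sampleDacl | Convert-ShareAce | Format-Table -AutoSize
```

To use it against a real share, pipe the DACL the script already retrieves: `$Share.GetSecurityDescriptor().Descriptor.DACL | Convert-ShareAce`.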