Using PowerShell to Audit Share Permissions

Today I was asked to help audit permissions on shares of a client. This can take a long time to do manually, so I did it using PowerShell. I have changed the names of the groups.

Getting permissions of the shares

Start with the Get-WmiObject cmdlet, passing in the Win32_Share class to get a list of all of the shares on the server. The results are piped to the Where-Object cmdlet with the "|" character. The word where is an alias for Where-Object; PowerShell understands it and translates it to the cmdlet. Where-Object filters the results: it places each share in the $_ automatic variable and checks whether its Name property matches "managers". If the match succeeds, the share is passed through. If it fails, the next word in the -or chain is tried. Once all of the words have been checked it moves on to the next share. You end up with the $shares variable containing only the shares whose names match one of the words. The $output variable stores the folder where the files will be created.

# All shares on this server, kept only when the name matches one of the words (-match is a case-insensitive regex match)
$shares = get-wmiobject win32_share | where {$_.name -match "managers" -or $_.name -match "accounting" -or $_.name -match "reports" -or $_.name -match "administration" -or $_.name -match "public"}
# Folder the CSV files will be written to
$output = 'c:\temp'

We will now loop through each share, placing the current one into the $share variable. Next we get the permissions on the share's path with Get-Acl and place them into $acls. Then we loop through each permission entry and append it to a CSV file named after the share. Make sure that you use -Append, or each entry will overwrite the file and you will end up with output of only one line.

foreach ($share in $shares){
    $name = $share.Name
    # Access entries (the DACL) of the folder the share points to
    $acls = (Get-Acl -Path $share.Path).access
    foreach ($acl in $acls){
        # -Append adds one row per entry; without it every entry would overwrite the file
        $acl | export-csv -Path "$output\$name.csv" -NoTypeInformation -Append
    }
}
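One caveat worth knowing when reading the CSVs: Get-Acl on the share's path returns the NTFS permissions of the folder, not the permissions set on the share itself, and the SMB server checks both. The following is an added example, not code from the original post, that collects both layers for the same shares into a single CSV and flags entries that grant more than read access to broad principals (Everyone, BUILTIN\Users, Authenticated Users). It assumes the SmbShare module (Windows Server 2012 / Windows 8 or later), that it runs on the file server itself, and the same share-name list and c:\temp folder the post uses; the $broadPrincipals list is my own choice and should be adjusted to the environment.

```powershell
# Added example: audit share-level and NTFS permissions of selected shares in one report.
# Assumes the SmbShare module and that it is run on the file server. Share names and
# output folder are taken from the post; $broadPrincipals is an assumption to tune.

$shareNames = @('managers', 'accounting', 'reports', 'administration', 'public')
$output     = 'c:\temp'

# Principals whose presence with write or change rights usually deserves a second look.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Build one regex from the share names instead of chaining -or clauses.
$pattern = ($shareNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

$rows = foreach ($share in Get-SmbShare | Where-Object { $_.Name -match $pattern }) {

    # Share-level permissions: what the SMB server enforces before NTFS is consulted.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        [pscustomobject]@{
            Share     = $share.Name
            Path      = $share.Path
            Layer     = 'Share'
            Identity  = $ace.AccountName
            Type      = $ace.AccessControlType
            Rights    = $ace.AccessRight
            Inherited = $false
            Broad     = ($ace.AccountName -in $broadPrincipals) -and ($ace.AccessRight -ne 'Read')
        }
    }

    # NTFS permissions on the folder behind the share: what Get-Acl in the post returns.
    foreach ($ace in (Get-Acl -Path $share.Path).Access) {
        $identity = $ace.IdentityReference.Value
        # Any of the write bits set means the entry can change data.
        $canWrite = ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0
        [pscustomobject]@{
            Share     = $share.Name
            Path      = $share.Path
            Layer     = 'NTFS'
            Identity  = $identity
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Broad     = ($identity -in $broadPrincipals) -and $canWrite
        }
    }
}

# One file for the whole audit; the Share and Layer columns replace per-share file names.
$rows | Export-Csv -Path "$output\ShareAudit.csv" -NoTypeInformation

# Quick on-screen summary of the Allow entries worth reviewing first.
$rows | Where-Object { $_.Broad -and $_.Type -eq 'Allow' } |
    Format-Table Share, Layer, Identity, Rights -AutoSize
```

Effective access is the more restrictive of the two layers, so a share granting Everyone Full with NTFS restricted to one group is still restricted; the Layer column lets you see which side is doing the work.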

Getting users in the groups

This script was executed on their domain controller. I could have done PowerShell remoting but I already had their DC up. Get all of the groups using the Get-ADGroup cmdlet and then filter them using the Where-Object cmdlet. Loop through each group using a foreach statement, get each member of the group with Get-ADGroupMember, and export the members to a CSV file named after the group.

# Get-ADGroup requires -Filter (or -Identity); -Filter * returns every group and where narrows the list
$groups = get-adgroup -Filter * | where {$_.name -match 'accounting' -or $_.name -match 'manager' -or $_.name -match 'administration' -or $_.name -match 'development'}
$output = 'c:\temp'

foreach ($group in $groups){
    $name = $group.Name
    # Direct members only; nested groups are listed as members but not expanded
    $members = $group | Get-ADGroupMember
    foreach ($member in $members){
        $member | export-csv -path "$output\Group-$name.csv" -NoTypeInformation -append
    }
}
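Get-ADGroupMember without -Recursive lists nested groups as members but does not expand them, so a user who reaches a share through a group inside a group is missing from the CSV. The following added example (my code, not the post's) joins the two halves of the audit: for each access entry on the selected shares it expands the granting identity to the individual domain users, following nested groups, and writes one "who can reach what" CSV. It assumes the ActiveDirectory module, a domain-joined host, and the same share list and c:\temp folder as the post; Get-EffectiveMembers is a helper I introduce here, not a built-in cmdlet.

```powershell
# Added example: effective user access per share, expanding nested AD groups.
# Assumes the ActiveDirectory module and a domain-joined host. Share names and
# output folder are taken from the post; Get-EffectiveMembers is a hypothetical helper.

Import-Module ActiveDirectory

$shareNames = @('managers', 'accounting', 'reports', 'administration', 'public')
$output     = 'c:\temp'
$pattern    = ($shareNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Cache expanded membership so a group referenced by several shares is expanded once.
$memberCache = @{}

function Get-EffectiveMembers {
    param([string]$Identity)   # as it appears in an ACE, e.g. 'CONTOSO\Accounting Staff'

    if ($memberCache.ContainsKey($Identity)) { return $memberCache[$Identity] }

    # Local and well-known principals are not domain objects; return them unexpanded.
    if ($Identity -notmatch '\\' -or $Identity -match '^(BUILTIN|NT AUTHORITY)\\') {
        $memberCache[$Identity] = @($Identity)
        return $memberCache[$Identity]
    }

    $sam = ($Identity -split '\\')[-1]
    try {
        # Only domain groups can be expanded; a domain user or unknown name falls into catch.
        $group   = Get-ADGroup -Identity $sam -ErrorAction Stop
        $members = @(Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $_.SamAccountName })
    } catch {
        $members = @($Identity)
    }
    $memberCache[$Identity] = $members
    return $members
}

$report = foreach ($share in Get-WmiObject Win32_Share | Where-Object { $_.Name -match $pattern }) {
    foreach ($ace in (Get-Acl -Path $share.Path).Access) {
        foreach ($member in Get-EffectiveMembers -Identity $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Share     = $share.Name
                GrantedTo = $ace.IdentityReference.Value
                Member    = $member
                Type      = $ace.AccessControlType
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

$report | Export-Csv -Path "$output\EffectiveAccess.csv" -NoTypeInformation

# A user often appears on one share through several groups; group by Share and Member to review.
$report | Where-Object Type -eq 'Allow' | Group-Object Share, Member | Select-Object Count, Name
```

Deny entries are kept in the CSV with Type = Deny so that a user listed under an Allow row can be checked against them; the on-screen summary only counts Allow rows.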

Here is the full code, enjoy!

$shares = get-wmiobject win32_share | where {$_.name -match "managers" -or $_.name -match "accounting" -or $_.name -match "reports" -or $_.name -match "administration" -or $_.name -match "public"} 
$output = 'c:\temp'
foreach ($share in $shares){
    $name = $share.Name
    $acls = (Get-Acl -Path $share.Path).access
    foreach ($acl in $acls){
        $acl | export-csv -Path "$output\$name.csv" -NoTypeInformation -Append
    }
}

$groups = get-adgroup -Filter * | where {$_.name -match 'accounting' -or $_.name -match 'manager' -or $_.name -match 'administration' -or $_.name -match 'development'}
$output = 'c:\temp'

foreach ($group in $groups){
    $name = $group.Name
    $members = $group | Get-ADGroupMember
    foreach ($member in $members){
        $member | export-csv -path "$output\Group-$name.csv" -NoTypeInformation -append
    }
}
