PowerShell - Network share permissions user level
-
Hi Team,
I have been tasked with a few things. I have a few scripts but need to merge them, but I have been advised of a better solution, which would be to get a comprehensive report of users and their permissions.
So...
-
Firstly, I need a PowerShell script to get a parent folder's and its children's permissions and who has access. I do not need to see inherited permissions, only explicit ones. This would need to be output to a CSV for easy reading for our auditors.
-
We do not want to see groups, only users' access. If the folder has groups, these will need to be expanded.
Hopefully I have explained correctly. Thanks again in advance.
-
Paging @Rob-Dunn and @Martin9700
-
So without writing this myself I was able to find this which might work for what you need.
-
Thanks for the link @DustinB3403. I have tried this, but the output was not what the auditors wanted, hence me reaching out to various teams/forums for assistance. The code was not able to give me user level; it only provided groups without expanding the groups.
@DustinB3403 how did you say to add a piece of code?
-
The code I already have is this:

```powershell
# Identities to leave out of the report
$exclude = @(
    'CREATOR OWNER'
    'NT AUTHORITY\SYSTEM'
    'BUILTIN\Administrators'
    'HTBPLC\Domain Admins'
)

$RootPath = "S:\XYZ\DEPARTMENTS"

# Root folder plus every sub-folder beneath it
$folders = [array](Get-Item -Path $RootPath)
$folders += Get-ChildItem -Path $RootPath -Recurse -Directory

# Keep only explicit (non-inherited) entries and tag each with its folder path
$acls = foreach ($Folder in $Folders) {
    Get-Acl $Folder.FullName |
        Select-Object -ExpandProperty Access |
        Where-Object { -not $_.IsInherited -and $exclude -notcontains $_.IdentityReference } |
        Select-Object -Property *, @{
            'Name'       = 'Folder'
            'Expression' = { $Folder.FullName }
        }
}

$acls | Export-Csv -NoTypeInformation -Path C:\NTFS\DEPARTMENTS1.csv
```

I need to implement the group extracting from this piece of code and add it to the above.

```powershell
Import-Module ActiveDirectory

$credentials = Get-Credential

# One row per AD user, listing the groups the user is a direct member of
Get-ADUser -Credential $credentials -Filter * -Properties DisplayName, EmailAddress, MemberOf, DistinguishedName, Enabled |
    ForEach-Object {
        New-Object PSObject -Property @{
            UserName          = $_.DisplayName
            EmailAddress      = $_.EmailAddress
            DistinguishedName = $_.DistinguishedName
            Enabled           = $_.Enabled
            Groups            = ($_.MemberOf | Get-ADGroup | Select-Object -ExpandProperty Name) -join ";"
        }
    } |
    Select-Object UserName, EmailAddress, @{l='OU'; e={ $_.DistinguishedName.Split(',')[1].Split('=')[1] }}, Groups, Enabled |
    Sort-Object UserName |
    Export-Csv c:\temp\User-Permissions1.csv -NoTypeInformation
```

Any ideas?
-
Any ideas, Team?
Thanks
-
Team,
I have made some headway, but what I need to know is how do I call the function "MyADGroups" in my script. Not sure if the below script is correct, but what it needs to do is check who has access to the parent folder and all the children folders only. If it's inherited I do not want to know, which the script does :). But if it is a group it needs to expand the group and show me the users only.
I have done a function but I am not sure if it is correct and whether it will output the data I need.

```powershell
# Identities to leave out of the report
$exclude = @(
    'CREATOR OWNER'
    'NT AUTHORITY\SYSTEM'
    'BUILTIN\Administrators'
    'HTBPLC\Domain Admins'
)

# Return only the user objects in a group, including members of nested groups
Function Get-MYADGroups($GroupsAD) {
    Return Get-ADGroupMember -Identity $GroupsAD -Recursive | Where-Object { $_.objectClass -eq "user" }
}
# Get-ADGroupMember -Identity -Recursive | Get-ADUser -Property DisplayName | Select Name,ObjectClass,DisplayName?

$credentials = Get-Credential

# As posted: the folder scan sits inside the per-user loop, and Get-MYADGroups is not called yet
Get-ADUser -Credential $credentials -Filter * -Properties DisplayName, EmailAddress, memberof, DistinguishedName, Enabled | ForEach-Object {
    $RootPath = "\\XYZ.net\users\GP\DEPT\IT\"
    $folders = [array](Get-Item -Path $RootPath)
    $folders += Get-ChildItem -Path $RootPath -Recurse -Directory
    $acls = foreach ($Folder in $Folders) {
        Get-Acl $Folder.FullName |
            Select-Object -ExpandProperty Access |
            Where-Object { -not $_.IsInherited -and $exclude -notcontains $_.IdentityReference } |
            Select-Object -Property *, @{
                'Name'       = 'Folder'
                'Expression' = { $Folder.FullName }
            }
    }
}

$acls | Export-Csv -NoTypeInformation -Path C:\NTFS\DEPARTMENTS1.csv
```

@DustinB3403 @dafyre can you maybe help me out on this one? It should be a quick fix; I just need to know if I am on the right track.
Thanks
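-
One way to combine the two pieces discussed in this thread (explicit ACL entries per folder, with groups expanded to their user members) is sketched below. This is an added example, not code from any poster: the helper name `Resolve-AclIdentity`, the output file name and the report columns are assumptions, while the root path and exclusion list are reused from the scripts above.

```powershell
Import-Module ActiveDirectory

# Path and exclusions reused from the thread; $OutFile is an assumed name.
$RootPath = 'S:\XYZ\DEPARTMENTS'
$OutFile  = 'C:\NTFS\DEPARTMENTS_users.csv'
$exclude  = 'CREATOR OWNER', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'HTBPLC\Domain Admins'
$cache    = @{}   # identity -> user names, so each group is expanded only once

# Hypothetical helper: returns the user accounts behind one ACL identity.
function Resolve-AclIdentity([System.Security.Principal.IdentityReference]$Identity) {
    $key = $Identity.Value
    if (-not $cache.ContainsKey($key)) {
        $users = @()
        try {
            # Look the identity up by SID so the domain prefix does not matter
            $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties sAMAccountName -ErrorAction Stop
            if ($obj.ObjectClass -eq 'group') {
                $users = @(Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
                    Where-Object { $_.objectClass -eq 'user' } |
                    Select-Object -ExpandProperty SamAccountName)
            } elseif ($obj.ObjectClass -eq 'user') {
                $users = @($obj.sAMAccountName)
            }
        } catch {
            Write-Warning "Could not resolve '$key': $_"
        }
        $cache[$key] = $users
    }
    return $cache[$key]
}

# Root folder plus every sub-folder beneath it
$folders = @(Get-Item -Path $RootPath) + @(Get-ChildItem -Path $RootPath -Recurse -Directory)
$report = foreach ($folder in $folders) {
    # Explicit (non-inherited) entries only, minus the excluded identities
    $aces = (Get-Acl -Path $folder.FullName).Access |
        Where-Object { -not $_.IsInherited -and $exclude -notcontains $_.IdentityReference.Value }
    foreach ($ace in $aces) {
        $users = @(Resolve-AclIdentity $ace.IdentityReference)
        if (-not $users) { $users = @('(unresolved or empty)') }   # keep the entry visible to auditors
        foreach ($user in $users) {
            [pscustomobject]@{
                Folder = $folder.FullName; User = $user; Via = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights; Type = $ace.AccessControlType
            }
        }
    }
}

$report | Sort-Object Folder, User | Export-Csv -NoTypeInformation -Path $OutFile
```

The `Via` column records which ACL entry granted the access, so a user who appears through a group can be traced back to it, and `Type` distinguishes Allow from Deny entries.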