Discovering Share Permissions (ACL) on Windows Servers using PowerShell
Introduction: Managing permissions on shared folders is a crucial aspect of maintaining data security and accessibility within an organization’s network infrastructure. Windows servers offer various tools and methods to inspect and manage share permissions effectively. In this tutorial, we’ll explore how to use PowerShell scripting to enumerate share permissions on Windows servers. By leveraging PowerShell, administrators can efficiently gather information about share permissions across multiple servers, facilitating better management and auditing practices.
Script Overview: The PowerShell script provided below automates the process of discovering share permissions on a specified Windows server. Let’s break down its functionality:
```powershell
# Import WMI Cmdlets (for broader compatibility)
# Import-Module Wmi

# Define the output file path
$outputFile = "C:\temp\SharePermissions_$(Get-Date -f yyyyMMdd).csv"

# Function to check if server is reachable
function Test-ServerConnection {
    param(
        [string]$serverName
    )
    try {
        # -Quiet yields $true/$false; capture it so the function returns a single value
        $reachable = Test-Connection -ComputerName $serverName -Quiet -ErrorAction Stop
    } catch {
        $reachable = $false
    }
    if (-not $reachable) {
        Write-Error "Error connecting to server: $serverName"
    }
    return [bool]$reachable
}

# Prompt for server name (Read-Host appends the colon itself)
$serverName = Read-Host "Enter server name"

# Check server connectivity
if (!(Test-ServerConnection -serverName $serverName)) {
    exit
}

# Enumerate shares using WMI (Type = 0 selects disk shares)
$shares = @()
try {
    # -ErrorAction Stop turns WMI failures into terminating errors so catch runs
    $shares = Get-WmiObject -Class Win32_Share -Filter "Type = 0" -ComputerName $serverName -ErrorAction Stop
} catch {
    Write-Error "Error retrieving shares from $serverName. Ensure share browsing is enabled."
}

# Function to process a share and its ACL
function Get-ShareAcl {
    param(
        [string]$shareName
    )
    # Get share path (UNC form: \\server\share)
    $sharePath = "\\$serverName\$shareName"

    # Get ACL
    try {
        $acl = Get-Acl -Path $sharePath -ErrorAction Stop
    } catch {
        Write-Warning "Failed to retrieve ACL for share: $shareName"
        return $null
    }

    # Process each access entry
    $permissions = $acl.Access | ForEach-Object {
        [PSCustomObject]@{
            "ShareName"         = $shareName
            "IdentityReference" = $_.IdentityReference
            # Render the rights flags as text without spaces, e.g. "Modify,Synchronize"
            "FileSystemRights"  = $_.FileSystemRights.ToString() -replace " ", ""
            "IsInherited"       = $_.IsInherited
        }
    }

    # Return permissions objects
    return $permissions
}

# Process each share
$sharePermissions = @()
if ($shares) {
    foreach ($share in $shares) {
        $permissions = Get-ShareAcl $share.Name
        if ($permissions) {
            $sharePermissions += $permissions
        }
    }
}

# Export results to CSV
if ($sharePermissions) {
    $sharePermissions | Export-Csv -Path $outputFile -NoTypeInformation
    Write-Host "Share permissions exported to: $outputFile"
} else {
    Write-Warning "No shares found or failed to retrieve ACLs on server: $serverName"
}
```
Description:
- Import WMI Cmdlets: This line is commented out as the script utilizes PowerShell’s built-in cmdlets for simplicity and broader compatibility.
- Output File Path: Specifies the path where the script will save the output CSV file containing share permissions. The filename includes the current date for better organization.
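- Test-ServerConnection Function: Defines a function to check if the specified server is reachable via the Test-Connection cmdlet.
- Prompt for Server Name: Prompts the user to input the name of the server they want to query.
- Enumerate Shares: Utilizes Get-WmiObject to retrieve a list of shared folders from the specified server. The Type = 0 filter limits the Win32_Share query to ordinary disk shares.
- Get-ShareAcl Function: Retrieves the Access Control List (ACL) for each share by calling Get-Acl on the share's UNC path and processes the permissions. Get-Acl on a UNC path returns the NTFS ACL of the share's root folder; share-level (SMB) permissions are stored separately and are not included in this output.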
- Process Each Share: Iterates through each share, retrieves its ACL, and adds the permissions to an array.
- Export Results to CSV: Exports the collected share permissions to a CSV file at the specified output path.
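Because Get-Acl reads only the NTFS layer while access over the network is limited by the more restrictive of the share-level and NTFS permissions, an audit usually needs both. The following added example (not part of the original script) reports both layers per share using the SmbShare module's Get-SmbShare and Get-SmbShareAccess cmdlets. The function name Get-ShareAccessReport, the Broad column, the list of broad principals and the server name FS01 are assumptions made for illustration.

```powershell
# Added example: share-level and NTFS ACEs side by side (needs the SmbShare module, Server 2012+)
function Get-ShareAccessReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Assumed review list: account names (without domain prefix) that cover most users
        [string[]]$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')
    )
    # $true when the account's leaf name (after any DOMAIN\ prefix) is on the list
    $isBroad = { param($name) ($name -split '\\')[-1] -in $BroadPrincipals }
    $session = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        # -Special $false skips administrative shares such as C$, ADMIN$ and IPC$
        $shares = Get-SmbShare -CimSession $session -Special $false -ErrorAction Stop
        foreach ($share in $shares) {
            # Layer 1: share-level permissions (Full / Change / Read / Custom)
            foreach ($ace in Get-SmbShareAccess -CimSession $session -Name $share.Name) {
                [PSCustomObject]@{
                    ShareName = $share.Name
                    Layer     = 'Share'
                    Identity  = $ace.AccountName
                    Type      = [string]$ace.AccessControlType
                    Rights    = [string]$ace.AccessRight
                    Broad     = & $isBroad $ace.AccountName
                }
            }
            # Layer 2: NTFS ACL of the share's root folder, read over the UNC path
            try {
                $acl = Get-Acl -Path "\\$ComputerName\$($share.Name)" -ErrorAction Stop
            } catch {
                Write-Warning "NTFS ACL not readable for share: $($share.Name)"
                continue
            }
            foreach ($ace in $acl.Access) {
                [PSCustomObject]@{
                    ShareName = $share.Name
                    Layer     = 'NTFS'
                    Identity  = $ace.IdentityReference.Value
                    Type      = [string]$ace.AccessControlType
                    Rights    = $ace.FileSystemRights.ToString() -replace ' ', ''
                    Broad     = & $isBroad $ace.IdentityReference.Value
                }
            }
        }
    } finally {
        Remove-CimSession -CimSession $session
    }
}
# Usage (FS01 is a placeholder): Get-ShareAccessReport -ComputerName FS01 | Where-Object Broad
```

Rows where Broad is true on both layers of the same share are the ones to review first, since a broad grant on only one layer is still constrained by the other.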
Conclusion: By executing this PowerShell script, administrators can efficiently gather information about share permissions on Windows servers, facilitating effective management and auditing practices. Regularly reviewing and analyzing share permissions is essential for ensuring data security and compliance within an organization’s network infrastructure. With PowerShell’s automation capabilities, administrators can streamline these tasks and maintain a secure and well-managed server environment.