Share Permissions request

RumbleBee · 23 Jun 2010 at 12:30

Hi,

Is there an application/Utility that will allow me to print or display an overview of share permissions on a server. Or is there something simple I can view on the server itself.

I'd like to produce a report of what shares are current in preparation for the upgrade to a new server.

SiriusB · 23 Jun 2010 at 13:03

Scratch that, I actually read the OP this time!

EDIT: Which permissions do you need? The permissions set under Sharing, or actual NTFS permissions?

RumbleBee · 23 Jun 2010 at 14:01

I believe this is for Share's rather than NTFS. Basically the server in question is going be replaced and the current file structure is going to be allocated to another server. Probably an exisiting server with some free space.

SiriusB · 23 Jun 2010 at 16:26

OK using Powershell. Copy the code below into a file and save it as get-sharepermissions.ps1

Then run Powershell as an Administrator.

Run:

Code:

Set-ExecutionPolicy RemoteSigned

note: this allows locally created scripts to run in PowerShell but nothing you download

Now run the script:

Code:

C:\path\to\get-sharepermissions.ps1

Obviously adjusting the path to suit.

Server 2008 R2 and Windows 7 both come with Powershell installed. Server 2008/2003/XP/Vista can get Powershell by installing: http://support.microsoft.com/kb/968929

get-sharepermissions.ps1

Code:

function Get-MySharePermissions
{
	param([string]$computername,[string]$sharename)
	$ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $computername
	ForEach ($ShareS in ($ShareSec | Where {$_.Name -eq $sharename}))
	{
		$SecurityDescriptor = $ShareS.GetSecurityDescriptor()
		$myCol = @()
		ForEach ($DACL in $SecurityDescriptor.Descriptor.DACL)
		{
			$myObj = "" | Select Domain, ID, AccessMask, AceType
			$myObj.Domain = $DACL.Trustee.Domain
			$myObj.ID = $DACL.Trustee.Name
			Switch ($DACL.AccessMask)
			{
				2032127 {$AccessMask = "FullControl"}
				1179785 {$AccessMask = "Read"}
				1180063 {$AccessMask = "Read, Write"}
				1179817 {$AccessMask = "ReadAndExecute"}
				-1610612736 {$AccessMask = "ReadAndExecuteExtended"}
				1245631 {$AccessMask = "ReadAndExecute, Modify, Write"}
				1180095 {$AccessMask = "ReadAndExecute, Write"}
				268435456 {$AccessMask = "FullControl (Sub Only)"}
				default {$AccessMask = $DACL.AccessMask}
			}
			$myObj.AccessMask = $AccessMask
			Switch ($DACL.AceType)
			{
				0 {$AceType = "Allow"}
				1 {$AceType = "Deny"}
				2 {$AceType = "Audit"}
			}
			$myObj.AceType = $AceType
			Clear-Variable AccessMask -ErrorAction SilentlyContinue
			Clear-Variable AceType -ErrorAction SilentlyContinue
			$myCol += $myObj
		}
	}
	Return $myCol
}

$shares = gwmi win32_share

foreach($share in $shares)
{
    $share | Format-Table Name, Path -AutoSize
    Get-MySharePermissions . $share.Name | Format-Table Domain, ID, AccessMask, AceType -AutoSize
    Write-Host "==============================================="
}

Credit:
The code in the function isn't mine - borrowed from here: http://www.peetersonline.nl/index.php/powershell/listing-share-permissions-for-remote-shares/ and tweaked for OPs needs.