Script recommendation - Get-ACL recursively


Mike Leone

Jul 1, 2020, 2:34:49 PM
to NTSysAdmin, NTPowershell Mailing List
My boss asked me "Can you list all possible network drives that specific personnel have including their individual accounts?". (yeah, I know).

The best that I can come up with (outside of purchasing a commercial auditing program, which won't be happening) is to recursively walk down a shared folder structure on a file server; pull out the share and NTFS permissions; expand all the AD groups to get the list of users. Lather, rinse, repeat.

That would be because I can see in AD that user "Joe" is a member of "ShareA_RWXD". And I know where "ShareA" is. But the problem comes when "Joe" is explicitly added to the NTFS permissions of a share as a user account, rather than just via groups. So Joe's access is "ShareA" (easy enough, gotten from AD group membership), but also "ShareB", where he is listed explicitly, and where that sub-folder of a share doesn't inherit from above.

Far from ideal, but I have to do something, so I need to make a start. And I'd rather not invent all the wheels. Anyone know of a script that does at least something like this, that I can modify and start to get some info? I can do searches in the Gallery for Get-ACL, but if someone knows of one, that can save me time.

Thanks

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...

Bill Zielinski

Jul 1, 2020, 2:43:18 PM
to ntsys...@googlegroups.com

You could try AccessEnum from SysInternals

https://docs.microsoft.com/en-us/sysinternals/downloads/accessenum

 

By exporting into Excel and using filters you could probably get what you want.

 


--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

Mike Leone

Jul 1, 2020, 2:54:22 PM
to NTSysAdmin
On Wed, Jul 1, 2020 at 2:43 PM Bill Zielinski <BZiel...@dcecu.org> wrote:

You could try AccessEnum from SysInternals

https://docs.microsoft.com/en-us/sysinternals/downloads/accessenum


Thanks, I had forgotten about that utility.
 


Michael B. Smith

Jul 1, 2020, 2:56:52 PM
to ntpowe...@googlegroups.com, NTSysAdmin

You can shortcut a great deal of that effort by using Get-SmbShare which lists all the file shares on a computer and the DACL that applies to it.

 

You convert DACLs to readable strings using ConvertFrom-Sddl.

 

Get-SmbShare works on remote systems using CimSession, if you have remote management enabled. If not, you can use “net share” on downlevel computers.

 

--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2BjesT3RcGZdtp%3D1OCb7RNWjr1K%2BFm3sGMytAZouUNsfHg%40mail.gmail.com.

Mike Leone

Jul 1, 2020, 3:37:55 PM
to NTPowershell Mailing List, NTSysAdmin
On Wed, Jul 1, 2020 at 2:56 PM Michael B. Smith <mic...@smithcons.com> wrote:

You can shortcut a great deal of that effort by using Get-SmbShare which lists all the file shares on a computer and the DACL that applies to it.

 

You convert DACLs to readable strings using ConvertFrom-Sddl.

 

Get-SmbShare works on remote systems using CimSession, if you have remote management enabled. If not, you can use “net share” on downlevel computers.


Such useful information!

But what am I doing wrong here, then?

PS C:\Windows\system32> get-smbshare -Name "TestMDT_Share" | Select -Property SecurityDescriptor | ConvertFrom-SddlString
ConvertFrom-SddlString : Exception calling ".ctor" with "3" argument(s): "The SDDL form of a security descriptor
object is invalid.
Parameter name: sddlForm"
At line:1 char:76
+ ... Share" | Select -Property SecurityDescriptor | ConvertFrom-SddlString
+                                                    ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [ConvertFrom-SddlString], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentException,ConvertFrom-SddlString

 

 


Henry Awad

Jul 1, 2020, 4:08:18 PM
to ntsys...@googlegroups.com, NTPowershell Mailing List
Try one of these tools:


I have used Netwrix (paid version) in the past and they provide a very nice readable format report. I honestly haven't used the free version so not sure how different the report would be.

Hope this helps.

You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2Bjn_b04320J%2BWbMZ65YbqbxJgg8Es8JNx8rDCu1R83q9w%40mail.gmail.com.

Henry Awad

Jul 1, 2020, 4:10:43 PM
to ntsys...@googlegroups.com, NTPowershell Mailing List
And at the end of the article in the link, it has the PowerShell script also. Just noticed that.

Michael B. Smith

Jul 1, 2020, 4:29:16 PM
to ntsys...@googlegroups.com, NTPowershell Mailing List

The doc is wrong, you can’t pipe to ConvertFrom-Sddl.

 

$a = get-smbshare -Name "TestMDT_Share"

ConvertFrom-SddlString -sddl $a.SecurityDescriptor

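
The share-level enumeration Michael describes above (Get-SmbShare for the list of shares and their DACL, ConvertFrom-SddlString with the -Sddl parameter for the raw descriptor, a CimSession for remote hosts), written out as an added example. This is not code from the thread. It assumes the SmbShare module (Windows 8 / Server 2012 and later) and, for a remote target, that WinRM/CIM is reachable; FILESERVER1 in the usage comment is a constructed host name.

```powershell
# Added example, not code from the thread: share-level DACLs for every share on a server.
# Assumes the SmbShare module (Windows 8 / Server 2012 and later) and, for a remote target,
# that WinRM/CIM is reachable. 'FILESERVER1' in the usage line is a constructed host name.

function Get-ShareAccessReport {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$IncludeAdminShares     # C$, ADMIN$, IPC$ are skipped unless asked for
    )
    $cim = $null
    $common = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) {
        $cim = New-CimSession -ComputerName $ComputerName
        $common.CimSession = $cim
    }
    try {
        $shares = Get-SmbShare @common | Where-Object { $IncludeAdminShares -or -not $_.Special }
        foreach ($s in $shares) {
            # Get-SmbShareAccess returns the share DACL already split into ACEs, so no SDDL parsing is needed
            foreach ($ace in Get-SmbShareAccess -Name $s.Name @common) {
                [pscustomobject]@{
                    Computer = $ComputerName
                    Share    = $s.Name
                    Path     = $s.Path                   # local path the share exposes (NTFS ACL lives here)
                    Account  = $ace.AccountName          # e.g. Everyone, DOMAIN\ShareA_RWXD
                    Type     = $ace.AccessControlType    # Allow / Deny
                    Right    = $ace.AccessRight          # Full / Change / Read
                }
            }
        }
    }
    finally {
        if ($cim) { Remove-CimSession -CimSession $cim }
    }
}

function Get-ShareDaclFromSddl {
    # The same information from the raw descriptor on the share object. Pass the SDDL string
    # itself: 'Select-Object -Property SecurityDescriptor' wraps it in a new object, which is
    # what produced the "SDDL form ... is invalid" error earlier in the thread.
    param([string]$Name)
    $share = Get-SmbShare -Name $Name
    (ConvertFrom-SddlString -Sddl $share.SecurityDescriptor).DiscretionaryAcl
}

# Usage (constructed host name):
#   Get-ShareAccessReport -ComputerName FILESERVER1 | Export-Csv .\shares-FILESERVER1.csv -NoTypeInformation
#   Get-ShareDaclFromSddl -Name TestMDT_Share
```

Two caveats for anyone using this as an access report. Effective access through a share is the more restrictive of the share permission and the NTFS permission on the path, so a share granting Everyone Change says nothing on its own; it has to be read together with the NTFS ACL at $s.Path. And Deny entries are returned alongside Allow entries, so filter on Type before counting an account as having access.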

Robert ECEO Townley

Jul 1, 2020, 4:37:32 PM
to ntsys...@googlegroups.com, NTPowershell Mailing List
I am not totally certain what you are looking for, but I had used the following one-liner many times in the distant past to find all the files of a particular owner. Piping has been a wonderful timesaver.

   pushd s:\
   ls -recurse | get-acl | where-object OWNER -like '*USERNAME*'


Orlebeck, Geoffrey

Jul 1, 2020, 5:24:16 PM
to ntsys...@googlegroups.com

These two threads have some interesting ways of grabbing permissions across shares/systems

 

https://www.reddit.com/r/PowerShell/comments/az9rqj/looking_for_faster_getchilditem_w_error_handling/

 

https://www.reddit.com/r/PowerShell/comments/gq74ge/get_folders_with_getacl_where_folders_have/

 


Mike Leone

Jul 2, 2020, 11:43:01 AM
to NTSysAdmin, NTPowershell Mailing List
On Wed, Jul 1, 2020 at 4:08 PM Henry Awad <aw...@cua.edu> wrote:
Try one of these tools:


I have used Netwrix (paid version) in the past and they provide a very nice readable format report. I honestly haven't used the free version so not sure how different the report would be.

Thanks, those are all helpful. The biggest problem I have is this - all these seem to mostly concentrate on the permissions of a folder. And I need the report from the other perspective - I want to put in an AD group, and have it report (for each user) all of the access for the entire server. So I put in "MaintenanceGroup", and see "User Mike - \\Server1\ThisFolder, RWXD; \\Server1\ThatFolder, RO; etc."

 So I still think I'll need to cobble something together, from disparate parts.

I'd love to purchase something, but I don't really see them doing that. And not in the time frame I will (probably) need it, as our purchasing department ain't exactly known for their speed ...


Mike Leone

Jul 2, 2020, 12:01:09 PM
to NTPowershell Mailing List, ntsys...@googlegroups.com
On Wed, Jul 1, 2020 at 4:29 PM Michael B. Smith <mic...@smithcons.com> wrote:

The doc is wrong, you can’t pipe to ConvertFrom-Sddl.


Oh, goodie! LOL
 

$a = get-smbshare -Name "TestMDT_Share"

ConvertFrom-SddlString -sddl $a.SecurityDescriptor


I ended up with this (following other clues from other searching):

PS C:\Windows\system32> $SDDL = (get-smbshare -Name "TestMDT_Share" | Get-ACL).sddl
PS C:\Windows\system32> ($SDDL | ConvertFrom-SddlString -Type FileSystemRights | Select-Object -ExpandProperty DiscretionaryAcl) -split ":"
Everyone
 AccessAllowed (GenericWrite, ListDirectory, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize, Traverse)
NT AUTHORITY\Authenticated Users
 AccessAllowed (GenericWrite, ListDirectory, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize, Traverse)
NT AUTHORITY\SYSTEM
 AccessAllowed (ChangePermissions, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, FullControl, FullControl, FullControl, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize, TakeOwnership, Traverse, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
BUILTIN\Administrators
 AccessAllowed (ChangePermissions, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, FullControl, FullControl, FullControl, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize, TakeOwnership, Traverse, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
<DOMAIN\UserA>
 AccessAllowed (ChangePermissions, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, FullControl, FullControl, FullControl, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize, TakeOwnership, Traverse, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)


I will admit to not being entirely clear why I need to select the "DiscretionaryAcl" property; I was following an example. It seems to give me all the right info, however ...

So if I follow the above, I'd need to do the above recursively for the whole file server; and if any domain entry (group or user) returned is in the group I am interested in, save that.

And eventually I'd have a table of users, and an entry for each folder they appear in (whether as a group member or explicit).

Don't think that will handle nested group memberships very well, but it's a start, I think.

Can someone explain this:

"BUILTIN\Administrators
 AccessAllowed (ChangePermissions, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, FullControl, FullControl, FullControl, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize, TakeOwnership, Traverse, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)"

What's with the repeated "FullControl"?  ( FullControl, FullControl, FullControl, FullControl, FullControl). I get the other accesses, but what is this? Is this due to me asking for "DiscretionaryACL"?
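
The procedure described in the original post (walk the folder tree, collect NTFS ACEs, expand AD groups), the "other perspective" asked for above (start from a group, report each member's folders), and the plan just sketched (save every ACE whose identity reaches a member, note whether it was direct or via a group, handle nested groups) as one added example. This is not code from the thread. It assumes the RSAT ActiveDirectory module, an account that can read the ACL on every folder under the root, and a single domain whose NetBIOS name is $env:USERDOMAIN; the root path and group name are constructed placeholders.

```powershell
# Added example, not code from the thread: invert NTFS folder permissions into a per-user
# report for the members of one AD group. Assumptions: RSAT ActiveDirectory module present;
# the caller can read ACLs on every folder under $Root; a single domain whose NetBIOS name is
# $env:USERDOMAIN (identities with any other prefix, e.g. BUILTIN\ or NT AUTHORITY\, are
# treated as non-domain principals and skipped). $Root and $Group defaults are constructed.
param(
    [string]$Root  = '\\Server1\ShareA',
    [string]$Group = 'MaintenanceGroup',
    [switch]$IncludeInherited    # default: only explicit (non-inherited) Allow ACEs, i.e. where access was actually set
)
Import-Module ActiveDirectory

# 1. Walk the tree and emit one record per Allow ACE per folder.
function Get-FolderAces {
    param([string]$Path, [switch]$IncludeInherited)
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($f in $folders) {
        try { $acl = Get-Acl -LiteralPath $f.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($f.FullName)"; continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }          # Deny ACEs are not reported here
            if (-not $IncludeInherited -and $ace.IsInherited) { continue }
            [pscustomobject]@{
                Folder    = $f.FullName
                Identity  = $ace.IdentityReference.Value   # DOMAIN\name, BUILTIN\name, or an orphaned SID
                Rights    = $ace.FileSystemRights          # FileSystemRights enum, no SDDL round-trip
                Inherited = $ace.IsInherited
            }
        }
    }
}

# 2. Transitive user membership of a domain group (nested groups flattened by -Recursive).
function Get-GroupUsers {
    param([string]$Name)
    Get-ADGroupMember -Identity $Name -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { "$env:USERDOMAIN\$($_.SamAccountName)" }
}

# 3. Which users does an ACE identity cover? A user maps to itself, a group expands; cached per identity.
$identityCache = @{}
function Resolve-IdentityToUsers {
    param([string]$Identity)
    if ($identityCache.ContainsKey($Identity)) { return $identityCache[$Identity] }
    $parts = $Identity -split '\\', 2
    $users = @()
    if ($parts.Count -eq 2 -and $parts[0] -eq $env:USERDOMAIN) {
        $obj = Get-ADObject -Filter "SamAccountName -eq '$($parts[1])'"
        switch ($obj.ObjectClass) {
            'group' { $users = @(Get-GroupUsers -Name $parts[1]) }
            'user'  { $users = @($Identity) }
        }
    }
    $identityCache[$Identity] = $users
    $users
}

# 4. Keep only ACEs that reach a member of $Group, and record how (direct ACE, or via which group).
$wanted = @{}
foreach ($u in Get-GroupUsers -Name $Group) { $wanted[$u] = $true }

$report = foreach ($ace in Get-FolderAces -Path $Root -IncludeInherited:$IncludeInherited) {
    foreach ($u in Resolve-IdentityToUsers -Identity $ace.Identity) {
        if ($wanted.ContainsKey($u)) {
            [pscustomobject]@{ User = $u; Folder = $ace.Folder; Rights = $ace.Rights; Via = $ace.Identity }
        }
    }
}
$report | Sort-Object User, Folder | Format-Table -AutoSize
# $report | Export-Csv .\access-by-user.csv -NoTypeInformation
```

The Via column is what distinguishes "Joe is in ShareA_RWXD" from "Joe was added to ShareB by hand": it holds the ACE's own identity, so a direct user entry shows Joe's account and a group entry shows the group. Three things this deliberately does not do. It skips Deny ACEs, so a user can appear with rights that a Deny higher in the ACL actually blocks. It skips well-known principals such as Everyone and Authenticated Users, and Get-ADGroupMember does not follow primary-group membership, so grants through Domain Users are not attributed to anyone. And it reports NTFS only; access through a share is still capped by the share permission, so this output has to be combined with a share-level report before anyone signs off on it.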


Michael B. Smith

Jul 2, 2020, 1:57:18 PM
to ntpowe...@googlegroups.com, ntsys...@googlegroups.com

If you don’t select only DiscretionaryAcl, you get all the other information that the cmdlet can output.

 

Owner            : NT AUTHORITY\SYSTEM
Group            : NT AUTHORITY\SYSTEM
ControlFlags     : DiscretionaryAclPresent, SelfRelative
DiscretionaryAcl : {NT AUTHORITY\INTERACTIVE: Allow (GenericAll), BUILTIN\Administrators: Allow (GenericAll),
                   BUILTIN\Backup Operators: Allow (GenericAll)}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

 

The list of FullControls means that there are ExtendedAttributes in the DACL that the ConvertFrom-Sddl cmdlet doesn’t know how to interpret. You can ignore it. If you want the exact detail, use icacls.exe. It properly displays all the extended attributes. But you can’t easily control the output format.

 


Melvin Backus

Jul 6, 2020, 7:34:07 AM
to ntsys...@googlegroups.com

If you still have or can dig up a copy of rmtshare that might be helpful. I still have a script that runs daily to dump the share permissions for all our file servers. It makes it really easy to scan for any non-group entries. Fortunately I’m pretty much the only one who sets up access or shares in our group so even when we’ve got a one-off situation it becomes a group, because there invariably winds up being someone else to add later down the road.

 

 

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

 

¯\_(ツ)_/¯

