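Function Get-SharePermissions {
<#
.SYNOPSIS
Returns share-permissions.
.DESCRIPTION
Gets all share-level permissions for a share on one or more computers.
One object is written to the pipeline per ACE in the share's DACL, with the
properties Domain, ID, AccessMask and AceType.
Only the permissions stored on the share itself are read; the file-system
ACL of the shared folder is not read by this function.
.PARAMETER ComputerName
Specifies the computer name(s).
Defaults to local machine.
.PARAMETER ShareName
Specifies the share name.
.PARAMETER FailedLog
Specifies the name of the log that contains the names of failed connections.
The log is deleted when the function starts and every computer that cannot be
reached is appended to it.
Defaults to C:\Temp\failed_Get-SharePermissions.txt
.NOTES
Written by FurBall
.EXAMPLE
Get-SharePermissions -computername spbeapp50115 -sharename 'TSMlogfiles$'
#>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$false,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)][string[]]$computername = $env:computername,
        [Parameter(Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)][string]$sharename,
        [Parameter(Mandatory=$False,ValueFromPipeline=$false,ValueFromPipelineByPropertyName=$false)][string]$FailedLog = "C:\Temp\failed_$($MyInvocation.MyCommand)"+".txt"
    )
    BEGIN {
        # Start every run with a fresh failure log.
        Remove-Item $FailedLog -ErrorAction SilentlyContinue
    }
    PROCESS {
        foreach ($computer in $computername) {
            # Connectivity probe: a terminating WMI error marks the computer as unreachable.
            try {
                $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
            } catch {
                # Append, so earlier failures in the same run are not overwritten.
                $computer | Out-File $FailedLog -Append
                continue
            }

            $ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $computer
            # The share name is compared client-side, so it is never spliced into a WQL filter.
            foreach ($ShareS in @($ShareSec | Where-Object { $_.Name -eq $sharename })) {
                $SecurityDescriptor = $ShareS.GetSecurityDescriptor()
                if ($SecurityDescriptor.ReturnValue -ne 0) {
                    # Surface the failure instead of silently reporting "no permissions".
                    Write-Warning "GetSecurityDescriptor failed for share '$sharename' on $computer (return value $($SecurityDescriptor.ReturnValue))."
                    continue
                }

                $aces = $SecurityDescriptor.Descriptor.DACL
                if ($null -eq $aces) {
                    # NOTE(review): an absent DACL is generally treated by Windows as
                    # unrestricted access - confirm how such a share should be reported.
                    Write-Warning "No DACL returned for share '$sharename' on $computer; no permission rows emitted."
                    continue
                }

                foreach ($DACL in $aces) {
                    # Translate well-known access masks; anything else is reported as the raw number.
                    # NOTE(review): Win32_ACE.AccessMask is unsigned, so the negative literal
                    # below may never match - confirm.
                    $AccessMask = switch ($DACL.AccessMask) {
                        2032127     { "FullControl" }
                        1179785     { "Read" }
                        1180063     { "Read, Write" }
                        1179817     { "ReadAndExecute" }
                        -1610612736 { "ReadAndExecuteExtended" }
                        1245631     { "ReadAndExecute, Modify, Write" }
                        1180095     { "ReadAndExecute, Write" }
                        268435456   { "FullControl (Sub Only)" }
                        default     { $DACL.AccessMask }
                    }
                    # Unknown ACE types are reported as the raw number rather than left blank,
                    # so they stay visible in an audit.
                    $AceType = switch ($DACL.AceType) {
                        0       { "Allow" }
                        1       { "Deny" }
                        2       { "Audit" }
                        default { $DACL.AceType }
                    }

                    # Written straight to the pipeline: a 'return' here would end the PROCESS
                    # block after the first computer and could repeat rows from an earlier one.
                    New-Object PSObject -Property @{
                        Domain     = $DACL.Trustee.Domain
                        ID         = $DACL.Trustee.Name
                        AccessMask = $AccessMask
                        AceType    = $AceType
                    }
                }
            }
        }
    }
}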
function Get-Shares{
<#
.SYNOPSIS
Returns shares.
.DESCRIPTION
Lists every Win32_Share instance of a computer and adds a FullPath note
property (\\computer\share) to each returned object.
.PARAMETER ComputerName
Specifies the computer name.
Defaults to local machine.
.EXAMPLE
Get-Shares -computername spbeapp50115
#>
    param([string]$ComputerName = $env:computername)

    # Collect the decorated share objects, then hand the whole list back.
    $decorated = @(
        Get-WmiObject -Class Win32_Share -ComputerName $ComputerName | ForEach-Object {
            $unc = "\\{0}\{1}" -f $ComputerName, $_.name
            # -PassThru puts the same (now extended) object back on the pipeline.
            $_ | Add-Member -MemberType NoteProperty -Name FullPath -Value $unc -PassThru
        }
    )
    return $decorated
}
function Get-PermissionsPerShare{
<#
.SYNOPSIS
Returns shares and permissions.
.DESCRIPTION
For every share on a computer (or list of computers), writes one object per
share-level ACE with the properties Computer, Share, ID, AccessMask and AceType.
.PARAMETER ComputerName
Specifies the computer name(s).
Defaults to local machine.
.NOTES
Written by FurBall
.EXAMPLE
Get-PermissionsPerShare -computername spbeapp50115
.EXAMPLE
$Servers = @("server1", "server2")
Get-PermissionsPerShare -computername $Servers | Format-Table
.EXAMPLE
Get-Content c:\temp\servers.txt | Get-PermissionsPerShare | Export-CSV MyResults.csv -NoTypeInformation -UseCulture
#>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$False,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)][string[]]$computername = $env:computername
    )
    process {
        foreach ($computer in $computername) {
            Get-Shares $computer | ForEach-Object {
                # Keep the share name: $_ is rebound inside the inner pipeline.
                $ShareName = $_.name
                Get-SharePermissions -ComputerName $computer -ShareName $ShareName | ForEach-Object {
                    # NOTE(review): the trustee's Domain is not copied to the output, so
                    # identically named local and domain accounts look the same here.
                    $row = @{
                        Computer   = $computer
                        Share      = $ShareName
                        ID         = $_.ID
                        AccessMask = $_.AccessMask
                        AceType    = $_.AceType
                    }
                    # The new object is emitted to the pipeline implicitly.
                    New-Object PSObject -Property $row
                }
            }
        }
    }
}
function Get-NtfsPermissionsPerShare{
<#
.SYNOPSIS
Returns shares and NTFS-permissions.
.DESCRIPTION
For every share on a computer (or list of computers) that has a local path,
reads the file-system ACL of that path and writes one object per access rule.
The path is reached through the drive's administrative share
(C:\Data becomes \\computer\C$\Data).
.PARAMETER ComputerName
Specifies the computer name(s).
Defaults to local machine.
.NOTES
Written by FurBall
.EXAMPLE
Get-NtfsPermissionsPerShare -computername spbeapp50115
.EXAMPLE
$Servers = @("server1", "server2")
Get-NtfsPermissionsPerShare -computername $Servers | Format-Table
.EXAMPLE
Get-Content c:\temp\servers.txt | Get-NtfsPermissionsPerShare | Export-CSV MyResults.csv -NoTypeInformation -UseCulture
#>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$False,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)][string[]]$computername = $env:computername
    )
    process {
        foreach ($computer in $computername) {
            Get-Shares $computer | ForEach-Object {
                # Shares without a path have no folder whose ACL could be read.
                if (-not $_.path) { return }

                $ShareName = $_.name
                $path = $_.path
                # Turn the drive colon into the '$' of the administrative share.
                $remotepath = ("\\{0}\{1}" -f $computer, $path) -replace ":", '$'

                # NOTE(review): Get-Acl -Path treats wildcard characters in the path as a
                # pattern - confirm that shared folder names never contain '[' or ']'.
                get-acl -path $remotepath | ForEach-Object {
                    $_.Access | ForEach-Object {
                        $rule = $_
                        $IDref = $rule.IdentityReference.tostring()
                        New-Object PSObject -Property @{
                            Computer          = $computer
                            Share             = $ShareName
                            "Path"            = $path
                            FileSystemRights  = $rule.FileSystemRights
                            AccessControlType = $rule.AccessControlType
                            IdentityReference = $IDref
                            IsInherited       = $rule.IsInherited
                            InheritanceFlags  = $rule.InheritanceFlags
                            PropagationFlags  = $rule.PropagationFlags
                        }
                    }
                }
            }
        }
    }
}
# Public surface of the module: only these four functions are exported.
$exported = 'Get-SharePermissions', 'Get-Shares', 'Get-PermissionsPerShare', 'Get-NtfsPermissionsPerShare'
Export-ModuleMember -function $exported