Share permissions and file/folder permissions are 2 different things. You asked about share permissions and that's what the script that you posted looks at.
The share permissions act as a filter to the file/folder permissions. So if the file/folder permissions grant "everyone full", but the share permissions only have "everyone read", then no one will be able to update the files.
So if the share permissions reference Authenticated Users, then an account that is a member of "everyone", but not "authenticated users", will not have any access to the files/folders. From what I remember, if you have the Guest account disabled, then everyone is effectively authenticated users.
If your auditors still want you to update the NTFS permissions, here is a script that I developed to replace one account with another.
You should test this thoroughly on a test server before you incorporate the code into the script that I first posted.
Do you know enough about PowerShell to merge the 2 scripts?
#-------------------------------------------------------------------------------------
# Script: ReplaceAcl.ps1
# Author: Motox80 on Microsoft Technet/Q&A Forums
# Notes : No warranty expressed or implied.
#         Use at your own risk.
# Function: Subinacl.exe is no more.
#           This script replaces one group with another on a given folder structure
#           Only directories are analyzed, not individual files.
#--------------------------------------------------------------------------------------
$Path     = 'c:\temp\foo1'           # The folder to analyze
$LookFor  = 'Everyone'               # "from" this group. -match is a regex, so a name containing a backslash needs \\ (e.g. 'DOMAIN\\Group')
$NewGroup = 'Authenticated Users'    # "to" this group. Only one \ is needed here

$AllDirs = @()                                               # Empty array
$AllDirs += Get-Item -Path $Path                             # Add the root directory
$AllDirs += Get-ChildItem -Directory -Path $Path -Recurse    # Add in all of the subfolders, use -Depth switch to limit how deep we analyze
                                                             # if you have hundreds of subfolders
foreach ($dir in $AllDirs) {
    $dir.FullName                                            # Comment out to reduce output
    $acl = Get-Acl $dir.FullName
    $OldAces = $acl.Access                                   # Who has access?
    $UpdateAcl = $false                                      # Default to not update
    foreach ($OldAce in $OldAces) {
        #"Found $($OldAce.IdentityReference) "
        if ($OldAce.IsInherited -eq $false) {                # There is no need to touch inherited aces
            # "  Found uninherited ACE: {0} " -f $OldAce.IdentityReference    # Uncomment if you want to know what we found
            if ($OldAce.IdentityReference -match $LookFor) { # Did we find the guy we're looking for?
                #"  It's a match."
                # Create new rule with the old rights
                $ArgList = $NewGroup, $OldAce.FileSystemRights, $OldAce.InheritanceFlags, $OldAce.PropagationFlags, $OldAce.AccessControlType
                $NewAce = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ArgList
                # Remove old rule, add in new one.
                # AddAccessRule keeps any rules $NewGroup already has; SetAccessRule would
                # replace them, including a rule added earlier in this loop.
                $acl.RemoveAccessRule($OldAce) | Out-Null
                $acl.AddAccessRule($NewAce)
                $UpdateAcl = $true                           # Set flag to do the update
            }
        }
    }
    if ($UpdateAcl) {
        " *** Update *** {0}" -f $dir.FullName
        Set-Acl -Path $dir.FullName -AclObject $acl          # Update the permissions; add -WhatIf to preview without applying them
    }
}
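
The "filter" relationship between share and NTFS permissions described in the post, as an added example (not part of Motox80's script). It reports, for one identity, what the share allows, what the share's root folder allows, and the overlap of the two. The share name `foo1` and the Read/Change/Full to NTFS mapping are assumptions; it needs the SmbShare module and does not expand group membership or evaluate Deny entries.

```powershell
# Added example: share permissions as a filter on NTFS permissions (read-only report).
$ShareName = 'foo1'        # hypothetical share name, replace with your own
$Identity  = 'Everyone'    # identity to report on, matched by exact name

# Approximate NTFS equivalent of each share-level right (assumed mapping)
$ShareToNtfs = @{
    Read   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    Change = [System.Security.AccessControl.FileSystemRights]::Modify
    Full   = [System.Security.AccessControl.FileSystemRights]::FullControl
}
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# What the share lets through for this identity (Allow entries only)
$shareMask = 0
foreach ($entry in Get-SmbShareAccess -Name $ShareName) {
    if ($entry.AccountName -eq $Identity -and "$($entry.AccessControlType)" -eq 'Allow') {
        $shareMask = $shareMask -bor [int]$ShareToNtfs["$($entry.AccessRight)"]
    }
}

# What NTFS grants this identity on the share's root folder (Allow entries only,
# skipping entries that apply to children but not to the folder itself)
$root = (Get-SmbShare -Name $ShareName).Path
$ntfsMask = 0
foreach ($ace in (Get-Acl -Path $root).Access) {
    if ($ace.IdentityReference.Value -eq $Identity -and
        "$($ace.AccessControlType)" -eq 'Allow' -and
        -not ($ace.PropagationFlags -band $InheritOnly)) {
        $ntfsMask = $ntfsMask -bor [int]$ace.FileSystemRights
    }
}

# Over the network the identity gets only the rights that both layers allow
[pscustomobject]@{
    Share     = $ShareName
    Path      = $root
    Identity  = $Identity
    ShareLets = [System.Security.AccessControl.FileSystemRights]$shareMask
    NtfsLets  = [System.Security.AccessControl.FileSystemRights]$ntfsMask
    Effective = [System.Security.AccessControl.FileSystemRights]($shareMask -band $ntfsMask)
}
```

With NTFS granting "Everyone" full control and the share granting "Everyone" read, `Effective` comes out as `ReadAndExecute`, which is the situation the post describes.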