List NTFS and SMB permissions from multiple remote servers


I have a requirement to list all the NTFS and SMB permissions from multiple remote servers, but I found a script that gets the list on one server using the UNC path. Instead of that, can any of you help me list the NTFS and SMB permissions along with the share path for multiple servers?

Code which I found on the Git
<#
.SYNOPSIS
    Returns NTFS and Share permissions for a provided UNC Path
.DESCRIPTION
    Returns NTFS and Share permissions for a provided UNC Path
    This script/function can be used to report on Share and NTFS permissions for the provided UNC path, multiple UNC paths, or a list of UNC paths.
    It requires the proper access to enumerate the shares and read all of the ACL information (typically administrative permissions are required on the remote system hosting the path)
    It uses WMI to gather share information, so SMB shares hosted on NON-Windows systems will return an error.
.PARAMETER UNCPath
    Valid UNC Path
.EXAMPLE
    PS C:\> .\Get-ShareACL.ps1 -UNCPath \\testshare | Format-Table -AutoSize
.EXAMPLE
    PS C:\> .\Get-ShareACL.ps1 -UNCPath \\testshare,\\share1$ | Out-Gridview
.EXAMPLE
    PS C:\> .\Get-ShareACL.ps1 -UNCPath (Get-Content C:\UNCPathList.txt) | Export-Csv C:\ACLAudit.csv -NoTypeInformation -Force
.NOTES
    20141017 K. Kirkpatrick [+] Created

    Twitter:  @vScripter

    All scripts are provided as-is with no implicit
    warranty or support. It's always considered a best practice
    to test scripts in a DEV/TEST environment, before running them
    in production. In other words, I will not be held accountable
    if one of my scripts is responsible for an RGE (Resume Generating Event).
    If you have questions or issues, please reach out/report them on
    my GitHub page. Thanks for your support!
#>

[cmdletbinding()]
param (
    [parameter(Mandatory = $true, Position = 0)]
    [validatescript({ Test-Path $_ -PathType Container })]
    [string[]]$UNCPath   # one or more UNC paths, e.g. \\server\share
)

BEGIN {
    $Results = @()
    $ExportPath = "C:\Users\a-lchandrakanthredd\Desktop\Test"

    $ErrorActionPreference = [System.Management.Automation.ActionPreference]::Stop

    function Get-SMBACL {
        foreach ($Path in $UNCPath) {
            try {
                $colNTFS = @()
                $colSMB = @()

                # \\server\share splits into '', '', 'server', 'share'
                $pathparts = $path.split("\")
                $ComputerName = $pathparts[2]
                $ShareName = $pathparts[3]

                Write-Verbose -Message "Gathering NTFS Permissions..."

                $acl = Get-Acl $path

                foreach ($accessRule in $acl.Access) {
                    $objNTFSAcl = [PSCustomObject] @{
                        ComputerName = $ComputerName
                        ACLType = "NTFS"
                        ShareName = $ShareName
                        Account = $accessRule.IdentityReference
                        Permission = $accessRule.FileSystemRights
                    }
                    $colNTFS += $objNTFSAcl
                }# foreach

                Write-Verbose -Message "Gathering SMB/Share Permissions..."

                $Share = Get-WmiObject win32_LogicalShareSecuritySetting -Filter "name='$ShareName'" -ComputerName $ComputerName

                if ($Share) {
                    $ACLS = $Share.GetSecurityDescriptor().Descriptor.DACL
                    foreach ($ACL in $ACLS) {
                        $User = $ACL.Trustee.Name
                        if (!($user)) { $user = $ACL.Trustee.SID }
                        $Domain = $ACL.Trustee.Domain
                        switch ($ACL.AccessMask) {
                            2032127 { $Perm = "Full Control" }
                            1245631 { $Perm = "Change" }
                            1179817 { $Perm = "Read" }
                            default { $Perm = $ACL.AccessMask }  # unmapped mask: report the raw value instead of a stale $Perm
                        }# switch

                        $ntUser = "$Domain\$user"

                        $objSMB = [PSCustomObject] @{
                            ComputerName = $ComputerName
                            ACLType = "SMB"
                            Account = $ntUser
                            Permission = $Perm
                        }
                        $colSMB += $objSMB
                    }# foreach
                }# if

                # Collect both ACL types for this path
                $Results += $colNTFS
                $Results += $colSMB
            } catch {
                Write-Warning -Message "Error getting info from $Path"
            }# try/catch
        }# foreach

        Write-Verbose -Message "Gathering Results..."
        $Results
    }# function Get-SMBACL
}# BEGIN

PROCESS {
    Get-SMBACL | Export-Csv -Path $ExportPath\SMBAccess.csv -NoTypeInformation
}# PROCESS

END {
    # Clean up work goes here
}# END

1 answer

  1. MotoX80 23,651 Reputation points

    You already have the SMB share functionality in the first question that you asked.

    That script does an Invoke-Command on multiple servers. Add a foreach if you want to process them one by one. Don't use the WMI calls from the above script; use the Get-SmbShareAccess cmdlets that I posted in my reply.

    Start by getting a report on the share permissions first. Then after you understand how my script works, you can add that code to report on NTFS folder permissions.

    I would caution you about reporting on the permissions on ALL folders. You could have thousands of entries if you have a large file server. I would recommend that you only report on uninherited ACLs.

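One way to combine the advice in this answer, as an added example that is not MotoX80's script or code from the original thread: Invoke-Command runs on each server, Get-SmbShareAccess reports the share permissions, and Get-Acl reports NTFS permissions, limited to uninherited ACEs below each share root. The server names, `$Depth` and `$ReportPath` are placeholders, and it assumes PowerShell remoting is enabled and the servers run Windows PowerShell 5.1.

```powershell
# Added example, not MotoX80's script. Server names are placeholders; assumes
# PowerShell remoting (WinRM) is enabled and you are an administrator on each server.
$Servers    = 'FILESRV01', 'FILESRV02'
$Depth      = 1   # subfolder levels to check below each share root
$ReportPath = Join-Path $env:TEMP 'SharePermissions.csv'

$rows = Invoke-Command -ComputerName $Servers -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
    function New-Row($Share, $Folder, $Type, $Account, $Access, $Rights) {
        # Cast enum values to strings so they survive remoting serialization.
        [PSCustomObject]@{
            ShareName  = $Share.Name
            SharePath  = $Share.Path
            Folder     = $Folder
            ACLType    = $Type
            Account    = "$Account"
            Access     = "$Access"
            Permission = "$Rights"
        }
    }

    # Skip special shares (ADMIN$, C$, IPC$) and anything without a folder path.
    $shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }
    foreach ($share in $shares) {
        # Share-level (SMB) permissions.
        foreach ($ace in ($share | Get-SmbShareAccess)) {
            New-Row $share $share.Path 'SMB' $ace.AccountName $ace.AccessControlType $ace.AccessRight
        }

        # NTFS: all ACEs on the share root, then only explicit (uninherited)
        # ACEs on subfolders, which keeps the report small on large file servers.
        $folders = @(Get-Item -LiteralPath $share.Path) +
                   @(Get-ChildItem -LiteralPath $share.Path -Directory -Recurse -Depth $using:Depth)
        $isRoot = $true
        foreach ($folder in $folders) {
            $rules = (Get-Acl -LiteralPath $folder.FullName).Access
            if (-not $isRoot) { $rules = $rules | Where-Object { -not $_.IsInherited } }
            $isRoot = $false
            foreach ($rule in $rules) {
                New-Row $share $folder.FullName 'NTFS' $rule.IdentityReference $rule.AccessControlType $rule.FileSystemRights
            }
        }
    }
}

$rows | Select-Object PSComputerName, ShareName, SharePath, Folder, ACLType, Account, Access, Permission |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Unreachable servers and unreadable folders end up here instead of stopping the run.
$failed | ForEach-Object { Write-Warning $_.ToString() }
```

The `PSComputerName` column is added by Invoke-Command, so each row shows which server it came from.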