Auditing permissions on a Windows server is basically hellish unless you have a very strict policy on subfolder explicit permissions and group usage. You can use tools like CACLS.exe and XCACLS.exe, but for messy folder shares the output can be utterly unmanageable. Enter a PowerShell script I wrote. This script takes a path as an argument and dumps out all explicit (non-inherited) permissions from the path and all subfolders inside it. Never make the mistake of re-pushing inheritance down on subfolders and wiping out all those restrictions again!
    # Clear stale errors and suppress new ones. Note: folders whose ACL cannot
    # be read (e.g. access denied) are skipped silently.
    $error.Clear()
    $ErrorActionPreference = "SilentlyContinue"

    # Print every explicit (non-inherited) ACE on each folder passed in.
    function GetExplicits ($folders) {
        foreach ($i in $folders) {
            $acllist = Get-Acl $i.FullName
            foreach ($x in $acllist.Access) {
                if ($x.IsInherited -eq $false) {
                    Write-Host "$($x.IdentityReference.Value) has $($x.FileSystemRights) on $($i.FullName)"
                    $spacing = $true
                }
            }
            # Blank line after each folder that had explicit entries
            if ($spacing) { Write-Host ""; $spacing = $null }
        }
    }

    # Require a path argument that exists; return ends the script here.
    if (-not $args[0]) { "usage: ./auditperms.ps1 `"`""; return }
    $strpath = $args[0]
    if (-not (Test-Path $strpath)) { "bad path, try again, cowboy!"; return }

    Write-Host "----------------------------------`nROOT FOLDER EXPLICITS"
    $folderslist = Get-Item -Path $strpath
    GetExplicits $folderslist

    Write-Host "----------------------------------`nSUBFOLDER EXPLICITS"
    $folderslist = Get-ChildItem -Path $strpath -Recurse | Where-Object { $_.PSIsContainer -eq $true }
    GetExplicits $folderslist
The output looks like this:
    ----------------------------------
    ROOT FOLDER EXPLICITS
    Everyone has Modify, Synchronize on \\fileserver\users\scanner
    CREATOR OWNER has Modify, Synchronize on \\fileserver\users\scanner
    BUILTIN\Administrators has Modify, Synchronize on \\fileserver\users\scanner
    MYDOMAIN\Domain Users has Modify, Synchronize on \\fileserver\users\scanner

    ----------------------------------
    SUBFOLDER EXPLICITS
    Everyone has ReadAndExecute, Synchronize on \\fileserver\users\scanner\FarmBanc

    Everyone has ReadAndExecute, Synchronize on \\fileserver\users\scanner\SalesApp

    Everyone has ReadAndExecute, Synchronize on \\fileserver\users\scanner\SalesApp\April Visit
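
As an added example (not the author's script), the same folder walk can emit objects instead of console text, so the result can be saved as a baseline before any inheritance change and filtered afterwards. The names Get-ExplicitAce and New-Row and the CSV file name are hypothetical; the example also records whether each entry is Allow or Deny and lists folders that could not be read, which SilentlyContinue would otherwise hide.

```powershell
# Added example, not the author's script. Get-ExplicitAce is a hypothetical name.
# Requires PowerShell 3.0+ (-Directory, [pscustomobject]).
function Get-ExplicitAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Hypothetical helper: one uniform row shape for both ACEs and errors.
    function New-Row ($Folder, $Identity, $Rights, $Type, $Protected, $Note) {
        [pscustomobject]@{
            Folder = $Folder; Identity = $Identity; Rights = $Rights
            Type = $Type; InheritanceBlocked = $Protected; Note = $Note
        }
    }

    # Root folder first, then every subfolder, as in the original script.
    $folders = @(Get-Item -LiteralPath $Path -ErrorAction Stop)
    $folders += @(Get-ChildItem -LiteralPath $Path -Recurse -Directory `
                    -ErrorAction SilentlyContinue -ErrorVariable walkErrors)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            # Surface folders whose ACL cannot be read instead of skipping them.
            New-Row $folder.FullName $null $null 'ERROR' $null $_.Exception.Message
            continue
        }
        foreach ($ace in $acl.Access) {
            if (-not $ace.IsInherited) {
                New-Row $folder.FullName $ace.IdentityReference.Value `
                    $ace.FileSystemRights $ace.AccessControlType `
                    $acl.AreAccessRulesProtected ''
            }
        }
    }
    # Subtrees that could not be enumerated at all are reported too.
    foreach ($e in $walkErrors) {
        New-Row "$($e.TargetObject)" $null $null 'ERROR' $null $e.Exception.Message
    }
}

# Path taken from the sample output above; the CSV file name is a placeholder.
$report = Get-ExplicitAce -Path '\\fileserver\users\scanner'
$report | Export-Csv -NoTypeInformation -Path .\explicit-aces.csv

# Review broad principals holding write-capable rights first.
$report | Where-Object {
    $_.Identity -match '^(Everyone|.+\\Domain Users)$' -and
    "$($_.Rights)" -match 'Modify|FullControl|Write'
} | Format-Table Folder, Identity, Rights -AutoSize
```

Keeping the CSV from before a permissions change gives you something to diff against if inheritance is ever re-pushed and the explicit entries disappear.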