
PowerShell: How to Detect Users Who Have Direct Permissions on Your File Servers

Why It Is Important

Best practices recommend assigning permissions through group membership rather than directly to individual accounts. This approach helps you ensure that users have only the file server permissions they need to do their jobs, and thereby minimizes the risk of exfiltration of sensitive data from your file servers. By determining how permissions are assigned to any user and identifying users with directly granted Windows file server permissions, you can quickly remove inappropriate access and thereby strengthen your IT system and data security.

Native Auditing

1. Open PowerShell ISE on your file server.

2. Type in the following PowerShell script:

$search_folder = "\\share\path\"
$out_file = "C:\temp\directpermissionsexport.csv"
$out_error = "C:\temp\errors.csv"

# Enumerate every file and folder under the share
$items = Get-ChildItem -Path $search_folder -Recurse

$found = @()
$errors = @()

ForEach ($item in $items) {

  try {
    # -LiteralPath avoids wildcard interpretation of brackets in file names;
    # -ErrorAction Stop turns access-denied errors into terminating errors so
    # that the catch block below actually records them
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop

    ForEach ($entry in $acl.Access) {
      # Keep only explicit (non-inherited) access control entries
      If (!$entry.IsInherited) {
        $found += New-Object -TypeName PSObject -Property @{
          Folder = $item.FullName
          Access = $entry.FileSystemRights
          Control = $entry.AccessControlType
          User = $entry.IdentityReference
          Inheritance = $entry.IsInherited
        }
      }
    }
  } catch {
    $errors += New-Object -TypeName PSObject -Property @{
      Item = $item.FullName
      Error = $_.Exception.Message
    }
  }
}

$found |
Select-Object -Property Folder,User,Control,Access,Inheritance |
Export-Csv -NoTypeInformation -Path $out_file

# The variable name must match the one defined at the top ($out_error, not $out_err)
$errors |
Export-Csv -NoTypeInformation -Path $out_error

3. Specify the following parameters:

  • $search_folder: enter the path to the shared folder you want to inspect for direct permissions.
  • $out_file: enter the path of the file to write the results to.
  • $out_error: enter the path of the error log file.

4. Run the script.

5. Open the .csv file produced by the script in Microsoft Excel to see which users have direct permissions to files and folders in the specified file share.

6. Report example:

https://img.netwrix.com/landings/howtofriday/33/native.png
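The export above lists every explicit access control entry, whether the identity is a group, a built-in principal or an individual account. Since the point of the check is to find individual users with direct permissions, the following added script (not part of the original Netwrix article) post-processes that CSV: it drops well-known principals that legitimately carry explicit ACEs, resolves each remaining identity to its Active Directory objectClass via an ADSI search, and keeps only entries that are not groups or computer accounts. It assumes the CSV path used by the script above, a domain-joined host, and that the output path $out_users and the function name Get-PrincipalClass are free to use; the example identities in the comments are constructed.

```powershell
$in_file   = "C:\temp\directpermissionsexport.csv"          # output of the script above
$out_users = "C:\temp\directpermissions_users_only.csv"     # assumed output path

# Well-known principals that normally hold explicit ACEs by design; exclude them
# from review so that the report is reduced to identities that need attention.
$skip = @(
  'NT AUTHORITY\SYSTEM',
  'BUILTIN\Administrators',
  'CREATOR OWNER',
  'NT AUTHORITY\Authenticated Users'
)

# Cache lookups: the same identity usually appears on many folders
$cache = @{}

function Get-PrincipalClass {
  param([string]$Identity)   # e.g. "CONTOSO\jdoe" or "CONTOSO\Finance-RW" (constructed)
  if ($cache.ContainsKey($Identity)) { return $cache[$Identity] }

  $class = 'unknown'         # local accounts or anything not found in AD
  try {
    # Resolve the account name to its SID, then look the SID up in the directory
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value
    $searcher = [adsisearcher]"(objectSid=$sid)"
    $searcher.PropertiesToLoad.Add('objectClass') | Out-Null
    $result = $searcher.FindOne()
    if ($result) {
      # objectClass is a hierarchy such as top/person/organizationalPerson/user;
      # the most specific class is the last element
      $class = ($result.Properties['objectclass'] | Select-Object -Last 1)
    }
  } catch {
    # Orphaned SIDs (deleted accounts) or unresolvable names still deserve review
    $class = 'unresolved'
  }
  $cache[$Identity] = $class
  return $class
}

Import-Csv -Path $in_file |
  Where-Object { $skip -notcontains $_.User } |
  ForEach-Object {
    $_ | Add-Member -NotePropertyName PrincipalType `
                    -NotePropertyValue (Get-PrincipalClass $_.User) -PassThru
  } |
  # Keep users, unresolved SIDs and unknown (e.g. local) accounts; drop groups and computers
  Where-Object { $_.PrincipalType -notin 'group','computer' } |
  Sort-Object User, Folder |
  Export-Csv -NoTypeInformation -Path $out_users
```

Run it after step 4 on the same machine. Each row in the resulting file is a candidate for remediation: replace the direct ACE with membership in an appropriate group, and treat 'unresolved' rows (orphaned SIDs) as stale entries to remove.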

Credits

Originally posted - https://www.netwrix.com/how_to_detect_who_has_direct_permissions_to_your_file_shares.html