I have been working on a security project recently. One of the tasks covers checking file share permissions on older systems.
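function Get-ShareAccessPermissions{
<#
.SYNOPSIS
Gets share access permissions.
.DESCRIPTION
Gets share access permissions, one output row per ACE in each share's DACL.
The tool is designed for older Windows systems as the new ones have a dedicated Get-SmbShareAccess Cmdlet
PowerShell remoting is tried first; if it returns nothing, the same WMI queries are
sent directly to the target computer.
Access masks other than the standard Read / Change / FullControl values are reported
as "Custom (<mask>)" so that non-standard grants are not shown as a blank Permission.
Only share-level permissions are listed; file system (NTFS) ACLs are not examined.
.PARAMETER ComputerName
One or more computers to query. Defaults to the local computer.
.EXAMPLE
PS C:\TMP> Get-ShareAccessPermissions
MachineName Share Path Domain ID Permission ACEType
----------- ----- ---- ------ -- ---------- -------
P1 print$ C:\Windows\system32\spool\drivers Everyone Read Allow
P1 print$ C:\Windows\system32\spool\drivers BUILTIN Administrators FullControl Allow
P1 tmp C:\tmp P1 Admin FullControl Allow
P1 tmp C:\tmp NT AUTHORITY Authenticated Users Change Allow
P1 tmp C:\tmp Everyone Read Allow
#>
    [CmdLetBinding()]
    Param(
        [string[]]$ComputerName= $env:COMPUTERNAME
    )
    BEGIN{
        # One collector shared by the remoting path and the direct-WMI path, so the two
        # cannot drift apart. With no $Target the queries run against the machine the
        # script block executes on; with a $Target every WMI call is sent to that computer.
        $Collector = {
            Param([string]$Target)

            $WmiTarget = @{}
            if ($Target) { $WmiTarget['ComputerName'] = $Target }

            ForEach ($ShareSecurity in (Get-WmiObject Win32_LogicalShareSecuritySetting @WmiTarget)) {
                # The share name is placed inside a WQL string literal: escape backslashes
                # and single quotes so an unusual share name cannot break the filter.
                $EscapedName = $ShareSecurity.Name -replace "([\\'])", '\$1'

                # Look the path up on the same computer the security setting came from.
                # Without the target, the fallback path would read the LOCAL machine's
                # shares and report a wrong or empty Path.
                $Path = Get-WmiObject Win32_Share -Filter "name='$EscapedName'" @WmiTarget

                # A descriptor with no DACL entries yields no rows for that share.
                ForEach ($DACL in $ShareSecurity.GetSecurityDescriptor().Descriptor.DACL) {
                    [PSCustomObject]@{
                        MachineName = $ShareSecurity.PSComputerName
                        Share       = $ShareSecurity.Name
                        Path        = $Path.Path
                        Domain      = $DACL.Trustee.Domain
                        ID          = $DACL.Trustee.Name
                        Permission  = switch ( $DACL.AccessMask ) {
                            1179817 { "Read" }
                            1245631 { "Change" }
                            2032127 { "FullControl" }
                            # Keep the raw mask visible instead of an empty cell.
                            default { "Custom ($_)" }
                        }
                        ACEType     = switch ( $DACL.AceType ) {
                            0 { "Allow" }
                            1 { "Deny" }
                            default { "Other ($_)" }
                        }
                    }
                }
            }
        }
    }
    Process{
        ForEach($Comp in $ComputerName){
            # Remoting errors are suppressed on purpose: an empty result triggers the
            # direct-WMI fallback below. Select-Object drops the properties that
            # remoting adds to each returned object.
            $Info = Invoke-Command -ComputerName $Comp -ErrorAction SilentlyContinue -ScriptBlock $Collector |
                Select-Object MachineName, Share, Path, Domain, ID, Permission, ACEType

            IF($Info){
                $Info
            }ELSE{
                # Errors from this path are not suppressed, so an unreachable host is reported.
                & $Collector $Comp
            }
        }
    }
    END{}
}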