How to detect which users have access to shares on Windows File Servers

The following compares obtaining a report of the permissions users have on shares on the server using Windows PowerShell and using ADManager Plus.

VBScript

Steps to obtain permissions for folders using VBScript:

  • Identify the domain from which you want to retrieve the report.
  • Identify the LDAP attributes you need to fetch the report.
  • Identify the primary DC to retrieve the report.
  • Compile and execute the script.
  • The desired report will be generated.

Sample VBScript:

' File open modes; declared at script level so the main code and the Subs share them
Const ForReading = 1, ForWriting = 2, ForAppending = 8

strComputer = "."
sParentFolder = InputBox("Please Enter folder to gather information on", "Parent Folder")

' Output file name is the folder name without special characters
sParentFoldern = Replace(sParentFolder, "\", "")
sParentFoldern = Replace(sParentFoldern, ":", "")
Set fso = CreateObject("Scripting.FileSystemObject")
fullfilename = sParentFoldern & ".html"
'WScript.Echo fullfilename

' Write the HTML header and the table heading row
Set fsOut = fso.OpenTextFile(fullfilename, ForAppending, True)
On Error Resume Next
fsOut.WriteLine "<html>" & vbCr & "<head>" & vbCr & _
    "<title>File Permission For Folder under " & sParentFoldern & "</title>" & vbCr & "</head>"
strTableHead = "<table border=2 bordercolor='#000010' width='90%' id='Table1'>"
fsOut.WriteLine strTableHead
fsOut.WriteLine "<tr><td width='50%'>Folder</td>" & _
    "<td width='50%'>User Name</td>" & _
    "<td width='50%'>Permission</td></tr>"
strTableFoot = "</table>"
fsOut.Close

' Report on every subfolder, then on the parent folder itself
ShowSubFolders fso.GetFolder(sParentFolder), fullfilename
OutputFolderInfo sParentFolder, fullfilename

Set fsOut = fso.OpenTextFile(fullfilename, ForAppending, True)
fsOut.WriteLine strTableFoot
fsOut.Close
MsgBox "Done "
WScript.Quit

' Appends one table row per ACE in the folder's DACL to the report file
Public Sub OutputFolderInfo(FolderName, sOutfile)
    Const FullAccessMask = 2032127, ModifyAccessMask = 1245631, WriteAccessMask = 1180095
    Const ROAccessMask = 1179817
    strComputer = "."

    ' Build the path to the folder; WMI requires doubled backslashes
    folderpath = Replace(FolderName, "\", "\\")
    objectpath = "winmgmts:Win32_LogicalFileSecuritySetting.path='" & folderpath & "'"

    ' Get the security settings for the object and verify that the call succeeded
    On Error Resume Next
    Set wmiFileSecSetting = GetObject(objectpath)
    RetVal = wmiFileSecSetting.GetSecurityDescriptor(wmiSecurityDescriptor)
    If Err Then
        MsgBox "GetSecurityDescriptor failed" & vbCrLf & Err.Number & vbCrLf & Err.Description
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0

    Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & _
        strComputer & "\root\cimv2")
    Set colFolders = objWMIService.ExecQuery("SELECT * FROM Win32_Directory WHERE Name ='" & _
        folderpath & "'")

    For Each objFolder In colFolders
        ' Retrieve the DACL array of Win32_ACE objects
        DACL = wmiSecurityDescriptor.DACL
        Set fso = CreateObject("Scripting.FileSystemObject")
        Set fsOut = fso.OpenTextFile(sOutfile, ForAppending, True)
        For Each wmiAce In DACL
            ' Get the Win32_Trustee object from the ACE
            Set Trustee = wmiAce.Trustee
            fsOut.WriteLine "<tr><td width='50%'>" & objFolder.Name & "</td>" & _
                "<td width='50%'>" & Trustee.Domain & "\" & Trustee.Name & "</td>"

            ' Only four exact masks are recognised; anything else is reported as Custom
            Select Case wmiAce.AccessMask
                Case FullAccessMask
                    AccessType = "Full Control"
                Case ModifyAccessMask
                    AccessType = "Modify"
                Case WriteAccessMask
                    AccessType = "Read/Write Control"
                Case ROAccessMask
                    AccessType = "Read Only"
                Case Else
                    AccessType = "Custom"
            End Select
            fsOut.WriteLine "<td width='50%'>" & AccessType & "</td></tr>"
        Next
        Set fsOut = Nothing
        Set fso = Nothing
    Next
End Sub

' Recursively walks every subfolder and reports on each one
Sub ShowSubFolders(Folder, fname)
    On Error Resume Next
    For Each Subfolder In Folder.SubFolders
        Call OutputFolderInfo(Subfolder.Path, fname)
        WScript.Echo Subfolder.Path
        Call ShowSubFolders(Subfolder, fname)
    Next
End Sub

ADManager Plus

To obtain the report,

  • Select Permissions for folders from NTFS permissions report.
  • Select domain and OU.
  • Choose the folders in the 'Shared Resource path' field and choose the level of folder permissions from the drop-down list. Click Generate.

Screenshot

A screenshot of ADManager Plus with all the folders accessible by a specific user
 


The following are the limitations of obtaining a report of the permissions users have on shares on the server using native tools like Windows PowerShell:

  • We should provide the exact ParentFolder name in the script.
  • The user running this script should have permission to read folder permissions.
  • For subfolders, we have to explicitly mention the number of levels for which we need the permissions.
  • With this script, we cannot retrieve the custom permissions available for the accounts.
  • We need to process the DACL to get the access type (Allow/Deny) and the 'Applies to' fields.
  • It is difficult to obtain the report in other formats.
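
The DACL processing that the list above calls for can be done with Get-Acl. The following is an added example, not code from the original page or from ADManager Plus: it decodes each ACE into its access type (Allow/Deny), the individual rights behind a "Custom" mask, and the 'Applies to' scope. The function names and the share path in the usage comment are hypothetical.

```powershell
# Added example, not the page's code. Function names are hypothetical.
# Requires PowerShell 5.0+ (Get-ChildItem -Depth).
$GenericRights = [ordered]@{        # generic bits that Get-Acl prints as bare numbers
    GenericAll     = 0x10000000
    GenericExecute = 0x20000000
    GenericWrite   = 0x40000000
    GenericRead    = -2147483648    # 0x80000000 as a signed 32-bit value
}
function ConvertTo-RightsText([System.Security.AccessControl.FileSystemRights]$Rights) {
    $mask     = [int]$Rights
    $names    = @($GenericRights.Keys | Where-Object { $mask -band $GenericRights[$_] })
    $specific = $mask -band 0x001F01FF   # 2032127, the VBScript's FullAccessMask
    if ($specific) { $names += ([System.Security.AccessControl.FileSystemRights]$specific).ToString() }
    $names -join ', '
}
function Get-AppliesTo($Ace) {
    $inh  = [System.Security.AccessControl.InheritanceFlags]
    $prop = [System.Security.AccessControl.PropagationFlags]
    $scope = @()
    if (-not $Ace.PropagationFlags.HasFlag($prop::InheritOnly)) { $scope += 'this folder' }
    if ($Ace.InheritanceFlags.HasFlag($inh::ContainerInherit))  { $scope += 'subfolders' }
    if ($Ace.InheritanceFlags.HasFlag($inh::ObjectInherit))     { $scope += 'files' }
    $text = $scope -join ', '
    if ($Ace.PropagationFlags.HasFlag($prop::NoPropagateInherit)) { $text += ' (direct children only)' }
    $text
}
function Get-FolderPermissionReport {
    param([Parameter(Mandatory)][string]$Path, [int]$Depth = 0)   # 0 = immediate subfolders
    $folders  = @(Get-Item -LiteralPath $Path)
    $folders += @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue -ErrorVariable skipped)
    # Folders that could not be listed are reported, not silently dropped
    foreach ($e in $skipped) { Write-Warning "Skipped: $($e.TargetObject)" }
    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Account   = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType        # Allow or Deny
                Rights    = ConvertTo-RightsText $ace.FileSystemRights
                AppliesTo = Get-AppliesTo $ace
                Inherited = $ace.IsInherited
            }
        }
    }
}
# Usage (placeholder path), exported to CSV:
# Get-FolderPermissionReport -Path 'D:\Shares\Finance' -Depth 1 | Export-Csv .\share-acl.csv -NoTypeInformation
```

This reads NTFS ACLs only. Share-level permissions are a separate ACL, reported by Get-SmbShareAccess, and access over SMB is limited by both.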

ADManager Plus can identify folders, sub-folders and their corresponding permissions through the Permissions for folders report in the NTFS Permissions section of AD reports.
