How to detect folders over which the specified accounts have permissions

The following is a comparison between obtaining a report on folders accessible by accounts with Windows PowerShell and ADManager Plus.

VBScript

Steps to obtain folders accessible by accounts using VBScript:

  • Identify the domain from which you want to retrieve the report.
  • Identify the LDAP attributes you need to fetch the report.
  • Identify the primary DC to retrieve the report.
  • Compile the script.
  • Execute it in the command prompt.
  • The desired report will be generated.

Sample VBScript:

' File open modes and NTFS access masks (script-level so every routine can use them)
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Const FullAccessMask = 2032127, ModifyAccessMask = 1245631, WriteAccessMask = 1180095
Const ROAccessMask = 1179817

strComputer = "."
sParentFolder = InputBox("Please Enter folder to gather information on", "Parent Folder")
sUserName = InputBox("Please enter the user name")
MsgBox sUserName

' Report file name: same as the folder name without special characters
sParentFoldern = Replace(sParentFolder, "\", "")
sParentFoldern = Replace(sParentFoldern, ":", "")
Set fso = CreateObject("Scripting.FileSystemObject")
fullfilename = sParentFoldern & ".html"
'WScript.Echo fullfilename
Set fsOut = fso.OpenTextFile(fullfilename, ForAppending, True)
On Error Resume Next

' Write the HTML header and the table heading row
fsOut.WriteLine "<html>" & vbCr & "<head>" & vbCr & "<title>File Permission For Folder under " & _
    sParentFoldern & "</title>" & vbCr & "</head>"
strTableHead = "<table border=2 bordercolor='#000010' width='90%' id='Table1'>"
fsOut.WriteLine strTableHead
fsOut.WriteLine "<tr><td width='50%'>Folder</td>" & _
    "<td width='50%'>User Name</td>" & _
    "<td width='50%'>Permission</td></tr>"
strTableFoot = "</table>"
fsOut.Close

' Report on every subfolder first, then on the parent folder itself
ShowSubFolders fso.GetFolder(sParentFolder), fullfilename
OutputFolderInfo sParentFolder, fullfilename

Set fsOut = fso.OpenTextFile(fullfilename, ForAppending, True)
fsOut.WriteLine strTableFoot
fsOut.Close
MsgBox "Done "
WScript.Quit

' Appends one table row per ACE on FolderName whose trustee name matches sUserName
Public Sub OutputFolderInfo(FolderName, sOutfile)
    ' Local objects, so the script-level fso and fsOut are not overwritten or released
    Dim fso, fsOut
    strComputer = "."
    ' Build the path to the folder because WMI requires 2 backslashes
    folderpath = Replace(FolderName, "\", "\\")
    objectpath = "winmgmts:Win32_LogicalFileSecuritySetting.path='" & folderpath & "'"
    ' Get the security settings for the object and verify that the get was successful.
    ' Errors are trapped only for these two calls so that the Err check below can run.
    On Error Resume Next
    Set wmiFileSecSetting = GetObject(objectpath)
    RetVal = wmiFileSecSetting.GetSecurityDescriptor(wmiSecurityDescriptor)
    If Err Then
        MsgBox ("GetSecurityDescriptor failed" & vbCrLf & Err.Number & vbCrLf & Err.Description)
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0

    Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & _
        strComputer & "\root\cimv2")
    Set colFolders = objWMIService.ExecQuery("SELECT * FROM Win32_Directory WHERE Name ='" & _
        folderpath & "'")
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set fsOut = fso.OpenTextFile(sOutfile, ForAppending, True)
    ' Retrieve the DACL array of Win32_ACE objects
    DACL = wmiSecurityDescriptor.DACL
    For Each objFolder In colFolders
        For Each wmiAce In DACL
            ' Get the Win32_Trustee object from the ACE
            Set Trustee = wmiAce.Trustee
            If UCase(Trustee.Name) = UCase(sUserName) Then
                fsOut.WriteLine "<tr><td width='50%'>" & objFolder.Name & "</td>" & _
                    "<td width='50%'>" & Trustee.Domain & "\" & Trustee.Name & "</td>"
                'fsOut.Write objFolder.Name & "," & Trustee.Domain & "\" & Trustee.Name & ","
                ' Map an exact access mask to a label; any other value is reported as Custom
                Select Case wmiAce.AccessMask
                    Case FullAccessMask
                        AccessType = "Full Control"
                    Case ModifyAccessMask
                        AccessType = "Modify"
                    Case WriteAccessMask
                        AccessType = "Read/Write Control"
                    Case ROAccessMask
                        AccessType = "Read Only"
                    Case Else
                        AccessType = "Custom"
                End Select
                fsOut.WriteLine "<td width='50%'>" & AccessType & "</td></tr>"
            End If
        Next
    Next
    fsOut.Close
    Set fsOut = Nothing
    Set fso = Nothing
End Sub

' Recursively reports on every subfolder beneath Folder
Sub ShowSubFolders(Folder, fname)
    On Error Resume Next
    For Each Subfolder In Folder.SubFolders
        Call OutputFolderInfo(Subfolder.Path, fname)
        WScript.Echo Subfolder.Path
        Call ShowSubFolders(Subfolder, fname)
    Next
End Sub
 

ADManager Plus

To obtain the report:

  • Select Folders accessible by Accounts in the NTFS Permissions report.
  • Select the domain. Choose the preferred account(s) and choose the computer in the Check For Folders in field by selecting the check boxes or using the Quick find feature to search for the computer. Click Generate.
  • Click the Permissions button to view the Share permissions and Folder permissions.

Screenshot

A screenshot of ADManager Plus with a report of all the users and their permissions to a particular shared folder
 


The following are the limitations of obtaining a report of folders accessible by accounts using native tools like Windows PowerShell:

  • The exact ParentFolder name and UserName must be given.
  • The user running this script must have permission to read folder permissions.
  • For subfolders, the number of levels for which permissions are needed has to be mentioned explicitly.
  • This script cannot fetch the custom permissions available for the accounts.
  • The DACL needs further processing to obtain the Access Type (Allow/Deny) and Applies to fields.
  • It is difficult to obtain the report in other formats.
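
The fields these limitations refer to (Allow/Deny, custom rights, Applies to, subfolder depth) can be read from each ACE with the built-in Get-Acl cmdlet. The following is an added example, not part of the original page or of ADManager Plus; the function names Get-AppliesTo and Get-FolderAccessForAccount are hypothetical.

```powershell
# Added example; function names are hypothetical.
function Get-AppliesTo {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $inherit   = [System.Security.AccessControl.InheritanceFlags]
    $propagate = [System.Security.AccessControl.PropagationFlags]
    $targets = @()
    # InheritOnly means the ACE does not apply to the folder that carries it.
    if (-not $Rule.PropagationFlags.HasFlag($propagate::InheritOnly)) { $targets += 'this folder' }
    if ($Rule.InheritanceFlags.HasFlag($inherit::ContainerInherit))   { $targets += 'subfolders' }
    if ($Rule.InheritanceFlags.HasFlag($inherit::ObjectInherit))      { $targets += 'files' }
    $text = if ($targets) { $targets -join ', ' } else { 'nothing' }
    if ($Rule.PropagationFlags.HasFlag($propagate::NoPropagateInherit)) { $text += ' (one level only)' }
    $text
}

function Get-FolderAccessForAccount {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account,   # DOMAIN\name form
        [int]$Depth = 2                           # 0 = immediate subfolders only
    )
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        # A folder whose ACL cannot be read is reported, not silently skipped.
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }
        foreach ($rule in $acl.Access) {
            # String comparison with -ne is case-insensitive.
            if ($rule.IdentityReference.Value -ne $Account) { continue }
            [pscustomobject]@{
                Folder    = $folder.FullName
                Account   = $rule.IdentityReference.Value
                Type      = $rule.AccessControlType   # Allow or Deny
                Rights    = $rule.FileSystemRights    # full flag set, including custom combinations
                Inherited = $rule.IsInherited
                AppliesTo = Get-AppliesTo $rule
            }
        }
    }
}

# Example call: current directory, the signed-in account, children and grandchildren.
Get-FolderAccessForAccount -Path $PWD.Path -Account "$env:USERDOMAIN\$env:USERNAME" -Depth 1 |
    Format-Table -AutoSize
# Pipe to Export-Csv or ConvertTo-Html instead of Format-Table for a file report.
```

Like the VBScript, this matches only ACEs that name the account directly; access granted through group membership is not resolved.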

ADManager Plus offers the feature of obtaining the Share and folder permissions of the users by choosing 'Folders Accessible by Accounts' option in NTFS permissions report.
