I think all of you who are administrating file servers, file shares and their permissions, maybe also together with colleagues, will know this situation. Especially at large and complex structures, there are some permissions for users directly granted at the folder and not via the Active Directory / LDAP group. Maybe there are also some wrong AD groups set or inheritance is broken. I want to show you how you can recursively generate an Access Control List Report (NTFS permissions), which is a good basis to clean up your file share permissions. You can Generate ACL Report FileShare with PowerShell.
Basically it is a very simple script, but I will quickly go through it. Of course you need to define the UNC path to the file share or folder. Then you will loop through all the existing directories with a Foreach. At each folder you will get the permissions with Get-ACL. Then you need another Foreach to get through all the granted permissions which are inherited or directly set. Then you will add each line to your report and finally export it as a CSV file for further processing. That’s it!
$FolderPath = dir -Directory -Path "\\fileserver\fileshare"
$Report = @()
Foreach ($Folder in $FolderPath) {
$Acl = Get-Acl -Path $Folder.FullName
foreach ($Access in $acl.Access)
{
$Properties = [ordered]@{'FolderName'=$Folder.FullName;'AD
Group or
User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
$Report += New-Object -TypeName PSObject -Property $Properties
}
}
$Report | Export-Csv -path "C:\scripts\FolderPermissions.csv"
You can extend this script by sending the report as email message directly via PowerShell, look here. You can also create a scheduled task / cronjob for this script to Generate ACL Report FileShare periodically.
