  • aldern00b

Enumerate Network Share Permissions with PowerShell

OK, I'll be honest, this isn't as clean as I'd like it to be but here's what we got. I'd love to know how you combined this into one single script... and if I get it working before you do, I'll update this.


Get-ChildItem -Path "[NETWORK UNC PATH]" | % {
    $_.FullName | Out-File -FilePath "C:\Users\AlderN00b\Desktop\Permissions.txt" -Append;
    Get-Acl -Path $_.FullName | % {
        $_.Access | where {$_.IdentityReference -match "[DOMAIN]"}
    } | FT IdentityReference -Wrap | Out-File -FilePath "C:\Users\AlderN00b\Desktop\Permissions.txt" -Append;
    #Start-Sleep 5
}

OK, so the first part of the two-part script is a call to Get-ChildItem to list out our network shares, one at a time. This will take a string UNC path and get all the folders there. If you want to get all the folders under it, just add the -Recurse option after the string.

Get-ChildItem -Path "[NETWORK UNC PATH]"

We're going to pipe that to a script block {} which first takes the UNC folder name it finds ($_.FullName) and sends it to a file using Out-File so we have "headers" for each of the folders we're looking at. Be sure to use -Append so it doesn't overwrite the file contents.

| % {
    $_.FullName | Out-File -FilePath "C:\Users\AlderN00b\Desktop\Permissions.txt" -Append;

Next we use the Get-Acl cmdlet, providing it the path of whatever folder we're currently working with (the one it found previously under $_.FullName).

Get-Acl -Path $_.FullName

The next pipe sends us to another script block where we use the $_.Access property (the list of security groups that have access to this folder). We pipe that data to a where statement that only records the security groups that start with our domain - I don't care about local permissions, just network permissions.


So it doesn't cut off any long names it finds, we can pipe that to Format-Table (FT), which uses the IdentityReference property, followed by -Wrap. IdentityReference is the single entry from the list of security groups it found previously; PowerShell keeps everything as an object, and you have to parse each entry using a property from that object. Sometimes -Wrap makes things look ugly; if that happens for you, try swapping it out for -AutoSize.

| % {
        $_.Access | where {$_.IdentityReference -match "[DOMAIN]"}
    } | FT IdentityReference -Wrap

Finally, we send the IdentityReference it finds to the same output file, right under the folder name we previously wrote - again, remembering to -Append so we don't overwrite. As a tip, if you're troubleshooting or testing it's always a good idea to have some sort of a break so you can see the data without filling up the screen. Here I've commented out my break, which is a sleep statement that sleeps for 5 seconds.

| Out-File -FilePath "C:\Users\AlderN00b\Desktop\Permissions.txt" -Append;
    #Start-Sleep 5
}

That should handle the first part of the script. You should have a nice text file that lists the folder name, followed by all the security groups associated with it:

\\[UNC PATH OF FOLDER]

IdentityReference         
-----------------         
[DOMAIN]\[SECURITY GROUP 1]
[DOMAIN]\[SECURITY GROUP 2]
[DOMAIN]\[SECURITY GROUP 3]
[DOMAIN]\[SECURITY GROUP 4]

Once we have that we're ready for part two - getting a list of users who belong to that security group.


To prep for this second part you'll have to do some modification to that text file we just made. Create a new file so this one is left as a backup. First, we'll remove the folder name and headers, leaving us with just the security groups.


Remove these:

\\[UNC PATH OF FOLDER]

IdentityReference         
----------------- 

Next, I'd suggest using find and replace in something like Notepad++ to remove the domain portion of the security group. The only thing we want in here is the security group name:


[DOMAIN]\[SECURITY GROUP 1]
[DOMAIN]\[SECURITY GROUP 2]
[DOMAIN]\[SECURITY GROUP 3]
[DOMAIN]\[SECURITY GROUP 4]

Once we have that file set, here's the second script:

foreach($line in Get-Content -Path "C:\Users\AlderN00b\Desktop\secGroups.txt"){
    Write-Host $line;
    $line | Out-File -FilePath "C:\Users\AlderN00b\Desktop\secGroupUsers.txt" -Append;
    Get-ADGroupMember -Identity $line | ft name -AutoSize | Out-File -FilePath "C:\Users\AlderN00b\Desktop\secGroupUsers.txt" -Append
}

What we're doing here is using Get-Content to get the data from the new text file we made, then grabbing each line, one at a time.

foreach($line in Get-Content -Path "C:\Users\AlderN00b\Desktop\secGroups.txt")

Next we're going to output to the screen the name of the security group we're currently working with so we can follow along (Write-Host). In a script block, it will take the current line it's reading and send that as "headers" for the new document we'll be making:

{
    Write-Host $line;
    $line | Out-File -FilePath "C:\Users\AlderN00b\Desktop\secGroupUsers.txt" -Append;

The second part of that script block will use the AD connector to get the AD Group Members of the security group it's reading from the text file. It will format the table with just the user name (name) and use -AutoSize this time, since some people have really long names. We'll then pipe all that data to our new text file, being sure to Append.

Get-ADGroupMember -Identity $line | ft name -AutoSize | Out-File -FilePath "C:\Users\AlderN00b\Desktop\secGroupUsers.txt" -Append
}

Your new file should look something like this:


[SECURITY GROUP NAME]

name                 
----                 
[USER 1]
[USER 2]
[USER 3]
[USER 4]

And there ya have it. You'll have two files, one showing the UNC folder path with the security groups of each folder. You can then cross-reference that with the second file, which lists the users of those groups.
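
The two parts above combined into a single pass, as an added example that is not the original author's script: it anchors the domain filter to the start of the identity, strips the domain prefix in code instead of by hand in a text editor, and writes one CSV row per folder and identity. The share path, domain name and output file are hypothetical placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: folder ACLs and group members in one report.
# $SharePath, $Domain and $OutFile are hypothetical placeholders.
Import-Module ActiveDirectory

$SharePath = '\\fileserver.example\share'
$Domain    = 'EXAMPLE'
$OutFile   = Join-Path $env:USERPROFILE 'Desktop\SharePermissions.csv'

$memberCache = @{}   # group name -> member names, so each group is queried once

$report = foreach ($folder in Get-ChildItem -Path $SharePath -Directory) {
    try {
        $acl = Get-Acl -Path $folder.FullName -ErrorAction Stop
    } catch {
        # Folders we cannot read are reported instead of silently skipped
        Write-Warning "Cannot read ACL on $($folder.FullName): $($_.Exception.Message)"
        continue
    }

    # Keep only entries whose identity starts with "DOMAIN\"
    $domainAces = $acl.Access |
        Where-Object { $_.IdentityReference.Value -like "$Domain\*" }

    foreach ($ace in $domainAces) {
        # Drop the "DOMAIN\" prefix to get the account name
        $name = ($ace.IdentityReference.Value -split '\\', 2)[1]

        if (-not $memberCache.ContainsKey($name)) {
            try {
                $memberCache[$name] = @(Get-ADGroupMember -Identity $name -ErrorAction Stop |
                    Select-Object -ExpandProperty Name)
            } catch {
                # The entry names a user or computer, not a group, or the lookup failed
                $memberCache[$name] = @()
            }
        }

        [pscustomobject]@{
            Folder      = $folder.FullName
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            AccessType  = $ace.AccessControlType
            IsInherited = $ace.IsInherited
            Members     = $memberCache[$name] -join '; '
        }
    }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation
```

Get-Acl reads the NTFS ACL on each folder; SMB share-level permissions are a separate layer and are not covered here. Get-ADGroupMember lists nested groups as members without expanding them unless -Recursive is added.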

