- Add a domain user or group to local administrators with PowerShell - Wed, Mar 19 2014
- Create a list of local administrators with PowerShell - Wed, Mar 5 2014
- Remotely query user profile information with PowerShell - Tue, Nov 26 2013
Admins are often engaged in security audit activities. One common action item is to find all network shares with Full Control to Everyone and remove those permissions. Some tools are available on the Internet to do this, but a PowerShell script can be easily adapted for your purposes.
PowerShell script description ^
The PowerShell script described uses the Win32_LogicalShareSecuritySetting WMI class to query shares and their share permissions. The script returns a list of objects with details about each share and the security permissions set. The following command queries the shares:
$Shares = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $Computer -ErrorAction Stop
Once the script gathers information about the shares, it processes each share in the list and queries name and security descriptor details. With this collected data, the script creates a new PSObject with the details we are interested in. The share name is a direct property ($Share.Name) for the object returned from the WMI query. Collecting security information is little more complex.
The script uses the GetSecurityDescriptor() method of the share object to get the security permissions list. The returned security permissions are again objects derived from the Win32_ACE WMI class. These security objects contain information about the account (user or domain) that has access to the share, the access mask (Full Control, Read, Write), and the access type (Allow/Deny/Audit). The script verifies the shares where the security group Everyone has Full Control permissions using the following IF condition:
if($Perm.Trustee.Name -eq "EveryOne" -and $Perm.AccessMask -eq "2032127" -and $Perm.AceType -eq 0) {
Input ^
The script takes two arguments:
- ComputerName: Name of the computer(s) on which you want to find the shares with Everyone having Full Control. You can pass computer name(s) or pipe the input to the script. See the Usage Examples section for some examples.
- OutputDir: This is an optional parameter. By default, the script displays the output in Object format. If you want to get the list of shares where Everyone has Full Control in a single text file, specify the path of the folder where you need this file. When this parameter is specified, the script generates the list of shares and saves the details in a file called “Share Permissions <datetime>.log” in the folder you specified.
Output ^
By default, the script generates a table with three columns: EveryOneFullControl, ComputerName, and ShareName. The EveryOneFullControl column indicates whether a given share is configured with Everyone having Full Control or not. If so, the value is set to $true; if not, it is set to $false. The ComputerName column specifies the computer name on which the share is present. The ShareName column identifies the name of the share. For example:
PowerShell script output - Security group Everyone has Full Control permissions
Usage Examples: ^
Find shares with Everyone having Full Control on a remote computer called PC1
.\Get-NetworkShares.ps1 -ComputerName PC1
Do the same operation (#1) on multiple computers:
.\Get-NetworkShares.ps1 -ComputerName PC1, PC2, PC3
Read server names from a text file and query for share details:
.\Get-Content c:\servers.txt | .\Get-NetworkShares.ps1
Save share details where Everyone has Full Control in a text file:
.\Get-NetworkShares.ps1 -ComputerName PC1 -OutputDir "C:\OutputFolder"
Download the PowerShell script
Thanks for the script. It helped me.
How can i do it for a subnet i.e. 172.16.3.1 to 172.16.3.254
Shekhar asks a good question, I know it was 2 years ago but can someone answer it?
In reply to Shekhar’s question, you can simply swap in the IP addresses instead of computer names.
How to filter only shared folders? It lists printers too.
Thanks!
Nice script!!!
Is it possible to scan a domain?
New-Object : A positional parameter cannot be found that accepts argument ‘鳳rop’.
At C:\nirav\sadmin\share_folder_permission.ps1:12 char:16
+ $OutputObj = New-Object 傍ypeName PSObject 鳳rop (@{
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-Object], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.NewObjectCommand
New-Object : A positional parameter cannot be found that accepts argument ‘鳳rop’.
At C:\nirav\sadmin\share_folder_permission.ps1:56 char:17
+ $OutputObj = New-Object 傍ypeName PSObject 鳳rop (@{
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-Object], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.NewObjectCommand
The property ‘ShareName’ cannot be found on this object. Verify that the property exists and can be set.
At C:\nirav\sadmin\share_folder_permission.ps1:62 char:4
+ $OutputObj.ShareName = $Share.Name
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyNotFound
The property ‘EveryOneFullControl’ cannot be found on this object. Verify that the property exists and can be set.
At C:\nirav\sadmin\share_folder_permission.ps1:66 char:6
+ $OutputObj.EveryOneFullControl = $true
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyNotFound
傍 = -T
鳳 = -P
All four lines should read:
New-Object -TypeName PSObject -Prop
.\Get-Content c:\servers.txt | .\Get-NetworkShares.ps1
This command using two scripts, Get-NetworkShares.ps1 and .\Get-Content ?
Where to get “.\Get-Content” script?
Get-Content is not a script, it is cmdlet that comes with PowerShell. You can find more information about the cmdlet here.
This Script provides output only for Sharing permissions not NTFS/Security Permission.
Script should check both Sharing and NTFS permissions and then should give output with effective permissions.
it’s too new for me. there is a way to make it with powreshell 2.0 ?
Thanks.
@Lorenzo
Microsoft is going to deprectate Powershell 2.0 in the next release of Windows 10 and probably also Windows Server 2016.
If you want to “survive” in IT you must work with the newest technologies every time it’s possible.
Since Windows 8 and Windows Server 2012 we have a new cmdlet to achieve all this even easier.
Please have a look at the Get-SmbShareAccess cmdlet.
https://technet.microsoft.com/en-us/library/jj635711(v=wps.630).aspx
I have an old infrastructure with the most of operating system with powershell 2.0 and Windows server 2008 r2. i need a solution.
Luc, i have an old infrastructure with Windows server 2008r2. i need a solution for this type of os and powershell 2.0.
sorry.
@Lorenzo
Do you know that you can install Powershell 5.1 on Windows Server 2008 R2?
Despite you won’t have the Get-SmbShareAccess cmdlet, you will have plenty of other improvements.
To come back to your initial need, if you have only Powershell 2.0 you have to pass through the knowledge of the article above to manage share permissions. Unfortunately, there is no easier method.
how to get full physical path within this script
Hi Anil,
Within the script's shares loop, you can use Path property to get the physical path of the share