Extract a list of network folders of a particular security group with PowerShell
This topic is resolved
- Wed, Oct 2 2019 at 1:38 am #1449021
What PowerShell script can I use to extract a list of network folders where a particular security group has access to?
For example, I want to locate a list of network folders and paths that the security group ‘IT Support’ has access to.
- Wed, Oct 2 2019 at 1:54 am #1449027
- Wed, Oct 2 2019 at 1:57 am #1449031
Isn’t there a PowerShell script that allows you to see what file/folder access the security group ‘IT Support’ has on the network?
Like a trace?
- Wed, Oct 2 2019 at 4:53 am #1449561
No, it doesn't work that way. Active Directory does not, and even can't, trace that you added a group on some PC's NTFS permissions…
You need a list of shares that you want to examine, then you can check each shared folder for whether a specific group is in the security descriptor via PowerShell. If you don't have such a list then you need to do it like this:
- Perform a scan of your network and save hostnames that reply. (or get a list of all servers/computers from your AD).
- Try to query each hostname to give you a list of shared folders (of course your account needs to have permissions to enumerate this).
- Query each folder for SDDL and check if your group is present there.
Can you describe your request a bit better? I'll try to see if I have free time tonight to see what can be quickly done.
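The procedure in the reply above (take a host list, enumerate each host's shares, read each share's security descriptor, report where the group appears) as an added PowerShell example; it is not code from the thread. It assumes the group is `DOMAIN\IT Support`, that the host names come from a constructed list (or from `Get-ADComputer`), and that the running account can enumerate shares and read ACLs remotely.

```powershell
# Added example, not from the original thread. Audits which shared folders
# grant access to one security group. Names below are assumptions.
param(
    [string]$Group = 'DOMAIN\IT Support',                  # assumed group name
    [string[]]$ComputerName = @('FILESRV01', 'FILESRV02')  # constructed host list
)

# Alternative to the constructed list: pull server names from AD.
# $ComputerName = (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name

$results = foreach ($computer in $ComputerName) {
    try {
        # Win32_Share works even where the SmbShare module is absent.
        # Type 0 = ordinary disk share; this skips IPC$, printer and admin shares.
        $shares = Get-CimInstance -ClassName Win32_Share -ComputerName $computer -ErrorAction Stop |
                  Where-Object { $_.Type -eq 0 }
    } catch {
        Write-Warning "Cannot enumerate shares on ${computer}: $_"
        continue
    }
    foreach ($share in $shares) {
        $uncPath = "\\$computer\$($share.Name)"
        try {
            # Get-Acl on a UNC path returns the NTFS DACL of the share root.
            $acl = Get-Acl -Path $uncPath -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL on ${uncPath}: $_"
            continue
        }
        foreach ($ace in $acl.Access) {
            # -eq is case-insensitive; matches the explicit group entry only,
            # not access the group gets via nested membership.
            if ($ace.IdentityReference.Value -eq $Group) {
                [pscustomobject]@{
                    Computer  = $computer
                    Share     = $share.Name
                    UncPath   = $uncPath
                    LocalPath = $share.Path
                    Rights    = $ace.FileSystemRights
                    AceType   = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$results | Sort-Object Computer, Share | Format-Table -AutoSize
```

This checks only each share's root folder; to catch explicit grants deeper in the tree, feed `Get-ChildItem -Path $uncPath -Directory -Recurse` into the same `Get-Acl` loop, and use `Get-SmbShareAccess` separately if the share-level (not NTFS) permissions also matter.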
- Thu, Oct 3 2019 at 5:03 am #1452333 David Figueroa
The easiest thing is probably to use an existing access enum tool.. I used to know of one, but the name escapes me. It would scan your network and look for the specified access. If I think of it, I will add another comment.
As far as tracking the group being added, it’s definitely not a function of AD, but you can leverage AD to help you track it.
- You need to turn on auditing for NTFS and the shares on all your servers
- (optional) turn on event forwarding & configure forwarding for the Security logs
- Specifically configure the forwarding of the security event for a permissions change on the NTFS system & shares.
- Then you can use a script to monitor the event logs (I’d probably set up a scheduled task based on the event appearing).
- You need to have your baseline report already established – once they are added, it won’t show up. If you suspect bad actors, then it gets tricky, because you also need to monitor for eventlogs being turned, being cleared, etc. With that, I’d definitely want a centralized backup solution of all your eventlogs isolated from that team you are trying to monitor. (There are a number of tools that do this).
- Thu, Oct 3 2019 at 5:09 am #1452375
I would not recommend what you propose 🙂 Turning on such a thing on all servers will generate a ton of logs and basically waste all other important events… Not the best idea :)
Also, it's not AD functionality, it's Windows Auditing. Furthermore, he wants to scan current access of group X, not permissions changes. In case of no change for group X on a given server this will never be logged and no result given.
- Sat, Oct 5 2019 at 12:42 pm #1457303 David Figueroa
I could have sworn that he’d asked for monitoring for changes..
The auditing would definitely generate a ton of logs; the eventlog forwarding is extremely efficient (MS says they can support ~500,000 nodes with one collector). But ultimately, I'd definitely not want to do this, except for specific high-sensitivity shares, which in theory he should be auditing already.
I believe it was AccessEnum from SysInternals I was looking for..
- Wed, Oct 16 2019 at 2:28 am #1477253
Ok, so in the end I used a tool alternative, in-house apps that extract the information for me, but good to know that this cannot be done in PowerShell.
Thanks for the support