Extract a list of network folders of a particular security group with PowerShell

This topic is resolved

    • #1449021
      Patel
      Participant

      Hi,

      What PowerShell script can I use to extract a list of network folders where a particular security group has access to?

      For example, I want to locate a list of network folders and paths that the security group ‘IT Support’ has access to.

      Thanks,
      Patel

    • #1449027
      Leos Marek
      Moderator

      I don't think any script can work this way. You need to first enumerate the list of shares and then check the security descriptors for the given group.

    • #1449031
      Patel
      Participant

      Isn’t there a PowerShell script that allows you to see what file/folder access the security group ‘IT Support’ has on the network?

      Like a trace?

      • #1449561
        Leos Marek
        Moderator

        No, it doesn't work that way. Active Directory does not, and even can't, trace that you added a group to some PC's NTFS permissions…

        You need a list of shares that you want to examine, then you can check each shared folder to see if a specific group is in the security descriptor via PowerShell. If you don't have such a list then you need to do it like this:

        1. Perform a scan of your network and save the hostnames that reply (or get a list of all servers/computers from your AD).
        2. Try to query each hostname to give you a list of shared folders (of course your account needs to have permissions to enumerate this).
        3. Query each folder for its SDDL and check if your group is present there.

        Can you describe your request a bit better? I'll try to see if I have free time tonight to see what can be quickly done.

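As an added example (not code from the thread or from 4sysops), here is a PowerShell script that walks the three steps above: it takes a host list, enumerates each host's SMB shares, and reports every share whose share-level ACL or NTFS ACL on the share root names the group. The server names and the group `CONTOSO\IT Support` are placeholders, and the account running it must be allowed to enumerate shares and read ACLs on the targets.

```powershell
# Added example, not code from the thread. Walks Leos Marek's steps 1-3:
# take a host list, enumerate each host's SMB shares, and report every share
# whose share ACL or NTFS ACL (share root only) directly names the group.
param(
    [string[]]$ComputerName = @('FILESRV01', 'FILESRV02'),  # assumption: your servers
    [string]$Group = 'CONTOSO\IT Support'                   # assumption: DOMAIN\group
)

# Step 1 alternative: pull the host list from AD (needs the ActiveDirectory module):
# $ComputerName = (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name

foreach ($computer in $ComputerName) {
    # Step 2: enumerate shares; the caller needs rights to do this on the target.
    try {
        $shares = Get-SmbShare -CimSession $computer -ErrorAction Stop |
            Where-Object { $_.ShareType -eq 'FileSystemDirectory' -and -not $_.Special }
    } catch {
        Write-Warning "${computer}: cannot enumerate shares ($($_.Exception.Message))"
        continue
    }

    foreach ($share in $shares) {
        $unc = "\\$computer\$($share.Name)"

        # Step 3a: share-level permissions naming the group.
        $shareAces = Get-SmbShareAccess -CimSession $computer -Name $share.Name |
            Where-Object { $_.AccountName -eq $Group }

        # Step 3b: NTFS ACEs on the share root (explicit and inherited).
        $ntfsAces = @()
        try {
            $ntfsAces = (Get-Acl -Path $unc -ErrorAction Stop).Access |
                Where-Object { $_.IdentityReference.Value -eq $Group }
        } catch {
            Write-Warning "${unc}: cannot read NTFS ACL ($($_.Exception.Message))"
        }

        if ($shareAces -or $ntfsAces) {
            [pscustomobject]@{
                Computer   = $computer
                Share      = $unc
                LocalPath  = $share.Path
                ShareRight = ($shareAces | ForEach-Object { "$($_.AccessControlType):$($_.AccessRight)" }) -join ';'
                NtfsRight  = ($ntfsAces  | ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join ';'
            }
        }
    }
}
```

Only entries that name the group directly are reported; access granted through nested group membership, and entries set on subfolders below the share root, need a recursive walk (for example `Get-ChildItem -Recurse -Directory` under each share) and a membership expansion on top of this.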
    • #1452333
      David Figueroa
      Participant

      The easiest thing is probably to use an existing access enum tool. I used to know of one, but the name escapes me. It would scan your network and look for the specified access. If I think of it, I will add another comment.

      As far as tracking the group being added, it’s definitely not a function of AD, but you can leverage AD to help you track it.

      1. You need to turn on auditing for NTFS and the shares on all your servers.
      2. (Optional) Turn on event forwarding and configure forwarding for the Security logs.
      3. Specifically configure the forwarding of the security event for a permissions change on the NTFS system and shares.
      4. Then you can use a script to monitor the event logs (I'd probably set up a scheduled task based on the event appearing).
      5. You need to have your baseline report already established – once they are added, it won't show up. If you suspect bad actors, then it gets tricky, because you also need to monitor for event logs being turned off, being cleared, etc. With that, I'd definitely want a centralized backup solution of all your event logs isolated from the team you are trying to monitor. (There are a number of tools that do this.)

      Coralon

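As an added example for step 4 above (not code from the thread or from 4sysops), this PowerShell snippet reads Security event 4670, "Permissions on an object were changed", from a file server and reports only the changes whose new security descriptor names the group while the old one did not. It assumes object-access auditing for File System and File Share is already enabled on that server, as step 1 requires; the server and group names are placeholders.

```powershell
# Added example, not code from the thread. Implements the "script to monitor the
# event logs" step: query Security event 4670 (permissions on an object changed)
# and report changes whose new security descriptor names the group while the old
# one did not. Assumes object-access auditing is already enabled on the server;
# the server and group names are assumptions.
param(
    [string]$ComputerName = 'FILESRV01',          # assumption
    [string]$Group        = 'CONTOSO\IT Support', # assumption: DOMAIN\group
    [int]$Hours           = 24
)

# The SDDL in the event carries SIDs, not names, so resolve the group to its SID.
$domain, $name = $Group -split '\\', 2
$sid = (New-Object System.Security.Principal.NTAccount($domain, $name)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
# Match the whole SID only (S-...-1105 must not match S-...-11050).
$sidPattern = [regex]::Escape($sid) + '(?![0-9])'

$filter = @{ LogName = 'Security'; Id = 4670; StartTime = (Get-Date).AddHours(-$Hours) }
Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields (OldSd, NewSd, ObjectName, ...) out of the XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data.NewSd -match $sidPattern -and $data.OldSd -notmatch $sidPattern) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Object    = $data.ObjectName
                ChangedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process   = $data.ProcessName
                NewSd     = $data.NewSd
            }
        }
    }
```

Run from a scheduled task triggered by the event, as the post suggests; it cannot see grants that predate the audit baseline or that were made while the log was disabled or after it was cleared, which is why the baseline report in step 5 still matters.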
      • #1452375
        Leos Marek
        Moderator

        Hi David,

        I would not recommend what you propose 🙂 Turning on such a thing on all servers will generate a ton of logs and basically waste all other important events… Not the best idea .)

        Also, it's not AD functionality, it's Windows auditing. Furthermore, he wants to scan the current access of group X, not permission changes. In case of no change for group X on a given server this will never be logged and no result given.

        L

    • #1457303
      David Figueroa
      Participant

      I could have sworn that he'd asked for monitoring for changes.

      The auditing would definitely generate a ton of logs; the event log forwarding is extremely efficient (MS says they can support ~500,000 nodes with one collector). But ultimately, I'd definitely not want to do this, except for specific high-sensitivity shares – which in theory, he should be auditing already.

      I believe it was AccessEnum from Sysinternals I was looking for.

      https://docs.microsoft.com/en-us/sysinternals/downloads/accessenum

      David F.

    • #1477253
      Patel
      Participant

      OK, so in the end I used an alternative tool (in-house apps) that extracts the information for me, but good to know that this cannot be done in PowerShell.


      Thanks for the support

© 4sysops 2006 - 2020