
PowerShell – Export ACLs to Excel File

As an administrator, you have to monitor how folders are being shared in your domain and manage permissions, making sure that your clients have appropriate access to files and directories. You know very well how Windows NT-based systems allow full control over security and file permissions, but there is no built-in way to quickly view users’ access to a tree of directories on your network shared folder.

Running the Export-ACLToExcelFile.ps1 script

The script presented here provides a snapshot of the users/groups in my domain that have access to the Shared folders and exports ACLs and other info into an Excel Report file.

<#
.SYNOPSIS
    Export-ACLToExcelFile.ps1 collects ACL info and exports the result to an Excel file.
.OUTPUTS
    One .xlsx file to record all ACLs on the specified folder.
.PARAMETER path
    (Mandatory) Specifies the path to the network folder.
.PARAMETER permission
    (Mandatory) Specifies which ACL entries to collect: Default or Custom.
.EXAMPLE
    Export-ACLToExcelFile.ps1 -path \\ServerName\PathToFolderName -permission Default
.EXAMPLE
    Export-ACLToExcelFile.ps1 -path \\ServerName\PathToFolderName -permission Custom
.DESCRIPTION
    Export-ACLToExcelFile.ps1 collects ACL info and exports the result to an Excel file.
.NOTES
    Written by: Alex Dujakovic, Oct 2016
    Requires PowerShell Version 3.0
#>
param( 
[Parameter(Mandatory=$True, Position=0)] 
[string]$path,
[Parameter(Mandatory=$True, Position=1)] 
[string]$permission
) 

As you can see from this portion of the script’s code, it has two mandatory parameters, path and permission. You can run it by typing the following at the command prompt:

Export-ACLToExcelFile.ps1 -path \\ServerName\PathToFolderName -permission Custom

The script outputs an Excel Report file which has two tabs: “ACLs” and “Accounts List”. On the “ACLs” worksheet tab, each row in the report displays the following: UNC Folder Path, ‘LastWriteTime’ attribute, Owner, Groups and Users, Permissions and the Inheritance property. Picture 1 displays a portion of the Excel Report file for the Z:\Tools folder.

Picture 1: the “ACLs” worksheet tab.

In addition to creating a snapshot for the selected folder, I use the Export-ACLToExcelFile.ps1 script as a tool for detecting security holes and locking down permissions. Note the two highlighted accounts in Picture 1, with Modify and Full Control access to the Z:\Tools\Transform\Samples folder; in my domain, I want only the security groups to have/control access to the network folders.

On the second tab, named “Accounts List”, there is a sorted list of the security groups and users found in the access control list (ACL).

Picture 2: the list of group/user accounts found in the ACLs for the selected folder.

Please note that the following entries do not appear under Groups/Users:

  • “Everyone”
  • “BUILTIN\Administrators”
  • “NT AUTHORITY\Authenticated Users”
  • “NT AUTHORITY\SYSTEM”
  • “BUILTIN\Users”

The reason for this is the script’s second parameter and its value “Custom”. As shown in the code below, I use the switch to list all the entries in the ACL (“Default”) or filter out the entries listed above (“Custom”).

Switch($permission){

"Custom" {
   Switch ("$([string]$aclEntry.IdentityReference)"){
    
     "BUILTIN\Administrators" {}
     "Everyone" {}
     "NT AUTHORITY\Authenticated Users" {}
     "NT AUTHORITY\SYSTEM" {}
     "BUILTIN\Users" {}
     Default { 
      
      $intRow = $intRow + 1 
          
      # Account
      $finalWorkSheet.Cells.Item($intRow,4) = "$([string]$aclEntry.IdentityReference)"
      # Permission 
      $finalWorkSheet.Cells.Item($intRow,5) = "$([string]$aclEntry.FileSystemRights)"
      # Inheritance
      Switch("$([string]$aclEntry.IsInherited)"){
        "TRUE"{$finalWorkSheet.Cells.Item($intRow,6) = "$([string]$aclEntry.IsInherited)"}
        "FALSE"{$finalWorkSheet.Cells.Item($intRow,6).Font.ColorIndex = 3
                $finalWorkSheet.Cells.Item($intRow,6) = "$([string]$aclEntry.IsInherited)"}
      }
     }
   }   
 }

"Default" {
    $intRow = $intRow + 1 

    # Account
    $finalWorkSheet.Cells.Item($intRow, 4) = "$([string]$aclEntry.IdentityReference)"
    # Permission 
    $finalWorkSheet.Cells.Item($intRow, 5) = "$([string]$aclEntry.FileSystemRights)"
    # Inheritance  
       Switch("$([string]$aclEntry.IsInherited)"){
        "TRUE"{$finalWorkSheet.Cells.Item($intRow,6) = "$([string]$aclEntry.IsInherited)"}
        "FALSE"{$finalWorkSheet.Cells.Item($intRow,6).Font.ColorIndex = 3
                $finalWorkSheet.Cells.Item($intRow,6) = "$([string]$aclEntry.IsInherited)"}
       }
     }
    } # End of Switch
   }  # End of foreach ACLs 
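The same Default/Custom filtering, as an added example that is not part of Export-ACLToExcelFile.ps1: it matches the five principals by their well-known SIDs instead of by display name (names differ on localized systems), and emits objects that can be filtered for non-inherited entries and exported to CSV instead of Excel. The function name Get-FolderAclReport and the output file name are hypothetical.

```powershell
# Added example: Get-FolderAclReport is a hypothetical name, not part of the original script.
function Get-FolderAclReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,
        [ValidateSet('Default', 'Custom')]
        [string]$Permission = 'Custom'
    )

    # Well-known SIDs of the five principals that "Custom" mode skips.
    $skipSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # NT AUTHORITY\Authenticated Users
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-32-545'   # BUILTIN\Users
    )

    # Root folder plus every subfolder (requires PowerShell 3.0, like the original script).
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

        foreach ($ace in $acl.Access) {
            # Resolve the account to a SID; unresolvable (orphaned) entries keep their raw value.
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }

            if ($Permission -eq 'Custom' -and $skipSids -contains $sid) { continue }

            [pscustomobject]@{
                Folder        = $folder.FullName
                LastWriteTime = $folder.LastWriteTime
                Owner         = $acl.Owner
                Account       = $ace.IdentityReference.Value
                Sid           = $sid
                Rights        = $ace.FileSystemRights
                IsInherited   = $ace.IsInherited
            }
        }
    }
}

# Explicit (non-inherited) entries are the ones the Excel report colours red.
Get-FolderAclReport -Path '\\ServerName\PathToFolderName' -Permission Custom |
    Where-Object { -not $_.IsInherited } |
    Export-Csv -Path .\explicit-aces.csv -NoTypeInformation
```

Running it with -Permission Default keeps Everyone, Authenticated Users and BUILTIN\Users in the output, which is the view to use when checking for overly broad grants.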

Depending on the number of subfolders, this script could run for a very long time, so progress bars are provided for you to follow the progress of a lengthy operation, as shown in Picture 3.

Picture 3: progress bars for folder ACLs and sorting of ACL entries.

This script can be found in the download section, under the PowerShell folder. It provides you with a snapshot of the Shared folders’ permissions, giving you a full view of your file system security settings; in addition, it is a solid tool for detecting security holes and locking down permissions where necessary.

