Enumerating NTFS ACE/ACL settings

When dealing with large file stores you occasionally have to review and audit what has been configured (in the future GDPR has the potential to make this compulsory).

There are some lovely commercial tools out there to do this, but if you don’t have access to them then you have to rely on the native Microsoft toolkit.

Most competent Microsoft sysadmins will be aware of cacls.exe and the many wrappers MS provide for it, the most recent being icacls. It is an excellent tool for quickly enumerating, backing up, and changing ACLs, but when an audit request asks which individuals can access the data, cacls only lists the principals named directly in the ACL: the individually assigned users and the group names, not the members of those groups.

This is where a little bit of PowerShell comes into play, as Microsoft provide the wonderful Get-Acl, Get-ADGroupMember, and Get-ADUser cmdlets.

I’ve taken the framework from this TechNet article to construct (with some suggestions and collaborations from colleagues and Google) the following script, which can be run by anyone with read access to a folder structure to enumerate who else has access and what type of access they have. It’s nowhere near perfect: it doesn’t expand nested groups (a group that is itself a member of another group) and the output isn’t pretty, but it works, and it gets an auditor off your back quickly!

#ACE/ACL Enumerator
Param (
    [io.fileinfo]$folderpath,
    [switch]$detailed,
    [switch]$recurse)
#Usage
#acl_enum.ps1 Folderpath -detailed -recurse
#-detailed looks each trustee up in AD, so it needs the ActiveDirectory module (RSAT)
if ($detailed) { Import-Module ActiveDirectory }
if ($recurse)
{
    $tree = Get-ChildItem $folderpath -Directory -Recurse
}
else
{
    $tree = Get-ChildItem $folderpath -Directory
}
foreach ($dir in $tree)
{
    Write-Output "****************************"
    Write-Output $dir.FullName
    Write-Output "****************************"
    $acls = (Get-ACL $dir.FullName).Access
    foreach ($ace in $acls)
    {
        if ($detailed) {
            $ace
            Write-Output "++++++++++++++++++++++++++++"
            #"DOMAIN\name" -> "name"; [-1] also copes with trustees that have no backslash, e.g. Everyone
            $name = $ace.IdentityReference.ToString().Split("\")[-1]
            #Each lookup gets its own try/catch: a trustee that is a user (or a local/built-in
            #account) makes Get-ADGroupMember throw, and that must not skip the Get-ADUser call
            try { Get-ADGroupMember $name } catch { }
            try { Get-ADUser $name } catch { }
            Write-Output "++++++++++++++++++++++++++++"
        }
        else {
            $ace.IdentityReference, $ace.FileSystemRights
        }
    }
}
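The gap the post admits to, nested groups not being expanded, is the one an auditor usually cares about most, because the real population with access is hidden behind group-in-group membership. The script below is an added example, not the post's script nor anything from the TechNet article: it flattens every ACE to the individual AD user accounts behind it with Get-ADGroupMember -Recursive, keeps Allow/Deny and inheritance on each row, and caches lookups so a large tree does not hammer the domain controller. It assumes the ActiveDirectory module (RSAT) on a domain-joined host; Resolve-Trustee, $FolderPath, $Recurse and the cache variable are this example's own names.

```powershell
# Added example, not the original post's script: flattens each ACE to the individual
# AD user accounts behind it by expanding nested groups, and emits one row per
# (folder, trustee, user). Assumes the ActiveDirectory module (RSAT) on a domain-joined
# host; Resolve-Trustee, $FolderPath and $Recurse are this example's own names.
Param (
    [Parameter(Mandatory = $true)][string]$FolderPath,
    [switch]$Recurse
)
Import-Module ActiveDirectory

# The same group appears on thousands of folders, so each trustee is resolved once.
$script:trusteeCache = @{}

function Resolve-Trustee {
    param([string]$Identity)   # the ACE's IdentityReference, e.g. "CORP\FileShare-RW"
    if ($script:trusteeCache.ContainsKey($Identity)) { return $script:trusteeCache[$Identity] }

    # "DOMAIN\name" -> "name"; [-1] also handles trustees with no backslash (Everyone, raw SIDs)
    $sam = $Identity.Split('\')[-1]
    $filterName = $sam.Replace("'", "''")   # escape single quotes for the AD filter string
    $obj = $null
    # -Filter returns nothing (no error) when the name is not an AD object
    try { $obj = Get-ADObject -Filter "SamAccountName -eq '$filterName'" } catch { }

    $users = switch ($obj.ObjectClass) {
        # -Recursive walks nested groups and returns only the leaf objects
        'group' { Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
                  Where-Object { $_.objectClass -eq 'user' } |
                  ForEach-Object { $_.SamAccountName } }
        'user'  { $sam }
        # BUILTIN\*, NT AUTHORITY\*, local accounts and orphaned SIDs are not AD objects;
        # keep them in the report so the auditor sees them rather than losing them silently
        default { "$Identity (not resolvable in AD)" }
    }
    $script:trusteeCache[$Identity] = @($users)
    return @($users)
}

# Root folder plus its subfolders (-Recurse:$Recurse passes the switch straight through)
$dirs = @(Get-Item -LiteralPath $FolderPath) +
        @(Get-ChildItem -LiteralPath $FolderPath -Directory -Recurse:$Recurse)

$report = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        foreach ($user in (Resolve-Trustee $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Trustee   = $ace.IdentityReference.Value
                User      = $user
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType   # Allow or Deny; a Deny row overrides Allow
                Inherited = $ace.IsInherited         # $false = granted explicitly on this folder
            }
        }
    }
}

# Explicit (non-inherited) entries are where ad-hoc grants hide, so they sort first
$report | Sort-Object Inherited, Path, User | Format-Table -AutoSize
# For the auditor: $report | Export-Csv -NoTypeInformation -Path acl_audit.csv
```

Two things to read in the output before handing it over. A user who appears with Type Allow through one group and Type Deny through another is denied, so the Deny rows are not noise. And rows marked "not resolvable in AD" for BUILTIN\Users, Everyone or NT AUTHORITY\Authenticated Users effectively mean every domain account, which is usually the finding the auditor is looking for. Get-ADGroupMember -Recursive is also subject to the AD Web Services MaxGroupOrMemberEntries limit (5000 by default), so a very large group will error rather than return a partial list.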

N.B.

ACE is an Access Control Entry: each individual user or group assigned to a folder is one Access Control Entry.

ACL is an Access Control List: the list of ACEs on a folder.
