Scanning File Share NTFS Permission with PowerShell


Hello. Its been quite a while since I have post something here in my blog and its good to be back.

Recently I have a delima of figuring out of a specific Security groups are being used somewhere as an ACE (Access Control Entry) in one of the File Server that we managed. I know that the labor involved is very intensive and I’m just lazy doing this manually. Why would I?

So, I invested some of my time (to be honest, it’s around 2 hours of my time 🙂 ), and google and created a script that will scan the directory of my shared folder and find the security group I am interested in and check if they are being used somewhere in that Heirarchy.

The Code

Download at OneDrive:!ApePyXZrHH4Nhp9scSYX2MN-6oDgiA

# Author: Sheen Ismhael Lim
# Created: 7/2/2016 10:40 PM PHT
# Notes: This Powershell Script was created to assist administrators to look into a file share and compare AD objects
# based on the sAMAccountName entries in a referenced txt file.
# Parameter: ADObjectList -> Points to a file which contains ADObject Identies in a sAMAccountName (domain\objectname)
# Parameter: folderPath -> Points to a folder interested in scanning.

Param (

function Get-FolderAcl() {
 $objectsToFind = Get-Content -Path $ADObjectList
 $qualifiedItems = @()

 Write-Host "Starting script."
 Write-Host "Getting object list to scan from $($ADObjectList)"

 $errors = $null

 foreach ($currentItem in `
 $(Get-ChildItem -Path $folderPath -Recurse -ErrorVariable $errors -ErrorAction SilentlyContinue) | `
 Where-Object { $_.GetType().FullName -eq [System.IO.DirectoryInfo] }) {

 $aclsInFolder = Get-Acl -Path $currentItem.FullName | Select -ExpandProperty Access

 Write-Host "Checking Folder / File: $($currentItem.FullName)"

 foreach ($aclEntry in $aclsInFolder) {
 foreach ($objectEntry in $objectsToFind) {
 if ($objectEntry -eq $aclEntry.IdentityReference) {
 $item = New-Object -TypeName psobject

 $item | Add-Member -MemberType NoteProperty -Name FullName -Value $currentItem.FullName
 $item | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $aclEntry.IdentityReference
 $item | Add-Member -MemberType NoteProperty -Name FileSystemRights -Value $aclEntry.FileSystemRights
 $item | Add-Member -MemberType NoteProperty -Name IsInherited -Value $aclEntry.IsInherited

 $qualifiedItems += $item

 $qualifiedItems | Export-Csv -Path $env:USERPROFILE\Desktop\adobjectlist_scanresult.csv
 $errors | Out-File -FilePath $env:USERPROFILE\Desktop\adobjectlist_scanresult_errors.txt
 $qualifiedItems | Sort-Object FullName | FT FullName, IdentityReference, FileSystemRights, IsInherited -AutoSize

 Write-Host "Script is done running."


How to Use

  1. First you will need to define the security group you want to scan in a “sAMAccountName” attribute fortmat and save it to a text file.So, If you are interested is searching a security group named “Accounting Team”, you will need to define it as “DomainName\Accounting Team” – without the quotes.
    It is also important to know that you can add multiple security group to search for, one line per security group.
  2. Then define the folder path you want to scan relative to the server where you are running the Script.
  3. Make sure the account running the script has read permission to the folder heirarchy your are targetting.


PS C:\Users\Sheen Ismhael Lim> Get-FolderACLv2.ps1 -ADObjectList “c:\securitygrouplist.txt” -folderPath “e:\shared\”



It may look like the script  or the powershell window where you are running the script seems to not do anything, but in reality is it the part of the code medntioned below (line 24 in the script) that takes time to execute.

Get-ChildItem -Path $folderPath -Recurse

After the script has finished running it will generate 2 files in the desktop of the profile where the script is running. The output files are named adobjectlist_scanresult_errors.txt and adobjectlist_scanresult.csv.

Output: adobjectlist_scanresult_errors.txt

This output enumerate the errors the script encountered during its execution. It could the path it cant read of the path where folder path is too long.

Output: adobjectlist_scanresult.csv

This output is main result that we are interested in, it will show you the folder path where the security group assigned matches the ones we listed in the 1st step in the How to Use section and what group has matched on that folder path.


Hope it helps! Good Luck!