| 1 | +# Folder ACL & Share Permission Audit Script |
| 2 | + |
| 3 | +`FolderAclAudit.ps1` is a PowerShell-based auditing tool designed to |
| 4 | +extract **NTFS folder permissions** and **SMB share permissions** from a |
| 5 | +file server. It generates a detailed CSV report including access control |
| 6 | +entries, inheritance details, folder metadata, and share-level rights |
| 7 | +--- all in one place. |
| 8 | + |
| 9 | +This script is ideal for security audits, least-privilege reviews, |
| 10 | +migration prep, and identifying permission drift across large directory |
| 11 | +structures. |
| 12 | + |
| 13 | +## Features |
| 14 | + |
| 15 | +- Audits **folders only** (no files) for faster processing.\ |
| 16 | +- Collects **NTFS ACLs** including explicit/inherited ACEs.\ |
| 17 | +- Pulls **SMB share permissions** (Full / Change / Read).\ |
| 18 | +- Adds a unique **ID column** for easy cross-referencing.\ |
| 19 | +- Includes useful metadata: |
| 20 | + - Parent folder\ |
| 21 | + - Folder depth\ |
| 22 | + - Permission level (Full / Modify / Read / Other)\ |
| 23 | + - ACE order\ |
| 24 | + - Timestamps\ |
| 25 | +- Supports UNC paths (`\\Server\\Share`) or local paths.\ |
| 26 | +- Fully compatible with **DFS namespaces**.\ |
| 27 | +- Logs the entire audit start-to-finish.\ |
| 28 | +- Exports results to Excel-friendly CSV files. |
| 29 | + |
| 30 | +## Output Columns |
| 31 | + |
| 32 | +The generated CSV includes the following columns: |
| 33 | + |
| 34 | + ID |
| 35 | + Path |
| 36 | + ItemType |
| 37 | + ParentFolder |
| 38 | + FolderDepth |
| 39 | + ShareServer |
| 40 | + ShareName |
| 41 | + ShareLocalPath |
| 42 | + ShareAccessSummary |
| 43 | + ACEOrder |
| 44 | + ACEType |
| 45 | + Identity |
| 46 | + FileSystemRights |
| 47 | + PermissionLevel |
| 48 | + AccessControlType |
| 49 | + InheritanceFlags |
| 50 | + PropagationFlags |
| 51 | + IsInherited |
| 52 | + Owner |
| 53 | + LastWriteTime |
| 54 | + CreationTime |
| 55 | + |
| 56 | +Every ACE (Access Control Entry) on every folder becomes **one row** in |
| 57 | +the report. |
| 58 | + |
| 59 | +## Prerequisites |
| 60 | + |
| 61 | +- Windows workstation or server\ |
| 62 | +- PowerShell 5+\ |
| 63 | +- Network access to the file server\ |
| 64 | +- Read permissions on the target folders\ |
| 65 | +- For remote share lookups: WinRM / CIM must be allowed |
| 66 | + |
| 67 | +## Usage |
| 68 | + |
| 69 | +Open a PowerShell prompt and run: |
| 70 | + |
| 71 | +``` powershell |
| 72 | +.\FolderAclAudit.ps1 -RootPath "\\FileServer01\Finance$" |
| 73 | +``` |
| 74 | + |
| 75 | +You may optionally specify custom output paths: |
| 76 | + |
| 77 | +``` powershell |
| 78 | +.\FolderAclAudit.ps1 ` |
| 79 | + -RootPath "\\FileServer01\DeptShares" ` |
| 80 | + -OutputCsvPath "C:\Audit\DeptShares_Audit.csv" ` |
| 81 | + -LogFilePath "C:\Audit\DeptShares_Audit.log" |
| 82 | +``` |
| 83 | + |
| 84 | +If no output paths are provided, the script writes both files to the |
| 85 | +**current directory**. |
| 86 | + |
| 87 | +## DFS Note |
| 88 | + |
| 89 | +The script works with DFS paths.\ |
| 90 | +For multi-target DFS namespaces, audit each backend UNC path |
| 91 | +individually to detect permission drift. |
| 92 | + |
| 93 | +## Example Output (Single Folder Snippet) |
| 94 | + |
| 95 | + ID: 1 |
| 96 | + Path: \\FS01\Finance\Budgets |
| 97 | + Identity: DOMAIN\FileAdmins |
| 98 | + FileSystemRights: FullControl |
| 99 | + PermissionLevel: FullControl |
| 100 | + ACEType: Explicit |
| 101 | + ShareAccessSummary: DOMAIN\FileAdmins:Allow:Full; Everyone:Allow:Read |
| 102 | + Owner: DOMAIN\FileAdmins |
| 103 | + ... |
| 104 | + |
| 105 | +## License |
| 106 | + |
| 107 | +This script is provided as-is. Modify and extend freely. |
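Review bot: the Features, metadata and Prerequisites bullets in the new README each end in a trailing `\` (e.g. `- Audits **folders only** (no files) for faster processing.\`), which GitHub-flavoured Markdown renders as a literal backslash rather than a line break; drop them, since list items already break on their own. Two internal inconsistencies in the same file: the UNC example under Features is written `\\Server\\Share` while Usage uses `\\FileServer01\Finance$`, and Features gives the permission levels as `Full / Modify / Read / Other` while the Example Output shows `PermissionLevel: FullControl`; use one spelling for both. Prerequisites lists only "Read permissions on the target folders" and "WinRM / CIM must be allowed", but enumerating share permissions remotely over CIM is normally not possible with folder read access alone, so state which rights on the file server the share lookup requires. Finally, Usage says the CSV and log default to the current directory; because the report lists every identity and right on the audited tree, add a sentence advising readers to write it to a protected location and restrict access to the output files.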