HOWTO: Unique NTFS Permissions Reporting Tool

If you found this post via a search engine, you’ve likely received a ticket/request from some manager requesting an audit report of the permissions on an important share within your company. Unfortunately for you, this folder contains literally tens of thousands of folders and hundreds of thousands of files.  Oh and since there has been no proper governance of it over the years, inheritance is broken all over the place and permissions are assigned many levels deep with no rhyme or reason.  You’ve now been tasked with cleaning this up.  You realize that trying to analyze this manually is simply impossible so you’re looking for some kind of tool to assist you.  You’ve found tools like the NTFS Permissions Reporter (http://www.cjwdev.com/Software/NtfsReports/Info.html) but quickly found this costs hundreds of dollars in order to produce any kind of intelligible report.  You’re not allowed to spend any money so you’re stumped.  So now what?

I found myself recently in this exact situation and decided to use it as my first real attempt at building a full-fledged tool with PowerShell.  Wait!  Don’t run away yet.  There is nothing to be afraid of here, as I’ve designed this tool to be useful even if you have absolutely no PowerShell experience.  Again, you don’t care how you get the report, you just care that it’s readable.  That’s what I’m here to help you with.  The tool I built to do that is called ntfsreporter, and it works as follows:

  • Accepts a parent folder (can be a local folder or a UNC path on a remote machine)
  • Builds a list of all files and folders including all subfolders and files along with the permissions assigned to each

Here’s where it gets interesting:

  • Compares the permissions on each item to that of its parent.  If the permissions match, it is ignored.  If the permissions don’t match, this means someone has unexpected rights so include it in the report
  • Has the option to easily specify a list of accounts to automatically ignore in the report.  So if you have Domain Admins or some special account that has access everywhere anyway, you can easily exclude it
  • Has the option to include the raw SIDs of accounts that no longer exist but still have permissions assigned (disabled by default)
  • Clearly identifies what permissions have been added or removed on a per file and folder basis
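To make the parent-versus-child comparison concrete, here is an added PowerShell example of the same idea. It is not the ntfsreporter module's own code: the function name Get-UniqueAclReport, its parameters, the 'identity:rights:type' key format and the output column names are all assumptions of this example, not the module's.

```powershell
# Added example (not the ntfsreporter module's code): a minimal version of the
# parent-versus-child ACL comparison. Names and column layout are this example's own.
function Get-UniqueAclReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,   # local folder or UNC path to scan
        [string[]] $ExcludedAccounts = @(),      # accounts dropped before comparing ('A, B' or @('A','B'))
        [switch] $IncludeSids                    # keep unresolved SIDs (deleted accounts); off by default
    )

    $excluded = @($ExcludedAccounts -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Turn an ACL into a set of 'identity:rights:type' strings so two ACLs compare as sets.
    # With -AsParentOfFile / -AsParentOfFolder only the parent ACEs that would actually
    # propagate to such a child are kept, so inherit-only entries are not reported as 'removed'.
    function ConvertTo-AceSet(
        [System.Security.AccessControl.FileSystemSecurity] $Acl,
        [switch] $AsParentOfFile,
        [switch] $AsParentOfFolder) {
        $set = @{}
        foreach ($ace in $Acl.Access) {
            $flags = $ace.InheritanceFlags
            if ($AsParentOfFile   -and -not $flags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ObjectInherit))    { continue }
            if ($AsParentOfFolder -and -not $flags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)) { continue }
            $id = $ace.IdentityReference.Value
            if ($id -like 'S-1-*' -and -not $IncludeSids) { continue }   # unresolved SID: account no longer exists
            if ($excluded -contains $id) { continue }
            $set['{0}:{1}:{2}' -f $id, $ace.FileSystemRights, $ace.AccessControlType] = $true
        }
        return $set
    }

    $aclCache = @{}                                   # folder path -> ACL, read once per folder
    function Get-CachedAcl([string] $Folder) {
        if (-not $aclCache.ContainsKey($Folder)) {
            $aclCache[$Folder] = Get-Acl -LiteralPath $Folder -ErrorAction Stop
        }
        $aclCache[$Folder]
    }

    $root  = Get-Item -LiteralPath $Path -ErrorAction Stop
    $items = @(Get-ChildItem -LiteralPath $root.FullName -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable walkErrors)
    $problems = @(foreach ($e in $walkErrors) { $e.ToString() })   # e.g. access denied while walking a subfolder
    $report   = New-Object System.Collections.ArrayList

    for ($i = 0; $i -lt $items.Count; $i++) {
        $item = $items[$i]
        Write-Progress -Activity 'Scanning NTFS permissions' -Status $item.FullName -PercentComplete (100 * $i / $items.Count)
        try {
            $parentAcl = Get-CachedAcl (Split-Path -LiteralPath $item.FullName -Parent)
            if ($item.PSIsContainer) {
                $expected = ConvertTo-AceSet $parentAcl -AsParentOfFolder
                $actual   = ConvertTo-AceSet (Get-CachedAcl $item.FullName)
            } else {
                $expected = ConvertTo-AceSet $parentAcl -AsParentOfFile
                $actual   = ConvertTo-AceSet (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop)
            }
        } catch {
            $problems += "$($item.FullName): $($_.Exception.Message)"
            continue
        }
        $added   = @($actual.Keys   | Where-Object { -not $expected.ContainsKey($_) } | Sort-Object)
        $removed = @($expected.Keys | Where-Object { -not $actual.ContainsKey($_) }   | Sort-Object)
        if ($added.Count -eq 0 -and $removed.Count -eq 0) { continue }   # same as parent: not reported
        [void]$report.Add([PSCustomObject]@{
            Path            = $item.FullName
            Permissions     = ($actual.Keys | Sort-Object) -join '; '
            AddedVsParent   = $added   -join '; '
            RemovedVsParent = $removed -join '; '
        })
    }
    Write-Progress -Activity 'Scanning NTFS permissions' -Completed

    # Problems first, then the rows, matching the layout the post describes.
    foreach ($p in $problems) { Write-Warning $p }
    $report
}

# Usage (the path is the post's test folder; adjust to your own):
# Get-UniqueAclReport -Path 'C:\accountinghome' -ExcludedAccounts 'CREATOR OWNER, BUILTIN\Administrators' | Format-Table -AutoSize
```

Entries are joined with '; ' rather than ',' because a rights string such as "Modify, Synchronize" already contains commas. One source of noise worth knowing about: an inherit-only ACE such as CREATOR OWNER can carry generic rights that display as a number on the parent but as a named right once propagated to a child, so the two strings do not match and the entry shows up as added and removed; that is exactly the kind of entry an exclusion list trims away.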

Does this sound like it might be helpful for you?  Excellent, let’s get started.

Requirements

  • PowerShell 3.0 or newer (Available here if required)
  • Run as an account that has permission to read the ACLs on the target folder tree (typically a Domain Admin account)

Installation and Usage

You may receive an error stating that running scripts is disabled on this system


If so, close your PowerShell session and re-launch PowerShell as an administrator and type Set-ExecutionPolicy RemoteSigned


  • Go back into C:\Temp and type Unblock-File .\ntfsreporter.psm1.  If this works, it returns no output
  • Try to import the module again


  • You are now ready to use the NTFS reporting tool.  Type:

Get-UniqueNTFSPermissions [Local or UNC Path]

  • In this case, let’s use c:\accountinghome which is my test folder with a bunch of specific permissions configured
  • The tool will take a while to run depending on the number of files and folders.  A progress bar will be displayed during execution


  • Once it’s finished, you’ll have four columns:
    • File/Folder Path
    • Assigned NTFS Permissions
    • Accounts added compared to the parent permission
    • Accounts removed compared to the parent permission


  • As we can see, we have a number of permissions for CREATOR OWNER and BUILTIN\Administrators that we don’t care about.  To remove these, use the -ExcludedAccounts parameter, which accepts a comma-delimited list


  • It’s still kind of hard to read, so let’s export it to the clipboard and paste it into Excel.  Be careful to use a delimiter other than a comma, since commas already separate the individual permissions within a column

Get-UniqueNTFSPermissions c:\accountinghome -ExcludedAccounts "CREATOR OWNER, BUILTIN\Administrators" | ConvertTo-Csv -Delimiter '*' -NoTypeInformation | clip


  • As you can see, it’s not exactly readable yet.  To separate out the columns, highlight all of column A, choose Data from the Ribbon and select Text To Columns
  • Choose Delimited, then select Other, type in an asterisk (the * character) and press Finish


  • Congratulations, you now have an intelligible report of only the unique NTFS permissions on the folder you provided and all sub folders!

If the script ran into any “access denied” or other problems accessing any files or folders, they will all be displayed first.  Also, as noted, if a file’s or folder’s permissions match those of its parent, it is not included in this report.  This makes the resulting report much, much easier to digest and analyze.
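Once the report is reduced to only the items that differ from their parent, the next question is which of those rows actually matter. The following added PowerShell example (not part of the original post or the module) performs that triage. It assumes rows with Path, AddedVsParent and RemovedVsParent properties, where each entry has the form identity:rights:type and entries are joined with '; '; the real module's column names may differ. The sample rows, the DOMAIN prefix and the SID value are constructed for illustration.

```powershell
# Added example (not part of the post): triage rows from a unique-permissions report.
# Row layout (Path, AddedVsParent, RemovedVsParent with 'identity:rights:type' entries
# joined by '; ') is an assumption of this example. 'DOMAIN' is a placeholder.
$broadGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'DOMAIN\Domain Users')
$writeRights = 'FullControl|Modify|Write'   # any write-class right; deliberately broad

function Select-RiskyRows {
    param([Parameter(Mandatory, ValueFromPipeline)] $Row)
    process {
        $findings = @()
        $entries = @($Row.AddedVsParent -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        foreach ($entry in $entries) {
            $identity, $rights, $type = $entry -split ':', 3
            if ($type -ne 'Allow') { continue }
            # An account that no longer resolves but still holds rights on this item.
            if ($identity -like 'S-1-*') { $findings += "orphaned SID still holds rights: $identity" }
            # A broad group granted write-class rights that its parent folder does not grant.
            if ($broadGroups -contains $identity -and $rights -match $writeRights) {
                $findings += "broad group with write access: $identity ($rights)"
            }
        }
        # Rights present on the parent but missing here usually mean inheritance was broken.
        if ($Row.RemovedVsParent) { $findings += 'rights removed compared to parent (inheritance likely broken)' }
        if ($findings.Count -gt 0) {
            [PSCustomObject]@{ Path = $Row.Path; Findings = $findings -join ' | ' }
        }
    }
}

# Constructed sample rows standing in for real report output:
$sample = @(
    [PSCustomObject]@{ Path = 'C:\accountinghome\payroll'
                       AddedVsParent = 'DOMAIN\payroll-admins:Modify, Synchronize:Allow'
                       RemovedVsParent = '' },
    [PSCustomObject]@{ Path = 'C:\accountinghome\scratch'
                       AddedVsParent = 'Everyone:FullControl:Allow; S-1-5-21-1111111111-2222222222-3333333333-1234:Modify, Synchronize:Allow'
                       RemovedVsParent = 'DOMAIN\finance-ro:ReadAndExecute, Synchronize:Allow' }
)
$sample | Select-RiskyRows | Format-List
```

With the sample above only the scratch folder is returned, carrying three findings (a broad group with FullControl, an orphaned SID, and a right removed relative to the parent); the payroll row, where a named admin group was added with Modify, is left for a human to judge. Pipe a real report into Select-RiskyRows to get the short list to review first.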


What can you expect in terms of performance?  On my machine using a local SSD, this script was capable of scanning roughly 120 folders/files per second.  That works out to roughly 430,000 files/folders per hour, give or take.  Put another way, if you were to leave this script running overnight for a 10 hour period, it would be capable of scanning roughly 4.3 million files/folders.  Note however that I have not tested it at this scale, so it may not function as expected.  I have scanned 120,000 items without issue, however, so I’m optimistic it will scale.  It’s also worth noting that I have included a full help system that can be accessed by typing Get-Help Get-UniqueNTFSPermissions -ShowWindow, along with full comments within the code itself if you want to dig in and make changes to suit your needs.  Be sure to check out the examples (Get-Help Get-UniqueNTFSPermissions -Examples) for additional tricks on how to use this cmdlet!

This represents many hours of frustration, trial and error but the end result is something I hope many people will find useful.  If you find any bugs or make any improvements, feel free to leave a comment!
