Understanding and properly configuring file server permissions is crucial for managing access control and ensuring data security within an organization.
Best practice recommends assigning permissions through group membership rather than directly to individuals. This will ensure that sensitive information is protected, unauthorized access is prevented, and users will be able to perform their tasks without compromising data integrity.
By determining how permissions are assigned and identifying those users who have directly applied file server permissions, you can easily remove inappropriate access and thereby strengthen your IT system and data security.
In this guide, we will look first at the native way of using PowerShell to find users who have direct permissions on file shares and then look at a more straightforward approach using the Lepide Data Security Platform.
Using PowerShell
Open the PowerShell ISE on your file server and create a new script with the following code:
$search_folder = "\\share\path\"
$out_file = "C:\temp\directpermissionsexport.csv"
$out_error = "C:\temp\errors.csv"
$items = Get-ChildItem -Path $search_folder -recurse
$found = @()
$errors = @()
ForEach ($item in $items) {
try {
$acl = Get-Acl $item.fullname
ForEach ($entry in $acl.access) {
If (!$entry.IsInherited) {
$found += New-Object -TypeName PSObject -Property @{
Folder = $item.fullname
Access = $entry.FileSystemRights
Control = $entry.AccessControlType
User = $entry.IdentityReference
Inheritance = $entry.IsInherited
}
}
}
} catch {
$errors += New-Object -TypeName PSObject -Property @{
Item = $item.fullname
Error = $_.exception
}
}
}
$found |
Select-Object -Property Folder,User,Control,Access,Inheritance |
Export-Csv -NoTypeInformation -Path $out_file
$errors |
Export-Csv -NoTypeInformation -Path $out_err
Specify the parameters below and run the script:
$search_folder: enter a path to a shared folder you want to inspect for direct permissions
$out_file: enter a path to a file with results
$out_error: enter a path to an error log file
Using the Lepide Data Security Platform
A more straightforward approach, which requires no knowledge of PowerShell scripting, is to use one of the many pre-defined reports included within the Lepide Data Security Platform. The following is an example of the Permissions by Object Report which shows how permissions have been derived:
To run this report:
- Select Lepide Trust, Reports
- From here, expand Current Permission Analysis
- Select Permissions by Object
- Select Generate Report
- Expand the File Server icon and permissions for the selected folder will be displayed
The report can be filtered, sorted and exported to CSV and PDF formats.
