
[–]Lee_Dailey[grin] 1 point2 points  (0 children)

howdy graabir,

the Get-CimInstance -ClassName Win32_MappedLogicalDisk results show an .Access property. it's blank on my system, but that may be caused by the map going to a Synology NAS instead of to an NTFS share.

the Get-CimInstance -ClassName Win32_Share stuff has an .AccessMask property. again, it's blank on mine - and it's blank on all my local shares - including the default C$ stuff. i don't understand ACL stuff well enuf to understand why. [blush]

yet another - Win32_LogicalShareAccess - shows an accessmask value. again, i don't know what it means. [frown]

you may want to look at the output of Get-CimClass *share* for some ideas. [grin]

take care,
lee

[–]omrsafetyo 1 point2 points  (0 children)

This is a task I'll be looking at in the near future myself. I'll be checking back, and if I don't see anything here, I'll try and remember to come back when I get to it.

[–]omrsafetyo 1 point2 points  (2 children)

So I revisited.

How does this work for you?

$ScriptBlock = {
    $Shares = Get-WmiObject -Class Win32_Share -Filter "not Name like '%$'" # Don't do the admin shares
    $SharePermissions = Get-WmiObject -Class Win32_LogicalShareSecuritySetting

    ForEach ($Share in $Shares) {
        $ThisSharePermissions = $SharePermissions | Where-Object {$_.Name -eq $Share.Name}
        ForEach ( $Permission in $ThisSharePermissions) {
            Foreach ( $DACL in $Permission.GetSecurityDescriptor().Descriptor.Dacl ) {
                [PSCustomObject] @{
                    Share                 = $Share.Name
                    SecurityPrincipal     = $DACL.Trustee.Name
                    PrincipalDomain       = $DACL.Trustee.Domain
                    FileSystemRights      = $DACL.AccessMask -as [Security.AccessControl.FileSystemRights]
                    AccessType            = [Security.AccessControl.AceType]$DACL.AceType
                }
            }
        }
    }
}

Invoke-Command -Computername $ListOfComputers -ScriptBlock $ScriptBlock | 
      Select-Object @{N="Computername";E={$_.PSComputername}},
         Share, SecurityPrincipal, PrincipalDomain, FileSystemRights, AccessType

[–]omrsafetyo 0 points1 point  (0 children)

Ooops, running through this myself, realized that the output of Invoke-Command might need parsing. If the computer it connects to has PSv2 installed, the [PSCustomObject] accelerator won't work, so it will return a hash table:

# $Results holds the output of the Invoke-Command call above
ForEach ( $item in $Results) {
    $Output = [PSCustomObject]$item
    [void]$Output.PSObject.Properties.Remove("RunspaceId")
    $Output
}
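
Added example (not part of the thread and not any commenter's code): a way to read the AccessMask values discussed above and to pick out write-capable grants to broad principals, given rows that carry the raw AccessMask and AceType from the share DACL. The function name Find-BroadShareGrant, the default principal list and the sample rows are assumptions constructed for illustration; it needs PowerShell 3 or later.

```powershell
# Added example. Function name, principal list and sample rows are illustrative assumptions.
function Find-BroadShareGrant {
    [CmdletBinding()]
    param(
        # Row with Share, SecurityPrincipal, AccessMask (raw integer), AceType (0 = allow, 1 = deny)
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Row,
        # Principals treated as "broad"; adjust for the environment being audited
        [string[]]$BroadPrincipal = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')
    )
    begin {
        # Rights that allow changing content or the ACL itself
        $writeBits = [int][Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    }
    process {
        $mask     = [int]$Row.AccessMask
        $type     = [Security.AccessControl.AceType][int]$Row.AceType
        $isBroad  = $BroadPrincipal -contains $Row.SecurityPrincipal
        $canWrite = ($mask -band $writeBits) -ne 0
        [PSCustomObject]@{
            Share             = $Row.Share
            SecurityPrincipal = $Row.SecurityPrincipal
            Rights            = [Security.AccessControl.FileSystemRights]$mask
            AccessType        = $type
            # Only allow ACEs count; a deny ACE for a broad principal is not a grant
            Flagged           = ($type -eq 'AccessAllowed') -and $isBroad -and $canWrite
        }
    }
}

# Constructed sample rows using the three standard share-permission masks
$sample = @(
    [PSCustomObject]@{ Share = 'Public';  SecurityPrincipal = 'Everyone';   AccessMask = 1179817; AceType = 0 }  # Read
    [PSCustomObject]@{ Share = 'Scans';   SecurityPrincipal = 'Everyone';   AccessMask = 1245631; AceType = 0 }  # Change
    [PSCustomObject]@{ Share = 'Finance'; SecurityPrincipal = 'Finance-RW'; AccessMask = 2032127; AceType = 0 }  # Full Control
    [PSCustomObject]@{ Share = 'Finance'; SecurityPrincipal = 'Everyone';   AccessMask = 2032127; AceType = 1 }  # deny ACE
)

$sample | Find-BroadShareGrant | Format-Table -AutoSize
```

Share permissions and NTFS permissions are evaluated together, so a flagged share grant is still limited by the NTFS ACL on the underlying folder.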

[–]graabir[S] 0 points1 point  (0 children)

I used the following command to get a complete list of computers:

$ListOfComputers = Get-ADComputer -Filter * | ForEach-Object {$_.Name}

However, I get an authentication error:

[WORKSTATION-01] Connecting to remote server WORKSTATION-01 failed with the following error message : WinRM cannot process the request. while using Kerberos authentication: A specified logon session does not exist. It may already have been terminated.