NTFS Permission Checker

I wasn’t quite satisfied with other tools out there to view and report on NTFS Permissions on a shared drive.

The tools were either too complex to use, large installers, or the PowerShell syntax was a little annoying; I want a 1 line tool to do my job for me. So, I created a small script that uses NTFSSecurity, which is obtainable from here.

I’ll go through the script I made with you, and discuss how it works, and why I made it so basic. There is literally no error handling in the script. If I ever find the need to error-log and make this robust, I’ll come back to it.


The Variables

This script requires 3 variables for it to work:

  1. The username of the logged in user (for importing the module);
  2. The path of the module to be stored (we needed the username to parse this into the script) and;
  3. A variable to test the path to the module.

Let it be stated that if the module does exist, the ISE window will throw errors when trying to unzip the files; I could ignore these, or remove them if I wanted.

<#
This sets the environment variables for the installation of NTFS permissions.
This should be robust enough to work on all Windows platforms supporting PowerShell.
#>
$User = $env:USERNAME
$PathToModule = "C:\Users\$User\Documents\WindowsPowerShell\Modules\NTFSSecurity"
$TestPathModules = (Test-Path $PathToModule)

Preparing Client

The next step is to grab the files from the web (note the function download-ntfs-permissions), and then install the module for PowerShell to use.

The code will run each time you run the script. This could be mitigated by using an If ($Path -eq $True) (skip) check similar to the $TestPathModules above, but honestly, it just bypasses the process with errors if it already exists.

<#
This tests the abovementioned path, and if it does not exist, it creates it.
This path to module is where we will store the actual module upon completion.
#>
function testpath-module {
If ($TestPathModules -eq $True) {cls}
 else {
 mkdir "$PathToModule"
 }
}

<#
This function downloads the module from the web, and then outputs it to the directory required.
#>
function download-ntfs-permissions {
 $URL = "https://goo.gl/zPfrhH"
 # Name the downloaded file explicitly so Expand-Archive finds NTFSSecurity.zip.
 $output = Join-Path $PathToModule "NTFSSecurity.zip"
 Start-BitsTransfer -Source $URL -Destination $output
}

<# 
This function simply expands the module in the file path.
#>

function install-module-NTFS {
 cd $PathToModule
 Expand-Archive -Path "NTFSSecurity.zip" -DestinationPath $PathToModule
}

<#
This executes the above mentioned functions in order to get the NTFS permissions installed.
#>
function prepare-client {
 testpath-module
 download-ntfs-permissions
 Install-Module-NTFS
 Import-Module NTFSSecurity
 cls
}
<#
Calls the 1 function, which calls the other 3 functions.
#>
prepare-client
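
The prepare-client step above follows a shortened link and unpacks whatever comes back into the module path, on every run. As an added example (not part of the original script), the same step can skip the download when the module is already present and refuse to unpack an archive whose SHA-256 does not match a pinned value; the function name, its parameters and the hash placeholder are assumptions.

```powershell
# Added example: hypothetical function and parameter names, not the author's code.
function Install-VerifiedNtfsSecurity {
    param(
        # Download link used by the script above.
        [string]$Url = 'https://goo.gl/zPfrhH',
        # Placeholder: replace with the SHA-256 of a copy of NTFSSecurity.zip you have vetted.
        [string]$ExpectedSha256 = '<SHA256-OF-VETTED-NTFSSecurity.zip>',
        # Same per-user module folder the script above builds from $env:USERNAME.
        [string]$ModuleRoot = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'WindowsPowerShell\Modules\NTFSSecurity')
    )

    # If PowerShell can already find the module, do not download anything.
    if (Get-Module -ListAvailable -Name NTFSSecurity) {
        Import-Module NTFSSecurity -ErrorAction Stop
        return
    }

    # Download to a temporary file first so nothing unverified lands in the module path.
    $zip = Join-Path $env:TEMP 'NTFSSecurity.zip'
    Invoke-WebRequest -Uri $Url -OutFile $zip -UseBasicParsing -ErrorAction Stop

    # Compare against the pinned hash (-ne is case-insensitive for strings).
    $actual = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item $zip -Force
        throw "NTFSSecurity.zip hash mismatch: got $actual"
    }

    # Only a verified archive is unpacked and imported.
    New-Item -ItemType Directory -Path $ModuleRoot -Force | Out-Null
    Expand-Archive -Path $zip -DestinationPath $ModuleRoot -Force
    Remove-Item $zip -Force
    Import-Module NTFSSecurity -ErrorAction Stop
}

Install-VerifiedNtfsSecurity
```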

Grabbing The Data

The last portion of the script asks which directory you wish to check (use the \\share\root, as it recurses and does only 1x instance) and then grabs 3 types of data:

  • Permissions excluding those inherited;
  • Ownership of the files and;
  • Effective Access on the files.

It grabs the data to screen, and writes a copy to C:\tmp (Again, no error logging is involved) for later usage.

<#
This question dictates where the process will look into.
This is required to perform the test. It has no error logging for invalid paths or anything of the sort.
#>
$ItemPath = Read-Host "What is the UNC path of where you want to view"

<#
Grabs all permissions on the file that are not inherited.
#>
function excludeinheritedpermissions { 
 Get-Item $ItemPath | Get-NTFSAccess -ExcludeInherited
}

<#
Includes Effective Access.
#>
function includeeffectiveaccess {
 Get-Item $ItemPath | Get-NTFSEffectiveAccess
}

<#
Grabs the owners of the files.
#>
function gettheowners {
 $ItemPath | Get-NTFSOwner
}

<# 
Nest the functions so I only need to call 1 function ever
#>
function performquery {
 excludeinheritedpermissions
 includeeffectiveaccess
 gettheowners
}

<#
Calls the function to perform the work.
#>
performquery



<#
Saves the files as an output
#>

function savefiles {
 excludeinheritedpermissions | Out-File C:\tmp\excludeinheritedpermissions.csv
 includeeffectiveaccess | Out-File C:\tmp\includeeffectiveaccess.csv
 gettheowners | Out-File C:\tmp\gettheowners.csv
 }

savefiles
$ItemPath = $null
start C:\tmp
exit