Creating NTFS Security Report

by Jan 6, 2015

All PowerShell Versions

If you'd like to audit NTFS permissions on your file servers, here is a suggestion how you could start.

This script scans the Windows folder recursively for subfolders. Simply replace $Path with another path to scan other areas of your file system.

$Path = 'C:\Windows'

Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue |
  ForEach-Object {
    $result = $_ | Select-Object -Property FullName, ExplicitePermissions, Count, Preview
    $result.ExplicitePermissions = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Access | 
      Where-Object { $_.isInherited -eq $false }
    $result.Count = $result.ExplicitePermissions.Count
    $result.Preview = $result.ExplicitePermissions.IdentityReference -join ','
    if ($result.ExplicitePermissions.Count -gt 0)
  } | Out-GridView

The script then reads the security descriptors for each subfolder and looks for non-inherited access control entries. If found, it adds this information to the folder object.

The result is output to a grid view window. If you remove Out-GridView, you get information similar to this:

PS> G:\

FullName                   ExplicitePermissions                          Count Preview                   
--------                   --------------------                          ----- -------                   
C:\windows\addins          {System.Security.Access...                        9 CREATOR OWNER,NT AUTHOR...
C:\windows\AppPatch        {System.Security.Access...                        9 CREATOR OWNER,NT AUTHOR...
C:\windows\Boot            {System.Security.Access...                        8 NT AUTHORITY\SYSTEM,NT ...
C:\windows\Branding        {System.Security.Access...                        9 CREATOR OWNER,NT AUTHOR...
C:\windows\Cursors         {System.Security.Access...                        9 CREATOR OWNER,NT AUTHOR...
C:\windows\de-DE           {System.Security.Access...                        9 CREATOR OWNER,NT AUTHOR...
C:\windows\diagnostics     {System.Security.Access...                        8 NT AUTHORITY\SYSTEM,NT ...
C:\windows\Downloaded P... {System.Security.Access...                       11 CREATOR OWNER,NT AUTHOR...


You can take this example as base for more elaborate tools. For example, you can add a list of default trustees (such as "CREATOR", or "SYSTEM"), and exclude these from the results.

Twitter This Tip! ReTweet this Tip!