File share permission audit
A read-only file share audit that records SMB share permissions, NTFS access, and ownership evidence for review.
Good For
- share cleanup
- least-privilege review
- migration prep
- audit evidence
- ransomware exposure review
How to Use It
- Start with a scoped server or share list tied to a migration, audit, or access review.
- Capture SMB share permissions and preserve account, access type, and granted right.
- Capture NTFS access entries for the same share path so inherited and direct permissions can be compared.
- Flag broad groups such as Everyone, Authenticated Users, Domain Users, and legacy department groups for owner review.
- Separate evidence gathering from remediation so inherited ACL behavior is understood before any change request.
- Export results to CSV and attach owner decisions, exception notes, and follow-up tickets.
Execution Modes
- local
- remote-single-host
- remote-host-list
Inputs and Outputs
Inputs
- computer name
- CSV or TXT file server list
- share owner list
- approved access groups
Outputs
- verbose-console
- csv
Command Starter
Safe to run: read-only
```powershell
# ---------------------------------------------------------------------
# Operator inputs
# ---------------------------------------------------------------------
$ComputerNames = @('fileserver01')
$OutputPath = '.\file-share-permission-audit.csv'

# ---------------------------------------------------------------------
# Gather SMB share permissions plus root-path NTFS evidence
# ---------------------------------------------------------------------
$Results = foreach ($ComputerName in $ComputerNames) {
    try {
        Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            foreach ($Share in Get-SmbShare | Where-Object { -not $_.Special }) {
                foreach ($ShareAce in Get-SmbShareAccess -Name $Share.Name) {
                    [pscustomobject]@{
                        ComputerName      = $env:COMPUTERNAME
                        ShareName         = $Share.Name
                        Path              = $Share.Path
                        EvidenceType      = 'SMBSharePermission'
                        AccountName       = $ShareAce.AccountName
                        AccessControlType = $ShareAce.AccessControlType
                        AccessRight       = $ShareAce.AccessRight
                        IsInherited       = $null
                        # Every row carries the same property set so Export-Csv keeps the Error column
                        # even when the first object written is a successful entry.
                        Error             = $null
                    }
                }
                # The starter captures root ACL evidence. Recursive drift review belongs in a fuller audit pack.
                try {
                    # -LiteralPath avoids wildcard interpretation of share paths containing brackets.
                    $Acl = Get-Acl -LiteralPath $Share.Path -ErrorAction Stop
                    foreach ($Ace in $Acl.Access) {
                        [pscustomobject]@{
                            ComputerName      = $env:COMPUTERNAME
                            ShareName         = $Share.Name
                            Path              = $Share.Path
                            EvidenceType      = 'RootNtfsPermission'
                            AccountName       = $Ace.IdentityReference.Value
                            AccessControlType = $Ace.AccessControlType
                            AccessRight       = $Ace.FileSystemRights
                            IsInherited       = $Ace.IsInherited
                            Error             = $null
                        }
                    }
                }
                catch {
                    # Record the NTFS read failure as an access-error row instead of silently
                    # dropping the evidence for this share.
                    [pscustomobject]@{
                        ComputerName      = $env:COMPUTERNAME
                        ShareName         = $Share.Name
                        Path              = $Share.Path
                        EvidenceType      = 'NtfsAccessError'
                        AccountName       = $null
                        AccessControlType = $null
                        AccessRight       = $null
                        IsInherited       = $null
                        Error             = $_.Exception.Message
                    }
                }
            }
        }
    }
    catch {
        [pscustomobject]@{
            ComputerName      = $ComputerName
            ShareName         = $null
            Path              = $null
            EvidenceType      = 'CollectionError'
            AccountName       = $null
            AccessControlType = $null
            AccessRight       = $null
            IsInherited       = $null
            Error             = $_.Exception.Message
        }
    }
}

$Results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
$Results | Format-Table -AutoSize
```
Validation
- Every reviewed share has SMB permission evidence and NTFS access evidence or an access-error note.
- Broad access entries are classified as approved, exception, unknown, or cleanup candidate.
- Any later permission changes include owner approval, before-state export, and a rollback plan.
Reporting
- Export SMB share permissions and root-path NTFS evidence to CSV.
- Group broad-access entries by server, share, path, and owning team during review.
- Promote repeated use into a recursive inheritance and exposure report pack when deeper ACL drift analysis is needed.
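The classification and grouping steps above are left to the reviewer by the command starter. The following is an added example, not part of the original starter or audit pack, that post-processes the exported CSV: it flags the broad principals named in "How to Use It", checks entries against the approved access groups and legacy department groups inputs, and produces the per-server, per-share, per-path review view from the Reporting section. The group names in `$ApprovedGroups` and `$LegacyGroups` are placeholders, and the `BUILTIN\Users` principal is an addition beyond the page's list because `Domain Users` is a member of it on domain-joined servers.

```powershell
# Inputs: the CSV written by the starter, plus owner-supplied lists (placeholder names below).
$AuditCsv       = '.\file-share-permission-audit.csv'
$ApprovedGroups = @('CONTOSO\FS-Finance-RW', 'CONTOSO\FS-Finance-RO')   # assumption: placeholder names
$LegacyGroups   = @('CONTOSO\Dept-Accounting-Old')                      # assumption: placeholder names

# Well-known broad principals, matched on the short name so 'NT AUTHORITY\Authenticated Users'
# and 'Authenticated Users' both match. 'Users' (BUILTIN\Users) is an addition beyond the page's list.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

function Get-AccessClassification {
    param([string]$AccountName, [string]$AccessControlType)

    # Deny entries are not exposure; keep them visible but do not flag them for cleanup.
    if ($AccessControlType -eq 'Deny') { return 'DenyEntry' }

    # Strip the authority prefix (BUILTIN\, NT AUTHORITY\, DOMAIN\) for the broad-group match.
    $ShortName = ($AccountName -split '\\')[-1]

    if ($ApprovedGroups  -contains $AccountName) { return 'Approved' }
    if ($LegacyGroups    -contains $AccountName) { return 'CleanupCandidate' }
    if ($BroadPrincipals -contains $ShortName)   { return 'BroadAccess' }   # owner decides approved vs exception
    return 'Unknown'
}

# Tag every permission row; collection/access-error rows are kept out of the classification.
$Classified = Import-Csv -Path $AuditCsv |
    Where-Object { $_.EvidenceType -notin 'CollectionError', 'NtfsAccessError' } |
    ForEach-Object {
        $Class = Get-AccessClassification -AccountName $_.AccountName -AccessControlType $_.AccessControlType
        $_ | Add-Member -NotePropertyName Classification -NotePropertyValue $Class -PassThru
    }

# Review view: flagged entries grouped by server, share and path for the owning team.
$Classified |
    Where-Object { $_.Classification -in 'BroadAccess', 'CleanupCandidate', 'Unknown' } |
    Group-Object ComputerName, ShareName, Path |
    ForEach-Object {
        [pscustomobject]@{
            Location        = $_.Name
            FlaggedEntries  = $_.Count
            Accounts        = ($_.Group.AccountName | Sort-Object -Unique) -join '; '
            Classifications = ($_.Group.Classification | Sort-Object -Unique) -join '; '
        }
    } | Format-Table -AutoSize

# Keep the classified rows as review evidence alongside the raw export.
$Classified | Export-Csv -Path '.\file-share-permission-audit-classified.csv' -NoTypeInformation -Encoding UTF8
```

Owner decisions (approved or exception) for `BroadAccess` rows are recorded in the classified CSV during review, which keeps the read-only evidence separate from any later change request.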
Safety Notes
- This audit is read-only and should not change share or NTFS permissions.
- Do not remove broad access until inheritance, owner approval, user impact, and rollback are documented.