Advanced NTFS Permissions Output


Hello to all, this is my first post here. I was trying to get some output for an application team concerning NTFS permissions on shares. I understand how to get output utilizing the Win32_Shares WMI Namespace, but their requirements take me into using Win32_LogicalFileSecuritySetting as well when trying to meet their requirements. Their requested output is below:



Type  Account                     Permissions    Apply To                          Permissions Detailed
----- --------------------------- -------------- --------------------------------- -----------------------------------------------------
Allow ServerName\Administrators   [RWXD--]       This folder only                  Tr/Ex,Lf/Rd,Ra,Rea,Cfi/Wd,Cfo/Ad,Wa,Wea,D,Rp,S
Allow ServerName\Administrators   [Full Control] Subfolders and files only         Tr/Ex,Lf/Rd,Ra,Rea,Cfi/Wd,Cfo/Ad,Wa,Wea,Dc,D,Rp,P,O,S
Allow ServerName\Users            [R-X---]       This folder, subfolders and files Tr/Ex,Lf/Rd,Ra,Rea,Rp,S
Allow CREATOR OWNER               [Full Control] Subfolders and files only         Tr/Ex,Lf/Rd,Ra,Rea,Cfi/Wd,Cfo/Ad,Wa,Wea,Dc,D,Rp,P,O,S
Allow NT SERVICE\TrustedInstaller [Full Control] This folder and subfolders        Tr/Ex,Lf/Rd,Ra,Rea,Cfi/Wd,Cfo/Ad,Wa,Wea,Dc,D,Rp,P,O,S
Allow SYSTEM                      [RWXD--]       This folder only                  Tr/Ex,Lf/Rd,Ra,Rea,Cfi/Wd,Cfo/Ad,Wa,Wea,D,Rp,S
Allow SYSTEM                      [Full Control] Subfolders and files only         Tr/Ex,Lf/Rd,Ra,Rea,Cfi/Wd,Cfo/Ad,Wa,Wea,Dc,D,Rp,P,O,S


Getting the server name and specific path I can get. I also can get the “Type” by checking the security descriptor shown below in my script so far.



param([string]$ServersFile)   # assumed: text file with one server name per line (the param block is not shown in the post)

Process {
    Function Get-NtfsRights($name,$path,$comp)
    {
        # WQL needs backslashes doubled; [regex]::Escape also escapes spaces, which breaks paths such as "C:\Program Files"
        $path = $path.Replace('\','\\')
        $share = "\\$comp\$name"
        $wmi = gwmi Win32_LogicalFileSecuritySetting -filter "path='$path'" -ComputerName $comp
        # keep only ACEs whose mask maps onto FileSystemRights, then expose the raw ACE fields as readable enums
        $wmi.GetSecurityDescriptor().Descriptor.DACL | where {$_.AccessMask -as [Security.AccessControl.FileSystemRights]} | select `
            @{name="Principal";Expression={"{0}\{1}" -f $_.Trustee.Domain,$_.Trustee.Name}},
            @{name="Rights";Expression={[Security.AccessControl.FileSystemRights] $_.AccessMask }},
            @{name="AceFlags";Expression={[Security.AccessControl.AceFlags] $_.AceFlags }},
            @{name="AceType";Expression={[Security.AccessControl.AceType] $_.AceType }},
            @{name="Share";Expression={$share}}   # UNC path of the share the ACE was read for
    }

    $serversfilename = (get-item $serversfile).name
    $myDir = Split-Path -Parent $MyInvocation.MyCommand.Path
    $Outfile = $myDir + "\outfile.csv"
    Get-Content $ServersFile | foreach {
        $server = $_
        $FullDomain = (Get-WmiObject -class Win32_ComputerSystem -ComputerName $Server).domain
        $Domain = $FullDomain.Split(".")[0]
        get-WmiObject -class Win32_Share -computer $server | foreach {
            $Share = $_
            $ShareName = $Share.Name
            # reset per share; otherwise one hidden share marks every later share on the server as hidden
            $hidden = "No"
            if ($ShareName.endswith("$")) {$Hidden = "Yes"}
            $path = $Share.path
            if (!($path)) {$path = "[N/A]"}
            else {
                Get-NtfsRights $ShareName $Path $Server
            }
        }
    }
}



I have other requirements to see if it is hidden and the path etc. Those I can get. For the output above I know I'll have to set up another mask or case loop for different variables, or something. Any help with some output on this, guys? Thanks so much for any time you may have to help. I've attached a screenshot of the output in case mine above was formatted incorrectly.

I suppose I could create a hash table that encompassed several select case checks for the different required output. Is the function I’m using ample enough to provide the information that I’m trying to get in the output?
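One way to produce the four requested columns from a single ACE's raw AccessMask, AceFlags and AceType, as an added example and not code from the original post: the bit values are the documented FileSystemRights and AceFlags constants, the abbreviations and "Apply To" wording follow the sample table, and the three ACEs at the bottom are constructed to reproduce table rows rather than read from WMI.

```powershell
# Detailed-permission abbreviations in the order the sample table lists them
$Detailed = [ordered]@{
    0x20 = 'Tr/Ex'; 0x1 = 'Lf/Rd'; 0x80 = 'Ra'; 0x8 = 'Rea'; 0x2 = 'Cfi/Wd'
    0x4 = 'Cfo/Ad'; 0x100 = 'Wa'; 0x10 = 'Wea'; 0x40 = 'Dc'; 0x10000 = 'D'
    0x20000 = 'Rp'; 0x40000 = 'P'; 0x80000 = 'O'; 0x100000 = 'S'
}
# Inheritance bits of AceFlags: ObjectInherit=1, ContainerInherit=2, InheritOnly=8
$ApplyTo = @{
    0 = 'This folder only';           1 = 'This folder and files'
    2 = 'This folder and subfolders'; 3 = 'This folder, subfolders and files'
    9 = 'Files only';                 10 = 'Subfolders only'
    11 = 'Subfolders and files only'
}
function ConvertTo-AceReport {
    param([string]$Account, [int]$AccessMask, [int]$AceFlags, [int]$AceType)
    # [RWXDPO] summary: Read=0x20089, Write=0x116, ExecuteFile=0x20, Delete=0x10000,
    # ChangePermissions=0x40000, TakeOwnership=0x80000; FullControl=0x1F01FF
    $letters = foreach ($t in @(@(0x20089,'R'), @(0x116,'W'), @(0x20,'X'),
                                @(0x10000,'D'), @(0x40000,'P'), @(0x80000,'O'))) {
        if (($AccessMask -band $t[0]) -eq $t[0]) { $t[1] } else { '-' }
    }
    $summary = if (($AccessMask -band 0x1F01FF) -eq 0x1F01FF) { 'Full Control' } else { -join $letters }
    # NoPropagateInherit (4) and the audit flags do not change the "Apply To" text
    $inherit = $AceFlags -band 0xB
    [pscustomobject]@{
        Type                   = if ($AceType -eq 0) { 'Allow' } else { 'Deny' }
        Account                = $Account
        Permissions            = "[$summary]"
        'Apply To'             = $ApplyTo[$inherit]
        'Permissions Detailed' = ($Detailed.GetEnumerator() |
            Where-Object { $AccessMask -band $_.Key } |
            ForEach-Object { $_.Value }) -join ','
    }
}
# Constructed sample ACEs matching rows 1, 3 and 4 of the requested output; in the
# real script the values come from each DACL entry's AccessMask, AceFlags and AceType
@(
    ConvertTo-AceReport 'ServerName\Administrators' 0x1301BF 0x0 0
    ConvertTo-AceReport 'ServerName\Users'          0x1200A9 0x3 0
    ConvertTo-AceReport 'CREATOR OWNER'             0x1F01FF 0xB 0
) | Format-Table -AutoSize
```

Feeding the objects returned by Get-NtfsRights through this function (Trustee for Account, the raw AccessMask/AceFlags/AceType for the rest) gives the table the application team asked for, and the same output can be piped to Export-Csv for the $Outfile the script already defines.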