Cloning share permissions from NTFS permissions on remote servers

As a system administrator, you may encounter situations where adding "Everyone" share permissions is not an option due to security settings. In these cases, you may need to clone the existing NTFS permissions to the share permissions in order to give the appropriate users access to the shared folder. In this blog post, we will discuss a script that automates this process for multiple remote servers.

The process involves looping through each server in the list, then looping through each shared folder on that server and outputting the server name, share name, and folder path.

The script then sets a list of forbidden folders, which are not allowed to have their NTFS permissions cloned to share permissions. If the folder path is not in the list of forbidden folders, the script continues to execute.

Next, the script defines a block of code (a script block) that will be executed on the remote server. This script block starts by getting the NTFS security descriptor for the folder and extracting the access control entries (ACEs) from the descriptor.

The ACEs are then looped through, and the corresponding share permission is granted for each ACE using the Grant-SmbShareAccess cmdlet. The script also handles converting the NTFS permission to the appropriate share permission by using a switch statement.

Finally, the script block is executed on the remote server using the Invoke-Command cmdlet, passing in the required arguments for $folderPath and $ShareName.

Overall, this script lets administrators clone NTFS permissions to share permissions on multiple remote servers in one pass, saving the time and effort of setting share permissions by hand. Enjoy!


# Set the list of servers
$serverList = "server1", "server2", "server3"

# Share paths that must never have their NTFS permissions cloned (admin shares such as IPC$ have an empty path, plus drive roots and system folders)
$forbiddenFolders = "", "C:\", "C:\Windows", "D:\", "E:\", "C:\excludemeyall", "F:\", "G:\", "H:\", "I:\", "J:\", "K:\", "L:\", "M:\", "N:\", "O:\", "P:\", "Q:\", "R:\", "S:\", "T:\", "U:\", "V:\", "W:\", "X:\", "Y:\", "Z:\"

# Script block executed on each remote server: read the folder's NTFS ACL and grant the matching share permissions
$scriptBlock = {
    param($folderPath, $ShareName)

    # Get the NTFS security descriptor for the folder
    $ntfsSecurityDescriptor = Get-Acl -Path $folderPath

    # Keep only explicit (non-inherited) Allow entries; a Deny ACE must never be turned into a share grant
    $ntfsAccessControlEntries = $ntfsSecurityDescriptor.Access |
        Where-Object { $_.IsInherited -eq $false -and $_.AccessControlType -eq 'Allow' }

    # Loop through each ACE and grant the corresponding share permission using the Grant-SmbShareAccess cmdlet
    foreach ($ace in $ntfsAccessControlEntries) {
        $user = $ace.IdentityReference
        $ntfsPermission = $ace.FileSystemRights
        $sharePermission = $null   # reset per ACE so an unmapped entry does not reuse the previous mapping

        switch ($ntfsPermission) {
            "ReadAndExecute"                                              { $sharePermission = "Read" }
            "ReadAndExecute, Synchronize"                                 { $sharePermission = "Read" }
            "ReadAndExecute, Synchronize, Write"                          { $sharePermission = "Change" }
            "ReadAndExecute, Synchronize, Write, Modify, ReadPermissions" { $sharePermission = "Full" }
            "FullControl"                                                 { $sharePermission = "Full" }
        }

        Write-Output "User: $user, NTFS Permission: $ntfsPermission, Share Permission: $sharePermission"
        if ($sharePermission) {
            Grant-SmbShareAccess -Name $ShareName -AccountName $user -AccessRight $sharePermission -Confirm:$false
        }
    }
}

# Loop through each server
foreach ($server in $serverList) {
    # Get the list of shared folders on the server
    $shares = Get-SmbShare -CimSession $server

    # Loop through each shared folder and output the name and folder path
    foreach ($share in $shares) {
        $folderPath = $share.Path
        $ShareName  = $share.Name
        Write-Output "Server: $server, Share Name: $ShareName, Folder Path: $folderPath"

        # Skip any share whose path is on the forbidden list
        if ($forbiddenFolders -contains $folderPath) {
            Write-Host "$folderPath is not allowed" -ForegroundColor Red
            continue
        }
        Write-Host "$folderPath is allowed" -ForegroundColor Green

        # Execute the script block on the remote server, passing the folder path and share name
        Invoke-Command -ComputerName $server -ScriptBlock $scriptBlock -ArgumentList $folderPath, $ShareName
    }
}
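Before running a script like the one above against production servers, it helps to see what it would grant. The following is an added example, not part of the original post: it maps NTFS rights to share rights by testing FileSystemRights flags (so any combination carrying the relevant flags maps, and nothing is mapped to a broader share right than the NTFS entry implies), skips Deny ACEs, and lists the planned grants per share alongside whether the share already has them, without changing anything. The server name 'server1' is an assumption; it needs PowerShell 5 or later for the using statement and the SmbShare module on both ends.

```powershell
using namespace System.Security.AccessControl

# Map NTFS rights to the share right they imply by testing flags, so any
# combination carrying the flags maps; a right that no share right covers
# without widening access (write-only, ReadPermissions) returns $null.
function ConvertTo-ShareRight {
    param([FileSystemRights]$Rights)
    if ($Rights.HasFlag([FileSystemRights]::FullControl)) { return 'Full' }
    if ($Rights.HasFlag([FileSystemRights]::ReadAndExecute) -and
        $Rights.HasFlag([FileSystemRights]::Write)) { return 'Change' }
    if ($Rights.HasFlag([FileSystemRights]::ReadAndExecute) -or
        $Rights.HasFlag([FileSystemRights]::Read)) { return 'Read' }
    return $null
}

# Dry run for one server: which account would receive which share right on
# which share, and whether the share already grants it. Nothing is changed.
function Get-ShareGrantPlan {
    param([string]$ComputerName, [string[]]$ExcludePaths)
    $cim = New-CimSession -ComputerName $ComputerName
    $shares = Get-SmbShare -CimSession $cim |
        Where-Object { $_.Path -and ($ExcludePaths -notcontains $_.Path) }
    foreach ($share in $shares) {
        # Get-Acl runs on the server; the ACL comes back deserialized, so the
        # rights arrive as text and are cast back to the enum below.
        $acl = Invoke-Command -ComputerName $ComputerName -ArgumentList $share.Path `
            -ScriptBlock { param($p) Get-Acl -Path $p }
        $current = Get-SmbShareAccess -Name $share.Name -CimSession $cim
        $aces = $acl.Access | Where-Object {
            -not $_.IsInherited -and [string]$_.AccessControlType -eq 'Allow' }
        foreach ($ace in $aces) {
            $right = ConvertTo-ShareRight ([FileSystemRights]$ace.FileSystemRights)
            if (-not $right) { continue }
            $account = [string]$ace.IdentityReference
            [pscustomobject]@{
                Server = $ComputerName; Share = $share.Name; Path = $share.Path
                Account = $account; NtfsRights = [string]$ace.FileSystemRights
                ShareRight = $right
                AlreadyGranted = [bool]($current | Where-Object {
                    $_.AccountName -eq $account -and [string]$_.AccessRight -eq $right })
            }
        }
    }
    Remove-CimSession $cim
}

# 'server1' is an assumed name; the exclusion list mirrors the post's forbidden folders.
Get-ShareGrantPlan -ComputerName 'server1' -ExcludePaths @('', 'C:\', 'C:\Windows') |
    Format-Table Share, Account, NtfsRights, ShareRight, AlreadyGranted -AutoSize
```

Only rows with AlreadyGranted equal to False represent a change the cloning script would make, so reviewing that list first shows exactly which accounts gain which share right on which server.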
