I am working on a project where I need to be able to audit various users and user group permissions on a NTFS formatted Windows file server. I would like to use PowerShell and have it recursively search through the remote file share, or it could be run on the server itself, and have it output all of the permissions it finds, either for everything or for the specified user or user group. The goal is to be able to use this for periodic auditing of users and user groups to ensure that permission creep is not occurring and that all permissions are being set up in the same manner by different system administrators. Lastly, it would be used for identifying where we need to make changes when we change user groups in group policy. Are there any common ways of approaching this? Does PowerShell stand up to this task? Would it be possible to have PowerShell output the results into a readable format?
I read a brilliant post a few months ago, dealing with a similar situation by essentially running a script remotely that uses the Get-ACL cmdlet to list ACLs for a path recursively, and piping the output through the Export-CSV cmdlet for a nice overview:
http://jfrmilner.wordpress.com/2011/05/01/audit-ntfs-permissions-powershell-script/
In this case, I think the Sysinternals AccessChk and AccessEnum tools might be a better fit for what you are looking for. They can be found under File and Disk Utilities here.
Similar to the link Judaslscariot1651 provided. I went more toward taking a snapshot of what I know is good and then comparing it whenever I needed by running a script. I compared the file permissions by outputting to XML what it currently found the permissions to be and then comparing that to my baseline XML file using Compare-Object. May not be exact, but just the way I went about doing it. Note: this was a work in progress at the time and is geared toward particular paths I needed to watch, that I pulled from reading in registry key values. The main gist of what you probably need starts near "Collecting information on...". I just wanted to provide all of the code to show how/what I was doing.