diff --git a/File Server/FolderAudit.ps1 b/File Server/FolderAudit.ps1 index 40b071b..9b3a43b 100644 --- a/File Server/FolderAudit.ps1 +++ b/File Server/FolderAudit.ps1 @@ -1,9 +1,9 @@ <# .SYNOPSIS - Audits a base directory for broken permission inheritance (closed-off folders). + Audits a base directory for any form of unique/non-inherited permissions. .DESCRIPTION - Loops through all subfolders, identifies where inheritance is blocked, - and exports an inventory to a CSV with a timestamped filename. + Loops through all subfolders, identifies where inheritance is blocked OR + where explicit, non-inherited permissions exist, and exports them to a CSV. .PARAMETER BaseDir The root directory path you want to scan. .PARAMETER ReportFolder @@ -17,12 +17,12 @@ param ( [string]$BaseDir, [Parameter(Mandatory = $false, HelpMessage = "Enter the folder path where the report should be saved.")] - [string]$ReportFolder = "C:\Temp\AuditReports" # Default backup path if not specified + [string]$ReportFolder = "C:\Temp\AuditReports" ) # Generate timestamped filename (Format: ddMMyyyy-HHmm) $TimeStamp = Get-Date -Format "ddMMyyyy-HHmm" -$ReportName = "Permission_Audit_$TimeStamp.csv" +$ReportName = "Non_Inherited_Permission_Audit_$TimeStamp.csv" $OutputFile = Join-Path -Path $ReportFolder -ChildPath $ReportName # Verify directories exist @@ -36,9 +36,9 @@ if (-not (Test-Path $ReportFolder)) { New-Item -ItemType Directory -Path $ReportFolder -Force | Out-Null } -Write-Host "Starting permission audit on: $BaseDir" -ForegroundColor Cyan +Write-Host "Starting comprehensive permission audit on: $BaseDir" -ForegroundColor Cyan Write-Host "Results will be saved to: $OutputFile" -ForegroundColor Cyan -Write-Host "This may take some time depending on the size of the directory tree..." -ForegroundColor Yellow +Write-Host "Scanning for blocked inheritance and explicit local permissions..." -ForegroundColor Yellow # Initialize array to hold results $Report = [System.Collections.Generic.List[PSCustomObject]]::new() @@ -54,19 +54,29 @@ foreach ($Folder in $AllFolders) { # Get Access Control List (ACL) for the folder $Acl = Get-Acl -Path $Folder.FullName - # Check if inheritance is blocked ($true means it IS protected/blocked) - if ($Acl.AreAccessRulesProtected) { - Write-Host "Found unique permissions: $($Folder.FullName)" -ForegroundColor Magenta + # 1. Check if inheritance is blocked ($true) + $IsInheritanceBlocked = $Acl.AreAccessRulesProtected + + # 2. Look specifically for any access rules applied directly to this folder (IsInherited -eq $false) + $ExplicitRules = $Acl.Access | Where-Object { $_.IsInherited -eq $false } + + # If inheritance is blocked OR there are explicit rules present, we need to flag it + if ($IsInheritanceBlocked -or ($ExplicitRules.Count -gt 0)) { - # Extract names of users/groups with explicit access - $ExplicitAccess = $Acl.Access | Where-Object { $_.IsInherited -eq $false } | ForEach-Object { $_.IdentityReference.Value } - $ExplicitAccessString = $ExplicitAccess -join "; " + Write-Host "Found unique/non-inherited permissions: $($Folder.FullName)" -ForegroundColor Magenta + + # Extract names of users/groups with explicit, non-inherited access + $ExplicitAccessString = ($ExplicitRules | ForEach-Object { $_.IdentityReference.Value }) -join "; " + + # Determine the type of change for easy sorting in Excel/CSV + $PermissionStatus = if ($IsInheritanceBlocked) { "Inheritance Blocked" } else { "Inheriting but has Explicit Local Rules" } # Append data to our report object $Report.Add([PSCustomObject]@{ "Folder Name" = $Folder.Name "Full Path" = $Folder.FullName - "Inheritance Blocked"= $Acl.AreAccessRulesProtected + "Permission Status" = $PermissionStatus + "Inheritance Blocked"= $IsInheritanceBlocked "Explicit Access" = $ExplicitAccessString "Last Modified" = $Folder.LastWriteTime }) @@ -80,8 +90,8 @@ foreach ($Folder in $AllFolders) { # Export data to CSV if ($Report.Count -gt 0) { $Report | Export-Csv -Path $OutputFile -NoTypeInformation -Encoding UTF8 - Write-Host "`nAudit complete! Found $($Report.Count) folders with unique/closed permissions." -ForegroundColor Green + Write-Host "`nAudit complete! Found $($Report.Count) folders with unique/non-inherited permissions." -ForegroundColor Green Write-Host "Results exported to: $OutputFile" -ForegroundColor Green } else { - Write-Host "`nAudit complete. No folders with blocked inheritance were found." -ForegroundColor Green + Write-Host "`nAudit complete. All subfolders are perfectly inheriting permissions." -ForegroundColor Green } \ No newline at end of file