Auditing Locally Shared Folders

Here’s a script that enumerates all shared folders on all computers in your domain.

Your local group membership enumeration script was excellent. That satisfies part of my local SAM concerns. Now I need one that will get all the local and domain groups that are tied to shares on that system -- sort of like ShareEnum from SysInternals, but one that works for an entire domain and is vbs and command-line-based. This way we can tell how many systems are being managed with local accounts and groups that should be in the domain context instead.
-- Chris

Tech Help—Just An
E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors at mailto:[email protected]; the best questions get answered in this column and garner the questioner with a nifty Redmond T-shirt.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

Good question, Chris. Keeping tracking of shared folders across your domain is an important consideration. While GUI tools like GFI LANguard offer this feature, I can see how a script would be useful.

Using the same context as my local administrator group enumeration script, I wrote the following script to solve your problem:

'shareaudit.vbs
On Error Resume Next
Const ForWriting = 2
' Format date/time stamp for output file
strTimeDate = Year(Date) & "-" & Month(Date) & _
  "-" & Day(Date) & "~~" & Hour(Time) & "-" & _
   Minute(Time)
' Output file name and path
strLogFile = "C:\ShareAudit-" & strTimeDate & _
   ".txt"

'Create Log File
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile (strLogFile, _
   ForWriting, True)

' Connect to domain and collect computer accounts
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = _
  "SELECT Name, Location FROM 'LDAP://" & _
  objRootDSE.Get("defaultNamingContext") & "'" _
  & "WHERE objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

' Output domain computer accounts, connect to each ' computer, and enumerate shares and permissions
Do Until objRecordSet.EOF
  strComputer = objRecordSet.Fields("Name").Value
  objFile.WriteLine "System: " & strComputer
' connect to computer
Set objWMIsvc = GetObject("winmgmts:\\" & _
   strComputer & "\root\cimv2")
  If Err <> 0 Then
   objFile.Writeline("*** System Unreachable ***")
   Err.Clear
  Else
   ' enumerate shares
   Set colShares = objWMIsvc.ExecQuery _
   ("SELECT * FROM Win32_Share")

  

' display ACE
   For Each objShare In colShares
   objFile.WriteLine "Share Name:" & objShare.Name
   objFile.WriteLine " Path: " & objShare.Path
   Set wmiShareSec = objWMIsvc.Get _
   ("Win32_LogicalShareSecuritySetting.Name='" &_
   objShare.Name & "'")
   RetVal = wmiShareSec._
   GetSecurityDescriptor(wmiSecurityDescriptor)
   DACL = wmiSecurityDescriptor.DACL
   For Each wmiACE In DACL
   Set Trustee = wmiACE.trustee
   objFile.Writeline(" Account: " & _
   Trustee.Domain & "\" & Trustee.Name)
   Set ACEType = wmiACE.AceType
   Select Case int(wmiACE.AceType)
   Case 0 PermType = "Allow"
   Case 1 PermType = "Deny"
   End Select
   objFile.Writeline(" Permission Type: " & _
   PermType)
   Select Case Int(wmiACE.AccessMask)
   Case 1179817 SharePerm = "Read"
   Case 1245631 SharePerm = "Change"
   Case 2032127 SharePerm = "Full Control"
   Case Else SharePerm = "Access Mask " & _    wmiACE.AccessMask
   End Select
   objFile.Writeline(" Assigned Permission: " & _
   SharePerm)
   objFile.Writeline()
   Next
   Next
  End If
  objRecordSet.MoveNext
  objfile.writeline("-------------------------------")
  objfile.writeline()
Loop
' All done!
WScript.Echo("Audit Complete!")

This script will collect a list of each domain computer and then attempt to connect to each computer in the domain. Once the connection is established all hidden and non-hidden shares will be written to the text file whose name and format is specified by strLogFile variable. The output will be a log file on the C drive by default. Here is a sample of the file contents from a system in my lab:

System: DC1
Share Name:Records
   Path: c:\records
   Account: BUILTIN\Administrators
   Permission Type: Allow
   Assigned Permission: Full Control

Share Name:C$
   Path: C:\
   Account: BUILTIN\Administrators
   Permission Type: Allow
   Assigned Permission: Full Control

Share Name:Public
   Path: C:\Public
   Account: MCP\cbeltran
   Permission Type: Deny
   Assigned Permission: Read

Account: MCP\dmcnabb
   Permission Type: Deny
   Assigned Permission: Change

Account: MCP\dwright
   Permission Type: Deny
   Assigned Permission: Full Control

Account: MCP\Accounting
   Permission Type: Allow
   Assigned Permission: Read

Account: BUILTIN\Administrators
   Permission Type: Allow
   Assigned Permission: Full Control

-------------------------------

System: RS1
*** System Unreachable ***
-------------------------------

When run without any modifications, the script will create a log file that includes the date and time in which the script was run. For example, you may see an output file named ShareAudit-2006-12-5~~12-52.txt. Note that the time is included after the consecutive tildes. Once the script completes, it will notify you with an "Audit Complete!" pop-up message. Since you would probably want to know when a system is unreachable (such as if it is turned off when the script is run), I have the script include the line "*** System Unreachable ***" for any system that the script could not establish a connection with. Note that for connecting to and auditing Windows XP SP2 systems, you will need to ensure that the XP firewall is configured to allow remote management. Steps for troubleshooting XP SP2-related issues with WMI can be found in the Microsoft Support Article, "How to Troubleshoot WMI-related Issues in Windows XP SP2."

Auditing shares and assigned share permissions is an important part of network administration. Since some of the command line tools out there only show you the non-hidden shares, having a script that can show you all shares on every system can be quite handy. I hope this script will make your job a little easier.

Featured

  • Microsoft Extends AI Copyright Protections to Its Partners

    Microsoft this week announced several new partner benefits meant to accelerate channel sales amid skyrocketing AI demand.

  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • Close Up Dollar Bill Graphic

    Price Increases Coming to Power BI, Microsoft Teams Phone

    Microsoft is preparing to implement the first price increases for two standalone products: Power BI and Microsoft Teams Phone.

  • Dynamics 365 Getting Data Security Boost from Druva

    Druva is working to extend its SaaS-based data security platform to support Microsoft's Dynamics 365 Sales and Dynamics 365 Customer Service products.