Authenticated Users drive ACL scanner
PowerShell scanner that checks fixed local drives on Windows servers for root ACL entries where Authenticated Users have broad access. Produces console and CSV evidence so admins can review exposure before any ACL changes.
Good For
- Finding servers where drive roots grant Authenticated Users Modify or FullControl
- Creating review evidence for security tickets and remediation planning
- Comparing exposure across a host list or AD-filtered server scope
- Pre-change validation before tightening NTFS permissions
How to Use It
- Choose target scope: either provide a server list in servers.txt or query Active Directory for enabled Windows Server computer objects.
- Run the scan with an account that can read WMI/CIM and NTFS ACLs remotely over PowerShell remoting.
- Review console output for any drive root entries where Identity is Authenticated Users and Rights include Modify, Write, or FullControl.
- Export full findings to CSV and attach them to the ticket or review pack.
- Validate flagged systems manually on a small sample before proposing remediation, especially where application data or legacy software may rely on permissive ACLs.
Execution Modes
- remote-host-list
- ad-filtered
Inputs and Outputs
Inputs
- servers.txt
- AD LDAP filter
- Output path
Outputs
- verbose-console
- csv
Command Starter
Safe to run: read-only
Import-Module ActiveDirectory   # only needed for the ad-filtered mode
$ServerListTargets = Get-Content .\servers.txt
$AdServerTargets = Get-ADComputer -LDAPFilter '(&(objectCategory=computer)(operatingSystem=*Server*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' | Select-Object -ExpandProperty Name
$Servers = $ServerListTargets   # remote-host-list mode: curated host list
# $Servers = $AdServerTargets   # ad-filtered mode: uncomment this line (and comment the one above) for AD-discovered servers
Invoke-Command -ComputerName $Servers -ScriptBlock {
    # Fixed local disks only (DriveType=3); inspect the ACL on each drive root
    Get-CimInstance Win32_LogicalDisk -Filter "DriveType=3" | ForEach-Object {
        $root = $_.DeviceID + '\'
        $acl = Get-Acl $root
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference -match 'Authenticated Users' -and $ace.AccessControlType -eq 'Allow') {
                [pscustomobject]@{
                    ComputerName = $env:COMPUTERNAME
                    Drive        = $_.DeviceID
                    Path         = $root
                    Identity     = $ace.IdentityReference.Value
                    Rights       = $ace.FileSystemRights.ToString()
                    Inheritance  = $ace.InheritanceFlags.ToString()
                    Propagation  = $ace.PropagationFlags.ToString()
                    IsInherited  = $ace.IsInherited
                    RiskLevel    = if ($ace.FileSystemRights.ToString() -match 'FullControl|Modify|Write') { 'Review' } else { 'Low' }
                }
            }
        }
    }
} | Tee-Object -Variable Results | Format-Table -AutoSize
$Results | Export-Csv .\authenticated-users-drive-acl-scan.csv -NoTypeInformation -Encoding UTF8
$Results | Group-Object ComputerName | Select-Object Name,Count | Export-Csv .\authenticated-users-drive-acl-summary.csv -NoTypeInformation -Encoding UTF8
Validation
- Confirm each target responds to PowerShell remoting; unreachable systems should be tracked separately rather than treated as clean.
- Spot-check 2-3 flagged servers with an interactive Get-Acl on C:\ or another flagged drive root to confirm the CSV matches the live ACL data.
- Verify the output includes ComputerName, Drive, Path, Identity, Rights, and IsInherited for each finding.
- Review whether flagged entries are explicit on the drive root or inherited from an unusual parent or mount configuration.
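The starter script derives RiskLevel from a regex over FileSystemRights.ToString(). As an added example (not part of the page's script), the function below classifies the same ACE by its access-mask bits, so that inherit-only entries carrying generic rights, which ToString() renders as a bare number, are not recorded as Low; it is also stricter than the regex in that any write, delete or ACL-change bit is enough for Review. The function name Get-AceRiskLevel and the sample masks are constructed here, not taken from a live system.

```powershell
# Added example (not part of the original scanner): classify an ACE by its access-mask
# bits instead of a regex over FileSystemRights.ToString(). Inherit-only ACEs on drive
# roots commonly carry generic rights, which ToString() renders as a bare number that
# the pattern 'FullControl|Modify|Write' never matches.
function Get-AceRiskLevel {
    param(
        [Parameter(Mandatory)][int]$Mask    # pass [int]$ace.FileSystemRights
    )
    $genericAll   = 0x10000000   # GENERIC_ALL, maps to FullControl
    $genericWrite = 0x40000000   # GENERIC_WRITE, maps to the Write bits

    # Specific-rights bits that let a principal change content, delete it, or alter the ACL.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $broadBits = [int]$fsr::Write -bor [int]$fsr::Delete -bor
                 [int]$fsr::DeleteSubdirectoriesAndFiles -bor
                 [int]$fsr::ChangePermissions -bor [int]$fsr::TakeOwnership

    if (($Mask -band ($genericAll -bor $genericWrite)) -ne 0) { return 'Review' }
    if (($Mask -band $broadBits) -ne 0)                      { return 'Review' }
    return 'Low'
}

# Inside the scanner's scriptblock (define the function there too, because Invoke-Command
# runs the block on the remote host) the RiskLevel field becomes:
#   RiskLevel = Get-AceRiskLevel -Mask ([int]$ace.FileSystemRights)

# Constructed access masks (not read from a live system) comparing the two checks.
$fsr = [System.Security.AccessControl.FileSystemRights]
$samples = @(
    [pscustomobject]@{ Label = 'Modify (named)';          Mask = [int]$fsr::Modify }
    [pscustomobject]@{ Label = 'GENERIC_ALL';             Mask = 0x10000000 }
    [pscustomobject]@{ Label = 'GENERIC_R|W|X + Delete';  Mask = -536805376 }    # 0xE0010000 as Int32
    [pscustomobject]@{ Label = 'GENERIC_READ|EXECUTE';    Mask = -1610612736 }   # 0xA0000000 as Int32
    [pscustomobject]@{ Label = 'ReadAndExecute (named)';  Mask = [int]$fsr::ReadAndExecute }
)
$samples | ForEach-Object {
    $rendered = [System.Enum]::ToObject($fsr, $_.Mask).ToString()   # what the CSV Rights column shows
    [pscustomobject]@{
        Label      = $_.Label
        Rights     = $rendered
        RegexCheck = if ($rendered -match 'FullControl|Modify|Write') { 'Review' } else { 'Low' }
        BitCheck   = Get-AceRiskLevel -Mask $_.Mask
    }
} | Format-Table -AutoSize
```

The two generic-rights rows are the ones where the starter script's regex reports Low while the bit check reports Review.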
Reporting
- Use authenticated-users-drive-acl-scan.csv as the primary evidence file attached to the security review ticket.
- Use authenticated-users-drive-acl-summary.csv to show how many findings exist per server for prioritization.
- Record unreachable hosts separately with reason codes such as WinRM unavailable, DNS failure, or access denied.
- For each flagged server, note whether the ACL is inherited or explicit and whether the drive appears to host application or user data.
Safety Notes
- This script is read-only and does not modify NTFS permissions.
- Broad permissions do not always mean immediate remediation is safe; validate application dependencies before any ACL change.
- Run large fleet scans during normal admin windows, because remote ACL enumeration can be slow on busy or high-latency systems.
- Access denied and remoting failures should be treated as coverage gaps, not negative findings.