File share permission audit

A read-only file share audit that records SMB share permissions, NTFS access, and ownership evidence for review.

Good For

  • share cleanup
  • least-privilege review
  • migration prep
  • audit evidence
  • ransomware exposure review

How to Use It

  1. Start with a scoped server or share list tied to a migration, audit, or access review.
  2. Capture SMB share permissions and preserve account, access type, and granted right.
  3. Capture NTFS access entries for the same share path so inherited and direct permissions can be compared.
  4. Flag broad groups such as Everyone, Authenticated Users, Domain Users, and legacy department groups for owner review.
  5. Separate evidence gathering from remediation so inherited ACL behavior is understood before any change request.
  6. Export results to CSV and attach owner decisions, exception notes, and follow-up tickets.

Execution Modes

  • local
  • remote-single-host
  • remote-host-list

Inputs and Outputs

Inputs

  • computer name
  • CSV or TXT file server list
  • share owner list
  • approved access groups

Outputs

  • verbose-console
  • csv
  • future-html-report

Command Starter

Safe to run: read-only

Get-SmbShare | Where-Object { $_.Special -eq $false } | Select-Object Name, Path, Description
Get-SmbShareAccess -Name "ShareName" | Select-Object Name, AccountName, AccessControlType, AccessRight
Get-Acl "\\server\share" | Select-Object -ExpandProperty Access
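
The starter commands above combined into one read-only pass that covers steps 2, 3, 4 and 6 of How to Use It. This is an added example, not part of the original page. The parameter names, the default output path, the helper New-EvidenceRow and the CSV column names are assumptions.

```powershell
# Read-only evidence collector: Get-* cmdlets plus Export-Csv only.
param(
    [string[]]$Servers = @($env:COMPUTERNAME),           # assumed: scoped server list
    [string]$OutCsv = '.\share-permission-evidence.csv'  # assumed: output path
)
# Broad principals from step 4; add legacy department groups to this pattern.
$BroadPattern = '(^|\\)(Everyone|Authenticated Users|Domain Users)$'

function New-EvidenceRow {   # hypothetical helper: one CSV row per access entry or error
    param($Server, $Share, $Path, $Layer, $Account, $Type, $Right, $Inherited, $Owner, $Note)
    [pscustomobject]@{
        Server = $Server; Share = $Share; Path = $Path; Layer = $Layer
        Account = "$Account"; AccessType = "$Type"; Right = "$Right"
        Inherited = $Inherited; Owner = $Owner; Note = $Note
        Broad = ("$Account" -match $BroadPattern)
    }
}

$rows = foreach ($server in $Servers) {
    $session = $null
    try {
        # Local mode uses a DCOM session, so WinRM is not needed on the auditing host.
        $cim = @{ ErrorAction = 'Stop' }
        if ($server -ne $env:COMPUTERNAME) { $cim.ComputerName = $server }
        $session = New-CimSession @cim
        $shares = Get-SmbShare -CimSession $session -ErrorAction Stop | Where-Object { -not $_.Special }
    } catch {
        New-EvidenceRow -Server $server -Layer 'Error' -Note "Share enumeration failed: $($_.Exception.Message)"
        if ($session) { Remove-CimSession $session }
        continue
    }
    foreach ($share in $shares) {
        $id = @{ Server = $server; Share = $share.Name; Path = "\\$server\$($share.Name)" }
        try {   # SMB layer (step 2)
            Get-SmbShareAccess -CimSession $session -Name $share.Name -ErrorAction Stop | ForEach-Object {
                New-EvidenceRow @id -Layer 'SMB' -Account $_.AccountName -Type $_.AccessControlType -Right $_.AccessRight
            }
        } catch { New-EvidenceRow @id -Layer 'SMB' -Note "Access error: $($_.Exception.Message)" }
        try {   # NTFS layer and owner at the share root (step 3)
            $acl = Get-Acl -LiteralPath $id.Path -ErrorAction Stop
            foreach ($ace in $acl.Access) {
                New-EvidenceRow @id -Layer 'NTFS' -Account $ace.IdentityReference -Type $ace.AccessControlType -Right $ace.FileSystemRights -Inherited $ace.IsInherited -Owner $acl.Owner
            }
        } catch { New-EvidenceRow @id -Layer 'NTFS' -Note "Access error: $($_.Exception.Message)" }
    }
    Remove-CimSession $session
}
$rows | Export-Csv -Path $OutCsv -NoTypeInformation   # step 6
$rows | Where-Object Broad | Format-Table Server, Share, Layer, Account, Right, Inherited
```

The NTFS rows describe the share root only; subfolders with broken inheritance need a separate recursive pass. Effective access over the network is the more restrictive of the SMB and NTFS layers, so review a broad entry in one layer alongside the other layer's rows for the same share.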

Validation

  • Every reviewed share has SMB permission evidence and NTFS access evidence or an access-error note.
  • Broad access entries are classified as approved, exception, unknown, or cleanup candidate.
  • Any later permission changes include owner approval, before-state export, and a rollback plan.

Reporting

  • export SMB and NTFS permission evidence to CSV
  • group broad access entries by server, share, path, and owning team
  • promote repeated use into a file-share exposure report

Safety Notes

  • This audit is read-only and should not change share or NTFS permissions.
  • Do not remove broad access until inheritance, owner approval, user impact, and rollback are documented.