Powershell File Sharing Permissions Report

Often I am asked to verify folder permissions for a user in a specific place out on one of our servers. Typically this requires browsing out the folder and putting eyes on the permissions dialog box looking for a group on which the user is a member and then documenting it in the ticket. A very painful long boring process. This is where Powershell comes and saves the day. I wrote a very simple script to bring that information to me. It also gives nice output that I can directly copy into tickets to answer what groups has rights to what shares.

This prompts the user to “Enter a UNC Path” once entered goes and grabs the NTFS permissions as well as the SMB Share permissions

Powershell Code

Write-Host

$path = Read-host “Enter a UNC Path: ”
$pathparts = $path.split("\")
$ComputerName = $pathparts[2]
$ShareName = $pathparts[3]

Write-Host "File Sharing Permissions Report - $path"
Write-Host 

$acl = Get-Acl $path

Write-Host "File/NTFS Permissions"
Write-Host 

foreach($accessRule in $acl.Access)
{
    Write-Host "   " $accessRule.IdentityReference $accessRule.FileSystemRights
}
Write-Host 
Write-Host "Share/SMB Permissions"
Write-Host

    $Share = Get-WmiObject win32_LogicalShareSecuritySetting -Filter "name='$ShareName'" -ComputerName $ComputerName
    if($Share){
        $obj = @()
        $ACLS = $Share.GetSecurityDescriptor().Descriptor.DACL
        foreach($ACL in $ACLS){
            $User = $ACL.Trustee.Name
            if(!($user)){$user = $ACL.Trustee.SID}
            $Domain = $ACL.Trustee.Domain
            switch($ACL.AccessMask)
            {
                2032127 {$Perm = "Full Control"}
                1245631 {$Perm = "Change"}
                1179817 {$Perm = "Read"}
            }
            Write-Host "   $Domain\$user  $Perm"
        }
    }
Write-Host

Example Output

.\Get-Permissions-NTFS-SMB.ps1

Enter a UNC Path: : \\filesrv\Working Groups
File Sharing Permissions Report - \\filesrv\Working Groups

File/NTFS Permissions

    BUILTIN\Administrators FullControl
    DOMAIN\Domain Admins FullControl
    DOMAIN\Domain Users ReadAndExecute, Synchronize
    DOMAIN\Folder - File Server Admins FullControl

Share/SMB Permissions

   DOMAIN\Domain Admins  Full Control
   DOMAIN\Domain Users  Full Control

Read More

How to Enable Backup Compression for Microsoft SQL Server

I recently attended a SQL 2012 training class, and one of the coolest features that was discussed during the class was the built-in backup compression. This feature became available in SQL 2008 R2. Most people recommend it be turned on as it saves on Disk I/O , Disk Storage and backup time at the expense of some CPU and Memory usage during the backup. The best part it is it is a simple check box either at the database level or server level to enable.

I’m glad they added this feature, it has always bothered me that backing up basically text data took up so much space.

Enable Compression of Database Backups

  1. In Object Explorer, right-click a server and select Properties.
  2. Click the Database settings node.
  3. Under Backup and restore, Compress backup shows the current setting of the backup compression default option. This setting determines the server-level default for compressing backups, as follows:
    • If the Compress backup box is blank, new backups are uncompressed by default.
    • If the Compress backup box is checked, new backups are compressed by default.

Enable-SQL-Backup-Compression-SQL2008R2

Source: Microsoft TechNet: View or Configure the backup compression default Server Configuration Option

Read More

How to Force SSL for IIS6 and IIS7

Security is always important in our industry especially here at the university where I work. Recently we have been setting up SSL for a lot more of our basic sites so I found two good ways to do this depending on whether the host was IIS 6 or IIS 7. I’m assuming you have SSL up and working on the website, if you don’t there are many tutorials that show how to do this, some of the most helpful ones are provided by the SSL vendor’s documentation.

IIS 6 Force SSL

Theory: IIS does have the option to force SSL however when the non-SSL site is visited it will display a 403.4 error. Using a custom error page you can have the client redirect to the SSL site which does work. This uses client side redirection, you can do this both for IIS 6 or 7 but there are server side redirects that are possible in IIS 7 which are faster and preferred.

Setup: Create Javascript SSL Redirect Page

Create the “redirectSSL.html” document in “C:\Inetpub\”

<!-- beginning of redirectSSL.html file -->
<script type="text/javascript">
function redirectToHttps()
{
var httpURL = window.location.hostname+window.location.pathname;
var httpsURL = "https://" + httpURL ;
window.location = httpsURL ;
}
redirectToHttps();
</script>
<!-- end of redirectSSL.html file -->

Assign Permissions
Right click on the file and select “Properties” then go to the “Security” tab.

Add your Internet Guest Account to have read and execute permissions on this file. The name of the account is structured as “<computer name>\IUSR_<computer name>”. This allows you website users the ability to read this file and get the redirection.

Force SSL
Right Click on your website and select “Properties”, then go to the “Directory Security” tab. Under the “Secure communications” click on the “Edit…” button.
Secure-Com-Edit-IIS6

Check “Require secure channel(SSL)” and “Require 128-bit encryption” and press “OK” at the bottom.
Secure-Com-Edit-IIS6

Setup Custom Error Client Redirection

Select the “Custom Errors” tab and click on the “403;4” HTTP Error item and click “Edit..” at the bottom.

Custom-Error-Edit-IIS6

Select “File” from the Message type dropdown and enter “C:\Inetpub\redirectSSL.html” in the File field and press OK.

Edit-Custom-Error-403-4-File-IIS6

Done!

IIS 7 Force SSL

Thankfully IIS7 is much better and easier to configure.

Theory: IIS7 has server side redirection as a module and we will be adding some custom website configuration to redirect all http traffic to the https site. This is faster than the client redirection as it doesn’t require the client to get two webpages to get to the SSL site.

Prerequisites: This requires the Microsoft URL Rewrite Module be installed on the server.

Method 1 – Use IIS Manager GUI

In IIS Manager, Click on your website and Select “URL Rewrite” from the Features View.

Next Click “Add Rules(s)…” from the Action Pane on the Right.

Setup the rule as shown in the following image:

Edit-Inbound-Rule-IIS7

Method 2 – Configure web.config File

Browse to the root of your website and open the web.config file and edit it to match the following:

<configuration>
   <system.webServer>
      <rewrite>
         <rules>
            <rule name="HTTP to HTTPS redirect" stopProcessing="true">
            <match url="(.*)" />
             <conditions>
             <add input="{HTTPS}" pattern="off" ignoreCase="true" />
             </conditions>
             <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
            </rule>
          </rules>
       </rewrite>
   </system.webServer>
</configuration>

Both of these methods do the exact same thing.

Done!

Read More

Keeping Windows Time Synchronized

Over the years I have managed a few applications that are time sensitive in recording when certain things were logged. This has caused issues when some computers update time and some get behind. Users have trouble understanding why they did something at one time but it was recorded as another. I did find a few commands that can help remedy this problem.

To check Windows Time Service configuration.

w32tm /query /configuration

To configure a standalone server or domain controller for an external time source.

w32tm /config /update /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8" /syncfromflags:MANUAL

To force update to time source.

w32tm /resync

Source: WindowsTimeService < Support < NTP.
Source: Microsoft Technet: Windows Time Service Tools and Settings

Read More

How to determine the version of your Windows ISO file

After a lot of googling this morning I was able to find out how to determine the version of the Windows ISO file. This was important to me because I needed to know if the ISO I had included SP1 or not. This should work for Vista and up, basically any windows that has WIM files within.

First you will need to mount the ISO file to a computer so you can browse it. Then open up a command prompt as administrator and run the following command.

dism /Get-WimInfo /WimFile:E:\sources\install.wim /index:1

(E is the drive letter for the mounted ISO file)

Here is an example of the output from the command for a Windows 7 Enterprise ISO without any service packs.

C:\WINDOWS\system32>dism /Get-WimInfo /WimFile:E:\sources\install.wim /index:1

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385

Details for image : E:\sources\install.wim

Index : 1
Name : Windows 7 ENTERPRISE
Description : Windows 7 ENTERPRISE
Size : 11,912,905,130 bytes
Architecture : x64
Hal : acpiapic
Version : 6.1.7600
ServicePack Build : 16385
ServicePack Level : 0
Edition : Enterprise
Installation : Client
ProductType : WinNT
ProductSuite : Terminal Server
System Root : WINDOWS
Directories : 13629
Files : 64547
Created : 7/14/2009 - 12:49:53 AM
Modified : 7/14/2009 - 2:43:28 AM
Languages :
        en-US (Default)

The operation completed successfully.

C:\WINDOWS\system32>

Source: Version number of Windows 7 from its image (iso,..) – Super User.

Read More