Tech Line

Auditing Locally Shared Folders

Here’s a script that enumerates all shared folders on all computers in your domain.

• By Chris Wolf
• 12/05/2006

Good question, Chris. Keeping tracking of shared folders across your domain is an important consideration. While GUI tools like GFI LANguard offer this feature, I can see how a script would be useful.

Using the same context as my local administrator group enumeration script, I wrote the following script to solve your problem:

'shareaudit.vbs
On Error Resume Next
Const ForWriting = 2
' Format date/time stamp for output file
strTimeDate = Year(Date) & "-" & Month(Date) & _
  "-" & Day(Date) & "~~" & Hour(Time) & "-" & _
   Minute(Time)
' Output file name and path
strLogFile = "C:\ShareAudit-" & strTimeDate & _
   ".txt"

'Create Log File
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile (strLogFile, _
   ForWriting, True)

' Connect to domain and collect computer accounts
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = _
  "SELECT Name, Location FROM 'LDAP://" & _
  objRootDSE.Get("defaultNamingContext") & "'" _
  & "WHERE objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

' Output domain computer accounts, connect to each ' computer, and enumerate shares and permissions
Do Until objRecordSet.EOF
  strComputer = objRecordSet.Fields("Name").Value
  objFile.WriteLine "System: " & strComputer
' connect to computer
Set objWMIsvc = GetObject("winmgmts:\\" & _
   strComputer & "\root\cimv2")
  If Err <> 0 Then
   objFile.Writeline("*** System Unreachable ***")
   Err.Clear
  Else
   ' enumerate shares
   Set colShares = objWMIsvc.ExecQuery _
   ("SELECT * FROM Win32_Share")

' display ACE
   For Each objShare In colShares
   objFile.WriteLine "Share Name:" & objShare.Name
   objFile.WriteLine " Path: " & objShare.Path
   Set wmiShareSec = objWMIsvc.Get _
   ("Win32_LogicalShareSecuritySetting.Name='" &_
   objShare.Name & "'")
   RetVal = wmiShareSec._
   GetSecurityDescriptor(wmiSecurityDescriptor)
   DACL = wmiSecurityDescriptor.DACL
   For Each wmiACE In DACL
   Set Trustee = wmiACE.trustee
   objFile.Writeline(" Account: " & _
   Trustee.Domain & "\" & Trustee.Name)
   Set ACEType = wmiACE.AceType
   Select Case int(wmiACE.AceType)
   Case 0 PermType = "Allow"
   Case 1 PermType = "Deny"
   End Select
   objFile.Writeline(" Permission Type: " & _
   PermType)
   Select Case Int(wmiACE.AccessMask)
   Case 1179817 SharePerm = "Read"
   Case 1245631 SharePerm = "Change"
   Case 2032127 SharePerm = "Full Control"
   Case Else SharePerm = "Access Mask " & _    wmiACE.AccessMask
   End Select
   objFile.Writeline(" Assigned Permission: " & _
   SharePerm)
   objFile.Writeline()
   Next
   Next
  End If
  objRecordSet.MoveNext
  objfile.writeline("-------------------------------")
  objfile.writeline()
Loop
' All done!
WScript.Echo("Audit Complete!")

This script will collect a list of each domain computer and then attempt to connect to each computer in the domain. Once the connection is established all hidden and non-hidden shares will be written to the text file whose name and format is specified by strLogFile variable. The output will be a log file on the C drive by default. Here is a sample of the file contents from a system in my lab:

System: DC1
Share Name:Records
   Path: c:\records
   Account: BUILTIN\Administrators
   Permission Type: Allow
   Assigned Permission: Full Control

Share Name:C$
   Path: C:\
   Account: BUILTIN\Administrators
   Permission Type: Allow
   Assigned Permission: Full Control

Share Name:Public
   Path: C:\Public
   Account: MCP\cbeltran
   Permission Type: Deny
   Assigned Permission: Read

Account: MCP\dmcnabb
   Permission Type: Deny
   Assigned Permission: Change

Account: MCP\dwright
   Permission Type: Deny
   Assigned Permission: Full Control

Account: MCP\Accounting
   Permission Type: Allow
   Assigned Permission: Read

Account: BUILTIN\Administrators
   Permission Type: Allow
   Assigned Permission: Full Control

-------------------------------

System: RS1
*** System Unreachable ***
-------------------------------

When run without any modifications, the script will create a log file that includes the date and time in which the script was run. For example, you may see an output file named ShareAudit-2006-12-5~~12-52.txt. Note that the time is included after the consecutive tildes. Once the script completes, it will notify you with an "Audit Complete!" pop-up message. Since you would probably want to know when a system is unreachable (such as if it is turned off when the script is run), I have the script include the line "*** System Unreachable ***" for any system that the script could not establish a connection with. Note that for connecting to and auditing Windows XP SP2 systems, you will need to ensure that the XP firewall is configured to allow remote management. Steps for troubleshooting XP SP2-related issues with WMI can be found in the Microsoft Support Article, "How to Troubleshoot WMI-related Issues in Windows XP SP2."

Auditing shares and assigned share permissions is an important part of network administration. Since some of the command line tools out there only show you the non-hidden shares, having a script that can show you all shares on every system can be quite handy. I hope this script will make your job a little easier.