<#
Check for Shares on Source Server: The script first checks if there are any shares on the source file server. If no shares are found, it logs an error and exits.
Validate ShareRootFolder: The script checks if the $ShareRootFolder variable is null or whitespace, and if so, logs an error and exits.
Install Required Windows Features: The script checks if the required Windows features (RSAT-AD-PowerShell, RSAT-ADDS-Tools, RSAT-DNS-Server) are installed, and installs them if not.
Export SMB Shares to XML: The script exports the existing SMB shares to an XML file as a backup.
NTFS Permission Check: The script loops through each share folder and checks if the local Administrators group has access. If the local Administrators group is found and the
Domain Administrators group is not present, the script prompts the user to add the Domain Administrators group with full control permissions.
SMB Share Permission Check: The script checks if the local Administrators group has access to the SMB share. If the local Administrators group is found, the script prompts the user to remove the local Administrators group and add the Domain Administrators group with full access.
Key Considerations:
Error Handling: The script includes error handling to log any issues that occur during the process.
Backup and Restore: The script creates a backup of the existing SMB shares in an XML file, which can be used to recreate the shares later if needed.
User Interaction: The script prompts the user for input when it finds local Administrators group permissions, allowing the user to decide whether to fix the permissions or not.
Logging: The script uses a Write-Log function to log various informational and error messages, which can be useful for troubleshooting and record-keeping.
Prerequisites: The script requires the installation of certain Windows features (RSAT-AD-PowerShell, RSAT-ADDS-Tools, RSAT-DNS-Server) to function properly. It also expects the variables $ShareRootFolder, $LogLocation, $NetBIOS, $DomainAdminGroup and $LocalAdminGroup, and the Write-Log function, to already be defined before it runs (the error text points at MigrationParameters.ps1) — nothing in this file defines them. Because it can install Windows features and rewrite NTFS and SMB share ACLs, it should be run from an elevated session on the source file server.
#>
#########################################################################
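# --- Discover the non-administrative shares on the source server ---
# -Special $false already drops the hidden admin shares (ADMIN$, IPC$, PRINT$, C$ ...);
# the regex is an explicit second filter so a share named like one of them is never
# picked up by accident. @() forces an array so .Count is reliable for 0, 1 or many shares.
$ShareFolder = @(Get-SmbShare -Special $false | Where-Object { $_.Name -cnotmatch '^(ADMIN|IPC|PRINT|[A-Z])\$' })

# Nothing to check or migrate: log it and stop before anything is touched.
# $null is placed on the left of -eq: with an array on the left, -eq filters the
# array instead of comparing it, which is the classic PowerShell null-check pitfall.
if (($null -eq $ShareFolder) -or ($ShareFolder.Count -eq 0)) {
    Write-Log -Level ERROR -Message "The system found 0 shares on source file server, mandatory ShareFolder parameter should not be null or empty."
    exit 1
}

# $ShareRootFolder is not defined in this file; it is expected from MigrationParameters.ps1.
# Refuse to continue without it rather than operating on an empty path later.
if ([string]::IsNullOrWhiteSpace($ShareRootFolder)) {
    Write-Log -Level ERROR -Message "No Source ShareRoot folder specified, please run MigrationParameters.ps1 again"
    Write-Output "No Source ShareRoot folder specified, please run MigrationParameters.ps1 again"
    exit 1
}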
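# --- Prerequisite Windows features (AD PowerShell module, AD DS tools, DNS tools) ---
# Get-WindowsFeature returns one object per requested feature, so $RSAT.Installed is an
# ARRAY of booleans. "-not <multi-element array>" is always $false in PowerShell, which
# meant the original check never triggered the install even when features were missing.
# Test each feature individually instead.
$RSATFeatureNames = 'RSAT-AD-PowerShell', 'RSAT-ADDS-Tools', 'RSAT-DNS-Server'
$RSAT = Get-WindowsFeature -Name $RSATFeatureNames
$MissingRSAT = @($RSAT | Where-Object { -not $_.Installed })
if ($MissingRSAT.Count -gt 0) {
    # Install-WindowsFeature needs an elevated session; it fails rather than no-ops without one.
    Write-Log -Level INFO -Message "Installing missing Windows features: $($MissingRSAT.Name -join ', ')"
    Install-WindowsFeature -Name $MissingRSAT.Name
}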
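# --- Back up the current share definitions to XML (used to recreate the shares later) ---
# Join-Path tolerates a $LogLocation with or without a trailing backslash.
# NOTE(review): the XML holds the full share list for this server; confirm $LogLocation
# is readable only by the migration operators.
$SmbSharesXml = Join-Path -Path $LogLocation -ChildPath 'SmbShares.xml'

# Keep the previous backup instead of overwriting it. The timestamp uses 24-hour HH,
# not 12-hour hh: with hh a 01:00 run and a 13:00 run on the same day produce the same
# name and the rename fails (or clobbers the older backup).
if (Test-Path -LiteralPath $SmbSharesXml) {
    $Now = (Get-Date).ToString('MMddyyHHmmss')
    try {
        Rename-Item -LiteralPath $SmbSharesXml -NewName "$Now-oldSmbShares.xml" -ErrorAction Stop
    }
    catch {
        Write-Log -Level ERROR -Message "Error preserving previous SMB share backup: $($_.Exception.Message)"
        Write-Output "Error preserving previous SMB share backup: $($_.Exception.Message)"
        exit 1
    }
}

# Export the source file server shares to XML.
# -ErrorAction Stop: cmdlet errors are typically non-terminating, so without it the
# catch block would never run and the script would continue with no backup on disk.
try {
    $ShareFolder | Export-Clixml -Path $SmbSharesXml -ErrorAction Stop
}
catch {
    Write-Log -Level ERROR -Message "Error exporting SMB shares to XML: $($_.Exception.Message)"
    Write-Output "Error exporting SMB shares to XML: $($_.Exception.Message)"
    exit 1
}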
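# --- Per-share NTFS and SMB share permission checks ---
# FSx cannot resolve local (BUILTIN) groups, so every share must carry a domain group.
# The domain group is always referenced as NETBIOS\Group — the same form the ACL check
# below compares against. The original passed the bare $DomainAdminGroup to the ACL
# rule and to Grant-SmbShareAccess; an unqualified name can resolve to a same-named
# local group (or fail to resolve), granting the wrong principal or nothing at all.
$DomainAdminIdentity = "$NetBIOS\$DomainAdminGroup"

foreach ($share in $ShareFolder) {
    Write-Output "Checking $($share.Path)"
    Write-Log -Level INFO -Message "Checking $($share.Path)"

    # NTFS PERMISSION CHECK: only the ACEs on the share root folder are inspected.
    # Identities are compared as strings so the -contains test is not dependent on
    # how PowerShell coerces NTAccount objects.
    $GetAccess = (Get-Acl -Path $share.Path).Access
    $Identities = @($GetAccess.IdentityReference | ForEach-Object { $_.ToString() })

    if ($Identities -contains 'BUILTIN\Administrators') {
        if ($Identities -contains $DomainAdminIdentity) {
            Write-Output "Local Admin Group and $DomainAdminGroup both found on $($share.Path). No need to modify permissions."
            Write-Log -Level INFO -Message "Local Admin Group and $DomainAdminGroup both found on $($share.Path). No need to modify permissions."
        }
        else {
            Write-Host "ERROR: Found local admin group on $($share.Path) please modify permissions to use domain group as local groups will not have access on FSx" -ForegroundColor Red
            Write-Log -Level ERROR -Message "Found local admin group on $($share.Path) please modify permissions to use domain group as local groups will not have access on FSx"
            Write-Host $($GetAccess.IdentityReference) -ForegroundColor Green
            Write-Log -Level ERROR -Message "$($GetAccess.IdentityReference)"

            # Ask the operator before anything on disk is changed.
            $FixPermissions = Read-Host -Prompt 'Would you like to ADD NTFS domain group permission? Insert Yes or No?'
            if ($FixPermissions -match '^y(?:es)?$') {
                $ACLPath = $share.Path
                # FullControl, inherited by child folders AND files (ContainerInherit|ObjectInherit,
                # which is what the bare "3" meant), with no propagation restriction.
                $FileSystemRight = [System.Security.AccessControl.FileSystemRights]::FullControl
                $Inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
                $Propagation = [System.Security.AccessControl.PropagationFlags]::None
                $RuleType = [System.Security.AccessControl.AccessControlType]::Allow
                try {
                    # -ErrorAction Stop: Get-Acl/Set-Acl failures are otherwise non-terminating
                    # and would bypass the catch while the success message is still printed.
                    $ACL = Get-Acl -Path $ACLPath -ErrorAction Stop
                    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($DomainAdminIdentity, $FileSystemRight, $Inheritance, $Propagation, $RuleType)
                    # SetAccessRule replaces any existing Allow rule for this identity rather than stacking another.
                    $ACL.SetAccessRule($AccessRule)
                    $ACL | Set-Acl -Path $ACLPath -ErrorAction Stop
                    Write-Host "The domain group $DomainAdminGroup has been added to $ACLPath" -ForegroundColor Green
                    Write-Log -Level INFO -Message "The domain group $DomainAdminGroup has been added to $ACLPath"
                }
                catch {
                    $ErrorMsg = $_.Exception.Message
                    Write-Log -Level ERROR -Message "Set folder permissions error: $ErrorMsg"
                    Write-Host "Set folder permissions error: $ErrorMsg" -ForegroundColor Red
                }
            }
            else {
                Write-Host "Please ensure that you have at least one DOMAIN Group with NTFS permissions added to share folders!" -ForegroundColor Red
            }
        }
    }
    else {
        Write-Output "Local Admin Group check passed! You can proceed to use AWS DataSync or Robocopy to migrate data to FSx"
        Write-Log -Level INFO -Message "Local Admin Group check passed! You can proceed to use AWS DataSync or Robocopy to migrate data to FSx"
    }

    # SHARE PERMISSION CHECK: is the local administrators group on the SMB share ACL?
    $SharePermissions = Get-SmbShareAccess -Name $share.Name
    $IsAdminGroupPresent = $SharePermissions | Where-Object { $_.AccountName -eq "$LocalAdminGroup" }
    if ($IsAdminGroupPresent) {
        $FixSMBPermissions = Read-Host -Prompt 'Would you like to script to remove local admin permissions and add domain group permission on SMB share? Insert Yes or No?'
        if ($FixSMBPermissions -match '^y(?:es)?$') {
            try {
                # Grant FIRST, revoke SECOND. The original revoked the local group before
                # granting the domain group, so a failed grant (e.g. an unresolvable group
                # name) left the share with no administrative access at all. -ErrorAction Stop
                # makes the failure land in the catch instead of being printed and ignored.
                Grant-SmbShareAccess -Name $share.Name -AccountName $DomainAdminIdentity -AccessRight Full -ErrorAction Stop
                Revoke-SmbShareAccess -Name $share.Name -AccountName "$LocalAdminGroup" -ErrorAction Stop
                Write-Log -Level INFO -Message "The local administrators group has been replaced with the domain administrators group in the share permissions."
                Write-Output "The $DomainAdminGroup group has been added to the share permissions."
            }
            catch {
                $ErrorMsg = $_.Exception.Message
                Write-Log -Level ERROR -Message "Set share permissions error on $($share.Name): $ErrorMsg"
                Write-Host "Set share permissions error on $($share.Name): $ErrorMsg" -ForegroundColor Red
            }
        }
        else {
            Write-Output "Please remove local admin group from SMB permission manually to continue"
            Write-Log -Level ERROR -Message "Please remove local admin group from SMB permission manually to continue"
        }
    }
}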