topic Re: Creating a report of NTFS permissions based on a CIFS Share in Active IQ Unified Manager Discussions

Creating a report of NTFS permissions based on a CIFS Share

TBknowledge — Wed, 04 Jun 2025 12:53:52 GMT

I want to make a report which will get all DACL *Specific permission based on root CIFS shares.

* Specific permissions: Take Ownership and Change Permissions

I'm using NetApp Powershell module.

1. So, first step is to get all CIFS Shares:

Get-NcCifsShare -InformationVariable ShareName | Select Sharename

2. For each CIFS Share we need to check if there is a Group/User with DACL Permissions to Take Ownership and Change Permissions

Example:

With this NetApp CLI command I can get all DACL permissions:

vserver security file-directory show -vserver svm_server1 -path /TEST_DATA -expand-mask true

It will return very long output, but the part which I'm interesting to is:

So here we can see "Everyone" and they have: Write Owner and Write DAC permissions.

Write Owner = Change Permissions (In Windows NTFS)

DAC permissions = Write DAC(In Windows NTFS)

*************************************************************************

DACL - ACEs
ALLOW-Everyone-0x1f01ff-OI|CI
0... .... .... .... .... .... .... .... = Generic Read
.0.. .... .... .... .... .... .... .... = Generic Write
..0. .... .... .... .... .... .... .... = Generic Execute
...0 .... .... .... .... .... .... .... = Generic All
.... ...0 .... .... .... .... .... .... = System Security
.... .... ...1 .... .... .... .... .... = Synchronize
.... .... .... 1... .... .... .... .... = Write Owner
.... .... .... .1.. .... .... .... .... = Write DAC
.... .... .... ..1. .... .... .... .... = Read Control
.... .... .... ...1 .... .... .... .... = Delete
.... .... .... .... .... ...1 .... .... = Write Attributes
.... .... .... .... .... .... 1... .... = Read Attributes
.... .... .... .... .... .... .1.. .... = Delete Child
.... .... .... .... .... .... ..1. .... = Execute
.... .... .... .... .... .... ...1 .... = Write EA
.... .... .... .... .... .... .... 1... = Read EA
.... .... .... .... .... .... .... .1.. = Append
.... .... .... .... .... .... .... ..1. = Write
.... .... .... .... .... .... .... ...1 = Read

*************************************************************************

I'm not able to find a way to complete this. I do not see a way with PS NetApp toolkit to generate this.

Can you help me?

Thanks in advance!

Re: Creating a report of NTFS permissions based on a CIFS Share

GidonMarcus — Mon, 04 Feb 2019 09:58:03 GMT

sorry, the question is not clear to me. to complete what ? i see both Write Owner and Write DAC.

Re: Creating a report of NTFS permissions based on a CIFS Share

TBknowledge — Mon, 04 Feb 2019 10:12:42 GMT

Hello Gidon,

thanks for the reply.

Imagine you have 100 root CIFS Shares. Each one of them have different NTFS Permissions applied on Group and/or User level.

I want to built a report, which will display specific advanced permissions applied on Group and/or User level for each root CIFS share.

Specific advanced permissions are: "WriteOwner", "FullAccess"

I was able to generate this with Powershell from Windows side, but not able to find a way to perform this from NetApp PS Tool Kit.

Two folders in the example test: TEST1 and TEST2.

Example of the output:

<<<<<<<<<<<<< Permissions for C:\TEST1 >>>>>>>>>>>>>>>>
BUILTIN\Administrators

FullAccess
WriteOwner
--------------------------------------------------
NT AUTHORITY\SYSTEM
WriteOwner

<<<<<<<<<<<<< Permissions for C:\TEST2 >>>>>>>>>>>>>>>>
BUILTIN\Users
FullAccess
WriteOwner
--------------------------------------------------

Thanks!

Re: Creating a report of NTFS permissions based on a CIFS Share

GidonMarcus — Mon, 04 Feb 2019 11:42:08 GMT

Oh.

Sorry i missed that the output was CLI and not PS. in PS you can use the following:

$MyAcl = Get-NcCifsShare -ShareName SecurityAudit* -Controller $MyArray | select path,Vserver,NcController| Get-NcFileDirectorySecurity -ExpandMask | select -ExpandProperty acls

Had to use the select on the middle as without it the pipe appends the volume name to the path twice ....

the sad thing is that you still going to just have it as a string rather properly formatted array... so need to work on parsing the string

Re: Creating a report of NTFS permissions based on a CIFS Share

TBknowledge — Mon, 04 Feb 2019 20:08:45 GMT

Thanks so much for the help Gidon!

Output is the same as security from CLI. Only need to format data as you mentioned.

Thanks again!