Ever wonder how many users grant full control to Everyone on shares they created? This opens a huge risk, as any virus/worm can write itself to these shares, given the NTFS permissions allow them as well. At any rate, I don’t think it’s a good idea, so I scripted it out and found something like 470 shares where Everyone was granted FullControl access in my environment. OUCH!

Keep in mind, this also shows printers. I didn’t take the time to exclude them, so my script actually finds ~620 vulnerable shares.

For logging, just change $script:logfile = "D:\everyoneshares.txt" to whatever location you wish.

If you want to see more than just Full Control, change if (($AccessMask -eq "FullControl") -AND ($myshare.ID -eq "Everyone")){$script:mylist += $myshare} to match your desired output.

It also ignores any share that ends with a $ (administrative or hidden shares), change $shares = gwmi Win32_LogicalShareSecuritySetting -co $comp -erroraction silentlycontinue |? {$_.Name -notlike "*$"} to $shares = gwmi Win32_LogicalShareSecuritySetting -co $comp -erroraction silentlycontinue and it will look at ALL shares.

Now here’s the code:

#OU Locations, make sure the index is in order, 1, 2, 3, etc.
#you cannot have 3 without 2, etc.
$ous = @{}
$ous[1] = 'LDAP://OU=Servers,DC=domain,DC=com'
$ous[2] = 'LDAP://OU=Another OU,DC=domain,DC=com'
$ous[3] = 'LDAP://OU=Domain Controllers,DC=domain,DC=com'

#set logfile directory
$script:logfile = "D:\everyoneshares.txt"

#This pulls all computer accounts from AD
function getresults($path,$cert) {
	$objDomain = New-Object System.DirectoryServices.DirectoryEntry
	$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
	$objSearcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($path)
	$objSearcher.PageSize = 1000 # How many to retrieve at a time. Not output size.
	$objSearcher.Filter = $strFilter
	$objSearcher.PropertiesToLoad.Add("cn") >$null

	$colResults = $objSearcher.FindAll()
	foreach ($objResult in $colResults)
	  $objItem = $objResult.Properties
	  $computer =  $objItem.cn[0]
	  $computer = $objItem.cn
	  $script:comps += $computer

#This runs the getresults function for each OU supplied above
$script:comps = @()

foreach ($ou in 1 .. $ous.Count) {
		if ($ous.$ou) {
			$strFilter = "(&(objectClass=Computer))"
			getresults $ous.$ou

$comps = $script:comps | Sort name
$script:mylist = @()
write-host `n
foreach ($comp in $comps) {#1

#here's where we actually pull each share from the current computer
    $shares = gwmi Win32_LogicalShareSecuritySetting -co $comp -erroraction silentlycontinue |? {$_.Name -notlike "*$"} 
    foreach ($share in $shares){#3
        $SecurityDescriptor = $Share.GetSecurityDescriptor()
		ForEach ($DACL in $SecurityDescriptor.Descriptor.DACL)
			$myshare = "" | Select Server, Share, ID, AccessMask
            $myshare.Server = $comp
            $myshare.Share = $share.name
			$myshare.ID = $DACL.Trustee.Name
			Switch ($DACL.AccessMask)
				2032127 {$AccessMask = "FullControl"}
				1179785 {$AccessMask = "Read"}
				1180063 {$AccessMask = "Read, Write"}
				1179817 {$AccessMask = "ReadAndExecute"}
				-1610612736 {$AccessMask = "ReadAndExecuteExtended"}
				1245631 {$AccessMask = "ReadAndExecute, Modify, Write"}
				1180095 {$AccessMask = "ReadAndExecute, Write"}
				268435456 {$AccessMask = "FullControl (Sub Only)"}
				default {$AccessMask = $DACL.AccessMask}
			$myshare.AccessMask = $AccessMask
            if (($AccessMask -eq "FullControl") -AND ($myshare.ID -eq "Everyone")){$script:mylist += $myshare}
			Clear-Variable AccessMask -ErrorAction SilentlyContinue
$mylist | out-file $script:logfile
$count = $mylist.count
write-output `n "found $count shares where Everyone was given FullControl" | out-file $script:logfile -append
write-host `n

I pieced this together from a few things I found on the net (querying AD and Shares), then combined the two and added logfile output.

I recommend using Start-Job for this, and get-job to see if it’s finished. You don’t need to provide any input, and depending on your environment size, it could take quite some time. Here’s the expected output:

Server                                       Share                                        ID                                           AccessMask                                  
------                                       -----                                        --                                           ----------                                  
Server-1                                     Share-1                                      Everyone                                     FullControl                                 

found 1 shares where Everyone was given FullControl