PowerShell script that enumerates Windows file server shares and NTFS permissions, outputting Cypher code for graph database import (Neo4j, Memgraph, etc.).
This script connects to a Windows file server and maps the permission structure into a graph database format:
- Server nodes: The file server itself
- Share nodes: SMB/CIFS shares on the server
- Folder nodes: Top-level folders within each share
- User/Group nodes: Active Directory principals with access
- Relationships: Who has what permissions where
The output is Cypher code (Neo4j's query language) that can be imported into any graph database supporting Cypher.
Traditional permission audits give you flat lists. Graph databases let you:
- Visualize complex permission inheritance
- Query "who has access to what" across multiple servers
- Find over-permissioned accounts
- Track permission sprawl over time
- Answer questions like "show me all paths from User X to Share Y"
- PowerShell 5.1 or later
- Credentials with read access to target file server(s)
- WinRM/PowerShell Remoting enabled on target server
- Active Directory module (for user/group type detection)
Basic usage:

```powershell
.\Export-FileServerPermissions.ps1 -ServerName FS01
```

Specify an output file:

```powershell
.\Export-FileServerPermissions.ps1 -ServerName FS01 -OutputFile C:\temp\permissions.cypher
```

The script will prompt for credentials to access the target server.
- All non-hidden shares (excludes administrative shares like C$, ADMIN$)
- Share-level permissions (SMB access rights)
- NTFS permissions on top-level folders within each share
- Account type detection (User vs Group) via Active Directory
The script generates Cypher code with these node types:

Server:

```cypher
MERGE (server:Server {name: "FS01"})
```

Share:

```cypher
MERGE (share:Share {name: "Finance", server: "FS01"})
MERGE (server)-[:HOSTS]->(share)
```

Folder:

```cypher
MERGE (folder:Folder {path: "\\\\FS01\\Finance\\Budgets"})
MERGE (share)-[:CONTAINS]->(folder)
```

User/Group Access:

```cypher
MERGE (user:User {samAccountName: "jsmith"})
MERGE (user)-[r:HAS_NTFS_ACCESS]->(folder)
```

- Run the script to generate the `.cypher` file
- Open Neo4j Browser or use `cypher-shell`
- Load and execute the file:

```cypher
:source /path/to/FileServerPermissions_FS01_20250211_143022.cypher
```

Or via cypher-shell:

```shell
cat permissions.cypher | cypher-shell -u neo4j -p password
```

- Retry logic: Handles transient file write failures with exponential backoff
- Remote execution: All ACL enumeration happens on the target server to avoid WinRM serialization issues
- Character escaping: Properly escapes backslashes and quotes for Cypher syntax
- OneDrive warning: Alerts if output path is in OneDrive (which can cause locking issues)
- Progress indicators: Shows real-time progress through shares and folders
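As an added illustration (not code from Export-FileServerPermissions.ps1), the function below shows how one NTFS access entry can be turned into the MERGE statements of the schema above while escaping backslashes and double quotes for Cypher; the `fullName`, `permissions` and `accessType` property names are assumptions chosen to match the example queries, and the ACE is constructed locally so the snippet runs without a file server.

```powershell
# Added example, not the project's own code: emits Cypher MERGE statements for one
# NTFS access rule. Property names (fullName, permissions, accessType, inherited) are assumed.

function ConvertTo-CypherString {
    param([Parameter(Mandatory)][string]$Value)
    # Cypher string literal: double backslashes first, then escape embedded quotes.
    $escaped = $Value.Replace('\', '\\').Replace('"', '\"')
    return "`"$escaped`""
}

function ConvertTo-CypherAccess {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$FolderPath,   # UNC path, e.g. \\FS01\Finance\Budgets
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule]$Ace,
        [ValidateSet('User', 'Group')][string]$AccountType = 'Group'   # BUILTIN\ and NT AUTHORITY\ default to Group
    )
    $identity = $Ace.IdentityReference.Value          # DOMAIN\name, BUILTIN\name, ...
    $sam      = $identity.Split('\')[-1]
    $rights   = $Ace.FileSystemRights.ToString()       # e.g. "Modify, Synchronize"
    $type     = $Ace.AccessControlType.ToString()      # Allow or Deny
    $inherit  = $Ace.IsInherited.ToString().ToLower()

    @(
        "MERGE (server:Server {name: $(ConvertTo-CypherString $ServerName)})"
        "MERGE (share:Share {name: $(ConvertTo-CypherString $ShareName), server: $(ConvertTo-CypherString $ServerName)})"
        "MERGE (server)-[:HOSTS]->(share)"
        "MERGE (folder:Folder {path: $(ConvertTo-CypherString $FolderPath)})"
        "MERGE (share)-[:CONTAINS]->(folder)"
        "MERGE (p:$AccountType {samAccountName: $(ConvertTo-CypherString $sam), fullName: $(ConvertTo-CypherString $identity)})"
        "MERGE (p)-[:HAS_NTFS_ACCESS {permissions: $(ConvertTo-CypherString $rights), accessType: $(ConvertTo-CypherString $type), inherited: $inherit}]->(folder)"
    ) -join "`n"
}

# Constructed sample ACE (no remote call needed); account and path names are made up.
$sampleAce = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'CONTOSO\jsmith', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
ConvertTo-CypherAccess -ServerName 'FS01' -ShareName 'Finance' `
    -FolderPath '\\FS01\Finance\Budgets' -Ace $sampleAce -AccountType User
```

Deny entries carry `accessType: "Deny"` on the relationship, so a query that only counts `HAS_NTFS_ACCESS` edges without filtering on that property will overstate effective access.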
After importing, try these Cypher queries:

Find all users with direct access to a specific share:

```cypher
MATCH (u:User)-[r]->(s:Share {name: "Finance"})
RETURN u.samAccountName, type(r), r.permissions
```

Find over-permissioned accounts (access to 5+ shares):

```cypher
MATCH (p)-[r:HAS_SHARE_ACCESS]->(s:Share)
WITH p, count(DISTINCT s) AS shareCount
WHERE shareCount >= 5
RETURN p.fullName, shareCount
ORDER BY shareCount DESC
```

Visualize all paths from a user to folders:

```cypher
MATCH path = (u:User {samAccountName: "jsmith"})-[*..3]->(f:Folder)
RETURN path
```

- Only scans top-level folders (not recursive through the entire directory tree)
- Requires WinRM/PowerShell Remoting on target servers
- AD lookups may be slow for domains with many accounts
- Built-in accounts (BUILTIN\, NT AUTHORITY\) default to "Group" type
Pull requests welcome! Areas for improvement:
- Recursive folder scanning (with depth limits)
- Support for DFS namespaces
- Parallel processing for multiple servers
- CSV/JSON output options alongside Cypher
MIT License - See LICENSE file for details
Created for mapping enterprise file server permissions into graph databases for security auditing and access analysis.