Give Folder permission to user on a File Server from Domain Controller

Hi,

I want to create a script from Domain Controller that gives permission to a specific user to folders situated on a File Server.

My domain controller name is DC01, my File Server is FileServer01

I want to give access to two folders with paths:

“s:\data\project01” and “s:\data\project01\2020”

 

“s:\data” has the resource manager quota and all the subfolders.

 

I want to assign to “s:\data\project01” read/write permission to “user1”

and to"s:\data\project01\2020" just read permission to “user1”

I have create this script:

 

$cim=New-CimSession -ComputerName FileServer01

Grant-Fileshareacces -Name “2020” -AccessRight Read -AccountName “user1” -CimSession $cim

It doesn’t work because even if it is a file share server and every folders has got a share path like \FileServer01\data\project01\2020 to be able to see the folders when I run the command:

Get-smbshare -CimSession $cim

I have to go on the folder and click advanced share and tick the box.Otherwise the only folder that I can see with Get-smbshare is “s:\data”.

Anyone has any idea or examples to how to address this task?

 

Thanks

 

 

Max,

When you post code, error messages, sample data or console output format it as code, please.
In the “Text” view you can use the code tags “PRE“, in the “Visual” view you can use the format template “Preformatted“. You can go back edit your post and fix the formatting – you don’t have to create a new one.
Thanks in advance.

We need to distinguish between share permissions and filesystem permissions.

Share permissions are set on the host of the folder\share under properties > sharing tab. Grant-Fileshareaccess or Grant-SMBShareAccess are able to work with shared folders, any that you see in the output of Get-SMBShare (accept hidden admin shares, of course.) Any subfolders of that share, may or may not be shares themselves, you’ll have to look. If they are not, the user will still need read access on that share to be able to navigate through that share path to the subfolders.

Filesystem permissions are set on the host of the folder that’s shared under properties > security. The user needs to have read permissions on the folder that’s shared in order to be able to open the shared folder as well as modify to write to it. Even if they have full permissions in share permissions, they won’t be able to write without the filesystem permissions.

Change your command to point at the actual share name for user1. That will control whether they can get into that share or any children or not (granted they have the filesystem permissions)

I hope this helps.

  • From Grant-FileShareAccess -Name "2020" -AccessRight Full -AccountName "mmay" -CimSession $cim
 
-FileShareAccess : fileserver01: No MSFT_FileShare objects found with property 'Name' equal to '2020'. Verify the value of the property and retry. At C:\Users\Administrator\Documents\Untitled1.ps1:4 char:1 + Grant-FileShareAccess -Name "2020" -AccessRight Full -AccountNam ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (2020:String) [Grant-FileShareAccess], CimJobE xception + FullyQualifiedErrorId : CmdletizationQuery_NotFound_Name,Grant-FileShareAccess + PSComputerName : fileserver01
  • From Get-Smbshare -CimSession $cim
Name ScopeName Path Description PSComputerName ---- --------- ---- ----------- -------------- project01 * S:\data\project01 fileserver01 ADMIN$ * C:\Windows Remote Admin fileserver01 C$ * C:\ Default share fileserver01 IPC$ * Remote IPC fileserver01 1819 * S:\data\project01\1819 f. ileserver01 S$ * S:\ Default share fileserver01 data * S:\data fileserver01

 

1819 is the folder that I have manually shared on Propertie—>Sharing—>Advanced Sharing–>Box Share this folder. (I don’t want to do that)

At the moment I am doing this process manually right click on the folder --> share with Specific People The user that I want to add to that specific folder is there in the window than I click on share.

So your command would be

Grant-FileShareAccess -Name "1819" -AccessRight Full -AccountName "mmay" -CimSession $cim

Where are you even getting the name “2020”?

And if you don’t want to manually create the share, why not look at New-SMBShare?