Manage Share Permissions

Hi All,

I have about 500 OS 2003, 2008, and 2012 servers in my network.
I need to manage “Share Permissions” of shared folders on these servers using PowerShell. Please note that I want to manage “Share Permissions” that are set under the shared folder properties’ “Sharing” tab, not the NTFS permissions that are set under the “Security” tab.

I need to either remove “domainA\user1” or swap it with “domainB\user1” with the same permissions that “domainA\user1” had. So far I found this link, but the WMI portion of it manages NTFS permissions, not share permissions.

So, I used this script from MSFT to log all the shared folders and their share permissions, and transferred them manually to a CSV file.

Therefore, I will simply read the CSV for Server name, share name, and permissions.
Can someone please help me with how I can:

  1. Remove a user/group from share permissions
  2. Swap the user/group with the one from the second domain, keeping the same share permissions. (I am guessing this step will be twofold: remove and then add.)

All this should be compatible with OS 2003, 2008, and 2012 (I am guessing this will be done with WMI)

Thanks in advance

There are some new (in 2016) and newish (in 2012) cmdlets for managing share permissions (Get-Command share) but these probably won’t work on the older operating systems.

Get-Acl and Set-Acl should work with all OS versions and should be suitable for this task:

#Remove an access control entry:

$acl = Get-Acl testShare
foreach ($access in $acl.Access) {
    # Match the trustee of each ACE against the account to drop
    if ($access.IdentityReference -eq 'DOMAIN\user1') {
        $acl.RemoveAccessRule($access) | Out-Null
    }
}
Set-Acl testShare -AclObject $acl

#Add a new access control entry:

$acl = Get-Acl testShare
# Arguments: identity, rights, inheritance flags, propagation flags, allow/deny
$newRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'DOMAIN\user2','Read','ContainerInherit,ObjectInherit','None','Allow'
$acl.AddAccessRule($newRule)
Set-Acl testShare -AclObject $acl

I used this cmdlet from the PSGallery to get a list of permissions. I found it really useful for setting permissions across the board as well, and you can always check permissions and export them to a CSV file.

These are rough scripts I made to set permissions and then send off an email with the reports of the current perms.

# Paths to process, e.g. '\\server1\data','D:\Shares\Finance'
$myArray = @('List of Paths')
foreach ($path in $myArray) {
    $Test = Test-Path $path
    if ($Test -eq $true) {
        # Show what domainA\user1 currently has on this path (NTFSSecurity module cmdlets)
        Get-NTFSAccess -Path $path -Account 'domainA\user1' -ExcludeInherited | Select-Object -Property FullName,Account,AccessRights | Format-Table -AutoSize
        # Grant domainB\user1 on the same path
        Add-NTFSAccess -Path $path -Account 'domainB\user1' -AccessRights FullControl -PassThru -Verbose
        #    Write-Host 'Sleep for 3 seconds'
        #    Start-Sleep -Seconds 3
    }

    #Reporting Part
    #Get-NTFSAccess -Path $path -ExcludeInherited | Select-Object -Property Account,AccessRights | Export-Csv -Path "$env:USERPROFILE\Desktop\ACERights.csv" -Append -NoTypeInformation
    #Send you an email with list
    #send-mailmessage -to -From -Subject 'ACE permission' -BodyAsHTML $Body -SMTPServer 'YourSMTPServer' -Attachments "$env:USERPROFILE\Desktop\ACERights.csv"
}


Matt, thanks for the details and code. I tried your code. Unfortunately, Get-ACL and Set-ACL are defaulting to NTFS permissions on the shared folder (“Security” tab of shared folder). I am dealing with the situation where I need to manage “Share” permissions in the “Share” tab of folder properties :-/

Jeff, Thanks for the details. Looks like this is also dealing with NTFS permissions of the shared folder, not the “Share” permissions.

I may be missing something very basic here. Maybe I am not understanding the full capabilities of Get-ACL, where it can also manage “Share” permissions beyond NTFS permissions. But my current understanding is that it only deals with NTFS rights.

You’re quite right. Sorry, I overlooked that the share name was being resolved to the NTFS path and it was picking up the NTFS permissions.

I don’t think this is as straightforward as I first thought. Granting access to a share permission from the command line is pretty easy, you can use net share /grant in a PowerShell script but revoking access is harder. I’m really struggling with the Win32_LogicalShareSecuritySetting class which is what I think you’ll need to use.

I suspect the simplest route might be a 3rd party tool like setacl.exe

While I’m not changing the permissions in my project, I do have a reporting function for shares configured on a server; hopefully it gives you a bit of a lead.

Get-WmiObject -ComputerName $computer -Class Win32_Share | Out-GridView
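Pulling together Matt’s pointer to Win32_LogicalShareSecuritySetting and the Win32_Share reporting one-liner above, here is an added example (not code posted by anyone in this thread) that reads and edits the share-level DACL, i.e. the “Sharing” tab, rather than NTFS. It assumes PowerShell 2.0 or later, WMI/DCOM access to the target server, and that the replacement account (‘domainB\user1’ in the question) resolves from the machine running the script; the function names, the Type=0 filter for disk shares and the three AccessMask values are my choices, not something from the thread.

```powershell
# Added example: share-level permissions through WMI, usable on 2003/2008/2012.

# Map a share AccessMask to the name shown on the "Sharing" tab; anything else
# is shown as hex so an unusual mask is not silently mislabelled.
function ConvertTo-ShareRightName {
    param([uint32]$AccessMask)
    switch ($AccessMask) {
        2032127 { 'FullControl' }   # 0x1F01FF
        1245631 { 'Change' }        # 0x1301BF
        1179817 { 'Read' }          # 0x1200A9
        default { '0x{0:X}' -f $AccessMask }
    }
}

# Win32_Trustee.Domain is empty for well-known principals such as Everyone.
function Get-TrusteeName {
    param($Trustee)
    if ($Trustee.Domain) { "$($Trustee.Domain)\$($Trustee.Name)" } else { $Trustee.Name }
}

# Report the share DACL of every disk share on one server (the same data the
# question's CSV holds: server, share, account, rights).
function Get-SharePermission {
    param([string]$ComputerName = '.')
    $shares = Get-WmiObject -ComputerName $ComputerName -Class Win32_Share -Filter 'Type=0'
    foreach ($share in $shares) {
        $sss = Get-WmiObject -ComputerName $ComputerName -Class Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
        if (-not $sss) { continue }
        $res = $sss.GetSecurityDescriptor()
        if ($res.ReturnValue -ne 0) { Write-Warning "$($share.Name): GetSecurityDescriptor returned $($res.ReturnValue)"; continue }
        foreach ($ace in $res.Descriptor.DACL) {
            $type = 'Deny'; if ($ace.AceType -eq 0) { $type = 'Allow' }
            New-Object PSObject -Property @{
                ComputerName = $ComputerName
                ShareName    = $share.Name
                Account      = Get-TrusteeName $ace.Trustee
                AceType      = $type
                Rights       = ConvertTo-ShareRightName $ace.AccessMask
            }
        }
    }
}

# Remove every ACE for $OldAccount from one share; when $NewAccount is given,
# replace each with an ACE carrying the same AceType, AceFlags and AccessMask.
function Set-ShareTrustee {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$ShareName,
        [Parameter(Mandatory=$true)][string]$OldAccount,   # e.g. 'domainA\user1'
        [string]$NewAccount                                 # e.g. 'domainB\user1'; omit to remove only
    )
    $sss = Get-WmiObject -ComputerName $ComputerName -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    if (-not $sss) { throw "Share '$ShareName' not found on $ComputerName" }
    $res = $sss.GetSecurityDescriptor()
    if ($res.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($res.ReturnValue)" }
    $sd = $res.Descriptor

    # Resolve the replacement trustee first, so an unresolvable name fails
    # before anything on the server is modified.
    $newTrustee = $null
    if ($NewAccount) {
        $domain, $name = $NewAccount -split '\\', 2
        $sid = (New-Object System.Security.Principal.NTAccount($domain, $name)).Translate([System.Security.Principal.SecurityIdentifier])
        $sidBytes = New-Object byte[] $sid.BinaryLength
        $sid.GetBinaryForm($sidBytes, 0)
        $newTrustee = ([wmiclass]"\\$ComputerName\root\cimv2:Win32_Trustee").CreateInstance()
        $newTrustee.Domain    = $domain
        $newTrustee.Name      = $name
        $newTrustee.SID       = $sidBytes
        $newTrustee.SIDString = $sid.Value
    }

    $dacl = @()
    $matched = 0
    foreach ($ace in $sd.DACL) {
        if ((Get-TrusteeName $ace.Trustee) -ne $OldAccount) { $dacl += $ace; continue }
        $matched++
        if ($newTrustee) {
            $copy = ([wmiclass]"\\$ComputerName\root\cimv2:Win32_ACE").CreateInstance()
            $copy.AccessMask = $ace.AccessMask
            $copy.AceFlags   = $ace.AceFlags
            $copy.AceType    = $ace.AceType
            $copy.Trustee    = $newTrustee
            $dacl += $copy
        }
    }
    if ($matched -eq 0) { Write-Warning "$OldAccount has no ACE on \\$ComputerName\$ShareName; nothing changed"; return }
    # A DACL with no entries either locks everyone out or, if written as a null
    # DACL, lets everyone in; neither is what a removal or swap should produce.
    if ($dacl.Count -eq 0) { throw "Removing $OldAccount would leave \\$ComputerName\$ShareName with no ACEs; refusing" }
    $sd.DACL = [System.Management.ManagementBaseObject[]]$dacl
    $ret = $sss.SetSecurityDescriptor($sd).ReturnValue
    if ($ret -ne 0) { throw "SetSecurityDescriptor failed with $ret" }
    "Updated \\$ComputerName\$ShareName ($($matched) ACE(s) for $OldAccount)"
}

# Driven from a CSV with Server and Share columns, as the question describes:
# Import-Csv .\shares.csv | ForEach-Object {
#     Set-ShareTrustee -ComputerName $_.Server -ShareName $_.Share -OldAccount 'domainA\user1' -NewAccount 'domainB\user1'
# }
```

Run Get-SharePermission against a server before and after the swap and diff the two outputs; because the new ACE copies AceType and AceFlags, a Deny entry for domainA\user1 becomes a Deny for domainB\user1 rather than being silently turned into an Allow.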