Manage Share Permissions

asimvirtual · November 26, 2016, 3:27pm

Hi All,

I have about 500 OS 2003, 2008, and 2012 servers in my network.
I need to manage “Share Permissions” of shared folders on these servers using powershell. Please note that I want to manage “Share Permissions” that are set under shared folder properties’ “Sharing” tab, not NTFS permissions that are set under “Security” tab.

I need to either remove “domainA\user1” or swap it with “domainB\user1” with same permissions that “domainA\user1” had. So far I found this link but the WMI portion of this manages NTFS permissions, not share permissions.

So, I used this script from MSFT to log all the shared folders and their share permissions, and transferred them manually to a CSV file.
https://gallery.technet.microsoft.com/scriptcenter/List-Share-Permissions-83f8c419

Therefore, I will simply read the CSV for Server name, share name, and permissions.
Can someone please help me how I can:

Remove a user/group from share permissions
Swap user/group with second domain with same share permissions. (I am guessing this step will be two fold, remove and then add)

All this should be compatible with OS 2003, 2008, and 2012 (I am guessing this will be done with WMI)

Thanks in advance

matt-bloomfield · November 28, 2016, 8:12am

There are some new (in 2016) and newish (in 2012) cmdlets for managing share permissions (Get-Command share) but these probably won’t work on the older operating systems.

Get-Acl and Set-Acl should work with all OS versions and should be suitable for this task:

#Remove an access control entry:

$acl = Get-Acl testShare

foreach ($access in $acl.Access) {

    if ($access.IdentityReference -eq 'DOMAIN\user1') {

        $acl.RemoveAccessRule($access) | Out-Null
    }

    Set-Acl testShare -AclObject $acl

}


#Add a new access control entry:

$acl = Get-Acl testShare

$newRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule('DOMAIN\user2','Read','ContainerInherit,ObjectInherit','None','Allow')

$acl.SetAccessRule($newRule)

Set-Acl testShare -AclObject $acl

jefferyhayes · November 28, 2016, 10:08am

I used this cmdlet from the PSGallery to get a list of permission. I found it was really useful in setting permission across the board as well as you can always check permission and export it to an CSV File.

These are rough scripts I made to set permission then send off an email with the reports of the current perms.

$myArray = @('List of Paths'
'Path2'
'Path3'
)
   
   foreach($path in $myArray){$Test = Test-Path $path
   
     if($Test -eq $true){Get-NTFSAccess -Path $path -Account 'domainA\user1' -ExcludeInherited | Select-Object -Property FullName,Account,AccessRights | Format-Table -AutoSize}

   }

     if($Test -eq $true){Add-NTFSAccess -Path $path -Account 'domainB\user1' -AccessRights FullControl -PassThru -Verbose}   
   #  
   #    Write-Host 'Sleep for 3 seconds'
   #    Start-Sleep -Seconds 3 

  #Reporting Part   

 #Get-NTFSAccess -Path $path -ExcludeInherited | Select-Object -Property Account,AccessRights   | Export-Csv -Path 'C:\Users\%username%\Desktop\ACERights.csv' -Append -NoTypeInformation
   
   #Send you an email with list
   #send-mailmessage -to Myself@Email.com -From Myself@Email.com  -Subject 'ACE permission' -BodyAsHTML $Body -SMTPServer 'YourSMTPServer' -Attachments 'C:\Users\%username%\Desktop\ACERights.csv'

asimvirtual · November 28, 2016, 12:01pm

Matt, thanks for the details and code. I tried your code. Unfortunately, Get-ACL and Set-ACL are defaulting to NTFS permissions on the shared folder (“Security” tab of shared folder). I am dealing with the situation where I need to manage “Share” permissions in the “Share” tab of folder properties :-/

asimvirtual · November 28, 2016, 12:02pm

Jeff, Thanks for the details. Looks like this is also dealing with NTFS permissions of the shared folder, not the “Share” permissions.

asimvirtual · November 28, 2016, 12:12pm

I may be missing something very basic here. May be I am not understanding the full capabilities of Get-ACL where it can also manage “Share” permissions; beyond NTFS permissions. But my current understanding is that it only deals with NTFS rights.

matt-bloomfield · November 28, 2016, 2:23pm

You’re quite right. Sorry, I overlooked that the share name was being resolved to the NTFS path and it was picking up the NTFS permissions.

I don’t think this is as straightforward as I first thought. Granting access to a share permission from the command line is pretty easy, you can use net share /grant in a PowerShell script but revoking access is harder. I’m really struggling with the Win32_LogicalShareSecuritySetting class which is what I think you’ll need to use.

I suspect the simplest route might be a 3rd party tool like setacl.exe

david-schmidtberger · November 28, 2016, 3:11pm

while i’m not changing the permissions in my project, i do have a reporting function for shares configured on a server, hopefully it gives you a bit of a lead

Get-WmiObject -ComputerName $computer -Class Win32_Share | Out-GridView

Topic		Replies	Views
Regarding Shared folder creation PowerShell Help	4	159	September 23, 2016
Need help on permission on AdvanceSharing PowerShell Help	3	124	March 10, 2016
Resetting permissions on share folders (i.e. Roaming Profiles) PowerShell Help	3	138	August 4, 2015
Help with Get-ACL PowerShell Help	4	128	June 3, 2016
Set file permissions on a share for specific file types PowerShell Help	8	217	May 25, 2018

Manage Share Permissions

Related Topics