Need to edit the Everyone permission on a share

Hello all,

I am VERY new to PowerShell and scripting in general. I have been given the task of editing the Everyone permission on several remote servers we are in the process of decommissioning. The OS on these servers is Server 2003, and the PowerShell version is 2.0.

I have been able to find several scripts that will create a share for me and mark Everyone as read-only; below is the one I have been using:

# Target server and the share to create
$Computer = "Computer"
$Class = "Win32_Share"
$Method = "Create"
$name = "Temp"
$path = "C:\temp"
$description = "This is shared for me to test"

# Empty security descriptor, ACE and trustee objects on the remote machine
$sd = ([WMIClass] "\\$Computer\root\cimv2:Win32_SecurityDescriptor").CreateInstance()
$ACE = ([WMIClass] "\\$Computer\root\cimv2:Win32_ACE").CreateInstance()
$Trustee = ([WMIClass] "\\$Computer\root\cimv2:Win32_Trustee").CreateInstance()

# Trustee is Everyone (binary form of SID S-1-1-0)
$Trustee.Name = "EVERYONE"
$Trustee.Domain = $Null
$Trustee.SID = @(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

# Allow ACE (AceType 0) with a read-only access mask
$ace.AccessMask = 1179817
$ace.AceFlags = 3
$ace.AceType = 0
$ACE.Trustee = $Trustee
$sd.DACL += $ACE.psObject.baseobject

# Call Win32_Share.Create with the descriptor built above
$mc = [WmiClass]"\\$Computer\ROOT\CIMV2:$Class"
$InParams = $mc.psbase.GetMethodParameters($Method)
$InParams.Access = $sd
$InParams.Description = $description
$InParams.MaximumAllowed = $Null
$InParams.Name = $name
$InParams.Password = $Null
$InParams.Path = $path
$InParams.Type = [uint32]0
$R = $mc.PSBase.InvokeMethod($Method, $InParams, $Null)

# Translate the return code into a message
switch ($($R.ReturnValue))
{
    0 {Write-Host "Share:$name Path:$path Result:Success"; break}
    2 {Write-Host "Share:$name Path:$path Result:Access Denied" -foregroundcolor red -backgroundcolor yellow; break}
    8 {Write-Host "Share:$name Path:$path Result:Unknown Failure" -foregroundcolor red -backgroundcolor yellow; break}
    9 {Write-Host "Share:$name Path:$path Result:Invalid Name" -foregroundcolor red -backgroundcolor yellow; break}
    10 {Write-Host "Share:$name Path:$path Result:Invalid Level" -foregroundcolor red -backgroundcolor yellow; break}
    21 {Write-Host "Share:$name Path:$path Result:Invalid Parameter" -foregroundcolor red -backgroundcolor yellow; break}
    22 {Write-Host "Share:$name Path:$path Result:Duplicate Share" -foregroundcolor red -backgroundcolor yellow; break}
    23 {Write-Host "Share:$name Path:$path Result:Redirected Path" -foregroundcolor red -backgroundcolor yellow; break}
    24 {Write-Host "Share:$name Path:$path Result:Unknown Device or Directory" -foregroundcolor red -backgroundcolor yellow; break}
    25 {Write-Host "Share:$name Path:$path Result:Network Name Not Found" -foregroundcolor red -backgroundcolor yellow; break}
    default {Write-Host "Share:$name Path:$path Result:*** Unknown Error ***" -foregroundcolor red -backgroundcolor yellow; break}
}

If I run it on a server that already has a share on it, the script errors out saying the share is a duplicate, error 22. I just really need to edit the share, not try to create an additional one.

Can anyone out there get me in the right direction?

Thanks.

That’s because you’re using CreateInstance() to create a new share. Prior to doing so, you should check to see if the share already exists, and if it does, obtain a reference to the existing instance rather than trying to create a new one.

So it looks like this would work for doing that?

# Look up the share by name on the remote computer
$share = Get-WMIObject -Class Win32_Share -Computer 'COMPUTERNAME' -Filter "Name='Temp'"
if ($share) {
    write-host "Share exists"
}
else {
    write-host "Share not found"
}

But where would I add that to make it just change the share permissions instead of creating a share?

Sorry I need to be spoon fed this, but I am VERY new to it and do appreciate the help!

Steve, take a look at this post: Powershell – WMI: Working with Shares – Part 1: Creating a Share with Custom Permissions – CTGlobal

There are a couple of versions of a script to create new shares and set permissions, but there is an update by Chris Smith (fair warning: it is down in the comments a bit).

#Start the Text for the message.
$text = "$ShareName ($FolderPath): "
#Package the SecurityDescriptor via the New-SecurityDescriptor Function.
$SecDesc = New-SecurityDescriptor $ACEs
#Check to see if the share already exists – This is to modify Permissions
$CheckShare = (Get-WmiObject Win32_Share -comp $Computername -Filter "Name='$ShareName'")
if ($CheckShare -ne $null) {
    # "Share exists and will now be modified!!!"
    $result = $CheckShare | foreach-object { $_.SetShareInfo(0, $Description, $SecDesc) }
}

In order to modify the share permissions you will need to use the SetShareInfo method rather than Create.
Also, if you only create an ACE with just the permissions for Everyone, it will overwrite the existing permissions and only the permissions in your update will be present on the share. That might be OK if that is the only share permission(s) you want, but if you need to preserve existing permissions you would need to use the GetAccessMask method to collect the existing permissions and update the entry for Everyone. See https://msdn.microsoft.com/en-us/library/aa394435(v=vs.85).aspx
If you are learning, this is a great rabbit hole to discover lots about security. However, if you are pressed for time you could use rmtshare.exe from the NT Resource Kit (https://support.microsoft.com/en-us/kb/172599). It works on 2003, and you can get basic syntax from Rmtshare - File and Printer shares - Windows CMD - SS64.com
That being said, the best option would be to upgrade to a newer OS that is more secure, and with Server 2012 you get PowerShell commands to manage share permissions. http://blogs.technet.com/b/omers/archive/2013/09/14/assigning-file-share-permissions-using-power-shell.aspx
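
An added example, not code from this thread or from the linked posts: one way to change only the Everyone entry on an existing share while keeping every other ACE. It reads the current descriptor with Win32_LogicalShareSecuritySetting.GetSecurityDescriptor (a choice made for this example) and writes it back with SetShareInfo; the function name Set-EveryoneShareRead and the COMPUTERNAME value are placeholders.

```powershell
# Added example; Set-EveryoneShareRead is a hypothetical name, not a built-in cmdlet.
function Set-EveryoneShareRead {
    param(
        [string]$Computer  = 'COMPUTERNAME',  # placeholder server name
        [string]$ShareName = 'Temp',          # share name from the original post
        [uint32]$ReadMask  = 1179817          # read-only mask from the original script
    )
    # Binary SID S-1-1-0 (Everyone), same bytes as $Trustee.SID in the original script
    $everyone = '1,1,0,0,0,0,0,1,0,0,0,0'

    # Read the share's current security descriptor instead of building a new one
    $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $Computer -Filter "Name='$ShareName'"
    if (-not $sec) { Write-Warning "Share '$ShareName' not found on $Computer"; return }
    $got = $sec.GetSecurityDescriptor()
    if ($got.ReturnValue -ne 0) { Write-Warning "GetSecurityDescriptor returned $($got.ReturnValue)"; return }
    $sd = $got.Descriptor

    # Copy every ACE; only allow-type (AceType 0) entries for Everyone are changed
    $newDacl = @()
    $changed = $false
    foreach ($ace in $sd.DACL) {
        if ($ace.AceType -eq 0 -and (($ace.Trustee.SID -join ',') -eq $everyone)) {
            Write-Host "Everyone on ${ShareName}: mask $($ace.AccessMask) -> $ReadMask"
            $ace.AccessMask = $ReadMask
            $changed = $true
        }
        $newDacl += $ace.psobject.BaseObject
    }
    if (-not $changed) { Write-Host "No allow entry for Everyone on $ShareName; nothing written."; return }
    $sd.DACL = $newDacl

    # Write the edited descriptor back; user limit and description stay as they were
    $share = Get-WmiObject -Class Win32_Share -ComputerName $Computer -Filter "Name='$ShareName'"
    $r = $share.SetShareInfo($share.MaximumAllowed, $share.Description, $sd)
    if ($r.ReturnValue -eq 0) { Write-Host "Share:$ShareName Result:Success" }
    else { Write-Host "Share:$ShareName Result:Failed ($($r.ReturnValue))" -ForegroundColor Red }
}

Set-EveryoneShareRead -Computer 'COMPUTERNAME' -ShareName 'Temp'
```

This changes share-level permissions only; the NTFS ACL on the shared folder is left as it is.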

I haven’t seen that script yet. There are other permissions on that share also so I may have to see if that would take away anything else I don’t intend to.

I was talking to one of our domain admins last night also; he said it should be possible to do this with a Group Policy change and then move the sites as they are migrated into a different OU with this change active.

Jonathan, the goal is to remove the 2003 OS by the end of the 1st quarter of 2016.

Thanks for the assistance guys! I have some things to try.

Steve