I am VERY new to PowerShell and scripting in general. I have been given the task to edit the Everyone permission on several remote servers we are in the process of decommissioning. The OS on these servers is Server 2003, and the PowerShell version is 2.0.
I have been able to find several scripts that will create a share for me and mark Everyone as read only. Below is the one I have been using:
If I run it on a server that already has a share on it, the script errors out saying the share is a duplicate, error 22. I just really need to edit the share, not try to create an additional one.
Can anyone out there get me in the right direction?
That’s because you’re using CreateInstance() to create a new share. Prior to doing so, you should check to see if the share already exists, and if it does, obtain a reference to the existing instance rather than trying to create a new one.
There are a couple of versions of a script to create new shares and set permissions, but there is an update by Chris Smith (fair warning, it is down in the comments a bit):
#Start the Text for the message.
$text = "$ShareName ($FolderPath): "
#Package the SecurityDescriptor via the New-SecurityDescriptor Function.
$SecDesc = New-SecurityDescriptor $ACEs
#Check to see if the share already exists - This is to modify Permissions
$CheckShare = (Get-WmiObject Win32_Share -comp $Computername -Filter "Name='$ShareName'")
if ($CheckShare -ne $null) {
    # "Share exists and will now be modified!!!"
    $result = $CheckShare | foreach-object { $_.SetShareInfo(0, $Description, $SecDesc) }
}
In order to modify the share permissions you will need to use the SetShareInfo method rather than Create.
Also, if you only create an ACE with just the permissions for Everyone, it will overwrite the existing permissions and only the permissions in your update will be present on the share. That might be OK if that is the only share permission(s) you want, but if you need to preserve existing permissions you would need to use the GetAccessMask method to collect the existing permissions and update the entry for Everyone. See https://msdn.microsoft.com/en-us/library/aa394435(v=vs.85).aspx
If you are learning, this is a great rabbit hole to discover lots about security. However, if you are pressed for time, you could use rmtshare.exe from the NT Resource Kit (https://support.microsoft.com/en-us/kb/172599). It works on 2003 and you can get basic syntax from Rmtshare - File and Printer shares - Windows CMD - SS64.com
That being said, the best option would be to upgrade to a newer OS that is more secure, and with Server 2012 you get PowerShell commands to manage share permissions. http://blogs.technet.com/b/omers/archive/2013/09/14/assigning-file-share-permissions-using-power-shell.aspx
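An added example, not code from this thread or from the script it quotes: one way to change only the Everyone entry while keeping the other share ACEs, written for PowerShell 2.0. It reads the share's current descriptor with Win32_LogicalShareSecuritySetting.GetSecurityDescriptor(), edits it and writes it back with SetShareInfo; the function name, parameters and the server and share names in the usage comment are hypothetical.

```powershell
# Added example. Function name and parameters are hypothetical.
$ReadMask    = 1179817    # share-level Read access mask (0x1200A9)
$EveryoneSid = 'S-1-1-0'  # well-known SID for Everyone

function Set-EveryoneShareReadOnly {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$ShareName
    )
    $filter = "Name='$ShareName'"
    $share  = Get-WmiObject Win32_Share -ComputerName $ComputerName -Filter $filter
    $secSet = Get-WmiObject Win32_LogicalShareSecuritySetting -ComputerName $ComputerName -Filter $filter
    if (-not $share -or -not $secSet) { throw "Share '$ShareName' not found on $ComputerName" }

    # Read the descriptor currently on the share so other trustees' ACEs are kept.
    $current = $secSet.GetSecurityDescriptor()
    if ($current.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($current.ReturnValue)" }
    $sd = $current.Descriptor
    if (-not $sd.DACL) { throw "Share '$ShareName' has no DACL entries to edit" }

    # Embedded WMI objects are copies, so edit a local array and assign it back.
    $dacl    = @($sd.DACL)
    $changed = 0
    foreach ($ace in $dacl) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$ace.Trustee.SID, 0)
        # AceType 0 = allow. Deny ACEs and other trustees are left untouched.
        if ($sid.Value -eq $EveryoneSid -and $ace.AceType -eq 0 -and $ace.AccessMask -ne $ReadMask) {
            $ace.AccessMask = $ReadMask
            $changed++
        }
    }
    if ($changed -eq 0) { return "No change needed for $ShareName on $ComputerName" }
    $sd.DACL = [System.Management.ManagementBaseObject[]]$dacl

    # Write the edited descriptor back, keeping the existing user limit and description.
    $result = $share.SetShareInfo($share.MaximumAllowed, $share.Description, $sd)
    if ($result.ReturnValue -ne 0) { throw "SetShareInfo failed: $($result.ReturnValue)" }
    "Everyone set to Read on \\$ComputerName\$ShareName ($changed ACE(s) updated)"
}

# Usage (constructed names):
# Set-EveryoneShareReadOnly -ComputerName SRV2003-01 -ShareName Data
```

Share permissions and NTFS permissions are evaluated together, so the effective access is the more restrictive of the two; this only changes the share side.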
I haven’t seen that script yet. There are other permissions on that share also so I may have to see if that would take away anything else I don’t intend to.
I was talking to one of our domain admins last night also; he said it should be possible to do this with a Group Policy change and then move the sites as they are migrated into a different OU with this change active.
Jonathan, the goal is to remove the 2003 OS by the end of the 1st quarter of 2016.
Thanks for the assistance guys! I have some things to try.