Shared Folder Permission

Hi Guys,

I need to meet a business requirement where I need to find all the shared folders within the computers and remove “everyone” from all the shares.

So far I have managed to gather the list of all shared folders and their permissions. But I’m stuck on removing “Everyone” from all shared folders. Can anyone help me edit my script properly to remove Everyone?

Here is what I made as of now.

$computer = (Get-Content c:\srv.txt)
$shares = Get-WmiObject -Class Win32_Share -ComputerName $computer | select -ExpandProperty Name
foreach ($share in $shares) {
    $acl = $null
    Write-Host $share -ForegroundColor Magenta
    Write-Host $('-' * $share.Length) -ForegroundColor Yellow
    $objShareSec = Get-WMIObject -Class Win32_LogicalShareSecuritySetting -Filter "name='$Share'" -ComputerName $computer
    try {
        $SD = $objShareSec.GetSecurityDescriptor().Descriptor
        foreach ($ace in $SD.DACL) {
            $UserName = $ace.Trustee.Name
            # Prefix the domain when present; fall back to the SID when the name is empty
            If ($ace.Trustee.Domain -ne $Null) {$UserName = "$($ace.Trustee.Domain)\$UserName"}
            If ($ace.Trustee.Name -eq $Null) {$UserName = $ace.Trustee.SIDString }
            [Array]$ACL += New-Object Security.AccessControl.FileSystemAccessRule($UserName, $ace.AccessMask, $ace.AceType)
        }
    }
    catch {
        Write-Host "Unable to obtain permissions for $share"
    }
    $ACL
    Write-Host $('=' * 50)
}

Why does Revoke-SmbShareAccess not support variable inputs? I need to pass multiple shared folders to remove one user/group; how could I do that?

I tried to combine two commands to work for this: Get-SmbShare and Revoke-SmbShareAccess.
But as Revoke-SmbShareAccess is not accepting variable inputs, I’m stuck.
Revoke-SmbShareAccess works fine if I put in the name string. It also accepts multiple strings on the fly, but does not accept variable inputs.

Please help…

Hi Pulakesh,

I suggest this.

# Get list of servers from file
$servers = Get-Content -Path C:\ServerLists\Servers.txt

# Loop through the list of servers
foreach ($server in $servers)
{
    # Connect to the Win32_Share class to get shares on the server
    $shares = Get-WmiObject -Namespace root\cimv2 -Class Win32_Share -ComputerName $server

    # Get ACEs for all shares and return those that have Everyone as account name and are not hidden shares
    # (-CimSession makes the Smb cmdlets query $server; without it they act on the local computer)
    $shareAccess = $shares | Get-SmbShareAccess -CimSession $server | Where-Object -FilterScript {($PSItem.AccountName -like 'Everyone') -and ($PSItem.Name -notlike '*$')}

    # Revoke Everyone from the ACL of all shares where it is listed
    $shareRevoke = $shareAccess | Revoke-SmbShareAccess -AccountName 'Everyone' -CimSession $server -Force

    # Write the ACEs of all shares that were touched
    Write-Output $shareRevoke
}

Get-WmiObject returns an object that can be piped into Get-SmbShareAccess,
it is filtered with Where-Object to get only shares with an Everyone ACE,
and piped into Revoke-SmbShareAccess to remove Everyone from the Access Control List.
The power of objects and the pipeline.

$sharerevoke holds all ACEs that are left after Everyone is removed.
Name  ScopeName AccountName AccessControlType AccessRight
----  --------- ----------- ----------------- -----------
Share *         Access      Allow             Read

If only Everyone had an ACE then $sharerevoke holds an ACE where Everyone has Deny as AccessControlType.
Name  ScopeName AccountName AccessControlType AccessRight
----  --------- ----------- ----------------- -----------
Share *         Everyone    Deny              Full

I have only tested on Windows 10.

Instead of using WMI, you can accomplish this with Get-SMBShare, Get-SMBShareAccess, and Revoke-SMBShareAccess as seen below:

$Shares = Get-SmbShare | where ShareType -eq 'FileSystemDirectory'
foreach ($share in $Shares) {
    $ShareAccess = Get-SmbShareAccess -Name $share.Name
    If ($shareAccess.AccountName -like 'Everyone') {
        Write-Host $share $ShareAccess.AccountName $shareAccess.AccessRight -ForegroundColor Magenta
        Revoke-SmbShareAccess -Name $Share.name -AccountName 'Everyone' -Verbose
    }
}

Good Luck!
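
Added example, not part of any post in this thread: the Get-SmbShare / Get-SmbShareAccess / Revoke-SmbShareAccess approach above, run against a list of servers through explicit CIM sessions, with -WhatIf support and a report of what was revoked on each share. The function name Remove-EveryoneShareAccess and its parameters are hypothetical; it assumes WinRM access to each server and the English account name 'Everyone'.

```powershell
# Added example (not from the thread); function and parameter names are hypothetical.
function Remove-EveryoneShareAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName,
        # Assumption: English display name; the group name is localized on other OS languages.
        [string]$Account = 'Everyone'
    )
    process {
        foreach ($computer in $ComputerName) {
            # One CIM session per server, so every Smb* call acts on that server and not the local one
            try { $session = New-CimSession -ComputerName $computer -ErrorAction Stop }
            catch { Write-Warning "$computer : $($_.Exception.Message)"; continue }
            try {
                # Folder shares only; -Special $false skips ADMIN$, C$, IPC$ and similar
                $shares = Get-SmbShare -CimSession $session -Special $false |
                    Where-Object ShareType -eq 'FileSystemDirectory'
                foreach ($share in $shares) {
                    $allow = @(Get-SmbShareAccess -Name $share.Name -CimSession $session |
                        Where-Object AccessControlType -eq 'Allow')
                    $hit    = @($allow | Where-Object AccountName -eq $Account)
                    $others = @($allow | Where-Object AccountName -ne $Account)
                    if ($hit.Count -eq 0) { continue }
                    $revoked = $false
                    if ($PSCmdlet.ShouldProcess("\\$computer\$($share.Name)", "Revoke '$Account'")) {
                        Revoke-SmbShareAccess -Name $share.Name -AccountName $Account `
                            -CimSession $session -Force | Out-Null
                        $revoked = $true
                    }
                    # One record per affected share: the prior right and who still has access
                    [pscustomobject]@{
                        ComputerName   = $computer
                        Share          = $share.Name
                        Path           = $share.Path
                        RightRevoked   = $hit.AccessRight -join ', '
                        RemainingAllow = $others.AccountName -join ', '
                        NoAllowLeft    = ($others.Count -eq 0)  # nobody else was granted access
                        Revoked        = $revoked
                    }
                }
            }
            finally { Remove-CimSession -CimSession $session }
        }
    }
}

# Dry run first, then drop -WhatIf and keep the output as a change record:
# Get-Content C:\ServerLists\Servers.txt | Remove-EveryoneShareAccess -WhatIf
```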

Hi Michael,

Thanks for your efforts. But I had already used the same methods and created the first full version of my script just before your post.

I uploaded it here. Please suggest if any modification is required on it. I tried to post the same script here, but I don’t know why it did not show up after submitting the post.

Anyway, here is the link; please guide me if any changes are required on it.

https://gallery.technet.microsoft.com/scriptcenter/Shared-Folder-Permission-babff190?redir=0

Hi Peter,

Thanks for your nice and powerful script. The best thing in your script is that it works for multiple computers at once. I’ve not tried it for multiple computers yet but I’m sure it will work.

By the time I saw your post, I had made my first full version of the PowerShell script independently. Being a beginner, I was excited about my script and I uploaded it to the MS TechNet Script Gallery. Please have a look and suggest if any modification is required on it.

Thanks once again…

I think the get-smbshare cmdlet only works with win8 or higher.