Changing Shared Permissions

This topic contains 4 replies, has 2 voices, and was last updated by ertuu85 8 months, 2 weeks ago.

  • #33787
    ertuu85
    Participant

    Hello, I'm trying to remove the 'everyone' group from any shares. I found some code and modified as follows:

    foreach($share in (Get-WmiObject win32_share |?{$_.name -notmatch "C\$|ADMIN\$|IPC\$|NETLOGON|SYSVOL"} | select -expandProperty Name))
    {
        #get settings
        $set = get-wmiobject -Class Win32_LogicalshareSecuritySetting -filter "Name='$share'"

        #filter Everyone out
        $revised = $set.GetSecurityDescriptor().Descriptor.Dacl | Where {$_.trustee.name -ne 'Everyone'}

        #set the new ACL
        $descriptor = $set.GetSecurityDescriptor().descriptor
        $descriptor.dacl = $revised
        $set.SetSecurityDescriptor($descriptor)
    }
    

    This works great if the shares have multiple DACLs, but if it only has "everyone" in the share, then $revised is null and it won't change the ACL...I figure I need something like

    foreach($share in (Get-WmiObject win32_share |?{$_.name -notmatch "C\$|ADMIN\$|IPC\$|NETLOGON|SYSVOL"} | select -expandProperty Name))
    {
        #get settings
        $set = get-wmiobject -Class Win32_LogicalshareSecuritySetting -filter "Name='$share'"

        #filter Everyone out
        $revised = $set.GetSecurityDescriptor().Descriptor.Dacl | Where {$_.trustee.name -ne 'Everyone'}

        if($revised -eq $null)
        {
            #remove everyone from share permission
        }
        else
        {
            #set the new ACL
            $descriptor = $set.GetSecurityDescriptor().descriptor
            $descriptor.dacl = $revised
            $set.SetSecurityDescriptor($descriptor)
        }
    }
    

    I'm just not sure how to remove 'everyone' if $revised is null...any help would be greatly appreciated

    #33832
    Don Jones
    Keymaster

    You can't. Doing so would result in an empty DACL, which isn't allowed. You need to add something.
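
What "add something" can look like, as an added example that is not part of the thread and not Don Jones's code. Assumptions: BUILTIN\Administrators with Full Control is an acceptable replacement ACE, the helper name `New-ShareAce` is hypothetical, and Everyone is matched by its well-known SID instead of by name so the check also works on non-English systems.

```powershell
# Added example, not from the thread. Assumption: BUILTIN\Administrators with
# Full Control is an acceptable fallback; use the group your policy requires.
$skip        = '^(C\$|ADMIN\$|IPC\$|NETLOGON|SYSVOL)$'
$everyoneSid = 'S-1-1-0'        # well-known SID for Everyone
$fallbackSid = 'S-1-5-32-544'   # well-known SID for BUILTIN\Administrators
$fullControl = 2032127          # 0x1F01FF, Full Control access mask

# Hypothetical helper: build an allow ACE for the given SID.
function New-ShareAce([string]$SidString, [uint32]$AccessMask) {
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $bytes = New-Object byte[] ($sid.BinaryLength)
    $sid.GetBinaryForm($bytes, 0)

    $trustee     = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SID = $bytes

    $ace            = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceFlags   = 0     # no inheritance flags
    $ace.AceType    = 0     # 0 = access allowed
    $ace.Trustee    = $trustee
    $ace
}

$shares = Get-WmiObject Win32_Share | Where-Object { $_.Name -notmatch $skip }
foreach ($name in ($shares | Select-Object -ExpandProperty Name)) {
    $set = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$name'"
    if (-not $set) { continue }     # no security setting object for this share

    $descriptor = $set.GetSecurityDescriptor().Descriptor
    $dacl       = @($descriptor.DACL)

    # Leave shares alone when Everyone is not in the DACL.
    if (-not ($dacl | Where-Object { $_.Trustee.SIDString -eq $everyoneSid })) { continue }

    # @() keeps the result an array even when zero or one ACE survives.
    $revised = @($dacl | Where-Object { $_.Trustee.SIDString -ne $everyoneSid })
    if ($revised.Count -eq 0) {
        # Everyone was the only ACE: replace it instead of emptying the DACL.
        $revised = @(New-ShareAce $fallbackSid $fullControl)
    }

    $descriptor.DACL = $revised
    $rc = $set.SetSecurityDescriptor($descriptor).ReturnValue
    '{0}: SetSecurityDescriptor returned {1}' -f $name, $rc
}
```

A return value of 0 means the descriptor was applied; run it from an elevated session and review the output for any share that reports a non-zero code.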

    #33838
    ertuu85
    Participant

    I'm able to remove all share permissions manually through the GUI and assign it no permissions, and run the script above and it returns the share name, with no permissions (not a 'null value' error or anything), so I figured it could be set this way through PowerShell.

    Perhaps not

    #33839
    Don Jones
    Keymaster

    Thing is, the GUI doesn't set a null DACL. It looks like it, but it's doing jiggery under the hood. If you set a zero DACL, you'd lose control over the thing entirely. The GUI prevents that from happening.

    Like creating a user in AD with a null samAccountName. The GUI prevents it even though it's legal, because it breaks stuff. The shell lets you :).

    #33840
    ertuu85
    Participant

    Ah! Tricksy...thanks Don, really appreciate the insight!

    EDIT: Actually one more question...the above code I found on a site and modified it but I was curious about a few things...

    As a PowerShell professional, how do you find out or investigate some of the built-in objects, like knowing that:

     $set.GetSecurityDescriptor().Descriptor.Dacl | Where {$_.trustee.name -ne 'Everyone'}
    

    is where you would look for the name of the shared user? Even navigating it with just 'where {$_.trustee}' I would never be able to identify that as a user.

    I was just curious if there was some page/book/reference or knowledge you could pass on for help in these situations
