
January 12, 2016 at 8:30 am

Hello, I'm trying to remove the 'everyone' group from any shares. I found some code and modified it as follows:

# Skip the built-in admin/system shares; the alternation needs a | between NETLOGON and SYSVOL
foreach ($share in (Get-WmiObject Win32_Share | ?{ $_.Name -notmatch "C\$|ADMIN\$|IPC\$|NETLOGON|SYSVOL" } | select -ExpandProperty Name))
{
    #get settings
    $set = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$share'"

    #filter Everyone out (returns $null when Everyone was the only ACE)
    $revised = $set.GetSecurityDescriptor().Descriptor.Dacl | Where { $_.Trustee.Name -ne 'Everyone' }

    #set the new ACL
    $descriptor = $set.GetSecurityDescriptor().Descriptor
    $descriptor.Dacl = $revised
    $set.SetSecurityDescriptor($descriptor)
}

This works great if the shares have multiple DACLs, but if it only has "everyone" in the share, then $revised is null and it won't change the ACL...I figure I need something like

# Skip the built-in admin/system shares; the alternation needs a | between NETLOGON and SYSVOL
foreach ($share in (Get-WmiObject Win32_Share | ?{ $_.Name -notmatch "C\$|ADMIN\$|IPC\$|NETLOGON|SYSVOL" } | select -ExpandProperty Name))
{
    #get settings
    $set = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$share'"

    #filter Everyone out
    $revised = $set.GetSecurityDescriptor().Descriptor.Dacl | Where { $_.Trustee.Name -ne 'Everyone' }

    # $null on the left is the safe comparison in PowerShell (a collection on the left would filter instead of test)
    if ($null -eq $revised)
    {
        #remove everyone from share permission
    }
    else
    {
        #set the new ACL
        $descriptor = $set.GetSecurityDescriptor().Descriptor
        $descriptor.Dacl = $revised
        $set.SetSecurityDescriptor($descriptor)
    }
}

I'm just not sure how to remove 'everyone' if $revised is null...any help would be greatly appreciated.

January 13, 2016 at 6:21 am

You can't. Doing so would result in an empty DACL, which isn't allowed. You need to add something.

January 13, 2016 at 6:51 am

I'm able to remove all share permissions manually through the GUI and assign it no permissions, and when I run the script above it returns the share name with no permissions (not a 'null value' error or anything), so I figured it could be set this way through PowerShell.

Perhaps not

January 13, 2016 at 6:59 am

Thing is, the GUI doesn't set a null DACL. It looks like it, but it's doing jiggery under the hood. If you set a zero DACL, you'd lose control over the thing entirely. The GUI prevents that from happening.

Like creating a user in AD with a null samAccountName. The GUI prevents it even though it's legal, because it breaks stuff. The shell lets you :).
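One way to act on Don's point, as an added example that is not from the thread: instead of deleting the Everyone ACE and writing back whatever is left, swap in an explicit ACE when nothing else remains, so the DACL handed to SetSecurityDescriptor is never empty. It matches Everyone by its well-known SID rather than the (localisable) name; the replacement account, the Full Control mask and the inherit flags are this example's choices, not values from the original posts.

```powershell
# Added example, not from the thread. Replaces the Everyone ACE with an explicit
# ACE for $ReplacementAccount so the DACL written back is never empty.
# Assumptions: run elevated; $ReplacementAccount and the Full Control mask are
# choices for this example, not values from the original posts.
$ReplacementAccount = 'BUILTIN\Administrators'
$EveryoneSid        = 'S-1-1-0'      # well-known SID; avoids matching on the localised name
$FullControl        = 2032127        # 0x1F01FF, Full Control access mask

function New-ShareAce {
    param([string]$Account, [int]$AccessMask)
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    $sidBytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($sidBytes, 0)
    $domain, $name = $Account -split '\\', 2

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.Domain    = $domain
    $trustee.Name      = $name
    $trustee.SID       = $sidBytes
    $trustee.SIDString = $sid.Value

    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceFlags   = 3      # object + container inherit
    $ace.AceType    = 0      # access allowed
    $ace.Trustee    = $trustee
    return $ace
}

$replacementAce = New-ShareAce -Account $ReplacementAccount -AccessMask $FullControl
$excluded = '^(C\$|ADMIN\$|IPC\$|NETLOGON|SYSVOL)$'

foreach ($share in (Get-WmiObject Win32_Share | Where-Object { $_.Name -notmatch $excluded } | Select-Object -ExpandProperty Name)) {
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$share'"
    if (-not $setting) { continue }                      # no security setting instance for this share

    $sd   = $setting.GetSecurityDescriptor().Descriptor
    $all  = @($sd.DACL)
    $kept = @($all | Where-Object { $_.Trustee.SIDString -ne $EveryoneSid })
    if ($kept.Count -eq $all.Count) { continue }         # Everyone was not on this share

    if ($kept.Count -eq 0) { $kept = @($replacementAce) } # never write back an empty DACL
    $sd.DACL = $kept
    $rc = $setting.SetSecurityDescriptor($sd).ReturnValue
    Write-Output ("{0}: Everyone removed, {1} ACE(s) remain, ReturnValue={2}" -f $share, $kept.Count, $rc)
}
```

A non-zero ReturnValue from SetSecurityDescriptor means the write was rejected; review those shares by hand rather than re-running blindly.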

January 13, 2016 at 7:09 am

Ah! Tricksy...thanks Don, really appreciate the insight!

EDIT: Actually one more question...the above code I found on a site and modified it but I was curious about a few things...

As a powershell professional how do you find out or investigate some of the built in objects like knowing that:

 $set.GetSecurityDescriptor().Descriptor.Dacl | Where {$_.trustee.name -ne 'Everyone'}

Is where you would look for the name of the shared user? Even navigating it with just 'Where {$_.trustee}' I would never be able to identify that as a user.

I was just curious if there was some page/book/reference or knowledge you could pass on for help in these situations

March 19, 2017 at 9:44 pm

Hi ertuu,

I have exactly the same requirement. I tried your script but it does not work for me.
Can you guide me on what I need to modify before running your script?