Manage Share Permissions

This topic contains 7 replies, has 4 voices, and was last updated by  David Schmidtberger 1 year, 7 months ago.

  • Author
  • #58748


    Hi All,

    I have about 500 OS 2003, 2008, and 2012 servers in my network.
    I need to manage "Share Permissions" of shared folders on these servers using PowerShell. Please note that I want to manage "Share Permissions" that are set under shared folder properties' "Sharing" tab, not NTFS permissions that are set under "Security" tab.

    I need to either remove "domainA\user1" or swap it with "domainB\user1" with same permissions that "domainA\user1" had. So far I found this link but the WMI portion of this manages NTFS permissions, not share permissions.

    So, I used this script from MSFT to log all the shared folders and their share permissions, and transferred them manually to a CSV file.

    Therefore, I will simply read the CSV for Server name, share name, and permissions.
    Can someone please help me how I can:

    1. Remove a user/group from share permissions
    2. Swap user/group with second domain with same share permissions. (I am guessing this step will be twofold, remove and then add)

    All this should be compatible with OS 2003, 2008, and 2012 (I am guessing this will be done with WMI)

    Thanks in advance

  • #58829

    Matt Bloomfield

    There are some new (in 2016) and newish (in 2012) cmdlets for managing share permissions (Get-Command *share*) but these probably won't work on the older operating systems.

    Get-Acl and Set-Acl should work with all OS versions and should be suitable for this task:

    #Remove an access control entry:
    $acl = Get-Acl testShare
    foreach ($access in $acl.Access) {
        if ($access.IdentityReference -eq 'DOMAIN\user1') {
            $acl.RemoveAccessRule($access) | Out-Null
        }
    }
    #Write the modified ACL back once all matching entries are removed
    Set-Acl testShare -AclObject $acl

    #Add a new access control entry:
    $acl = Get-Acl testShare
    $newRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule('DOMAIN\user2','Read','ContainerInherit,ObjectInherit','None','Allow')
    $acl.AddAccessRule($newRule)
    Set-Acl testShare -AclObject $acl
    • #58848


      Matt, thanks for the details and code. I tried your code. Unfortunately, Get-ACL and Set-ACL are defaulting to NTFS permissions on the shared folder ("Security" tab of shared folder). I am dealing with the situation where I need to manage "Share" permissions in the "Share" tab of folder properties :-/

  • #58834

    Jeffery Hayes

    I used this cmdlet from the PSGallery to get a list of permissions. I found it was really useful in setting permissions across the board, and you can always check permissions and export them to a CSV file.

    These are rough scripts I made to set permission then send off an email with the reports of the current perms.

    $myArray = @('List of Paths')
    foreach ($path in $myArray) {
        $Test = Test-Path $path
        #Show the explicit (non-inherited) entries for the old account
        if ($Test -eq $true) { Get-NTFSAccess -Path $path -Account 'domainA\user1' -ExcludeInherited | Select-Object -Property FullName,Account,AccessRights | Format-Table -AutoSize }
        #Grant the new account access on the same path
        if ($Test -eq $true) { Add-NTFSAccess -Path $path -Account 'domainB\user1' -AccessRights FullControl -PassThru -Verbose }
        #    Write-Host 'Sleep for 3 seconds'
        #    Start-Sleep -Seconds 3
    }
    #Reporting Part
    #Get-NTFSAccess -Path $path -ExcludeInherited | Select-Object -Property Account,AccessRights   | Export-Csv -Path 'C:\Users\%username%\Desktop\ACERights.csv' -Append -NoTypeInformation
    #Send you an email with list
    #send-mailmessage -to -From  -Subject 'ACE permission' -BodyAsHTML $Body -SMTPServer 'YourSMTPServer' -Attachments 'C:\Users\%username%\Desktop\ACERights.csv'
    • #58851


      Jeff, Thanks for the details. Looks like this is also dealing with NTFS permissions of the shared folder, not the "Share" permissions.

  • #58854


    I may be missing something very basic here. Maybe I am not understanding the full capabilities of Get-ACL where it can also manage "Share" permissions, beyond NTFS permissions. But my current understanding is that it only deals with NTFS rights.

  • #58866

    Matt Bloomfield

    You're quite right. Sorry, I overlooked that the share name was being resolved to the NTFS path and it was picking up the NTFS permissions.

    I don't think this is as straightforward as I first thought. Granting access to a share permission from the command line is pretty easy; you can use net share /grant in a PowerShell script, but revoking access is harder. I'm really struggling with the Win32_LogicalShareSecuritySetting class, which is what I think you'll need to use.

    I suspect the simplest route might be a 3rd party tool like setacl.exe
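
Added example, not part of any post in this thread: one way to remove a trustee from a share's permissions, or swap it for another account with the same access mask, through the Win32_LogicalShareSecuritySetting class mentioned above. The function name Switch-ShareTrustee and the CSV column names in the last comment are assumptions; the replacement account must be resolvable from the machine running the script.

```powershell
# Added example (not from the thread). Run with admin rights on the target server.
function Switch-ShareTrustee {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$ShareName,
        [Parameter(Mandatory=$true)][string]$OldDomain,
        [Parameter(Mandatory=$true)][string]$OldName,
        [string]$NewDomain,   # omit both New* values to remove without replacing
        [string]$NewName
    )
    $lss = Get-WmiObject -ComputerName $ComputerName -Class Win32_LogicalShareSecuritySetting `
        -Filter "Name='$ShareName'"
    if (-not $lss) { throw "No share security setting found for \\$ComputerName\$ShareName" }
    $result = $lss.GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($result.ReturnValue)" }
    $sd = $result.Descriptor

    $newDacl = @()
    $changed = 0
    foreach ($ace in $sd.DACL) {
        $t = $ace.Trustee
        if ($t.Domain -ne $OldDomain -or $t.Name -ne $OldName) { $newDacl += $ace; continue }
        $changed++
        if (-not $NewName) { continue }          # removal only: drop the ACE
        # Resolve the replacement account to a SID (done on the machine running the script)
        $sid = (New-Object System.Security.Principal.NTAccount($NewDomain, $NewName)).Translate(
            [System.Security.Principal.SecurityIdentifier])
        $sidBytes = New-Object byte[] ($sid.BinaryLength)
        $sid.GetBinaryForm($sidBytes, 0)
        $trustee = ([WMIClass]'Win32_Trustee').CreateInstance()
        $trustee.Domain = $NewDomain
        $trustee.Name   = $NewName
        $trustee.SID    = $sidBytes
        # Copy type, flags and mask so the new ACE carries the same share permission
        $newAce = ([WMIClass]'Win32_ACE').CreateInstance()
        $newAce.AceType    = $ace.AceType
        $newAce.AceFlags   = $ace.AceFlags
        $newAce.AccessMask = $ace.AccessMask
        $newAce.Trustee    = $trustee
        $newDacl += $newAce
    }
    if ($changed -eq 0) { return 0 }             # nothing matched: leave the share untouched
    $sd.DACL = [System.Management.ManagementBaseObject[]]$newDacl
    $set = $lss.SetSecurityDescriptor($sd)
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor returned $($set.ReturnValue)" }
    return $changed                              # number of ACEs removed or swapped
}
# Usage (CSV columns Server and Share are assumed):
# Import-Csv .\shares.csv | ForEach-Object { Switch-ShareTrustee -ComputerName $_.Server -ShareName $_.Share -OldDomain domainA -OldName user1 -NewDomain domainB -NewName user1 }
```

The function writes the descriptor back only when at least one ACE matched, so shares that never listed the old account are not rewritten.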

  • #58867

    David Schmidtberger

    While I'm not changing the permissions in my project, I do have a reporting function for shares configured on a server. Hopefully it gives you a bit of a lead.

    Get-WmiObject -ComputerName $computer -Class Win32_Share | Out-GridView
