Manage Share Permissions

This topic contains 7 replies, has 4 voices, and was last updated by David Schmidtberger 6 days, 11 hours ago.

  • #58748
    CloudPD
    Participant

    Hi All,

    I have about 500 OS 2003, 2008, and 2012 servers in my network.
    I need to manage "Share Permissions" of shared folders on these servers using PowerShell. Please note that I want to manage the "Share Permissions" that are set under the shared folder properties' "Sharing" tab, not the NTFS permissions that are set under the "Security" tab.

    I need to either remove "domainA\user1" or swap it with "domainB\user1" with same permissions that "domainA\user1" had. So far I found this link but the WMI portion of this manages NTFS permissions, not share permissions.
    http://windowsitpro.com/powershell/managing-file-shares-windows-powershell

    So, I used this script from MSFT to log all the shared folders and their share permissions, and transferred them manually to a CSV file.
    https://gallery.technet.microsoft.com/scriptcenter/List-Share-Permissions-83f8c419

    Therefore, I will simply read the CSV for Server name, share name, and permissions.
    Can someone please help me with how I can:

    1. Remove a user/group from share permissions
    2. Swap user/group with second domain with same share permissions. (I am guessing this step will be twofold, remove and then add)

    All this should be compatible with OS 2003, 2008, and 2012 (I am guessing this will be done with WMI)

    Thanks in advance

  • #58829
    Matt Bloomfield
    Participant

    There are some new (in 2016) and newish (in 2012) cmdlets for managing share permissions (Get-Command *share*) but these probably won't work on the older operating systems.

    Get-Acl and Set-Acl should work with all OS versions and should be suitable for this task:

    # Remove an access control entry:
    $acl = Get-Acl testShare
    foreach ($access in $acl.Access) {
        if ($access.IdentityReference -eq 'DOMAIN\user1') {
            $acl.RemoveAccessRule($access) | Out-Null
        }
    }
    # Write the modified ACL back once, after all matching entries are removed
    Set-Acl testShare -AclObject $acl

    # Add a new access control entry:
    $acl = Get-Acl testShare
    $newRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'DOMAIN\user2','Read','ContainerInherit,ObjectInherit','None','Allow'
    $acl.SetAccessRule($newRule)
    Set-Acl testShare -AclObject $acl
    
    • #58848
      CloudPD
      Participant

      Matt, thanks for the details and code. I tried your code. Unfortunately, Get-ACL and Set-ACL are defaulting to NTFS permissions on the shared folder ("Security" tab of shared folder). I am dealing with the situation where I need to manage "Share" permissions in the "Share" tab of folder properties :-/

  • #58834
    Jeffery Hayes
    Participant

    I used this cmdlet from the PSGallery to get a list of permissions. I found it was really useful in setting permissions across the board, and you can always check permissions and export them to a CSV file.

    These are rough scripts I made to set permission then send off an email with the reports of the current perms.

    https://www.powershellgallery.com/packages/NTFSSecurity/4.2.3

    $myArray = @(
        'List of Paths'
        'Path2'
        'Path3'
    )

    # Report the current explicit (non-inherited) entries for the old account
    foreach ($path in $myArray) {
        if (Test-Path $path) {
            Get-NTFSAccess -Path $path -Account 'domainA\user1' -ExcludeInherited | Select-Object -Property FullName,Account,AccessRights | Format-Table -AutoSize
        }
    }

    # Grant the new account access on every path that exists
    foreach ($path in $myArray) {
        if (Test-Path $path) {
            Add-NTFSAccess -Path $path -Account 'domainB\user1' -AccessRights FullControl -PassThru -Verbose
        }
        # Write-Host 'Sleep for 3 seconds'
        # Start-Sleep -Seconds 3
    }

    # Reporting part
    # Get-NTFSAccess -Path $path -ExcludeInherited | Select-Object -Property Account,AccessRights | Export-Csv -Path "C:\Users\$env:USERNAME\Desktop\ACERights.csv" -Append -NoTypeInformation

    # Send you an email with the list
    # Send-MailMessage -To Myself@Email.com -From Myself@Email.com -Subject 'ACE permission' -BodyAsHtml $Body -SmtpServer 'YourSMTPServer' -Attachments "C:\Users\$env:USERNAME\Desktop\ACERights.csv"
     
    • #58851
      CloudPD
      Participant

      Jeff, Thanks for the details. Looks like this is also dealing with NTFS permissions of the shared folder, not the "Share" permissions.

  • #58854
    CloudPD
    Participant

    I may be missing something very basic here. Maybe I am not understanding the full capabilities of Get-ACL, where it can also manage "Share" permissions beyond NTFS permissions. But my current understanding is that it only deals with NTFS rights.

  • #58866
    Matt Bloomfield
    Participant

    You're quite right. Sorry, I overlooked that the share name was being resolved to the NTFS path and it was picking up the NTFS permissions.

    I don't think this is as straightforward as I first thought. Granting access to a share permission from the command line is pretty easy; you can use net share /grant in a PowerShell script, but revoking access is harder. I'm really struggling with the Win32_LogicalShareSecuritySetting class, which is what I think you'll need to use.

    I suspect the simplest route might be a 3rd party tool like setacl.exe
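
The route mentioned above, reading and rewriting a share's security descriptor through Win32_LogicalShareSecuritySetting, as an added example that is not part of the original thread. The function name `Update-ShareTrustee`, its parameters and the CSV column names are hypothetical; it assumes Windows PowerShell with Get-WmiObject, administrative rights on the target server, and that the machine running it can resolve the new account to a SID.

```powershell
# Added example: function, parameter and CSV column names are hypothetical.
function Update-ShareTrustee {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$ShareName,
        [Parameter(Mandatory=$true)][string]$OldDomain,
        [Parameter(Mandatory=$true)][string]$OldName,
        [string]$NewDomain,   # leave both New* values empty to remove instead of swap
        [string]$NewName
    )
    $lss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $ComputerName -Filter "Name='$ShareName'"
    if (-not $lss) { Write-Warning "No share security setting for \\$ComputerName\$ShareName"; return }

    $get = $lss.GetSecurityDescriptor()
    if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($get.ReturnValue)" }
    $sd = $get.Descriptor

    # Build the replacement trustee once; the binary SID is set explicitly
    $trustee = $null
    if ($NewName) {
        $sid = (New-Object System.Security.Principal.NTAccount($NewDomain, $NewName)).Translate([System.Security.Principal.SecurityIdentifier])
        $bytes = New-Object byte[] $sid.BinaryLength
        $sid.GetBinaryForm($bytes, 0)
        $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
        $trustee.Domain = $NewDomain
        $trustee.Name   = $NewName
        $trustee.SID    = $bytes
    }

    $newDacl = @(); $changed = $false
    foreach ($ace in $sd.DACL) {
        if ($ace.Trustee.Domain -eq $OldDomain -and $ace.Trustee.Name -eq $OldName) {
            $changed = $true
            if (-not $trustee) { continue }   # remove: drop this ACE
            $ace.Trustee = $trustee           # swap: AccessMask, AceType, AceFlags stay as they were
        }
        $newDacl += $ace
    }
    if (-not $changed) { return }
    # An empty DACL denies everyone; refuse to write one
    if ($newDacl.Count -eq 0) { Write-Warning "Removal would leave \\$ComputerName\$ShareName with an empty DACL; skipped"; return }

    $sd.DACL = [System.Management.ManagementBaseObject[]]$newDacl
    $set = $lss.SetSecurityDescriptor($sd)
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor returned $($set.ReturnValue)" }
}

# Driving it from the CSV (constructed column names Server and Share):
# Import-Csv .\shares.csv | ForEach-Object { Update-ShareTrustee -ComputerName $_.Server -ShareName $_.Share -OldDomain 'domainA' -OldName 'user1' -NewDomain 'domainB' -NewName 'user1' }
```

Because the existing ACE is kept and only its trustee is replaced, the new account inherits exactly the access mask and allow/deny type the old one had on that share.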

  • #58867
    David Schmidtberger
    Participant

    While I'm not changing the permissions in my project, I do have a reporting function for shares configured on a server. Hopefully it gives you a bit of a lead.

    Get-WmiObject -ComputerName $computer -Class Win32_Share | Out-GridView
    
