Need to edit the Everyone permission on a share

This topic contains 4 replies, has 3 voices, and was last updated by Steve Niedermeier 1 year ago.

    Steve Niedermeier

    Hello all,

    I am VERY new to PowerShell and scripting in general. I have been given the task to edit the Everyone permission on several remote servers that we are in the process of decommissioning. The OS on these servers is Server 2003, and the PowerShell version is 2.0.

    I have been able to find several scripts that will create a share for me and mark Everyone as read-only; below is the one I have been using:

    $Computer = "Computer"
    $Class = "Win32_Share"
    $Method = "Create"
    $name = "Temp"
    $path = "C:\temp"
    $description = "This is shared for me to test"
    $sd = ([WMIClass] "\\$Computer\root\cimv2:Win32_SecurityDescriptor").CreateInstance()
    $ACE = ([WMIClass] "\\$Computer\root\cimv2:Win32_ACE").CreateInstance()
    $Trustee = ([WMIClass] "\\$Computer\root\cimv2:Win32_Trustee").CreateInstance()
    $Trustee.Name = "EVERYONE"
    $Trustee.Domain = $Null
    $Trustee.SID = @(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    $ace.AccessMask = 1179817
    $ace.AceFlags = 3
    $ace.AceType = 0
    $ACE.Trustee = $Trustee
    $sd.DACL += $ACE.psObject.baseobject
    $mc = [WmiClass]"\\$Computer\ROOT\CIMV2:$Class"
    $InParams = $mc.psbase.GetMethodParameters($Method)
    $InParams.Access = $sd
    $InParams.Description = $description
    $InParams.MaximumAllowed = $Null
    $InParams.Name = $name
    $InParams.Password = $Null
    $InParams.Path = $path
    $InParams.Type = [uint32]0
    $R = $mc.PSBase.InvokeMethod($Method, $InParams, $Null)
    # Map the return value of Win32_Share.Create to a readable message.
    switch ($($R.ReturnValue)) {
        0 {Write-Host "Share:$name Path:$path Result:Success"; break}
        2 {Write-Host "Share:$name Path:$path Result:Access Denied" -foregroundcolor red -backgroundcolor yellow; break}
        8 {Write-Host "Share:$name Path:$path Result:Unknown Failure" -foregroundcolor red -backgroundcolor yellow; break}
        9 {Write-Host "Share:$name Path:$path Result:Invalid Name" -foregroundcolor red -backgroundcolor yellow; break}
        10 {Write-Host "Share:$name Path:$path Result:Invalid Level" -foregroundcolor red -backgroundcolor yellow; break}
        21 {Write-Host "Share:$name Path:$path Result:Invalid Parameter" -foregroundcolor red -backgroundcolor yellow; break}
        22 {Write-Host "Share:$name Path:$path Result:Duplicate Share" -foregroundcolor red -backgroundcolor yellow; break}
        23 {Write-Host "Share:$name Path:$path Result:Redirected Path" -foregroundcolor red -backgroundcolor yellow; break}
        24 {Write-Host "Share:$name Path:$path Result:Unknown Device or Directory" -foregroundcolor red -backgroundcolor yellow; break}
        25 {Write-Host "Share:$name Path:$path Result:Network Name Not Found" -foregroundcolor red -backgroundcolor yellow; break}
        default {Write-Host "Share:$name Path:$path Result:*** Unknown Error ***" -foregroundcolor red -backgroundcolor yellow; break}
    }

    If I run it on a server that already has a share on it, the script errors out saying the share is a duplicate, error 22. I just really need to edit the share, not try to create an additional one.

    Can anyone out there get me in the right direction?


    Don Jones

    That's because you're using CreateInstance() to create a new share. Prior to doing so, you should check to see if the share already exists, and if it does, obtain a reference to the existing instance rather than trying to create a new one.

    Steve Niedermeier

    So it looks like this would work for doing that?

    # Look up the share by name; $share is $null when it does not exist.
    $share = Get-WMIObject -Class Win32_Share -Computer 'COMPUTERNAME' -Filter "Name='Temp'"
    if ($share) {
        Write-Host "Share exists"
    } else {
        Write-Host "Share not found"
    }

    But where would I add that to make it just change the share permissions instead of creating a share?

    Sorry I need to be spoon fed this, but I am VERY new to it and do appreciate the help!

    Jonathan Warnken

    Steve, take a look at this post

    There are a couple of versions of a script to create new shares and set permissions, but there is an update by Chris Smith (fair warning: it is down in the comments a bit).

    # Start the text for the message.
    $text = "$ShareName ($FolderPath): "
    # Package the SecurityDescriptor via the New-SecurityDescriptor function.
    $SecDesc = New-SecurityDescriptor $ACEs
    # Check to see if the share already exists - this is to modify permissions
    $CheckShare = (Get-WmiObject Win32_Share -ComputerName $Computername -Filter "Name='$ShareName'")
    if ($CheckShare -ne $null) {
        # "Share exists and will now be modified!!!"
        $result = $CheckShare | foreach-object { $_.SetShareInfo(0, $Description, $SecDesc) }
    }

    In order to modify the share permissions you will need to use the SetShareInfo method rather than Create.
    Also, if you only create an ACE with just the permissions for Everyone, it will overwrite the existing permissions and only the permissions in your update will be present on the share. That might be OK if that is the only share permission(s) you want, but if you need to preserve existing permissions you would need to use the GetAccessMask method to collect the existing permissions and update the entry for Everyone. See
    If you are learning, this is a great rabbit hole to discover lots about security. However, if you are pressed for time you could use rmtshare.exe from the NT Resource Kit. (It works on 2003 and you can get basic syntax from
    That being said, the best option would be to upgrade to a newer OS that is more secure, and with Server 2012 you get PowerShell commands to manage share permissions.
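
Added example (not part of the post above or of the script it links to): one way to change only the Everyone entry on an existing share while carrying the other ACEs over unchanged. It reads the current descriptor through Win32_LogicalShareSecuritySetting.GetSecurityDescriptor(), which is a different call from the GetAccessMask method mentioned above, and writes it back with SetShareInfo; the function name, its parameters and 'COMPUTERNAME' are assumptions.

```powershell
# Added example; the function name and parameters are assumptions, not from the thread.
function Set-EveryoneShareRead {
    param([string]$Computer, [string]$ShareName)

    $readMask    = 1179817     # read-only mask from the script in the first post
    $everyoneSid = 'S-1-1-0'   # well-known SID for Everyone
    $filter      = "Name='$ShareName'"

    $share = Get-WmiObject -Class Win32_Share -ComputerName $Computer -Filter $filter
    if (-not $share) { Write-Warning "Share $ShareName not found on $Computer"; return }

    # Read the current descriptor so ACEs for other trustees are carried over unchanged.
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $Computer -Filter $filter
    if (-not $setting) { Write-Warning "No security setting returned for $ShareName"; return }
    $current = $setting.GetSecurityDescriptor()
    if ($current.ReturnValue -ne 0) {
        Write-Warning "GetSecurityDescriptor returned $($current.ReturnValue)"; return
    }
    $sd   = $current.Descriptor
    $dacl = @($sd.DACL)

    # Rewrite only allow ACEs (AceType 0) whose trustee is Everyone.
    $changed = 0
    foreach ($ace in $dacl) {
        if ($ace.Trustee.SIDString -eq $everyoneSid -and $ace.AceType -eq 0 -and
            $ace.AccessMask -ne $readMask) {
            Write-Host "Everyone: $($ace.AccessMask) -> $readMask"
            $ace.AccessMask = $readMask
            $changed++
        }
    }
    if ($changed -eq 0) { Write-Host "No Everyone allow ACE to change on $ShareName"; return }

    # Write the whole DACL back; SetShareInfo replaces the share's descriptor.
    $sd.DACL = [System.Management.ManagementBaseObject[]]$dacl
    $result  = $share.SetShareInfo($share.MaximumAllowed, $share.Description, $sd)
    if ($result.ReturnValue -eq 0) {
        Write-Host "Share:$ShareName Result:Success"
    } else {
        Write-Warning "SetShareInfo returned $($result.ReturnValue)"
    }
}

# 'COMPUTERNAME' and 'Temp' are the placeholder values used earlier in the thread.
Set-EveryoneShareRead -Computer 'COMPUTERNAME' -ShareName 'Temp'
```

Run it against one test share first and compare the share's permission list before and after the change.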

    Steve Niedermeier

    I haven't seen that script yet. There are other permissions on that share also so I may have to see if that would take away anything else I don't intend to.

    I was talking to one of our domain admins last night also; he said it should be possible to do this with a Group Policy change and then move the sites as they are migrated into a different OU with this change active.

    Jonathan, the goal is to remove the 2003 OS by the end of the 1st quarter of 2016.

    Thanks for the assistance guys! I have some things to try.

