Shared Folder Permission


This topic contains 6 replies, has 4 voices, and was last updated by

1 year, 11 months ago.

  • Author
  • #66750

    Points: 0
    Rank: Member

    Hi Guys,

    I need to meet a business requirement where I need to find all the shared folders on the computers and remove "Everyone" from all the shares.

    So far I have managed to gather the list of all shared folders and their permissions. But I'm stuck on removing "Everyone" from all shared folders. Can anyone help me edit my script properly to remove Everyone?

    Here is what I made as of now.

    # Read the list of target computers
    $computer = (Get-Content c:\srv.txt)
    # Collect the share names from every computer in the list
    $shares = Get-WmiObject -Class win32_share -ComputerName $computer | select -ExpandProperty Name
    foreach ($share in $shares) {
        $acl = $null
        Write-Host $share -ForegroundColor Magenta
        Write-Host $('-' * $share.Length) -ForegroundColor Yellow
        $objShareSec = Get-WMIObject -Class Win32_LogicalShareSecuritySetting -Filter "name='$Share'" -ComputerName $computer
        try {
            $SD = $objShareSec.GetSecurityDescriptor().Descriptor
            foreach ($ace in $SD.DACL) {
                # Build DOMAIN\Name, falling back to the SID when the name cannot be resolved
                $UserName = $ace.Trustee.Name
                If ($ace.Trustee.Domain -ne $Null) {$UserName = "$($ace.Trustee.Domain)\$UserName"}
                If ($ace.Trustee.Name -eq $Null) {$UserName = $ace.Trustee.SIDString }
                [Array]$ACL += New-Object Security.AccessControl.FileSystemAccessRule($UserName, $ace.AccessMask, $ace.AceType)
            }
        }
        catch
        { Write-Host "Unable to obtain permissions for $share" }
        # Emit the access rules collected for this share
        $ACL
        Write-Host $('=' * 50)
    }

  • #67125

    Points: 0
    Rank: Member

    Why does Revoke-SmbShareAccess not support variable inputs? I need to pass multiple shared folders to remove one user/group; how could I do that?

    I tried to combine two commands for this: Get-SmbShare and Revoke-SmbShareAccess.
    But as Revoke-SmbShareAccess is not accepting variable inputs, I'm stuck.
    Revoke-SmbShareAccess works fine if I put in the name string. It also accepts multiple strings on the fly, but does not accept variable inputs.

    Please help....

  • #67188

    Points: 21
    Rank: Member

    Hi Pulakesh,

    I suggest this.

    # Get list of servers from file
    $servers = Get-Content -Path C:\ServerLists\Servers.txt
    # Loop through the list of servers
    foreach ($server in $servers)
    {
        # Connect to the Win32_Share class to get shares on the server
        $shares = Get-WmiObject -Namespace root\cimv2 -Class Win32_Share -ComputerName $server
        # Get ACEs for all shares and return those that have Everyone as account name and are not hidden shares
        $shareAccess = $shares | Get-SmbShareAccess | Where-Object -FilterScript {($PSItem.AccountName -like 'Everyone') -and ($PSItem.Name -notlike '*$')}
        # Revoke Everyone from the ACL of all shares where it is listed
        $shareRevoke = $shareAccess | Revoke-SmbShareAccess -AccountName 'Everyone' -Force
        # Write the ACEs of all shares that were touched
        Write-Output $shareRevoke
    }

    Get-WmiObject returns an object that can be piped into Get-SmbShareAccess,
    it is filtered with Where-Object to get only shares with an Everyone ACE,
    and piped into Revoke-SmbShareAccess to remove Everyone from the Access Control List.
    The power of objects and the pipeline.

    $sharerevoke holds all ACEs that are left after Everyone is removed.

    Name  ScopeName AccountName AccessControlType AccessRight
    ----  --------- ----------- ----------------- -----------
    Share *         Access      Allow             Read

    If only Everyone had an ACE, then $sharerevoke holds an ACE where Everyone has Deny as AccessControlType.

    Name  ScopeName AccountName AccessControlType AccessRight
    ----  --------- ----------- ----------------- -----------
    Share *         Everyone    Deny              Full

    I have only tested on Windows 10.

    • #67288

      Points: 0
      Rank: Member

      Hi Peter,

      Thanks for your nice and powerful script. The best thing in your script is that it works for multiple computers at once. I've not tried it for multiple computers yet, but I'm sure it will work.

      By the time I saw your post, I had made my first full version of a PowerShell script independently. Being a beginner, I was excited about my script and I uploaded it to the MS TechNet Script Gallery. Please have a look and suggest if any modification is required.

      Thanks once again..

  • #67204

    Points: 0
    Rank: Member

    Instead of using WMI, you can accomplish this with Get-SMBShare, Get-SMBShareAccess, and Revoke-SMBShareAccess as seen below:

    # Only file system shares (skips printers and IPC)
    $Shares = Get-SmbShare | where ShareType -eq 'FileSystemDirectory'
    foreach ($share in $Shares) {
        $ShareAccess = Get-SmbShareAccess -Name $share.Name
        # True when any ACE on the share is for Everyone
        If ($shareAccess.AccountName -like 'Everyone') {
            Write-Host $share.Name $ShareAccess.AccountName $shareAccess.AccessRight -ForegroundColor Magenta
            Revoke-SmbShareAccess -Name $share.Name -AccountName 'Everyone' -Verbose
        }
    }

    Good Luck!

    • #67287

      Points: 0
      Rank: Member

      Hi Michael,

      Thanks for your efforts. But I had already used the same method and created my first full version of the script just before your post.

      I uploaded it here. Please suggest if any modification is required. I tried to post the same script here, but I don't know why it did not show up after submitting the post.

      Anyway, here is the link; please guide me if any changes are required.

  • #67501

    Points: 1
    Rank: Member

    I think the get-smbshare cmdlet only works with win8 or higher.

The topic ‘Shared Folder Permission’ is closed to new replies.
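
An added example, not taken from any post in this thread: a per-server sweep that uses the SMB cmdlets with an explicit CIM session, so that the lookup and the revoke both run against the remote server, and that supports `-WhatIf` for a dry run before share ACLs are changed. The function name `Remove-EveryoneShareAccess` and the report fields are hypothetical; it assumes WinRM is reachable on each target and that the targets run Windows 8 / Server 2012 or later.

```powershell
# Added example. Function name and report fields are hypothetical.
function Remove-EveryoneShareAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Value used in the thread; the group name differs on non-English Windows
        [string]$AccountName = 'Everyone'
    )
    foreach ($server in $ComputerName) {
        try {
            $session = New-CimSession -ComputerName $server -ErrorAction Stop
        } catch {
            Write-Warning "Cannot connect to ${server}: $($_.Exception.Message)"
            continue
        }
        try {
            # -Special $false skips administrative shares such as C$, ADMIN$ and IPC$
            foreach ($share in Get-SmbShare -CimSession $session -Special $false) {
                $aces   = @(Get-SmbShareAccess -Name $share.Name -CimSession $session)
                $hits   = @($aces | Where-Object AccountName -eq $AccountName)
                if ($hits.Count -eq 0) { continue }
                $others = @($aces | Where-Object AccountName -ne $AccountName)
                $target = "\\$server\$($share.Name)"
                if ($others.Count -eq 0) {
                    # Nobody else is listed: after the revoke the share has no usable ACE
                    Write-Warning "${target}: $AccountName is the only entry on this share"
                }
                if ($PSCmdlet.ShouldProcess($target, "Revoke share access for $AccountName")) {
                    Revoke-SmbShareAccess -Name $share.Name -AccountName $AccountName `
                        -CimSession $session -Force | Out-Null
                }
                # One report row per affected share, recording the state before the change
                [pscustomobject]@{
                    Computer = $server
                    Share    = $share.Name
                    Path     = $share.Path
                    Rights   = ($hits | ForEach-Object { "$($_.AccessControlType):$($_.AccessRight)" }) -join ','
                    OnlyAce  = ($others.Count -eq 0)
                }
            }
        } finally {
            Remove-CimSession -CimSession $session
        }
    }
}

# Dry run first, then repeat without -WhatIf once the report has been reviewed:
# Remove-EveryoneShareAccess -ComputerName (Get-Content C:\ServerLists\Servers.txt) -WhatIf
```

This changes share-level permissions only; NTFS permissions on the underlying folders are untouched and need a separate review.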
