Author Posts

March 19, 2017 at 7:41 pm

Hi Guys,

I need to meet some business requirement where I need to find all the shared folder with in the comuters and remove "everyone" from all the shares.

So far I can achive to gether all shared folder list and its permission. But I'm stuck to remove "Everyone" from all shared folder. Can anyone help me to edit my script properly to remove everyone

Here is what I made as of now.

$computer = (Get-Content c:\srv.txt)
$shares = Get-WmiObject -Class win32_share -ComputerName $computer | select -ExpandProperty Name
foreach ($share in $shares) {
$acl = $null
Write-Host $share -ForegroundColor Magenta
Write-Host $('-' * $share.Length) -ForegroundColor Yellow
$objShareSec = Get-WMIObject -Class Win32_LogicalShareSecuritySetting -Filter "name='$Share'" -ComputerName $computer
try {
$SD = $objShareSec.GetSecurityDescriptor().Descriptor
foreach($ace in $SD.DACL){
$UserName = $ace.Trustee.Name
If ($ace.Trustee.Domain -ne $Null) {$UserName = "$($ace.Trustee.Domain)\$UserName"}
If ($ace.Trustee.Name -eq $Null) {$UserName = $ace.Trustee.SIDString }
[Array]$ACL += New-Object Security.AccessControl.FileSystemAccessRule($UserName, $ace.AccessMask, $ace.AceType)
}
}
catch
{ Write-Host "Unable to obtain permissions for $share" }
$ACL
Write-Host $('=' * 50)
}

March 23, 2017 at 10:26 pm

Why Revoke-SmbShareAccess does not support Variable inputs? I need to add multiple share folder to remove one user/group, how could I do that

I tried to combined two command line to work for this Get-SmbShare and Revoke-SmBShareAccess.
But as Revoke-SmbShareAccess is not excepting Variable inputs I'm stuck.
Revoke-SmbShareAccess works fine if I put the Name String. It also accept multiple string on the fly, but does not accept variable inputs 

Please help....

March 24, 2017 at 3:14 pm

Hi Pulakesh,

I suggest this.

# Get list of servers from file
$servers = Get-Content -Path C:\ServerLists\Servers.txt

# Loop through the list of servers
foreach ($server in $servers)
{
    # Connect to the Win32_Share class to get shares on the server
    $shares = Get-WmiObject -Namespace root\cimv2 -Class Win32_Share -ComputerName $server

    # Get ACE for all shares and return those that has Everyone as account name and is not a hidden share
    $shareAccess = $shares | Get-SmbShareAccess | Where-Object -FilterScript {($PSItem.AccountName -like 'Everyone') -and ($PSItem.Name -notlike '*$')}
    
    # Revoke Everyone from the ACE for all shares where it is listed
    $shareRevoke = $shareaccess | Revoke-SmbShareAccess -AccountName 'Everyone' -Force
    
    # Write ACE for all shares that is touched
    Write-Output $shareRevoke
}

Get-WmiObject returns an object that can be piped into Get-SmbShareAccess,
it is filtered with Where-Object to get only shares with an Everyone ACE,
and piped into Revoke-SmbShareAccess to remove Everyone from the Access Control List.
The power of objects and the pipeline.

$sharerevoke holds all ACE that is left after after Everyone is removed.
Name ScopeName AccountName AccessControlType AccessRight
—- ——— ———– —————– ———–
Share * Access Allow Read

If only Everyone had an ACE then $sharerevoke holds an ACE where Everyone has Deny as AccessControlType.
Name ScopeName AccountName AccessControlType AccessRight
—- ——— ———– —————– ———–
Share * Everyone Deny Full

I have only tested on Windows 10.

March 25, 2017 at 1:07 am

Instead of using WMI, you can accomplish this with Get-SMBShare, Get-SMBShareAccess, and Revoke-SMBShareAccess as seen below:

$Shares = Get-SmbShare | where ShareType -eq 'FileSystemDirectory'
foreach ($share in $Shares) {
   $ShareAccess = Get-SmbShareAccess -Name $share.Name
   If ($shareAccess.AccountName -like 'Everyone') { 
        
    Write-Host $share $ShareAccess.AccountName $shareAccess.AccessRight -ForegroundColor Magenta
    Revoke-SmbShareAccess -Name $Share.name -AccountName 'Everyone' -Verbose
    }
}

Good Luck!

March 26, 2017 at 1:22 pm

Hi Michael,

Thanks for your efforts. But I already used that same methods and create my first full version of script just before your post.

Same I uploaded here. Please suggest if any modification required on it. I tried to post same script here, but I don't know why after submitting the post it did not show up.

Anyways here the link, please guide me if any changes required on it.

https://gallery.technet.microsoft.com/scriptcenter/Shared-Folder-Permission-babff190?redir=0

March 26, 2017 at 1:33 pm

Hi Peter,

Thanks for your nice and powerful script. The best thing in your script is that it works for multiple computers at once. I've not try it for multiple computers yet but I'm sure it will work.

By the time I saw your post; I made my first full version of PowerShell Script independently. Being a beginner I was excited about my script and I uploaded same on MS TechNet Script Gallery. Please have a look and suggest if any modification required on it.

Thanks once again..

March 29, 2017 at 6:26 am

I think the get-smbshare cmdlet only works with win8 or higher.