Shared Folder Permission

This topic contains 6 replies, has 4 voices, and was last updated by Frank Tucker 4 months ago.

  • #66750
    Pulakesh
    Participant

    Hi Guys,

    I need to meet a business requirement where I need to find all the shared folders within the computers and remove "Everyone" from all the shares.

    So far I have managed to gather the list of all shared folders and their permissions, but I'm stuck on removing "Everyone" from all shared folders. Can anyone help me edit my script properly to remove Everyone?

    Here is what I made as of now.

    # Read the list of computers to query
    $computer = (Get-Content c:\srv.txt)
    $shares = Get-WmiObject -Class win32_share -ComputerName $computer | select -ExpandProperty Name
    foreach ($share in $shares) {
        $acl = $null
        Write-Host $share -ForegroundColor Magenta
        Write-Host $('-' * $share.Length) -ForegroundColor Yellow
        # Share-level security settings for this share name
        $objShareSec = Get-WMIObject -Class Win32_LogicalShareSecuritySetting -Filter "name='$Share'" -ComputerName $computer
        try {
            $SD = $objShareSec.GetSecurityDescriptor().Descriptor
            # Turn each ACE in the share DACL into a readable access rule
            foreach ($ace in $SD.DACL) {
                $UserName = $ace.Trustee.Name
                If ($ace.Trustee.Domain -ne $Null) { $UserName = "$($ace.Trustee.Domain)\$UserName" }
                If ($ace.Trustee.Name -eq $Null) { $UserName = $ace.Trustee.SIDString }
                [Array]$ACL += New-Object Security.AccessControl.FileSystemAccessRule($UserName, $ace.AccessMask, $ace.AceType)
            }
        }
        catch {
            Write-Host "Unable to obtain permissions for $share"
        }
        $ACL
        Write-Host $('=' * 50)
    }

  • #67125
    Pulakesh
    Participant

    Why does Revoke-SmbShareAccess not support variable inputs? I need to pass multiple shared folders to remove one user/group; how could I do that?

    I tried to combine two commands, Get-SmbShare and Revoke-SmbShareAccess, to do this.
    But as Revoke-SmbShareAccess is not accepting variable inputs, I'm stuck.
    Revoke-SmbShareAccess works fine if I put in the name string. It also accepts multiple strings on the fly, but does not accept variable inputs.

    Please help....

  • #67188
    Peter Kjaer
    Participant

    Hi Pulakesh,

    I suggest this.

    # Get list of servers from file
    $servers = Get-Content -Path C:\ServerLists\Servers.txt
    
    # Loop through the list of servers
    foreach ($server in $servers)
    {
        # Connect to the Win32_Share class to get shares on the server
        $shares = Get-WmiObject -Namespace root\cimv2 -Class Win32_Share -ComputerName $server
    
        # Get ACEs for all shares and return those that have Everyone as account name and are not hidden shares
        # (-CimSession targets the remote server; without it the Smb cmdlets act on the local machine)
        $shareAccess = $shares | Get-SmbShareAccess -CimSession $server | Where-Object -FilterScript {($PSItem.AccountName -like 'Everyone') -and ($PSItem.Name -notlike '*$')}
        
        # Revoke Everyone from the ACL of every share where it is listed
        $shareRevoke = $shareAccess | Revoke-SmbShareAccess -AccountName 'Everyone' -Force -CimSession $server
        
        # Write the ACEs of all shares that were touched
        Write-Output $shareRevoke
    }
    

    Get-WmiObject returns an object that can be piped into Get-SmbShareAccess,
    it is filtered with Where-Object to get only shares with an Everyone ACE,
    and piped into Revoke-SmbShareAccess to remove Everyone from the Access Control List.
    The power of objects and the pipeline.

    $sharerevoke holds all ACEs that are left after Everyone is removed.

    Name  ScopeName AccountName AccessControlType AccessRight
    ----  --------- ----------- ----------------- -----------
    Share *         Access      Allow             Read

    If only Everyone had an ACE then $sharerevoke holds an ACE where Everyone has Deny as AccessControlType.

    Name  ScopeName AccountName AccessControlType AccessRight
    ----  --------- ----------- ----------------- -----------
    Share *         Everyone    Deny              Full

    I have only tested on Windows 10.

    • #67288
      Pulakesh
      Participant

      Hi Peter,

      Thanks for your nice and powerful script. The best thing in your script is that it works for multiple computers at once. I've not tried it for multiple computers yet but I'm sure it will work.

      By the time I saw your post, I had made my first full version of a PowerShell script independently. Being a beginner, I was excited about my script and I uploaded it to the MS TechNet Script Gallery. Please have a look and suggest whether any modification is required.

      Thanks once again..

  • #67204
    Michael Bender
    Participant

    Instead of using WMI, you can accomplish this with Get-SMBShare, Get-SMBShareAccess, and Revoke-SMBShareAccess as seen below:

    $Shares = Get-SmbShare | where ShareType -eq 'FileSystemDirectory'
    foreach ($share in $Shares) {
        $ShareAccess = Get-SmbShareAccess -Name $share.Name
        If ($shareAccess.AccountName -like 'Everyone') {
            Write-Host $share $ShareAccess.AccountName $shareAccess.AccessRight -ForegroundColor Magenta
            Revoke-SmbShareAccess -Name $Share.name -AccountName 'Everyone' -Verbose
        }
    }
    

    Good Luck!

    • #67287
      Pulakesh
      Participant

      Hi Michael,

      Thanks for your efforts. But I had already used the same method and created my first full version of the script just before your post.

      I uploaded the same here. Please suggest whether any modification is required. I tried to post the same script here, but I don't know why it did not show up after submitting the post.

      Anyway, here is the link; please guide me if any changes are required.

      https://gallery.technet.microsoft.com/scriptcenter/Shared-Folder-Permission-babff190?redir=0

  • #67501
    Frank Tucker
    Participant

    I think the get-smbshare cmdlet only works with win8 or higher.
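
The approach from the answers above, made remote-aware and guarded against the case in Peter's second table where Everyone is the only entry on a share. This is an added example, not code from any post in this thread. It assumes the targets run Windows 8 / Server 2012 or later (the SmbShare cmdlets) and report the account as 'Everyone'; the function name and the backup path are hypothetical.

```powershell
# Added example, not from the thread. Hypothetical names: Remove-EveryoneFromShare,
# C:\ShareAcl-before.csv. C:\srv.txt is the server list from the first post.
function Remove-EveryoneFromShare {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $BackupPath
    )
    foreach ($server in $ComputerName) {
        $session = New-CimSession -ComputerName $server -ErrorAction Stop
        try {
            # Disk shares only; -Special $false leaves out C$, ADMIN$, IPC$ and similar
            $names = @(Get-SmbShare -CimSession $session -Special $false |
                Where-Object ShareType -eq 'FileSystemDirectory' |
                Select-Object -ExpandProperty Name)
            if (-not $names) { continue }

            # -Name is declared as string[], so an array held in a variable is accepted
            $aces = @(Get-SmbShareAccess -CimSession $session -Name $names)

            # Record the ACL as found, even on a -WhatIf run, so it can be restored later
            $aces | Select-Object @{ n = 'Server'; e = { $server } }, Name, ScopeName,
                    AccountName, AccessControlType, AccessRight |
                Export-Csv -Path $BackupPath -Append -NoTypeInformation -WhatIf:$false

            foreach ($group in ($aces | Group-Object Name)) {
                $allow    = @($group.Group | Where-Object AccessControlType -eq 'Allow')
                $everyone = @($allow | Where-Object AccountName -eq 'Everyone')
                $others   = @($allow | Where-Object AccountName -ne 'Everyone')
                if (-not $everyone) { continue }
                if (-not $others) {
                    # Peter's second table: revoking here leaves nobody with access
                    Write-Warning "\\$server\$($group.Name): Everyone is the only Allow entry, skipped"
                    continue
                }
                if ($PSCmdlet.ShouldProcess("\\$server\$($group.Name)", 'Revoke Everyone')) {
                    Revoke-SmbShareAccess -CimSession $session -Name $group.Name `
                        -AccountName 'Everyone' -Force
                }
            }
        }
        finally { Remove-CimSession -CimSession $session -WhatIf:$false }
    }
}

# Dry run first; drop -WhatIf to apply
Remove-EveryoneFromShare -ComputerName (Get-Content C:\srv.txt) -BackupPath C:\ShareAcl-before.csv -WhatIf
```

Shares reported by the warning need a replacement group granted (for example with Grant-SmbShareAccess) before Everyone is revoked.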
