Set file sharing permission level powershell

    Question

  • Hi.

    Please advise how to share the folder with permission level read/write to domain\user. NOT NTFS permissions!!!

    I used the function below, but it puts NTFS permissions. Is it possible to set share permissions using PS?

    function: 

    function shareFolder
    {
        Param ($folder, $uname)
        $name = $folder.Name
        $path = $folder.Fullname

        # Security descriptor that will carry the access list passed to Win32_Share.Create
        $sd = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()

        # One ACE for the account passed in $uname
        $ace = ([WMIClass] "Win32_ACE").CreateInstance()
        $Trustee = ([WMIClass] "Win32_Trustee").CreateInstance()
        $Trustee.Name = $uname
        $Trustee.Domain = $null
        $ace.AccessMask = 2032127   # 0x1F01FF, full control
        $ace.AceFlags = 3           # object inherit + container inherit
        $ace.AceType = 0            # access allowed
        $ace.Trustee = $Trustee
        $sd.DACL += $ace.psObject.baseobject

        # Input parameters for the Create method of Win32_Share
        $mc = [WmiClass]"Win32_Share"
        $InParams = $mc.psbase.GetMethodParameters("create")
        $InParams.Access = $sd
        $InParams.Description = "Share"
        $InParams.MaximumAllowed = $Null
        $InParams.Name = "test"
        $InParams.Password = $Null
        $InParams.Path = $folder
        $InParams.Type = [uint32]0  # disk drive

        $mc.PSBase.InvokeMethod("Create", $InParams, $Null)
    }

    shareFolder "C:\testshare" "d.local\testuser"

    I repeat, it puts NTFS permissions, not share.
    • Edited by yarostnyi Friday, July 26, 2013 12:47 PM
    Friday, July 26, 2013 12:46 PM

All replies

  • Here is a script that sets share permissions:
    http://gallery.technet.microsoft.com/Create-a-Share-and-Set-eb177a79


    ¯\_(ツ)_/¯

    Friday, July 26, 2013 2:41 PM
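
An added example, not part of the thread and not the linked gallery script: one way to create a share whose share-level ACL (not the NTFS ACL) grants a single account Change, then read that ACL back through `Win32_LogicalShareSecuritySetting` to confirm what was set. The function names and the `$ShareMask` table are introduced here; the path, share name and account are the sample values from the question.

```powershell
# Added example. Share-level access masks; the NTFS ACL is a separate object.
$ShareMask = @{ Read = 1179817; Change = 1245631; Full = 2032127 }

function New-ShareAce {
    param([string]$Account, [ValidateSet('Read','Change','Full')][string]$Level)
    # Resolve to a SID first so an unknown account throws here.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType)
    $sidBytes = New-Object byte[] ($sid.BinaryLength)
    $sid.GetBinaryForm($sidBytes, 0)
    $trustee = ([WMIClass]'Win32_Trustee').CreateInstance()
    $trustee.SID = $sidBytes

    $ace = ([WMIClass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $ShareMask[$Level]
    $ace.AceFlags   = 0   # inheritance flags are not meaningful on a share ACL
    $ace.AceType    = 0   # 0 = access allowed
    $ace.Trustee    = $trustee
    return $ace
}

function New-SharedFolder {
    param([string]$Path, [string]$Name, [string]$Account, [string]$Level = 'Change')
    $sd = ([WMIClass]'Win32_SecurityDescriptor').CreateInstance()
    $sd.ControlFlags = 4   # SE_DACL_PRESENT
    $sd.DACL = @((New-ShareAce -Account $Account -Level $Level).psobject.BaseObject)

    # Create(Path, Name, Type, MaximumAllowed, Description, Password, Access)
    $result = ([WMIClass]'Win32_Share').Create($Path, $Name, 0, $null, 'Share', $null, $sd)
    if ($result.ReturnValue -ne 0) { throw "Win32_Share.Create returned $($result.ReturnValue)" }
}

function Get-SharePermission {
    param([string]$Name)
    # Reads the share-level DACL only; use Get-Acl on the folder for the NTFS side.
    $setting = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$Name'"
    foreach ($ace in $setting.GetSecurityDescriptor().Descriptor.DACL) {
        $level = ($ShareMask.GetEnumerator() | Where-Object { $_.Value -eq $ace.AccessMask }).Key
        New-Object PSObject -Property @{
            Trustee = ('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name)
            Level   = $(if ($level) { $level } else { 'Custom' })
            Mask    = $ace.AccessMask
        }
    }
}

# Run elevated; the folder must already exist. Values are the question's samples.
New-SharedFolder -Path 'C:\testshare' -Name 'test' -Account 'd.local\testuser' -Level Change
Get-SharePermission -Name 'test'
```
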
  • I find net share way easier to use.

    @echo off
    
    Set ShareName=MyOwnShare
    Set SharePath=C:\TestShare
    
    for /F "tokens=1" %%G IN ('net share ^| find "%ShareName%"') DO net share %%G /delete
    
    net share %ShareName%=%SharePath% /grant:"NT AUTHORITY\Authenticated Users",CHANGE /unlimited /remark:"My Private Share" /cache:none
    



    Friday, July 26, 2013 4:51 PM
  • As an aside, since share permissions apply to all files and folders in a share, while NTFS permissions can differ within a share, and since the most restrictive between the two applies, a common practice that is simpler to manage is to create all shares with full access to everyone and use NTFS permissions to manage the actual access granted.


    Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.

    • Marked as answer by yarostnyi Thursday, August 01, 2013 11:16 AM
    Friday, July 26, 2013 5:03 PM
  • I agree with Al. Share permissions should be Everyone:F and the resources should be secured at the file system level.

    Bill

    Friday, July 26, 2013 5:27 PM
  • I agree with Al. Share permissions should be Everyone:F and the resources should be secured at the file system level.

    Bill

    When we create a share with the GUI the permissions are set to Everyone read only.  When we create them with the share utilities (all, I believe) the setting is the older Everyone:F.  This, as Bill and Al have pointed out, is the better behavior and is by design.  The GUI protects unsuspecting users but the utilities are assumed to be used by trained Admins.

    There is seldom a need to create permissions on shares. Using NTFS is more secure and easier to manage.

    The net share /grant only works in Vista and later so be aware.


    ¯\_(ツ)_/¯

    • Marked as answer by yarostnyi Thursday, August 01, 2013 11:17 AM
    Friday, July 26, 2013 5:54 PM
  • I agree with Al. Share permissions should be Everyone:F and the resources should be secured at the file system level.

    Bill

    When we create a share with the GUI the permissions are set to Everyone read only.  When we create them with the share utilities (all, I believe) the setting is the older Everyone:F.  This, as Bill and Al have pointed out, is the better behavior and is by design.  The GUI protects unsuspecting users but the utilities are assumed to be used by trained Admins.

    There is seldom a need to create permissions on shares. Using NTFS is more secure and easier to manage.

    The net share /grant only works in Vista and later so be aware.


    ¯\_(ツ)_/¯

    While it is generally true that share permissions should be left in their default state, there is at least one scenario in which share permissions should be changed for security reasons.

    By nature NTFS allows owners to modify permissions.  Because object creators are made owners by default, they are free to mess with permissions beyond recognition.

    The only way to prevent this is to lock it down with share permissions since there is nothing you can do in NTFS to block users from doing it.  An "Everyone, Change" permission will easily solve the problem.
    Friday, July 26, 2013 7:07 PM


  • By nature NTFS allows owners to modify permissions.  Because object creators are made owners by default, they are free to mess with permissions beyond recognition.

    The only way to prevent this is to lock it down with share permissions since there is nothing you can do in NTFS to block users from doing it.  An "Everyone, Change" permission will easily solve the problem.

    I control this in two ways.  Regular users are not allowed to create shares.  Regular users can only manage objects created in their own documents folders.  In Vista and later only admins can create folders at the root of any drive unless we alter the default permissions.  These changes from MS are what I have been doing with policy for years.

    Users can only damage the files/folders they own and an Admin can fix this. We also have ways to force admin control over user folders so this is not usually a problem.

    However, as Joe has provoked, we should be careful to address that issue when setting up a file system or shares.  I am particularly opposed to creating a separate share for each user.  It is an old NT4 habit that does not seem to want to die.


    ¯\_(ツ)_/¯

    Friday, July 26, 2013 7:30 PM
  • Good point, Joe. Depending on your needs, Everyone:RWXD might be more appropriate.

    Bill

    Friday, July 26, 2013 7:33 PM
  • An excellent comment, I had not thought of that. And, goodness knows, you don't want regular users setting NTFS permissions. I have even met admins that did not have what I thought was a sufficiently cautious grasp on how it all works.

    Of course, this would keep administrators from making permission changes. But at least they could do so through the parent admin share...

    Of course, the best practice is to set permissions only on folders and only when they are created. Access changes are then applied by managing security groups.


    Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.

    Friday, July 26, 2013 7:35 PM
  • An excellent comment, I had not thought of that. And, goodness knows, you don't want regular users setting NTFS permissions. I have even met admins that did not have what I thought was a sufficiently cautious grasp on how it all works.

    Of course, this would keep administrators from making permission changes. But at least they could do so through the parent admin share...

    Of course, the best practice is to set permissions only on folders and only when they are created. Access changes are then applied by managing security groups.


    Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.

    Tell me about it.  I actually allow all shares made with the GUI to remain read-only.  These shares are for software and document distribution (templates).  I am forever trying to save a new document through the share only to be told that I can't. I have to back up and use the Admin share.

    Yes - I wonder if we can alter the default to create shares with only 'Modify' permissions.


    ¯\_(ツ)_/¯

    Friday, July 26, 2013 7:39 PM
  • $Path = "C:\TEST"
    $Share = "TEST"
    New-Item -ItemType directory -Path $Path
    net share "$Share=$Path" "/grant:Administrators,FULL" /unlimited /cache:none
    This does it for me.
    Wednesday, December 11, 2013 1:00 PM
  • $Path = "C:\TEST"
    $Share = "TEST"
    New-Item -ItemType directory -Path $Path
    net share "$Share=$Path" "/grant:Administrators,FULL" /unlimited /cache:none
    This does it for me.

    That answer was already given a few months ago.  Look at the rest of the answers to see the full issue.

    ¯\_(ツ)_/¯

    Wednesday, December 11, 2013 1:11 PM