Modify Share Permissions for everyone group

  • Hello,

    I've been stuck for a while trying to write a script which will modify any existing permission on all shares to "Everyone","Read".

    Since there is usually only the Everyone group (in most cases with FullAccess), I didn't bother looping through every DACL entry (foreach Share => foreach DACL ...).

    This will get me current share settings...

    $mycol = @()
    $shares = gwmi win32_share -Filter "type=0" | ?{ $_.path -match "D:\\TEST" } | select -expand name
    foreach ($share in $shares) {
        $objShare = Get-WMIObject -Class Win32_LogicalShareSecuritySetting -Filter "name='$share'"
        $SD = $objShare.GetSecurityDescriptor().Descriptor
        # walk each ACE explicitly: $SD.DACL.Trustee only works on PS 3.0+ (member enumeration) and not on PS v2
        foreach ($ace in @($SD.DACL)) {
            $UserName   = $ace.Trustee.Name
            if (-not $UserName) { $UserName = $ace.Trustee.SIDString }   # unresolvable SID: fall back to the SID string
            $accessmask = $ace.AccessMask
            $Acetype    = $ace.AceType    # 0 = allow, 1 = deny, same values as AccessControlType
            # FileSystemAccessRule is only used to render the numeric mask as readable FileSystemRights
            $ACL = New-Object Security.AccessControl.FileSystemAccessRule($UserName, $accessmask, $Acetype)
            $MyObject = New-Object PSObject -Property @{
                Sharename        = $share
                Username         = $UserName
                FileSystemRights = $ACL.FileSystemRights
                AccessMask       = $accessmask
            }
            $mycol += $MyObject
        }
    }
    $mycol | select sharename,username,filesystemrights,AccessMask

    In my understanding, all I need to do is change the AccessMask in the DACL entry to 1179817 (from 2032127) and save it via the SetSecurityDescriptor method (for example, $objShare.SetSecurityDescriptor($newDacl)). But I'm stuck on how to change this value.

    Can it be changed? Or do I have to remove the Everyone group and re-add it?

    The simple way is to use the net share command (delete the share, recreate the share: net share "Share1=$Path" "/grant:Everyone,READ") ... but I want to try to understand this WMI method in case I need it in the future for another case.

    I cannot use the SmbShare cmdlets because there are some machines running PS v2.0 where I need to modify share access.

    Regards ...

    Thursday, September 20, 2018 11:53 AM

All replies

  • With PowerShell we would use this:

    help Set-SmbShare -full

    It will do all you ask.

    To use WMI you have to create an SD using the WMI security descriptor class. Search and you will find examples of this. The full SD must be created and assigned.

    \_(ツ)_/


    • Edited by jrv Thursday, September 20, 2018 12:07 PM
    Thursday, September 20, 2018 12:06 PM
    • Marked as answer by Mekac Saturday, September 22, 2018 5:15 AM
    Thursday, September 20, 2018 12:09 PM
  • Thx jrv,

    I told you I cannot use the SmbShare cmdlets ... your example, though, should be good enough for me to make it work.

    Later .. :)

    Thursday, September 20, 2018 12:14 PM
  • Got it working (still needs some minor updates, but it isn't an issue).

    So, for checking permissions I use my code:

    $mycol = @()
    $shares = gwmi win32_share -Filter "type=0" | ?{ $_.path -match "D:\\TEST" } | select -expand name
    foreach ($share in $shares) {
        $objShare = Get-WMIObject -Class Win32_LogicalShareSecuritySetting -Filter "name='$share'"
        $SD = $objShare.GetSecurityDescriptor().Descriptor
        # walk each ACE explicitly: $SD.DACL.Trustee only works on PS 3.0+ (member enumeration) and not on PS v2
        foreach ($ace in @($SD.DACL)) {
            $UserName   = $ace.Trustee.Name
            if (-not $UserName) { $UserName = $ace.Trustee.SIDString }   # unresolvable SID: fall back to the SID string
            $accessmask = $ace.AccessMask
            $Acetype    = $ace.AceType    # 0 = allow, 1 = deny, same values as AccessControlType
            # FileSystemAccessRule is only used to render the numeric mask as readable FileSystemRights
            $ACL = New-Object Security.AccessControl.FileSystemAccessRule($UserName, $accessmask, $Acetype)
            $MyObject = New-Object PSObject -Property @{
                Sharename        = $share
                Username         = $UserName
                FileSystemRights = $ACL.FileSystemRights
                AccessMask       = $accessmask
            }
            $mycol += $MyObject
        }
    }
    $mycol | select sharename,username,filesystemrights,AccessMask

    For setting the new one, I use code from jrv's example (it gave me a little headache to get it working, then I realized it needs to run from an elevated prompt (on localhost) to modify the share):

    [CmdletBinding()]
    param(
        [string]$name,
        [string]$path,
        [string]$description = "",
        [System.Security.Principal.NTAccount]$account = "Everyone",
        [System.Security.AccessControl.FileSystemRights]$rights = 'Read',
        [int]$maxallowed = $null
    )

    # Builds a Win32_Trustee for the given account from its binary SID
    function Create-WMITrustee([string]$NTAccount) {
        $user = New-Object System.Security.Principal.NTAccount($NTAccount)
        $sid  = $user.Translate([System.Security.Principal.SecurityIdentifier])   # Translate already returns a SecurityIdentifier
        [byte[]]$ba = ,0 * $sid.BinaryLength
        [void]$sid.GetBinaryForm($ba, 0)

        $Trustee = ([WMIClass] "Win32_Trustee").CreateInstance()
        $Trustee.SID = $ba
        $Trustee
    }

    # Builds an access-allowed Win32_ACE for the account with the given rights
    function Create-WMIAce {
        param(
            [string]$account,
            [string]$rights = "Read"
        )
        $trustee = Create-WMITrustee $account
        $ace = ([WMIClass] "Win32_ACE").CreateInstance()
        $ace.AccessMask = [System.Security.AccessControl.FileSystemRights]$rights   # accepts 'Read' as well as a numeric mask
        Write-Host $ace.AccessMask   # debug: show the numeric mask that will be written
        $ace.AceFlags = 0   # no inheritance or propagation flags (share ACEs are not inherited)
        $ace.AceType  = 0   # 0 = ACCESS_ALLOWED (1 = ACCESS_DENIED, 2 = SYSTEM_AUDIT)
        $ace.Trustee  = $trustee
        $ace
    }

    ######################

    $sd = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
    [int]$rights = 1179817   # 0x1200A9 = FILE_GENERIC_READ, the mask "net share /grant:Everyone,READ" sets
    # Creating the ACE for Everyone and putting it into the security descriptor
    [System.Security.Principal.NTAccount]$account = "Everyone"

    $ace = Create-WMIAce $account $rights
    $sd.DACL = @($ace.psobject.baseobject)
    $sd.ControlFlags = 4   # SE_DACL_PRESENT

    ######################
    $shares = gwmi win32_share -Filter "type=0" | ?{ $_.path -match "D:\\TEST" } | select -expand name
    foreach ($share in $shares) {
        $objShare = Get-WMIObject -Class Win32_LogicalShareSecuritySetting -Filter "name='$share'"

        # Setting share permissions: the whole DACL is replaced by the single Everyone/Read ACE
        $objShare.SetSecurityDescriptor($sd)
    }

    Saturday, September 22, 2018 5:21 AM
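To answer the original question directly (the Everyone ACE can be edited in place rather than removed and re-added), here is an added example that is not from any post in this thread: it walks every DACL entry of each share, lowers only the Everyone allow ACE to 1179817, keeps deny and other ACEs as they are, checks the SetSecurityDescriptor return code and reads the descriptor back. It assumes an elevated prompt and the thread's D:\\TEST share filter; $ReadMask, $EveryoneSid and the use of the well-known SID S-1-1-0 are this example's own choices.

```powershell
# Added example, not from any post in this thread: tighten the Everyone allow ACE in place
# and keep every other ACE instead of replacing the whole DACL. Assumes an elevated prompt
# and PS v2-compatible WMI cmdlets; 1179817 (0x1200A9 = FILE_GENERIC_READ) is from the thread.
$ReadMask    = 1179817
$EveryoneSid = 'S-1-1-0'   # well-known SID of Everyone, independent of the display name

$shares = Get-WmiObject Win32_Share -Filter "Type=0" |
          Where-Object { $_.Path -match 'D:\\TEST' } |
          Select-Object -ExpandProperty Name

foreach ($share in $shares) {
    $setting = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$share'"
    $sd = $setting.GetSecurityDescriptor().Descriptor
    if ($null -eq $sd.DACL) {
        # a missing DACL grants everyone full control; it needs a new ACE, not an edit
        Write-Warning "$share has no DACL (implicit Full Control); create one explicitly"
        continue
    }

    $changed = $false
    $newDacl = @()
    foreach ($ace in @($sd.DACL)) {
        # AceType 0 = allow, 1 = deny; only the allow entry for Everyone is rewritten
        if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $EveryoneSid -and
            $ace.AccessMask -ne $ReadMask) {
            Write-Verbose ("{0}: Everyone mask {1} -> {2}" -f $share, $ace.AccessMask, $ReadMask)
            $ace.AccessMask = $ReadMask   # the embedded Win32_ACE is editable in memory
            $changed = $true
        }
        $newDacl += $ace.PSObject.BaseObject   # unwrap, as the thread does for new ACEs
    }
    if (-not $changed) { continue }

    # the descriptor is always written back as a whole, so put the edited DACL back in
    $sd.DACL = $newDacl
    $sd.ControlFlags = $sd.ControlFlags -bor 4   # make sure SE_DACL_PRESENT is set
    $result = $setting.SetSecurityDescriptor($sd)
    if ($result.ReturnValue -ne 0) {
        Write-Warning ("{0}: SetSecurityDescriptor returned {1}" -f $share, $result.ReturnValue)
        continue
    }

    # read back and confirm what is actually stored now
    $verify = (Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$share'").GetSecurityDescriptor().Descriptor
    $stored = @($verify.DACL) | Where-Object { $_.Trustee.SIDString -eq $EveryoneSid -and $_.AceType -eq 0 } |
              ForEach-Object { $_.AccessMask }
    Write-Output ("{0}: Everyone allow mask now {1}" -f $share, ($stored -join ','))
}
```

Run with -Verbose (or set $VerbosePreference) to see which shares actually had their Everyone mask lowered; shares already at 1179817 are skipped without a write.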