Now that you can list shares, how about something a bit more challenging?

Let’s take a look at share permissions. I tried using subinacl.exe to get these for a remote share. But it turns out that it does not always give trustworthy results. It showed read permissions for a share with Read and Change permissions. And let’s not mention the single-string, unicode output! What a nightmare!

Then I took one step back and issued the following command:

Get-WmiObject -ComputerName REMOTESERVER -List | Where { $_ -match “share” }

Turns out there is a WMI class called Win32_LogicalShareSecuritySetting that can help out!

Using Get-Member, I found the methods and properties I needed to make this work. And after some googling for the meaning of the AccessMask numbers, I was all done.

I have attached the script. Rename it to .ps1 and dot-source it, or paste it into your profile. Then give this command a try:

Get-MySharePermissions REMOTESERVER SHARENAME

Oh, objects! I love Powershell!

Get-MySharePermissions (rename to .ps1 or copy into profile)

»crosslinked«

Tagged with:
 

16 Responses to Listing share permissions for remote shares

  1. Charlie Morris says:

    Thanks Hugo

    great cmdet – Saved me hours of work.

  2. John Thayer Jensen says:

    Thanks, Hugo. I have copied this and will study it. However, I need to be able to set share permissions using powershell. I can use get-acl and set-acl for folder permissions. I am working on a script that creates a folder on a remote machine, then shares it (I can do that using WMI), but I need to set permissions.

  3. John Thayer Jensen says:

    Thanks, Hugo. Yes, now I see that, it’s obvious. This will help.

  4. Erich says:

    This is very helpful, thanks.

    Any chance you would do a post on how to use the SetSecurityDescriptor() method?

    Might you have any ideas why some (but not all) perfectly functioning, normal shares would not return anything with your script?

    • admin says:

      Hey Erich,
      Thanks for commenting! I don’t have too much time for creating new posts, unfortunately. If you don’t get any warning or errors, I have no clue why some of your shares are not returning results.
      Hugo

  5. Dak says:

    Is there any way to make the script get all the shares and its permissions?

  6. Mladen says:

    Here is a script that can check permissions on remote shares. Unfortunately you have to enter shares manualy.

    #==========================================================================
    # NAME: ACL on Shared folder
    # AUTHOR: Mladen
    # DATE : 01/12/2010
    # COMMENT: Check permissions on NTFS shared folder and send report to excel
    # REQUIREMENTS: QuestAD for PowerShell (Quest ActiveRoles), Excel, Acces to share
    # shares.txt is file with shares in format \\server\share1
    #==========================================================================

    #$erroractionpreference = “SilentlyContinue”
    $a = New-Object -comobject Excel.Application
    $a.visible = $True
    $b = $a.Workbooks.Add()
    $c = $b.Worksheets.Item(1)
    $c.Cells.Item(1,1) = “Share”
    $c.Cells.Item(1,2) = “Account”
    $c.Cells.Item(1,3) = “Permission”
    $c.Cells.Item(1,4) = “User Name”
    $d = $c.UsedRange
    $d.Interior.ColorIndex = 19
    $d.Font.ColorIndex = 11
    $d.Font.Bold = $True

    $intRow = 2

    $colShares = get-content shares.txt
    foreach ($strShare in $colShares)
    {
    $c.Cells.Item($intRow, 1) = $strShare
    $c.Cells.Item($intRow, 1).Font.Bold = $True
    $acl = Get-Acl $strShare
    $perm = $acl.Access
    foreach ($object in $perm)
    {
    $intRow = $intRow + 1
    $userName = [string]$object.IdentityReference
    $c.Cells.Item($intRow, 2) = $userName
    $c.Cells.Item($intRow, 3) = [string]$object.FileSystemRights
    $fullName = Get-QADUser $userName
    $c.Cells.Item($intRow, 4) = $fullName.Name
    }
    $intRow = $intRow + 1
    }
    $d.EntireColumn.AutoFit()

    Regards.

  7. [...] Before writing a script I always see if anyone has done this already and in this case yes, I stumbled upon http://www.peetersonline.nl/index.php/powershell/listing-share-permissions-for-remote-shares [...]

  8. jfrmilner says:

    Hugo, great script this really helped me out (http://wp.me/pFqJZ-2Z).
    Regards,
    jfrmilner

  9. CB says:

    Awesome script….Any way to get this to recurse 3 levels?

  10. marcin says:

    great script! you’re the man ;)

  11. RPS says:

    Thanks for showing me how to read/view share permissions!

  12. Nikolay says:

    Im sorry but I miss something and cant run the script, can you tell me step by step how to do it
    Thank you in advance

Leave a Reply