Listing share permissions for remote shares

Now that you can list shares, how about something a bit more challenging?

Let’s take a look at share permissions. I tried using subinacl.exe to get these for a remote share. But it turns out that it does not always give trustworthy results. It showed read permissions for a share with Read and Change permissions. And let’s not mention the single-string, Unicode output! What a nightmare!

Then I took one step back and issued the following command:

Get-WmiObject -ComputerName REMOTESERVER -List | Where { $_ -match "share" }

Turns out there is a WMI class called Win32_LogicalShareSecuritySetting that can help out!

Using Get-Member, I found the methods and properties I needed to make this work. And after some googling for the meaning of the AccessMask numbers, I was all done.

I have attached the script. Rename it to .ps1 and dot-source it, or paste it into your profile. Then give this command a try:


Oh, objects! I love PowerShell!

Get-MySharePermissions (rename to .ps1 or copy into profile)
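
An added example, not the attached script and not the author's code: one way to read share permissions through Win32_LogicalShareSecuritySetting, call GetSecurityDescriptor(), and translate the AccessMask numbers. The function name Get-RemoteShareAcl and the BroadTrustee flag (set for Everyone and Authenticated Users) are assumptions made for this sketch; it uses Get-WmiObject, as the post does, so it targets Windows PowerShell.

```powershell
# Added example; Get-RemoteShareAcl is a hypothetical name, not the attached script.
function Get-RemoteShareAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$ShareName = '*'
    )
    $aceTypes = 'Allow', 'Deny', 'Audit'             # Win32_ACE.AceType 0, 1, 2
    $broadSids = 'S-1-1-0', 'S-1-5-11'               # Everyone, Authenticated Users

    $settings = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
            -ComputerName $ComputerName -ErrorAction Stop |
        Where-Object { $_.Name -like $ShareName }

    foreach ($setting in $settings) {
        $result = $setting.GetSecurityDescriptor()
        if ($result.ReturnValue -ne 0) {
            Write-Warning "GetSecurityDescriptor failed on $($setting.Name): $($result.ReturnValue)"
            continue
        }
        foreach ($ace in @($result.Descriptor.DACL)) {
            if ($null -eq $ace) { continue }         # share with an empty or NULL DACL
            $trustee = $ace.Trustee
            $account = if ($trustee.Name) {
                (@($trustee.Domain, $trustee.Name) | Where-Object { $_ }) -join '\'
            } else { $trustee.SIDString }            # unresolved SID
            # Share-level masks behind the Read / Change / Full Control checkboxes
            $rights = switch ([int64]$ace.AccessMask) {
                1179817 { 'Read' }                   # 0x1200A9
                1245631 { 'Change' }                 # 0x1301BF
                2032127 { 'FullControl' }            # 0x1F01FF
                default { 'Special (0x{0:X})' -f $_ }
            }
            [pscustomobject]@{
                ComputerName = $ComputerName
                Share        = $setting.Name
                Account      = $account
                AceType      = $aceTypes[[int]$ace.AceType]
                Rights       = $rights
                AccessMask   = $ace.AccessMask
                BroadTrustee = $broadSids -contains $trustee.SIDString
            }
        }
    }
}

# Constructed usage: REMOTESERVER is the placeholder host name used in the post.
Get-RemoteShareAcl -ComputerName REMOTESERVER |
    Where-Object { $_.BroadTrustee -and $_.AceType -eq 'Allow' -and $_.Rights -ne 'Read' }
```

The final pipeline lists shares where a broad group is allowed more than Read, which is the usual first thing to review in a share audit.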

16 thoughts on “Listing share permissions for remote shares”

  1. Thanks, Hugo. I have copied this and will study it. However, I need to be able to set share permissions using PowerShell. I can use get-acl and set-acl for folder permissions. I am working on a script that creates a folder on a remote machine, then shares it (I can do that using WMI), but I need to set permissions.

  2. This is very helpful, thanks.

    Any chance you would do a post on how to use the SetSecurityDescriptor() method?

    Might you have any ideas why some (but not all) perfectly functioning, normal shares would not return anything with your script?

    • Hey Erich,
      Thanks for commenting! I don’t have too much time for creating new posts, unfortunately. If you don’t get any warning or errors, I have no clue why some of your shares are not returning results.

  3. Here is a script that can check permissions on remote shares. Unfortunately, you have to enter shares manually.

    # NAME: ACL on Shared folder
    # AUTHOR: Mladen
    # DATE : 01/12/2010
    # COMMENT: Check permissions on NTFS shared folder and send report to excel
    # REQUIREMENTS: QuestAD for PowerShell (Quest ActiveRoles), Excel, Access to share
    # shares.txt is file with shares in format \\server\share1

    #$erroractionpreference = "SilentlyContinue"
    # Create the Excel report and its header row
    $a = New-Object -comobject Excel.Application
    $a.visible = $True
    $b = $a.Workbooks.Add()
    $c = $b.Worksheets.Item(1)
    $c.Cells.Item(1,1) = "Share"
    $c.Cells.Item(1,2) = "Account"
    $c.Cells.Item(1,3) = "Permission"
    $c.Cells.Item(1,4) = "User Name"
    $d = $c.UsedRange
    $d.Interior.ColorIndex = 19
    $d.Font.ColorIndex = 11
    $d.Font.Bold = $True

    $intRow = 2

    $colShares = get-content shares.txt
    foreach ($strShare in $colShares)
    {
        # One bold row per share, then one row per access entry
        $c.Cells.Item($intRow, 1) = $strShare
        $c.Cells.Item($intRow, 1).Font.Bold = $True
        # Get-Acl on a UNC path returns the NTFS ACL of the shared folder
        $acl = Get-Acl $strShare
        $perm = $acl.Access
        foreach ($object in $perm)
        {
            $intRow = $intRow + 1
            $userName = [string]$object.IdentityReference
            $c.Cells.Item($intRow, 2) = $userName
            $c.Cells.Item($intRow, 3) = [string]$object.FileSystemRights
            # Resolve the account to its display name (Quest AD cmdlet)
            $fullName = Get-QADUser $userName
            $c.Cells.Item($intRow, 4) = $fullName.Name
        }
        $intRow = $intRow + 1
    }

