Listing share permissions for remote shares

Now that you can list shares, how about something a bit more challenging?

Let’s take a look at share permissions. I tried using subinacl.exe to get these for a remote share. But it turns out that it does not always give trustworthy results. It showed read permissions for a share with Read and Change permissions. And let’s not mention the single-string, unicode output! What a nightmare!

Then I took one step back and issued the following command:

Get-WmiObject -ComputerName REMOTESERVER -List | Where { $_ -match “share” }

Turns out there is a WMI class called Win32_LogicalShareSecuritySetting that can help out!

Using Get-Member, I found the methods and properties I needed to make this work. And after some googling for the meaning of the AccessMask numbers, I was all done.

I have attached the script. Rename it to .ps1 and dot-source it, or paste it into your profile. Then give this command a try:


Oh, objects! I love Powershell!

Get-MySharePermissions (rename to .ps1 or copy into profile)

17 thoughts on “Listing share permissions for remote shares”

  1. Thanks, Hugo. I have copied this and will study it. However, I need to be able to set share permissions using powershell. I can use get-acl and set-acl for folder permissions. I am working on a script that creates a folder on a remote machine, then shares it (I can do that using WMI), but I need to set permissions.

  2. This is very helpful, thanks.

    Any chance you would do a post on how to use the SetSecurityDescriptor() method?

    Might you have any ideas why some (but not all) perfectly functioning, normal shares would not return anything with your script?

    1. Hey Erich,
      Thanks for commenting! I don’t have too much time for creating new posts, unfortunately. If you don’t get any warning or errors, I have no clue why some of your shares are not returning results.

  3. Here is a script that can check permissions on remote shares. Unfortunately you have to enter shares manualy.

    # NAME: ACL on Shared folder
    # AUTHOR: Mladen
    # DATE : 01/12/2010
    # COMMENT: Check permissions on NTFS shared folder and send report to excel
    # REQUIREMENTS: QuestAD for PowerShell (Quest ActiveRoles), Excel, Acces to share
    # shares.txt is file with shares in format \\server\share1

    #$erroractionpreference = “SilentlyContinue”
    $a = New-Object -comobject Excel.Application
    $a.visible = $True
    $b = $a.Workbooks.Add()
    $c = $b.Worksheets.Item(1)
    $c.Cells.Item(1,1) = “Share”
    $c.Cells.Item(1,2) = “Account”
    $c.Cells.Item(1,3) = “Permission”
    $c.Cells.Item(1,4) = “User Name”
    $d = $c.UsedRange
    $d.Interior.ColorIndex = 19
    $d.Font.ColorIndex = 11
    $d.Font.Bold = $True

    $intRow = 2

    $colShares = get-content shares.txt
    foreach ($strShare in $colShares)
    $c.Cells.Item($intRow, 1) = $strShare
    $c.Cells.Item($intRow, 1).Font.Bold = $True
    $acl = Get-Acl $strShare
    $perm = $acl.Access
    foreach ($object in $perm)
    $intRow = $intRow + 1
    $userName = [string]$object.IdentityReference
    $c.Cells.Item($intRow, 2) = $userName
    $c.Cells.Item($intRow, 3) = [string]$object.FileSystemRights
    $fullName = Get-QADUser $userName
    $c.Cells.Item($intRow, 4) = $fullName.Name
    $intRow = $intRow + 1


  4. Hi, I ‘m using both your scripts get-myshare AND permissions to take all NAS Shares with permissions but I couldn’t make them work together.

    So I’m firstly taking the list of shares with Get-MyShare
    Get-MyShares bos2-nassvr | select __SERVER, Caption

    and than I’m proccessing in excel than I’m taking permission lists one by one to csv file.

    But I was wandering is there any way to add Server Name and Share name to permission list.

    OR it would be perfect to make such script wich takes all share names and log their permissions in csv file. Most of people needs such script because of security reasonsI tried to combine your scripts but I couldn’t 🙁

Leave a Reply