PowerShell for Windows Admins

May 18 2014   5:16AM GMT

Share Permissions – changing

Richard Siddaway

PowerShell v3

So far you’ve seen how to read, remove and add permissions to a share. The final scenario to be covered is modifying an existing permission.

The functions I’ve presented to date only enable you to set Allow permissions on a share. I’ll be covering Deny permissions in later posts. This mimics the way that I tend to develop functionality – get part of it working, then add more in increments until you have what you need.

For now, this function will enable you to modify permissions on a share:

#requires -Version 3.0

function Set-SharePermission {
    param (
        [string]$sharename,
        [string]$trusteeName,
        [string]$domain = $env:COMPUTERNAME,
        [ValidateSet("Read", "Change", "FullControl")]
        [string]$permission = "Read",
        [string]$computername = $env:COMPUTERNAME
    )

    # map the friendly permission name to the share access mask
    switch ($permission) {
        'Read'        {$accessmask = 1179817}
        'Change'      {$accessmask = 1245631}
        'FullControl' {$accessmask = 2032127}
    }

    # build the trustee (the account the permission applies to)
    $tclass = [wmiclass]"\\$computername\root\cimv2:Win32_Trustee"
    $trustee = $tclass.CreateInstance()
    $trustee.Domain = $domain
    $trustee.Name = $trusteeName

    # build the new Allow ACE (AceType 0 = Allow) for that trustee
    $aclass = [wmiclass]"\\$computername\root\cimv2:Win32_ACE"
    $ace = $aclass.CreateInstance()
    $ace.AccessMask = $accessmask
    $ace.AceFlags = 0
    $ace.AceType = 0
    $ace.Trustee = $trustee

    # read the share's current security descriptor
    $shss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$sharename'" -ComputerName $computername
    $sd = Invoke-WmiMethod -InputObject $shss -Name GetSecurityDescriptor |
        select -ExpandProperty Descriptor

    # start a new descriptor with the same control flags as the old one
    $sclass = [wmiclass]"\\$computername\root\cimv2:Win32_SecurityDescriptor"
    $newsd = $sclass.CreateInstance()
    $newsd.ControlFlags = $sd.ControlFlags

    # copy the old ACEs across, dropping any that belong to the trustee being changed
    foreach ($oace in $sd.DACL){
        if (($oace.Trustee.Name -eq $trusteeName) -AND ($oace.Trustee.Domain -eq $domain) ) {
            continue
        }
        else {
            $newsd.DACL += $oace
        }
    }

    # append the replacement ACE
    $newsd.DACL += $ace

    # write the new descriptor back to the share
    $share = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$sharename'" -ComputerName $computername
    Invoke-WmiMethod -InputObject $share -Name SetSecurityDescriptor -ArgumentList $newsd

} # end function


If you compare this to Add-SharePermission and Remove-SharePermission you’ll see that Set-SharePermission is really the Add-SharePermission function with the code that adds the old ACEs to the new DACL modified to be similar to Remove-SharePermission:

if (($oace.Trustee.Name -eq $trusteeName) -AND ($oace.Trustee.Domain -eq $domain) ) {
    continue
}
else {
    $newsd.DACL += $oace
}

The code loops through the old ACEs and, as long as the name AND domain don’t match the trustee whose permissions you’re changing, they’re added to the new DACL. In other words, the old permissions for the trustee are removed from the DACL before the new ACE is appended.
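Because the function replaces every ACE for the trustee rather than editing one in place, it is worth checking the result afterwards. The following Test-SharePermission function is an added example, not code from the original post; it reads the share's DACL back and reports whether the trustee ends up with exactly one Allow ACE carrying the expected access mask (the mask values are the same ones the post uses).

```powershell
#requires -Version 3.0
# Added example (hypothetical helper): verify a share's DACL after Set-SharePermission
function Test-SharePermission {
    param (
        [Parameter(Mandatory)][string]$sharename,
        [Parameter(Mandatory)][string]$trusteeName,
        [string]$domain = $env:COMPUTERNAME,
        [ValidateSet("Read", "Change", "FullControl")]
        [string]$permission = "Read",
        [string]$computername = $env:COMPUTERNAME
    )

    # access masks as used by Set-SharePermission
    $masks = @{ Read = 1179817; Change = 1245631; FullControl = 2032127 }
    $expected = $masks[$permission]

    $shss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$sharename'" -ComputerName $computername
    if (-not $shss) { throw "Share '$sharename' not found on $computername" }
    $sd = (Invoke-WmiMethod -InputObject $shss -Name GetSecurityDescriptor).Descriptor

    # only the ACEs that belong to this trustee (same match Set-SharePermission uses)
    $aces = @($sd.DACL | Where-Object { $_.Trustee.Name -eq $trusteeName -and $_.Trustee.Domain -eq $domain })

    # AceType 0 = Allow, 1 = Deny; a leftover Deny or a duplicate ACE shows up here
    [PSCustomObject]@{
        Share      = $sharename
        Trustee    = "$domain\$trusteeName"
        AceCount   = $aces.Count
        AllowMasks = @($aces | Where-Object { $_.AceType -eq 0 } | ForEach-Object { $_.AccessMask })
        DenyMasks  = @($aces | Where-Object { $_.AceType -eq 1 } | ForEach-Object { $_.AccessMask })
        AsExpected = ($aces.Count -eq 1 -and $aces[0].AceType -eq 0 -and $aces[0].AccessMask -eq $expected)
    }
}

# usage: Test-SharePermission -sharename 'Data' -trusteeName 'Alice' -permission Change
```

AsExpected is $false if the trustee still has more than one ACE, a Deny ACE, or a mask other than the one requested, which is the quickest way to spot a change that did not take effect.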

