PowerShell for Windows Admins

May 15 2014   1:40PM GMT

Share Permissions – getting

Richard Siddaway

I’ve written about working with share permissions a couple of times but a post on the forum (powershell.org) got me thinking about it again. This time I’m going to use the CIM cmdlets rather than the WMI cmdlets I’ve used in the past.

My test machine has a test share called Test2April so that’s what we’ll work with. The first job is to understand the permissions assigned to the share. There are 3 possibilities for share permissions:

Read

Change

Full control

I assigned these to distinct users – Everyone, ChangeUser and FullUser respectively.

Discovering the permissions can be performed using this function:

#requires -Version 3.0

function Get-SharePermission {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [string]$sharename,

        [string]$computername = $env:COMPUTERNAME
    )

    # Security settings object for the named share
    $shss = Get-CimInstance -ClassName Win32_LogicalShareSecuritySetting -Filter "Name='$sharename'" -ComputerName $computername

    # The security descriptor returned by the method holds the share's DACL
    $sd = Invoke-CimMethod -InputObject $shss -MethodName GetSecurityDescriptor |
        Select-Object -ExpandProperty Descriptor

    foreach ($ace in $sd.DACL) {
        # Map the three standard share permissions; anything else is Special
        switch ($ace.AccessMask) {
            1179817 {$permission = 'Read'}
            1245631 {$permission = 'Change'}
            2032127 {$permission = 'FullControl'}
            default {$permission = 'Special'}
        }

        # The trustee can be a user or a group
        $trustee = $ace.Trustee
        $user = "$($trustee.Domain)\$($trustee.Name)"

        $props = [ordered]@{
            User = $user
            Permissions = $permission
        }

        New-Object -TypeName PSObject -Property $props
    } # end foreach
} # end function

 

The function takes a mandatory parameter of the share name with an optional parameter of computername that defaults to the local machine.

Use the Win32_LogicalShareSecuritySetting class to get the security information. The security descriptor is retrieved using its GetSecurityDescriptor method. The security descriptor stores the DACL for the share.

Each ACE in the DACL is interrogated to determine its access mask and the trustee associated with that permission. I’ve given the access mask for the 3 common permissions (Read, Change, Full Control) – anything else is listed as special. You can use the techniques in technique 51 from PowerShell and WMI or download my PAM module from codeplex (http://psam.codeplex.com/) and use Get-ShareAccessMask.

The domain and name of the trustee are put into the $user variable – it could just as easily be a group that comes through.

Create an ordered hash table with the results and output as an object.

The output will look something like this:

£> Get-SharePermission -sharename Test2April | ft -AutoSize

User                     Permissions
----                     -----------
RSsurfacePro2\ChangeUser Change
\Everyone                Read
RSsurfacePro2\FullUser   FullControl
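The function above reports any non-standard mask as Special and does not look at the ACE type, so a deny entry reads the same as a grant. The following added example (not from the original post or the PSAM module) breaks an access mask into its individual rights and shows the ACE type alongside. ConvertFrom-ShareAccessMask, the short right names and the sample ACEs are constructed for illustration; the bit values and AceType codes are the standard Win32_ACE ones.

```powershell
#requires -Version 3.0
# Added example: ConvertFrom-ShareAccessMask and $sampleDacl are hypothetical names.

# Bit values of the access rights carried in Win32_ACE.AccessMask
$ShareRights = [ordered]@{
    ReadData        = 0x1
    WriteData       = 0x2
    AppendData      = 0x4
    ReadEA          = 0x8
    WriteEA         = 0x10
    Execute         = 0x20
    DeleteChild     = 0x40
    ReadAttributes  = 0x80
    WriteAttributes = 0x100
    Delete          = 0x10000
    ReadControl     = 0x20000
    WriteDac        = 0x40000
    WriteOwner      = 0x80000
    Synchronize     = 0x100000
}
# Win32_ACE.AceType codes
$AceTypes = @{ 0 = 'Allow'; 1 = 'Deny'; 2 = 'Audit' }

function ConvertFrom-ShareAccessMask {
    param (
        [Parameter(Mandatory=$true)]
        [uint32]$AccessMask
    )
    # Emit the name of every right whose bit is set in the mask
    $ShareRights.GetEnumerator() |
        Where-Object { $AccessMask -band $_.Value } |
        ForEach-Object { $_.Key }
}

# Constructed sample ACEs (not output from a real machine)
$sampleDacl = @(
    [pscustomobject]@{ Trustee = 'Everyone';   AceType = 0; AccessMask = 1179817 }  # Read
    [pscustomobject]@{ Trustee = 'ChangeUser'; AceType = 0; AccessMask = 1245631 }  # Change
    [pscustomobject]@{ Trustee = 'TempUser';   AceType = 1; AccessMask = 2032127 }  # Full control, denied
    [pscustomobject]@{ Trustee = 'OddUser';    AceType = 0; AccessMask = 1179819 }  # Read + WriteData: 'Special'
)

foreach ($ace in $sampleDacl) {
    [pscustomobject]@{
        User   = $ace.Trustee
        Type   = $AceTypes[[int]$ace.AceType]
        Mask   = '0x{0:X}' -f $ace.AccessMask
        Rights = (ConvertFrom-ShareAccessMask -AccessMask $ace.AccessMask) -join ', '
    }
}
```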

 

 
