PowerShell for Windows Admins

May 17 2014   7:02AM GMT

Share Permissions – Removing

Richard Siddaway

PowerShell v3

You've seen how to read share permissions and how to add share permissions; now it's time to remove share permissions. Most of the code we need is already in the Add-SharePermission function. It just needs a small tweak: instead of copying every ACE into the new descriptor and appending one, we copy every ACE except the one we want gone.

#requires -Version 3.0

function Remove-SharePermission {
    param (
        [Parameter(Mandatory=$true)]
        [string]$sharename,

        [Parameter(Mandatory=$true)]
        [string]$trusteeName,

        [string]$domain = $env:COMPUTERNAME,

        [ValidateSet("Read", "Change", "FullControl")]
        [string]$permission = "Read",

        [string]$computername = $env:COMPUTERNAME
    )

    # Translate the friendly permission name into the access mask stored in the ACE
    switch ($permission) {
        'Read'        {$accessmask = 1179817}
        'Change'      {$accessmask = 1245631}
        'FullControl' {$accessmask = 2032127}
    }

    # Fetch the share's security settings and its current security descriptor
    $shss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$sharename'" -ComputerName $computername
    if (-not $shss) { throw "Share '$sharename' not found on $computername" }

    $sd = Invoke-WmiMethod -InputObject $shss -Name GetSecurityDescriptor |
          select -ExpandProperty Descriptor

    # Create an empty descriptor to rebuild into and carry the control flags across
    $sclass = [wmiclass]"\\$computername\root\cimv2:Win32_SecurityDescriptor"
    $newsd = $sclass.CreateInstance()
    $newsd.ControlFlags = $sd.ControlFlags

    # Copy every ACE except those matching the trustee, domain and access mask
    foreach ($oace in $sd.DACL){
        if (($oace.Trustee.Name -eq $trusteeName) -and ($oace.Trustee.Domain -eq $domain) -and ($oace.Accessmask -eq $accessmask)) {
            # this is the ACE being removed - leave it out of the new DACL
        }
        else {
            $newsd.DACL += $oace
        }
    }

    # Apply the rebuilt descriptor to the share; ReturnValue 0 means success
    $share = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$sharename'" -ComputerName $computername
    $result = $share.SetSecurityDescriptor($newsd)
    if ($result.ReturnValue -ne 0) {
        Write-Error "SetSecurityDescriptor on '$sharename' failed with return value $($result.ReturnValue)"
    }

} # end function

The function uses the same parameters as Add-SharePermission: a mandatory share name and trustee name, the permission to remove (Read, Change or FullControl, defaulting to Read) and optional computer and domain names. The switch statement converts the permission name into the numeric access mask carried by the ACE.

Use Get-WmiObject to fetch the Win32_LogicalShareSecuritySetting instance for the share, call its GetSecurityDescriptor method to get the current descriptor, and use [wmiclass] to create an empty Win32_SecurityDescriptor to build the replacement in.

Copy the control flags and all of the ACEs except any that match the trustee name, domain and permission you want to remove. The comparison is on the exact access mask, so asking to remove Read from a trustee that holds Change leaves the Change ACE in place; the domain must match too, so built-in trustees such as Everyone, whose domain is empty, will not match a domain name.

Use SetSecurityDescriptor to apply the new descriptor. Check its ReturnValue (0 is success) and read the permissions back afterwards: a trustee, domain or permission that matched nothing leaves the share exactly as it was, and if the ACE you removed was the last one, check who can still reach the share before relying on it.
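The following is an added example and is not code from the original post. It exercises the ACE-matching rule that Remove-SharePermission applies, first offline against constructed ACE objects (so it runs on any machine without touching a share), and then wraps the post's function in a remove-and-verify step for a live share. Test-AceMatch, Get-ShareAce, Remove-SharePermissionVerified, the share name Data and the account CONTOSO\alice are this example's own placeholders; the live part assumes Remove-SharePermission from the post has already been loaded into the session.

```powershell
#requires -Version 3.0
# Added example (not from the original post). Placeholders: Test-AceMatch,
# Get-ShareAce, Remove-SharePermissionVerified, share 'Data', account CONTOSO\alice.

# Access masks used by the post's Add-/Remove-SharePermission functions
$AccessMasks = @{ Read = 1179817; Change = 1245631; FullControl = 2032127 }

# The predicate Remove-SharePermission applies to each ACE in the DACL:
# trustee name, trustee domain and the exact access mask must all match.
function Test-AceMatch {
    param ($Ace, [string]$TrusteeName, [string]$Domain, [int]$AccessMask)
    ($Ace.Trustee.Name -eq $TrusteeName) -and
    ($Ace.Trustee.Domain -eq $Domain) -and
    ($Ace.AccessMask -eq $AccessMask)
}

# Constructed stand-in for $sd.DACL as returned by GetSecurityDescriptor.
# AceType 0 = access allowed, 1 = access denied (the encoding WMI uses).
$dacl = @(
    [pscustomobject]@{ Trustee = [pscustomobject]@{ Name = 'Everyone'; Domain = $null }
                       AccessMask = $AccessMasks.Read;   AceType = 0 }
    [pscustomobject]@{ Trustee = [pscustomobject]@{ Name = 'alice'; Domain = 'CONTOSO' }
                       AccessMask = $AccessMasks.Change; AceType = 0 }
    [pscustomobject]@{ Trustee = [pscustomobject]@{ Name = 'alice'; Domain = 'CONTOSO' }
                       AccessMask = $AccessMasks.Read;   AceType = 1 }
)

# Removing "Change" for CONTOSO\alice keeps the other two ACEs, including alice's
# deny ACE for Read: the mask is compared exactly, so nothing broader or narrower
# than the requested permission is touched.
$kept = @($dacl | Where-Object { -not (Test-AceMatch $_ 'alice' 'CONTOSO' $AccessMasks.Change) })
"Offline check - ACEs before: $($dacl.Count), after: $($kept.Count)"
$kept | Format-Table @{n='Trustee'; e={ "$($_.Trustee.Domain)\$($_.Trustee.Name)" }}, AccessMask, AceType -AutoSize

# Read the DACL of a live share the same way the post does
function Get-ShareAce {
    param ([string]$ShareName, [string]$ComputerName = $env:COMPUTERNAME)
    $shss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'" -ComputerName $ComputerName
    if (-not $shss) { throw "Share '$ShareName' not found on $ComputerName" }
    @((Invoke-WmiMethod -InputObject $shss -Name GetSecurityDescriptor).Descriptor.DACL)
}

# Remove a permission and compare the DACL before and after, so that a trustee,
# domain or permission that matched nothing is reported instead of silently
# leaving the share unchanged. Requires rights to alter the share.
function Remove-SharePermissionVerified {
    param ([string]$ShareName, [string]$TrusteeName, [string]$Domain = $env:COMPUTERNAME,
           [string]$Permission = 'Read', [string]$ComputerName = $env:COMPUTERNAME)

    $before = Get-ShareAce -ShareName $ShareName -ComputerName $ComputerName
    Remove-SharePermission -sharename $ShareName -trusteeName $TrusteeName -domain $Domain `
                           -permission $Permission -computername $ComputerName
    $after = Get-ShareAce -ShareName $ShareName -ComputerName $ComputerName

    if ($after.Count -eq $before.Count) {
        Write-Warning "No ACE was removed from '$ShareName'; check trustee name, domain and permission"
    }
    if ($after.Count -eq 0) {
        Write-Warning "'$ShareName' has no ACEs left; verify who can still reach it before relying on it"
    }
    $after | Format-Table @{n='Trustee'; e={ "$($_.Trustee.Domain)\$($_.Trustee.Name)" }}, AccessMask, AceType -AutoSize
}
```

The offline part runs as-is and prints two ACEs for the constructed DACL. For a real share, run `Remove-SharePermissionVerified -ShareName Data -TrusteeName alice -Domain CONTOSO -Permission Change` from an elevated session; the before/after count is the check that the combination you typed actually matched an ACE. On Windows 8 / Server 2012 and later the SmbShare module's `Revoke-SmbShareAccess -Name Data -AccountName 'CONTOSO\alice'` removes a trustee's allow ACE without building a descriptor by hand; the WMI approach in this post is what you need on Windows 7 / Server 2008 R2, where that module does not exist.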

1  Comment on this Post

  • BenoitDrapeau
    Thanks for the post but the following line is missing the -computerName parameter:

    $share = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$sharename'"

    It should be:

    $share = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -computerName $computername -Filter "Name='$sharename'"
