
I have written a script to remove the Everyone permission and add the Authenticated Users permissions for the Net share.

But my script is removing it and adding the Authenticated Users, but it is only performing the action for the root folders, not for the subfolders inside the root folder, and I need to get that permission as inherited from the parent.

And I just want to know like my script is excluding the shares which for ('Remote Admin', 'Default share', 'Remote IPC', 'Printer Drivers')

It would be great if someone can please help me achieve this...

    $ScriptBlock = {
        "Executing on {0}" -f $env:COMPUTERNAME
        # Regex of share names to skip (administrative shares)
        $ExclusionList = 'ADMIN\$','IPC\$' -join '|'
        # Skip the excluded names and any share whose path is a drive root (e.g. C:\)
        $Shares = Get-SmbShare | Where-Object -Property Name -notmatch $ExclusionList | Where-Object -Property Path -notmatch '^\w:\\$'
        "Analyzing these shares...."
        $Shares
        foreach ($Share in $Shares) {
            # Share-level ACL entry for Everyone, if one exists
            $Everyone = Get-SmbShareAccess $Share.Name | Where-Object -Property AccountName -eq Everyone
            if ($Everyone) {
                # These cmdlets change the share ACL only, not the NTFS ACL of the folder
                Revoke-SmbShareAccess $Share.Name -AccountName 'Everyone' -Force
                Grant-SmbShareAccess $Share.Name -AccountName 'Authenticated Users' -AccessRight FullControl -Force
                "Share {0} has been updated." -f $Share.Name
            }
        }
        "Complete"
    }

    # One server name per line
    $ComputerList = Get-Content "C:\users\a-lchandrakanthredd\Desktop\Test\Servers.txt"

    Invoke-Command -ComputerName $ComputerList -ScriptBlock $ScriptBlock

Thanks In Advance.

  • Note that Microsoft recommends setting share level security for all shares to Everyone - Full Control, but then to lock down the filesystem permissions for that directory. Share permissions are only useful to narrow the filesystem permissions; they cannot widen them (give the user more access than they have to the underlying directory). The reason for this is that share permissions exist in the registry, but filesystem permissions exist in the filesystem itself, so a backup of a disk will still have those permissions, but share permissions rely on the OS, and can't be restored separately. Commented Nov 16, 2021 at 16:12

1 Answer

It looks like you want to exclude "special" system shares, and I'll guess non-fileshare types like printers as well. Try something like this:

    # Get the local smb share folder objects and permissions
    $Shares = Get-SmbShare -Special $false |
        Where-Object {$_.ShareType -eq 'FileSystemDirectory' -and $_.Name -notin 'print$','prnproc$'}

As Frank mentions in their comment, be careful when dealing with SMB share permissions versus NTFS filesystem permissions.

SMB share permissions are only set on the share object itself, and not subfolders. The access rights apply to all the actions done by a user connecting to that share, and combine with file system permissions in a least-permissive model.

SMB share permissions do not show up if you check the properties of a folder or do Get-ACL. One reason for this is that a folder could be shared multiple ways. For example, you could share c:\shared\ with read-only access through \\Server\Share\, but still access it with admin permissions using \\Server\C$\shared\.

If you do want to set filesystem permissions, then you'll want to look into the Get-ACL/Set-ACL commands.
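
As an added example (not part of the original answer), here is one way to make the equivalent change at the NTFS level with Get-Acl/Set-Acl so that subfolders pick it up as inherited from the share root. The function name `Set-ShareFolderAcl`, the `Modify` rights level and the dry-run call are assumptions for illustration.

```powershell
# Added example, not from the original post. The function name, the default
# rights level (Modify) and the -WhatIf dry run are assumptions.
function Set-ShareFolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )

    # Well-known SIDs avoid problems with localized account names.
    $everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # Everyone
    $authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'  # Authenticated Users

    # Same share filter as in the answer above.
    $shares = Get-SmbShare -Special $false |
        Where-Object { $_.ShareType -eq 'FileSystemDirectory' -and $_.Name -notin 'print$','prnproc$' }

    foreach ($share in $shares) {
        $acl = Get-Acl -LiteralPath $share.Path

        # Only explicit (non-inherited) Everyone entries on the share root can be removed here.
        $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $everyone.Value }
        if (-not $explicit) { continue }

        $acl.PurgeAccessRules($everyone)

        # ContainerInherit + ObjectInherit: subfolders and files receive this
        # entry as "inherited from parent" instead of needing their own copy.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $authUsers, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)

        if ($PSCmdlet.ShouldProcess($share.Path, 'Replace Everyone with Authenticated Users (NTFS)')) {
            Set-Acl -LiteralPath $share.Path -AclObject $acl
            'NTFS ACL on {0} (share {1}) updated.' -f $share.Path, $share.Name
        }
    }
}

# Dry run: lists the folders that would change. Remove -WhatIf to apply.
Set-ShareFolderAcl -WhatIf
```

Subfolders that have inheritance disabled, or that carry their own explicit Everyone entries, are not changed by this and need a separate review.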
