
Sometimes in IT, the hardest part of a task is figuring out the right tool for the job. And even then, you may run into situations where you can’t use your desired tool. Here’s an example pulled from a recent PowerShell forum post. In this article, we’ll learn how to configure share permissions with WMI and PowerShell.
The problem at hand is how to remove the Everyone group from share permissions, presumably across multiple servers or desktops. Life would certainly be easier if the shares had been created with the right permissions in the first place. With that said, circumstances change and the need to modify share permissions isn't that extraordinary. Fortunately, with PowerShell and the commands in the SMBShare module, this is very easy. I'll use a share on my Windows 8.1 desktop running PowerShell 4.0, but it's just as easy to use the cmdlets with remote computers.
It’s very easy to view permissions using Get-SMBShareAccess:
Listing share permissions. (Image Credit: Jeff Hicks)
Modifying share permissions (Image Credit: Jeff Hicks)
Listing WMI share properties (Image Credit: Jeff Hicks)
I'm testing locally, but this should all work remotely. If you look at all the object properties, you won't see anything for permissions or access. The class you need is actually called Win32_LogicalShareSecuritySetting. Let's get it for the test share.
Share security setting properties (Image Credit: Jeff Hicks)
What did we get? That doesn't look much better. This is where we need to turn to Get-Member and check some methods.
Logical share security setting methods (Image Credit: Jeff Hicks)
This looks promising. Let's try and get the security descriptor.
Getting the security descriptor (Image Credit: Jeff Hicks)
Hmmm. Looks like the descriptor property is a nested object. Let's dig deeper.
Expanding the security descriptor (Image Credit: Jeff Hicks)
Looking at the DACL, there appear to be two entries. Still digging.
Listing DACL entries (Image Credit: Jeff Hicks)
I'll come back to the AccessMask. The trustee appears to be yet one more object. See how far down the rabbit hole we're going?
Expanding the trustee (Image Credit: Jeff Hicks)
Finally, we reach something meaningful. Now that I know the property hierarchy, I can easily list the access control entries.
Listing access control entries (Image Credit: Jeff Hicks)
Before I show you how to remove the Everyone group, let's take a slight detour and look at the AccessMask. This is a bitwise value that indicates what type of access is allowed. You can decode this value by performing a series of bitwise operations. Here's a function I use to make this much easier.
Function ConvertFrom-AccessMask {
    [cmdletbinding()]
    Param (
        [Parameter(Position=0,Mandatory,HelpMessage="Enter an AccessMask",
        ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [ValidateNotNullorEmpty()]
        [uint32]$AccessMask,
        [switch]$AsString
    )

    Begin {
        Write-Verbose "Starting $($MyInvocation.Mycommand)"
    } #begin

    Process {
        Write-Verbose "Decoding $Accessmask"
        #collect the names of every right whose bit is set in the mask
        $AccessMaskDecode = @()
        If ($AccessMask -bAnd 1048576) {$AccessMaskDecode += "Synchronize"}
        If ($AccessMask -bAnd 524288)  {$AccessMaskDecode += "WriteOwner"}
        If ($AccessMask -bAnd 262144)  {$AccessMaskDecode += "WriteACL"}
        If ($AccessMask -bAnd 131072)  {$AccessMaskDecode += "ReadSecurity"}
        If ($AccessMask -bAnd 65536)   {$AccessMaskDecode += "Delete"}
        If ($AccessMask -bAnd 256)     {$AccessMaskDecode += "WriteAttrib"}
        If ($AccessMask -bAnd 128)     {$AccessMaskDecode += "ReadAttrib"}
        If ($AccessMask -bAnd 64)      {$AccessMaskDecode += "DeleteDir"}
        If ($AccessMask -bAnd 32)      {$AccessMaskDecode += "Execute"}
        If ($AccessMask -bAnd 16)      {$AccessMaskDecode += "WriteExtAttrib"}
        If ($AccessMask -bAnd 8)       {$AccessMaskDecode += "ReadExtAttrib"}
        If ($AccessMask -bAnd 4)       {$AccessMaskDecode += "Append"}
        If ($AccessMask -bAnd 2)       {$AccessMaskDecode += "Write"}
        If ($AccessMask -bAnd 1)       {$AccessMaskDecode += "Read"}

        If ($AsString) {
            #join the result as a comma separated string
            Write-Verbose "Writing result as a string"
            $AccessMaskDecode -join ","
        }
        else {
            #write the result to the pipeline
            Write-Verbose "Writing result as an array"
            $AccessMaskDecode
        }
    } #process

    End {
        Write-Verbose "Ending $($MyInvocation.Mycommand)"
    } #end
} #close ConvertFrom-AccessMask
The default behavior is to display an array of access rights, or you can display it as a string. Here’s a revised version of my previous command.
Displaying a decoded access mask (Image Credit: Jeff Hicks)
Let's get back to the problem at hand. If you recall when we looked at methods for the security setting object, there was one for setting it. The method needs a parameter value for the new security descriptor object. So let's create one by essentially getting all the current entries except for the one that matches the Everyone group.
Revised DACL with a single entry (Image Credit: Jeff Hicks)
I'll get the current security descriptor.
Assign a new value to the DACL to reflect my revised changes.
Finally, I can apply the new security descriptor.
Applying a new security descriptor (Image Credit: Jeff Hicks)
A ReturnValue of 0 indicates the operation was successful. Anything else and you'd have to check the MSDN documentation for SetSecurityDescriptor(). The change is immediate, which I can verify with Get-SMBShareAccess.
Verifying the new share permissions (Image Credit: Jeff Hicks)
If you wanted, you could probably distill everything down to a scriptblock like this:
Note that when you invoke methods like this, you don't have the ability to take advantage of parameters like WhatIf and Confirm. You could rewrite my examples using Invoke-WMIMethod, but know that it will take several steps. Don't try to cram all of this into a single pipelined expression. It should go without saying that you will need to build your own tool for the task at hand and test thoroughly in a non-production environment.
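As an added example (not Jeff's code from the article), here is the whole procedure, from the Win32_LogicalShareSecuritySetting walk above to the SetSecurityDescriptor() call, wrapped in a function that supports -WhatIf and -Confirm and refuses to write an empty DACL. The function name and parameters are my own; it matches Everyone by its well-known SID S-1-1-0 rather than the display name, and it assumes WMI access to the target computer.

```powershell
Function Remove-ShareEveryoneAccess {
    # Hypothetical wrapper (not from the article): removes the Everyone ACE from a
    # share's own DACL, with -WhatIf/-Confirm support and a guard against an empty DACL.
    [cmdletbinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    Param (
        [Parameter(Position = 0, Mandatory)]
        [string]$Name,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Share-level security lives in Win32_LogicalShareSecuritySetting, not Win32_Share.
    # WQL escapes a literal single quote with a backslash.
    $filter  = "Name='{0}'" -f ($Name -replace "'", "\'")
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
                             -ComputerName $ComputerName -Filter $filter
    if (-not $setting) { throw "Share '$Name' not found on $ComputerName" }

    # Same property walk as the article: GetSecurityDescriptor() -> Descriptor -> DACL -> Trustee
    $sd = $setting.GetSecurityDescriptor().Descriptor

    # Match Everyone by its well-known SID S-1-1-0 rather than the localizable name
    $everyone = @($sd.DACL | Where-Object { $_.Trustee.SIDString -eq 'S-1-1-0' })
    $keep     = @($sd.DACL | Where-Object { $_.Trustee.SIDString -ne 'S-1-1-0' })

    if ($everyone.Count -eq 0) {
        Write-Verbose "No Everyone entry on \\$ComputerName\$Name; nothing to do"
        return
    }
    if ($keep.Count -eq 0) {
        # An empty DACL grants nobody access; refuse rather than lock everyone out of the share
        throw "Removing Everyone would leave \\$ComputerName\$Name with no access entries"
    }

    foreach ($ace in $everyone) {
        # AceType 0 is an allow entry, 1 is a deny entry; AccessMask is the bitwise rights value
        Write-Verbose ("Removing ACE: AceType={0} AccessMask={1}" -f $ace.AceType, $ace.AccessMask)
    }

    if ($PSCmdlet.ShouldProcess("\\$ComputerName\$Name", "Remove Everyone from share permissions")) {
        $sd.DACL = $keep
        $result  = $setting.SetSecurityDescriptor($sd)
        if ($result.ReturnValue -ne 0) {
            throw "SetSecurityDescriptor returned $($result.ReturnValue)"
        }
        # Confirm the change with the SMBShare cmdlet, as the article does
        Get-SmbShareAccess -Name $Name -CimSession $ComputerName
    }
}
```

Because ConfirmImpact is High, the function prompts before writing unless you pass -Confirm:$false, and -WhatIf reports the share it would change without touching it. The final Get-SmbShareAccess call uses a CIM session, so the target (including the local machine) needs WinRM enabled for that verification step.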
Copyright ©2019 BWW Media Group