The cmdlet Get-ACL is very capable when it comes to NTFS permissions, but it cannot read share permissions. This function makes an effort to provide a simple way to return share security (and other information) from a share.

The function makes use of two WMI Classes, Win32_Share and Win32_LogicalShareSecuritySetting. To simplify enumeration each Access Control Entry found within the shares Discretionary Access Control List is converted to a FileSystemAccessRule before being added to the Access object, allowing the access to be displayed in a similar way to Access from Get-ACL.

Security information is only returned for shares of type 0, standard shared folders. Security for automatically generated administrative shares will not show. Access is added to the remainder of the information returned by Win32_Share. The Control Flags for the security descriptor are available, but not interesting as they are set to DiscretionaryAclPresent and SelfRelative.

The function accepts two parameters, the name of the share, and optionally the name of a computer. With no parameters, information for all shares on the computer is returned. WQL wildcards are supported (% and _) within the share name.

Get-ShareACL

Example

[code lang=”plain”]
PS C:> Get-ShareACL Test

Name : Test
Path : C:Test
Description :
Caption : Test
Type : Disk Drive
MaximumAllowed :
AllowMaximum : True
Status : OK
InstallDate :
Access : {System.Security.AccessControl.FileSystemAccessRule}

PS C:> (Get-ShareACL Test).Access

FileSystemRights : ReadAndExecute
AccessControlType : Allow
IdentityReference : somedomainchrisdent
IsInherited : False
InheritanceFlags : None
PropagationFlags : None

6 Comments

  1. Pingback: Kleine Tipps für Zwischendurch (Teil 13) – Umgang mit UNC-Pfaden « Peter’s PowerShell Blog (German only)

  2. Justin McAlister

    Hi Chris,

    I have been trying to do something similar, and was wondering if you came up with the same results. So with share level permissions there are really only 3 levels of access granting Read, Change, and Full Control. So I put this together and it reports against those 3 without any issues:

    Please excuse the ugly formatting, and I am sure there is a far better way to do it, but my issue is with implicitly denied share permissions. The .AccessMask property value for allow full control appears to be the same as deny full control. Same with read and change. Now it’s a rare case where I come acrossed deny share permissions, but it’s possible.

    I was wondering if you has the same issue with your function. This is omnipower321 from EE by the way. You have answered a ton of my questions, and I am a fan of your site.

    Reply

    • My function cheats a little, passing the values from the ACE into the constructor for Security.AccessControl.FileSystemAccessRule. You’re spot on with the access mask value behaviour. To finish it off you need to read the AceType, that’ll tell you if it’s Allow or Deny.

      Chris

      Reply

  3. Justin McAlister

    Got it! Thank you very much.

    Reply

  4. Mladen Milunovic

    Hi, here is a script that list NTFS permissions for remote shares. Only thing is you have to enter shares manualy in to text file.
    [code lans=”ps”]
    #==========================================================================
    # NAME: ACL on Shared folder
    # AUTHOR: Mladen
    # DATE : 01/12/2010
    # COMMENT: Check permissions on NTFS shared folder and send report to excel
    # REQUIREMENTS: QuestAD for PowerShell (Quest ActiveRoles), Excel, Acces to share
    # shares.txt is file with shares in format servershare1
    #==========================================================================

    #$erroractionpreference = "SilentlyContinue"
    $a = New-Object -comobject Excel.Application
    $a.visible = $True
    $b = $a.Workbooks.Add()
    $c = $b.Worksheets.Item(1)
    $c.Cells.Item(1,1) = "Share"
    $c.Cells.Item(1,2) = "Account"
    $c.Cells.Item(1,3) = "Permission"
    $c.Cells.Item(1,4) = "User Name"
    $d = $c.UsedRange
    $d.Interior.ColorIndex = 19
    $d.Font.ColorIndex = 11
    $d.Font.Bold = $True

    $intRow = 2

    $colShares = get-content shares.txt
    foreach ($strShare in $colShares)
    {
    $c.Cells.Item($intRow, 1) = $strShare
    $c.Cells.Item($intRow, 1).Font.Bold = $True
    $acl = Get-Acl $strShare
    $perm = $acl.Access
    foreach ($object in $perm)
    {
    $intRow = $intRow + 1
    $userName = [string]$object.IdentityReference
    $c.Cells.Item($intRow, 2) = $userName
    $c.Cells.Item($intRow, 3) = [string]$object.FileSystemRights
    $fullName = Get-QADUser $userName
    $c.Cells.Item($intRow, 4) = $fullName.Name
    }
    $intRow = $intRow + 1
    }
    $d.EntireColumn.AutoFit()

    Regards,
    Mladen.

    Reply

  5. Nice piece of kit – very nice little script that was just what I was after.

    Reply

  6. Good job; very useful script; just what I was looking for

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *