The cmdlet Get-ACL is very capable when it comes to NTFS permissions, but it cannot read share permissions. This function makes an effort to provide a simple way to return share security (and other information) from a share.

The function makes use of two WMI classes, Win32_Share and Win32_LogicalShareSecuritySetting. To simplify enumeration, each Access Control Entry found within the share's Discretionary Access Control List is converted to a FileSystemAccessRule before being added to the Access object, allowing the access to be displayed in a similar way to Access from Get-ACL.

Security information is only returned for shares of type 0, standard shared folders. Security for automatically generated administrative shares will not show. Access is added to the remainder of the information returned by Win32_Share. The Control Flags for the security descriptor are available, but not interesting as they are set to DiscretionaryAclPresent and SelfRelative.

The function accepts two parameters, the name of the share, and optionally the name of a computer. With no parameters, information for all shares on the computer is returned. WQL wildcards are supported (% and _) within the share name.

Get-ShareACL

[code lang="powershell"]
function Get-ShareACL {
    param(
        [String]$Name = "%",
        [String]$Computer = $Env:ComputerName
    )

    Get-WMIObject Win32_Share -Computer $Computer -Filter "Name LIKE '$Name'" | ForEach-Object {
        $Access = @()
        # Security is only read for standard shared folders (type 0)
        if ($_.Type -eq 0) {
            $SD = (Get-WMIObject Win32_LogicalShareSecuritySetting -Computer $Computer -Filter "Name='$($_.Name)'").GetSecurityDescriptor().Descriptor
            # Convert each ACE in the DACL to a FileSystemAccessRule
            $SD.DACL | ForEach-Object {
                $Trustee = $_.Trustee.Name
                if ($_.Trustee.Domain -ne $null) {
                    $Trustee = "$($_.Trustee.Domain)\$Trustee"
                }
                $Access += New-Object Security.AccessControl.FileSystemAccessRule(
                    $Trustee, $_.AccessMask, $_.AceType)
            }
        }
        # Add the friendly share type and the Access collection to the Win32_Share data
        $_ | Select-Object Name, Path, Description, Caption,
            @{n='Type';e={
                switch ($_.Type) {
                    0          { "Disk Drive" }
                    1          { "Print Queue" }
                    2          { "Device" }
                    2147483648 { "Disk Drive Admin" }
                    2147483649 { "Print Queue Admin" }
                    2147483650 { "Device Admin" }
                    2147483651 { "IPC Admin" }
                }
            }},
            MaximumAllowed, AllowMaximum, Status, InstallDate,
            @{n='Access';e={ $Access }}
    }
}
[/code]

Example

[code lang="plain"]
PS C:\> Get-ShareACL Test

Name           : Test
Path           : C:\Test
Description    :
Caption        : Test
Type           : Disk Drive
MaximumAllowed :
AllowMaximum   : True
Status         : OK
InstallDate    :
Access         : {System.Security.AccessControl.FileSystemAccessRule}

PS C:\> (Get-ShareACL Test).Access

FileSystemRights  : ReadAndExecute
AccessControlType : Allow
IdentityReference : somedomain\chrisdent
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None
[/code]
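
Because Access holds FileSystemAccessRule objects, share permissions can be reviewed with ordinary property filters. The following is an added example, not part of the original function: Find-BroadShareAccess is a hypothetical helper that reports Allow entries held by broad principals and marks those granting more than read access. The principal list and the sample objects are assumptions constructed for illustration.

```powershell
# Added example. Find-BroadShareAccess is a hypothetical helper, not part of Get-ShareACL.
function Find-BroadShareAccess {
    param(
        [Parameter(ValueFromPipeline = $true)]
        $Share,

        # Assumed list of principals treated as broad; adjust for the environment.
        [String[]]$BroadPrincipal = @(
            'Everyone', 'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\ANONYMOUS LOGON', 'BUILTIN\Users'
        )
    )
    begin {
        # Bits outside ReadAndExecute + Synchronize mean more than read access.
        $ReadOnly = [int][Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'
    }
    process {
        foreach ($Rule in $Share.Access) {
            # Deny entries and specific accounts are not reported.
            if ($Rule.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipal -notcontains $Rule.IdentityReference.Value) { continue }

            $Extra = [int]$Rule.FileSystemRights -band (-bnot $ReadOnly)
            [PSCustomObject]@{
                Share        = $Share.Name
                Principal    = $Rule.IdentityReference.Value
                Rights       = $Rule.FileSystemRights
                WriteCapable = ($Extra -ne 0)
            }
        }
    }
}

# Constructed sample input shaped like Get-ShareACL output, so this runs without WMI.
$RuleType = 'Security.AccessControl.FileSystemAccessRule'
$Sample = [PSCustomObject]@{
    Name   = 'Test'
    Access = @(
        New-Object $RuleType -ArgumentList 'Everyone', 2032127, 'Allow'              # Full Control
        New-Object $RuleType -ArgumentList 'BUILTIN\Users', 1179817, 'Allow'         # Read
        New-Object $RuleType -ArgumentList 'somedomain\chrisdent', 1245631, 'Allow'  # Change
    )
}
$Sample | Find-BroadShareAccess
```

With the sample data, Everyone is reported as write-capable, BUILTIN\Users as read-only, and the named account is skipped. Against a live system the same filter is fed by `Get-ShareACL | Find-BroadShareAccess`.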