Categories

Share Permissions – working with Deny

Permissions can be set to either allow access ot to deny access.  The functions I’ve presented so far only work with Allow permissions. Using Deny permissions should be avoided if at all possible but sometimes there’s no alternative.

First thing is to modify Get-SharePermission so that it shows if the permission is allowed or denied.

#requires -Version 3.0
function Get-SharePermission {
[CmdletBinding()]
param (
  [Parameter(Mandatory=$true)]
  [string]$sharename,

  [string]$computername = $env:COMPUTERNAME
)

$shss = Get-CimInstance -Class Win32_LogicalShareSecuritySetting -Filter "Name='$sharename'" -ComputerName $computername
$sd = Invoke-CimMethod -InputObject $shss -MethodName GetSecurityDescriptor |
select -ExpandProperty Descriptor

foreach ($ace in $sd.DACL) {

switch ($ace.AccessMask) {
   1179817 {$permission = 'Read'}
   1245631 {$permission = 'Change'}
   2032127 {$permission = 'FullControl'}
   default {$permission = 'Special'}
}
 
$trustee = $ace.Trustee
$user = "$($trustee.Domain)\$($trustee.Name)"

switch ($ace.AceType) {
   0 {$status = 'Allow'}
   1 {$status = 'Deny'}
   2 {$status = 'Audit'}
}

$props = [ordered]@{
   User = $user
   Permissions = $permission
   Status = $status
}
New-Object -TypeName PSObject -Property $props
} # emd foreach
} # end function

The modification is to add a switch based on the AceType property of the Win32_ACE object (http://msdn.microsoft.com/en-us/library/aa394063(v=vs.85).aspx) to determine the status of the permission. Add a property called Status to the output object and set it equal to the status determined in the switch.

Leave a Reply