Categories

Share Permissions – setting deny

The last change to the share permissions functions to modify the Set-SharePermissions functions to enable the application of Deny permissions.

The function becomes:

#requires -Version 3.0
function Set-SharePermission {
[CmdletBinding()]
param (
  [Parameter(Mandatory=$true)]
  [string]$sharename,

  [string]$domain = $env:COMPUTERNAME,

  [Parameter(Mandatory=$true)]
  [string]$trusteeName,

  [Parameter(Mandatory=$true)]
  [ValidateSet("Read", "Change", "FullControl")]
  [string]$permission = "Read",

  [string]$computername = $env:COMPUTERNAME,

  [parameter(ParameterSetName="AllowPerm")]
  [switch]$allow,

  [parameter(ParameterSetName="DenyPerm")]
  [switch]$deny
)

switch ($permission) {
   'Read'        {$accessmask = 1179817}
   'Change'      {$accessmask = 1245631}
   'FullControl' {$accessmask = 2032127}
}


$tclass = [wmiclass]"\\$computername\root\cimv2:Win32_Trustee"
$trustee = $tclass.CreateInstance()
$trustee.Domain = $domain
$trustee.Name = $trusteeName

$aclass = [wmiclass]"\\$computername\root\cimv2:Win32_ACE"
$ace = $aclass.CreateInstance()
$ace.AccessMask = $accessmask

switch ($psCmdlet.ParameterSetName) {
"AllowPerm"  {$ace.AceType = 0}
"DenyPerm"  {$ace.AceType = 1}
default {Write-Host "Error!!! Should not be here" }
}

$ace.Trustee = $trustee

$shss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$sharename'" -ComputerName $computername
$sd = Invoke-WmiMethod -InputObject $shss -Name GetSecurityDescriptor |
select -ExpandProperty Descriptor

$sclass = [wmiclass]"\\$computername\root\cimv2:Win32_SecurityDescriptor"
$newsd = $sclass.CreateInstance()
$newsd.ControlFlags = $sd.ControlFlags

foreach ($oace in $sd.DACL){

if (($oace.Trustee.Name -eq $trusteeName) -AND ($oace.Trustee.Domain -eq $domain) ) {
    continue
}
else
{
    $newsd.DACL += $oace
}
}
$newsd.DACL += $ace

$share = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$sharename'" -ComputerName $computername
$share.SetSecurityDescriptor($newsd)

} # end function

The changes are to add two switches –allow & –deny.  Put them in different parametersets to ensure mutual exclusivity.

As you are using parametersets you can use a switch based on the parameterset name to set the ACE type.

switch ($psCmdlet.ParameterSetName) {
"AllowPerm"  {$ace.AceType = 0}
"DenyPerm"  {$ace.AceType = 1}
default {Write-Host "Error!!! Should not be here" }
}

Everything else remains the same.

Leave a Reply