
Share Permissions – getting

Posted: May 15, 2014

I’ve written about working with share permissions a couple of times but a post on the forum (powershell.org) got me thinking about it again.  This time I’m going to use the CIM cmdlets rather than the WMI cmdlets I’ve used in the past.

My test machine has a test share called Test2April so that’s what we’ll work with. The first job is to understand the permissions assigned to the share.  There are 3 possibilities for share permissions:

  • Read
  • Change
  • Full control

I assigned these to distinct users – Everyone, ChangeUser and Fulluser respectively.

Discovering the permissions can be performed using this function:

#requires -Version 3.0
function Get-SharePermission {
[CmdletBinding()]
param (
  [Parameter(Mandatory=$true)]
  [string]$sharename,

  [string]$computername = $env:COMPUTERNAME
)

# Get the security settings for the named share
$shss = Get-CimInstance -ClassName Win32_LogicalShareSecuritySetting -Filter "Name='$sharename'" -ComputerName $computername
# The security descriptor holds the DACL for the share
$sd = Invoke-CimMethod -InputObject $shss -MethodName GetSecurityDescriptor |
select -ExpandProperty Descriptor

foreach ($ace in $sd.DACL) {

# Translate the three common access masks; anything else is Special
switch ($ace.AccessMask) {
   1179817 {$permission = 'Read'}
   1245631 {$permission = 'Change'}
   2032127 {$permission = 'FullControl'}
   default {$permission = 'Special'}
}

$trustee = $ace.Trustee
$user = "$($trustee.Domain)\$($trustee.Name)"

$props = [ordered]@{
   User = $user
   Permissions = $permission
}

New-Object -TypeName PSObject -Property $props
} # end foreach
} # end function

The function takes a mandatory parameter of the share name with an optional parameter of computername that defaults to the local machine.

Use the Win32_LogicalShareSecuritySetting class to get the security information. The security descriptor is retrieved using its GetSecurityDescriptor method. The security descriptor stores the DACL for the share.

Each ACE in the DACL is interrogated to determine its access mask and the trustee associated with that permission. I’ve given the access mask for the 3 common permissions (Read, Change, Full Control) – anything else is listed as special.  You can use the techniques in technique 51 from PowerShell and WMI or download my PSAM module from codeplex (http://psam.codeplex.com/) and use Get-ShareAccessMask.

The domain and name of the trustee are put into the $user variable – it could just as easily be a group that comes through.

Create an ordered hash table with the results and output as an object.

The output will look something like this:

£> Get-SharePermission -sharename Test2April | ft -AutoSize

User                     Permissions
----                     -----------
RSsurfacePro2\ChangeUser Change    
\Everyone                Read      
RSsurfacePro2\FullUser   FullControl
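
The function above reports any mask other than the three it knows as Special and does not look at the ACE type, so a deny entry reads the same as an allow entry. As an added example (not code from the original post or the PSAM module), this sketch decodes a mask into its individual rights and shows allow versus deny; the helper name ConvertFrom-ShareAccessMask and the sample ACEs are constructed for illustration, and the bit values are the standard Windows file access rights.

```powershell
# Added example: names and sample ACEs below are constructed, not from the post.
# Standard file access right bits that make up a share ACE's AccessMask.
$ShareRights = [ordered]@{
    ReadData        = 0x1
    WriteData       = 0x2
    AppendData      = 0x4
    ReadEA          = 0x8
    WriteEA         = 0x10
    Execute         = 0x20
    DeleteChild     = 0x40
    ReadAttributes  = 0x80
    WriteAttributes = 0x100
    Delete          = 0x10000
    ReadControl     = 0x20000
    WriteDac        = 0x40000
    WriteOwner      = 0x80000
    Synchronize     = 0x100000
}

function ConvertFrom-ShareAccessMask {   # hypothetical helper name
    param ([Parameter(Mandatory=$true)][uint32]$AccessMask)
    switch ($AccessMask) {               # same three masks as Get-SharePermission
        1179817 { $name = 'Read' }
        1245631 { $name = 'Change' }
        2032127 { $name = 'FullControl' }
        default { $name = 'Special' }
    }
    # List every right whose bit is set, so a Special mask is still readable
    $rights = foreach ($r in $ShareRights.GetEnumerator()) {
        if ($AccessMask -band $r.Value) { $r.Key }
    }
    New-Object -TypeName PSObject -Property ([ordered]@{
        Permissions = $name
        Rights      = $rights -join ', '
    })
}

# Constructed ACEs shaped like Win32_ACE (AceType 0 = allow, 1 = deny, 2 = audit)
$sampleDacl = @(
    [pscustomobject]@{ Trustee = 'EXAMPLE\UserA'; AceType = 0; AccessMask = 1179817 }
    [pscustomobject]@{ Trustee = 'EXAMPLE\UserB'; AceType = 0; AccessMask = 1179819 }  # Read + WriteData
    [pscustomobject]@{ Trustee = 'EXAMPLE\UserC'; AceType = 1; AccessMask = 2032127 }  # deny ACE
)
foreach ($ace in $sampleDacl) {
    $d = ConvertFrom-ShareAccessMask -AccessMask $ace.AccessMask
    [pscustomobject]@{ User = $ace.Trustee; Type = @('Allow','Deny','Audit')[$ace.AceType]
                       Permissions = $d.Permissions; Rights = $d.Rights }
}
```

Against a live share, the same decoding applies to the AccessMask and AceType properties of each entry in $sd.DACL.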
