Share Permissions – changing

So far you’ve seen how to read, remove and add permissions to a share.  The final scenario to be covered is modifying a permission.

The functions I’ve presented to date only enable you to set Allow permissions on a share. I’ll be covering Deny permissions in later posts. This mimics the way that I tend to develop functionality – get part working then add more in increments until you have what you need.

For now this is function will enable you to modify permissions on a share:

#requires -Version 3.0
function Set-SharePermission {
param (

  [string]$domain = $env:COMPUTERNAME,


  [ValidateSet(“Read”, “Change”, “FullControl”)]
  [string]$permission = “Read”,

  [string]$computername = $env:COMPUTERNAME

switch ($permission) {
   ‘Read’        {$accessmask = 1179817}
   ‘Change’      {$accessmask = 1245631}
   ‘FullControl’ {$accessmask = 2032127}

$tclass = [wmiclass]”\\$computername\root\cimv2:Win32_Trustee”
$trustee = $tclass.CreateInstance()
$trustee.Domain = $domain
$trustee.Name = $trusteeName

$aclass = [wmiclass]”\\$computername\root\cimv2:Win32_ACE”
$ace = $aclass.CreateInstance()
$ace.AccessMask = $accessmask
$ace.AceFlags = 0
$ace.AceType = 0
$ace.Trustee = $trustee

$shss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter “Name=’$sharename'” -ComputerName $computername
$sd = Invoke-WmiMethod -InputObject $shss -Name GetSecurityDescriptor |
select -ExpandProperty Descriptor

$sclass = [wmiclass]”\\$computername\root\cimv2:Win32_SecurityDescriptor”
$newsd = $sclass.CreateInstance()
$newsd.ControlFlags = $sd.ControlFlags

foreach ($oace in $sd.DACL){

if (($oace.Trustee.Name -eq $trusteeName) -AND ($oace.Trustee.Domain -eq $domain) ) {
    $newsd.DACL += $oace
$newsd.DACL += $ace

$share = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter “Name=’$sharename'” -ComputerName $computername

} # end function

If you compare this to the Add-SharePermission and Remove-SharePermission you’ll see that the Set-SharePermission is really the Add-SharePermission function with the code to add the old ACE to the new DACL modified to be similar to Remove-SharePermission.

if (($oace.Trustee.Name -eq $trusteeName) -AND ($oace.Trustee.Domain -eq $domain) ) {
    $newsd.DACL += $oace

The code loops through the old ACEs and as long as the name AND domain don’t match the trustee for whom you’re changing permissions they’re added to the new DACL.  In other worlds the old permissions for the trustee are removed from the DACL.

This entry was posted in CIM, PowerShell and WMI, PowerShell V3, PowerShell v4. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s