- SystoLOCK in review: Logging in to Active Directory with multi-factor authentication without passwords - Tue, Dec 5 2023
- New Group Policy settings in Windows 11 23H2 - Mon, Nov 20 2023
- Windows Server 2025 will support SMB over QUIC in all editions - Fri, Nov 17 2023
Use the Get-SmbShare cmdlet to see which shares a file server offers in the first step. If you invoke it without parameters, then it only shows the file shares of the local computer.
List shares on a remote server
However, if you want to display the shares of a remote server, it does not support the ComputerName parameter. Instead, you have to create a CIM session:
$cim = New-CimSession -ComputerName server1 -Credential user@contoso.com Get-SmbShare -CimSession $cim
In addition to user-specific shares, the output also contains administrative shares, such as c$ or ADMIN$ by default. This can be disabled with the Special parameter.
Get-SmbShare -Special $false
Display shares on a remote computer
Alternatively, Get-FileShare is available for this purpose. It can capture not only SMB but also NFS shares:
Get-FileShare -CimSession $cim -Protocol NFS
Query share permissions
Before connecting, it is interesting to know what permissions are configured for a share:
Get-SmbShareAccess -Name PubDocs -CimSession $cim
This example queries the above remote server for access permissions to a share named PubDocs.
Query access rights on a remote share
Connect to the network drive
If you want to see which mappings for network drives already exist, then invoke Get-SmbMapping without parameters. Alternatively, you can specify a drive letter to find out which share it is mapped to:
Get-SmbMapping u:
The whole thing also works the other way around by specifying the share with RemotePath to get the local drive letter.
Map drive letters
The New-SmbMapping cmdlet assigns a drive letter to a share. It expects the local path and that of the share. In addition, you can pass it the username and password of a different account. This is not done with a credentials object, as is usually the case, but in plain text:
New-SmbMapping -LocalPath x: -RemotePath \\ds\share1 -user contoso\user -password P@ssw0rd -SaveCredentials
Create new drive mapping with New SmbMapping
If you do not want to reenter the credentials when creating another mapping, you can save them with the SaveCredentials switch.
The Persistent switch ensures that the drive mapping is preserved beyond the current session.
With the support for QUIC and compression of network traffic, Microsoft recently introduced two interesting SMB features. Both can be enabled with PowerShell:
New-SmbMapping -LocalPath x: -RemotePath \\ds\share1 -TransportType QUIC New-SmbMapping -LocalPath x: -RemotePath \\ds\share1 -CompressData $true
QUIC requires Azure Edition to be installed on the server.
Create mapping remotely
Theoretically, this operation can also be performed on a remote computer as follows:
$cim = New-CimSession -ComputerName Server1 -Credential user@contoso.com New-SmbMapping -LocalPath u: -RemotePath \\Server2\PubDocs -CimSession $cim -UserName contoso\user -Password P@ssw0rd
Run New SmbMapping from a CIM session
In this case, you set up a mapping on Server1 for a share that is on Server2. In practice, Get-SmbMapping will then probably show the status Unavailable for this mapping. The reason is a lack of permissions due to the second-hop problem.
Instead of configuring CredSSP, you can simply use Enter-PSSession to open an interactive remote session to Server1 and run New-SmbMapping in it.
Delete mapping
Finally, disconnect a drive mapping by using Remove-SmbMapping. The cmdlet only needs to know the local or remote path.
In addition, you can use UpdateProfile to make sure that Windows does not remap the drive after the next logon, but deletes it permanently:
Remove-SmbMapping x: -UpdateProfile
Summary
PowerShell provides the necessary cmdlets to display a server's existing shares and their permissions. With New-SmbMapping, you map them to a local drive letter.
Subscribe to 4sysops newsletter!
Remote use is somewhat cumbersome because the cmdlets do not support the ComputerName parameter, and you therefore have to deal with CIM sessions.
What if you want to label the mapped drive and not have the UNC remote path displayed?
I’ve actually found the Intune mapped drive generator website work best. It also supports Azure Files and item level targeting via SGs. Just input your desired drive letter, path URI or UNC, label or name, and the security group. Otis the PS1 file for you to download.
https://intunedrivemapping.azurewebsites.net/DriveMapping
Though there is limitation to the intune mapped generator and the ADMX route if you want to map a drive to a share but not use the logged user’s credentials, ie. share located on a NAS drive in a workgroup environment. I haven’t seen a solution yet to this in intune so am trying to make work deploying a win32 app to deploy a bat script until we can move to SharePoint.
Any better ideas feel free to stare.