- Create an AWS EC2 instance with HashiCorp Terraform provider - Fri, Jul 29 2022
- Introduction to Docker Bind Mounts and Volumes - Mon, Oct 8 2018
- Managing Windows file shares with PowerShell - Mon, Aug 13 2018
Creating and managing file shares through the GUI in Windows is something most administrators should be familiar with. It's a pretty straightforward process. However, things can get out of hand pretty fast when you need to manage multiple shares across multiple computers. With PowerShell, you can easily automate the task.
Listing current file shares
Let's get started by listing the currently configured shares with Get-SmbShare.
I haven't created any file shares on this computer yet, so the command returns a list of the default shares Windows created by default. This will also return any configured hidden shares.
To target a specific share, we can use the -Name parameter to specify the name of the share we want to return and then pipe it to Select to view all the properties for that share.
Get-SmbShare -Name C$ | select *
Creating a new file share
Now let's go ahead and create a new file share. Here are the details I'm going to use for my new share:
Description: Log Files
You'll need to make sure the folder path exists prior to running this command.
New-SmbShare -Name Logs -Description "Log Files" -Path C:\Shares\Logs
Modifying share properties
Using the Set-SmbShare command, we can modify the properties of an existing share. Let's go ahead and modify the description property to specify the type of log files in this folder.
Set-SmbShare -Name Logs -Description "Application Log Files" -Force
If you tab complete through the parameters of Set-SmbShare, you can see the other share properties you can modify with this command.
Granting file share permissions
After creating the share, we can view the permissions associated with it by running Get-SmbShareAccess.
As you can see, creating the share gave the Everyone group Read access to the share. We should probably go ahead and change that to lock down the permissions so that only the users who need access to this share will have permissions.
To do this, we can use Grant-SmbShareAccess to specify the users or groups we wish to have access to the share as well as what level of access they will have. Let's start with adding an Active Directory group I have created for users who will have Read access to the Logs share called corp\LogViewers. Note that you can use tab completion on the -AccessRight parameter. The possible values for this parameter are Change, Custom, Full, and Read. For this, I'm going to select Read.
Grant-SmbShareAccess -Name Logs -AccountName corp\LogViewers -AccessRight Read
If you omit the -Force parameter, it will prompt you to confirm this action. If you would like to suppress this prompt, simply include the -Force parameter.
Now that the corp\LogViewers group has Read access, I want to add another group called corp\LogAdmins, which is going to have Change rights to the share.
Grant-SmbShareAccess -Name Logs -AccountName corp\LogAdmins -AccessRight Change -Force
Removing file share permissions
Now that the correct groups have permissions to the file share, let's remove the Everyone group. For removing a permission for a file share, we are going to use the Revoke-SmbShareAccess command. This will remove the permissions for the group we specify with the -AccountName parameter.
Revoke-SmbShareAccess -Name Logs -AccountName Everyone -Force
Denying permissions to a file share
You may need to deny specific users or groups from having access to a file share for security reasons. Any Deny permissions will supersede any Allow permissions. So even if users possess Read or Change permissions to the share, if you specifically deny them permission to that share, or if they are in a denied group, they will not be able to access that share.
To deny access for a user or group to the file share, we are going to use the Block-SmbShareAccess command. In this case, I am going to deny the group corp\AppUsers.
Block-SmbShareAccess -Name Logs -AccountName corp\AppUsers -Force
The output shows the addition of the corp\AppUsers group with an AccessControlType of Deny.
Running UnBlock-SMBShareAccess will remove the Deny permission for the user or group specified.
UnBlock-SmbShareAccess -Name Logs -AccountName corp\AppUsers -Force
Removing a file share
If you no longer have a need for a particular file share, we can use the Remove-SmbShare command. This will turn off sharing for that particular folder but will not delete the folder or any of its contents.
Subscribe to 4sysops newsletter!
Remove-SmbShare -Name Logs -Force