Viewing User Permissions on Shared Folders and Removing Relevant Permissions
Viewing the share permissions and NTFS security permissions a user holds, and removing them when needed, can be surprisingly awkward, especially when permission changes are requested through a ticketing or workflow system. The difficulty usually comes from not having a clear picture of which permissions a member currently holds across the various shared folders. The script below automates that step: it lists a user's share permissions and NTFS permissions for every shared folder on the server.
```powershell
# Configure Domain
$domain = "CSXZX"
$userName = Read-Host "Enter the target username (username)" # Input username
$userName = "$domain\$userName" # Create full username

# Get User's Shared Permissions
Write-Host "Checking shared permissions for $($userName):"
$shares = Get-SmbShare
if (-not $shares) {
    Write-Host "No shared folders found."
} else {
    $shares | ForEach-Object {
        $shareName = $_.Name
        $access = Get-SmbShareAccess -Name $shareName | Where-Object { $_.AccountName -eq $userName }
        if ($access) {
            $access | ForEach-Object {
                Write-Host "$($userName) has the following permissions in shared folder '$shareName': $($_.AccessControlType) $($_.AccessRight)"
            }
        } else {
            Write-Host "$($userName) has no permissions in shared folder '$shareName'."
        }
    }
}

# Get User's NTFS Permissions
Write-Host "`nChecking NTFS permissions for $($userName):"
$shares | ForEach-Object {
    $folderPath = $_.Path
    if ($folderPath -and (Test-Path $folderPath)) { # Check that the path is not empty and exists
        $acl = Get-Acl -Path $folderPath
        $userAccess = $acl.Access | Where-Object { $_.IdentityReference -eq $userName }
        if ($userAccess) {
            $userAccess | ForEach-Object {
                Write-Host "$($userName) has the following NTFS permissions in '$folderPath': $($_.AccessControlType) $($_.FileSystemRights)"
            }
        } else {
            Write-Host "$($userName) has no NTFS permissions in '$folderPath'."
        }
    } else {
        Write-Host "Folder path '$folderPath' does not exist or is inaccessible."
    }
}
Write-Host "`nCheck completed."
```
Removing a User's Shared Folder and Security Permissions
Based on the share name provided by the user, the script locates the underlying folder and removes the user's NTFS permissions with the `RemoveAccessRule` method. For share permissions, the `Revoke-SmbShareAccess` command revokes access directly.
```powershell
# Configure Domain
$domain = "CSXZX"

# Prompts the user to input the username and shared folder name
$userName = Read-Host "Please enter the target username (username only)" # Enter only the username
$shareName = Read-Host "Please enter the shared folder name" # Enter the shared folder name

# Construct the full username
$userName = "$domain\$userName"

# Retrieve the shared folder path (stop if the share does not exist or has no usable path)
$folderPath = (Get-SmbShare -Name $shareName -ErrorAction Stop).Path
if (-not $folderPath -or -not (Test-Path $folderPath)) {
    throw "Folder path '$folderPath' for share '$shareName' does not exist or is inaccessible."
}

# Remove NTFS permissions
$acl = Get-Acl -Path $folderPath
$acl.Access | Where-Object { $_.IdentityReference -eq $userName } | ForEach-Object {
    if ($_.IsInherited) {
        # Inherited entries come from the parent folder and cannot be removed here
        Write-Warning "Inherited NTFS entry ($($_.FileSystemRights)) on '$folderPath' must be removed from its parent"
    } else {
        [void]$acl.RemoveAccessRule($_) # [void] suppresses the True/False return value
    }
}
Set-Acl -Path $folderPath -AclObject $acl
Write-Host "Successfully removed NTFS permissions for $userName"

# Remove shared permissions
Revoke-SmbShareAccess -Name $shareName -AccountName $userName -Force
Write-Host "Successfully removed shared permissions for $userName"
```
Removing All Shared Folder Permissions Associated with a User
The script uses `Get-SmbShare` to retrieve all shared folders, excludes the system-level shares, and then iterates through the rest to remove every folder permission associated with the user. A manual exclusion list can also be supplied so that folders which should not be touched keep their permissions.
```powershell
# Configure Domain
$domain = "CSXZX"
$userName = Read-Host "Please enter the target username (username)" # Enter username
$excludeShares = Read-Host "Please enter the shared folders to exclude (separated by commas, leave blank to remove all shared folders by default)"

# Default excluded shared folders
$defaultExcludeShares = @("ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL")

# Construct the full username
$userName = "$domain\$userName"

# Get all shared folders
$shares = Get-SmbShare

# Filter out the shared folders to exclude
if ($excludeShares) {
    # Accept the full-width comma as a separator too, and trim stray spaces around each name
    $excludeSharesList = ($excludeShares -replace "、", ",").Split(",") | ForEach-Object { $_.Trim() }
    $excludeSharesList += $defaultExcludeShares # Merge default excluded shared folders
    $shares = $shares | Where-Object { $excludeSharesList -notcontains $_.Name }
} else {
    # If no shared folders are specified for exclusion, use the default exclusion list
    $shares = $shares | Where-Object { $defaultExcludeShares -notcontains $_.Name }
}

# Iterate through all shared folders and remove user permissions
foreach ($share in $shares) {
    # Check if the user has shared folder permissions
    $access = Get-SmbShareAccess -Name $share.Name | Where-Object { $_.AccountName -eq $userName }
    if ($access) {
        # Remove shared folder permissions
        Revoke-SmbShareAccess -Name $share.Name -AccountName $userName -Force
        Write-Host -ForegroundColor Green "Removed $userName's shared folder permissions for '$($share.Name)'"
    } else {
        Write-Host "$userName does not have shared folder permissions for '$($share.Name)', no action required"
    }

    # Get the folder path and remove NTFS permissions
    $folderPath = $share.Path
    if (-not $folderPath -or -not (Test-Path $folderPath)) {
        Write-Host "Folder path '$folderPath' for share '$($share.Name)' does not exist or is inaccessible, skipping NTFS step"
        continue
    }
    $acl = Get-Acl -Path $folderPath
    $userAccess = $acl.Access | Where-Object { $_.IdentityReference -eq $userName }
    if ($userAccess) {
        # Remove the user's explicit NTFS permissions; inherited entries must be handled at the parent
        $userAccess | ForEach-Object {
            if ($_.IsInherited) {
                Write-Warning "Inherited NTFS entry ($($_.FileSystemRights)) on '$folderPath' must be removed from its parent"
            } else {
                [void]$acl.RemoveAccessRule($_) # [void] suppresses the True/False return value
            }
        }
        Set-Acl -Path $folderPath -AclObject $acl
        Write-Host -ForegroundColor Green "Removed $userName's NTFS permissions for '$folderPath'"
    } else {
        Write-Host "$userName does not have NTFS permissions for '$folderPath', no action required"
    }
}
Write-Host "Permission removal completed"
```
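The scripts above match only ACEs that name the user directly, so access granted through a group membership is neither listed by the first script nor removed by the last one. The following added example (not part of the original post or its repository) reports a user's NTFS entries on every non-system share including those granted via nested domain groups; it assumes the ActiveDirectory module is installed, that it runs on the file server, and that all groups live in the same domain as the `$Domain` value used above.

```powershell
# Added example: report NTFS access on all non-system shares for a user,
# including entries granted through nested domain group membership.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$Domain = "CSXZX"   # same domain value as the original scripts
)
Import-Module ActiveDirectory -ErrorAction Stop

$user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
# All groups the user belongs to, resolved transitively by the LDAP matching rule
# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941). Note: the primary group
# (usually Domain Users) and BUILTIN/local groups are not returned by this query.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"

# Identities whose ACEs grant access to this user: the account itself plus each group
$identities = @("$Domain\$($user.SamAccountName)") +
              @($groups | ForEach-Object { "$Domain\$($_.SamAccountName)" })

# Same system-share exclusion list as the removal script
$skip = @("ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL")

Get-SmbShare |
    Where-Object { $skip -notcontains $_.Name -and $_.Path -and (Test-Path $_.Path) } |
    ForEach-Object {
        $share = $_
        $acl = Get-Acl -Path $share.Path
        # -contains compares strings case-insensitively, which matches how Windows treats names
        $acl.Access | Where-Object { $identities -contains $_.IdentityReference.Value } | ForEach-Object {
            [pscustomobject]@{
                Share       = $share.Name
                Path        = $share.Path
                GrantedVia  = $_.IdentityReference.Value  # the user directly, or a group
                Rights      = $_.FileSystemRights
                Type        = $_.AccessControlType
                IsInherited = $_.IsInherited              # inherited entries must be changed at the parent
            }
        }
    } | Format-Table -AutoSize
```

Rows whose GrantedVia column is a group name show access that the removal scripts leave in place; those are resolved by adjusting group membership rather than the folder ACL.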
Source Code Location

The source code for these scripts can be found at:
https://github.com/Excalibra/scripts/tree/main/d-pwsh-dc

The corresponding script names are:
- Check User Permissions on Shared Folders.ps1
- Permission Removal Template.ps1
- Remove All Shared Folder Permissions for a Users.ps1