Tags: powershell, acl, file-sharing

Wrong ACL information in PowerShell


I have trouble getting the access list for shared folders (not NTFS permissions!) through PowerShell in Windows 7. I shared a folder for a list of users, but for one of them (us10151) I denied access through the File Sharing dialog and allowed access through the NTFS Permissions dialog window. The user can't open this folder, which is OK. But when I tried to read the permissions for this folder, I didn't find any records with deny access. So, look at this (I have a screenshot too, but can't add it):

**icacls.exe \\pc00001\intel**
\\pc00001\intel NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                tstdmn\us00001:(OI)(CI)(RX)
                tstdmn\Domain Users:(OI)(CI)(M)
                tstdmn\us10151:(OI)(CI)(RX)
                tstdmn\us00002:(OI)(CI)(F)
                BUILTIN\Administrators:(OI)(CI)(F)

**cacls.exe \\pc00001\intel**
 c:\Intel NT AUTHORITY\SYSTEM:(OI)(CI)F 
          tstdmn\us00001:(OI)(CI)R 
          tstdmn\Domain Users:(OI)(CI)C 
          tstdmn\us10151:(OI)(CI)R 
          tstdmn\us00002:(OI)(CI)F 
          BUILTIN\Administrators:(OI)(CI)F

**Get-Acl \\pc00001\intel**
Path   : Microsoft.PowerShell.Core\FileSystem::\\pc00001\intel
Owner  : BUILTIN\Administrators
Group  : pc00001\None
Access : NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         tstdmn\Domain Users Allow  Modify, Synchronize
         tstdmn\us00001 Allow  ReadAndExecute, Synchronize
         tstdmn\us10151 Allow  ReadAndExecute, Synchronize
         tstdmn\us00002 Allow  FullControl
Audit  : 
Sddl   : <...>

What's wrong?


Solution

  • Share ACLs are defined on the share, not on the folder. icacls, cacls and Get-Acl return permissions on the latter. Use WMI for enumerating share permissions:

    # Share-level permission masks: Full Control, Change, Read.
    $permissions = @{
      2032127 = 'F'    # 0x1F01FF
      1245631 = 'M'    # 0x1301BF
      1179817 = 'RX'   # 0x1200A9
    }
    
    $type = @{
      0 = 'Allow'
      1 = 'Deny'
      2 = 'Audit'
    }
    
    # Type=0 selects disk shares only; administrative shares (C$, ADMIN$) carry
    # the high bit in Type and are therefore excluded.
    gwmi Win32_Share -Filter 'Type=0' | % {
      "{0}:`t{1}" -f $_.Name, $_.Path
      gwmi Win32_LogicalShareSecuritySetting -Filter "Name='$($_.Name)'" | % {
        $_.GetSecurityDescriptor().Descriptor.DACL | % {
          # Include the domain when present; print unknown masks as hex
          # instead of silently emitting an empty right.
          $who = if ($_.Trustee.Domain) { "$($_.Trustee.Domain)\$($_.Trustee.Name)" } else { $_.Trustee.Name }
          $mask = [int]$_.AccessMask
          $right = if ($permissions.ContainsKey($mask)) { $permissions[$mask] } else { '0x{0:X}' -f $mask }
          "`t{0} {1} {2}" -f $who, $type[[int]$_.AceType], $right
        }
      }
    }
    

    The filter Type=0 suppresses administrative shares.
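The following is an added example, not code from the original answer. It puts the two ACLs that the question confuses side by side for a single share: the share-level DACL read through Win32_LogicalShareSecuritySetting (where the Deny for us10151 lives) and the NTFS DACL read with Get-Acl on the folder behind the share (which is all that icacls, cacls and Get-Acl on the UNC path ever show). The function name Resolve-ShareAccess, the -ComputerName parameter and the use of the administrative share (C$) to reach the remote folder are this example's own assumptions; reading a remote share's NTFS ACL that way requires local administrator rights on the target.

```powershell
# Added example: show share-level and NTFS ACEs of one share in a single list,
# so that a share-level Deny (invisible to Get-Acl on the UNC path) stands out.
# Assumptions: WMI/DCOM access to the target, and admin rights to read the
# folder through the administrative share when -ComputerName is remote.
function Resolve-ShareAccess {
    param(
        [Parameter(Mandatory)] [string] $ShareName,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Share permissions are a fixed set of three masks; anything else is shown as hex.
    $shareRights = @{
        2032127 = 'Full Control'   # 0x1F01FF
        1245631 = 'Change'         # 0x1301BF
        1179817 = 'Read'           # 0x1200A9
    }
    $aceType = @{ 0 = 'Allow'; 1 = 'Deny'; 2 = 'Audit' }

    $share = Get-WmiObject Win32_Share -ComputerName $ComputerName -Filter "Name='$ShareName'"
    if (-not $share) { throw "Share '$ShareName' not found on $ComputerName" }

    # 1. Share-level DACL. This is stored with the share definition (LanmanServer),
    #    not on the folder, which is why Get-Acl \\server\share does not return it.
    $setting = Get-WmiObject Win32_LogicalShareSecuritySetting -ComputerName $ComputerName -Filter "Name='$ShareName'"
    $sd = $setting.GetSecurityDescriptor()
    if ($sd.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with code $($sd.ReturnValue)" }

    foreach ($ace in $sd.Descriptor.DACL) {
        $trustee = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
        if (-not $trustee) { $trustee = $ace.Trustee.SIDString }   # unresolvable SID
        $mask = [int]$ace.AccessMask
        [pscustomobject]@{
            Source  = 'Share'
            Type    = $aceType[[int]$ace.AceType]
            Trustee = $trustee
            Rights  = if ($shareRights.ContainsKey($mask)) { $shareRights[$mask] } else { '0x{0:X}' -f $mask }
        }
    }

    # 2. NTFS DACL of the folder behind the share. For a remote computer the local
    #    path (e.g. C:\Intel) is reached via the administrative share (\\pc\C$\Intel).
    $ntfsPath = if ($ComputerName -eq $env:COMPUTERNAME) {
        $share.Path
    } else {
        "\\$ComputerName\" + $share.Path.Replace(':', '$')
    }
    foreach ($ace in (Get-Acl -Path $ntfsPath).Access) {
        [pscustomobject]@{
            Source  = 'NTFS'
            Type    = $ace.AccessControlType.ToString()
            Trustee = $ace.IdentityReference.Value
            Rights  = $ace.FileSystemRights.ToString()
        }
    }
}

# Usage: for the share in the question, the Deny for us10151 appears with
# Source = Share, while the NTFS rows show only the Allow that Get-Acl reported.
Resolve-ShareAccess -ShareName 'intel' -ComputerName 'pc00001' |
    Sort-Object Source, Type | Format-Table -AutoSize
```

Effective access to a share is the intersection of both lists: a user needs an Allow on both sides and must not hit a Deny on either, so checking only the NTFS side (as icacls on a UNC path does) will miss share-level restrictions such as the one in the question.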