Security and monad


Wesley H

Apr 28, 2006, 3:19:53 PM
I am trying to get all the shared folders on my machine to tell me what
the permissions are for each one. I would like to add it to this command
that displays them, but I have not found a command that will give me this
info. Also, if I can, I would like to output all this info to a CSV file.

Here is the command I am currently using

$strComputer = "."

$colItems = get-wmiobject -class "Win32_Share" -namespace "root\CIMV2" `
-computername $strComputer


foreach ($objItem in $colItems) {
write-host "Access Mask: " $objItem.AccessMask
write-host "Allow Maximum: " $objItem.AllowMaximum
write-host "Caption: " $objItem.Caption
write-host "Description: " $objItem.Description
write-host "Installation Date: " $objItem.InstallDate
write-host "Maximum Allowed: " $objItem.MaximumAllowed
write-host "Name: " $objItem.Name
write-host "Path: " $objItem.Path
write-host "Status: " $objItem.Status
write-host "Type: " $objItem.Type
write-host
}

Bruce Payette [MSFT]

Apr 28, 2006, 4:12:09 PM
This doesn't really answer your main question but a much simpler way of
getting this information is to do:

get-wmiobject win32_share | fl *

This will display all of the properties for each object retrieved. To export
the results of this wmi query to a csv file, do

get-wmiobject win32_share | export-csv shares.csv

For security information, perhaps you're more looking for

get-wmiObject Win32_LogicalShareSecuritySetting

?

-bruce

--
Bruce Payette [MSFT]
Windows PowerShell Technical Lead
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

Wesley H

Apr 28, 2006, 4:29:16 PM
I have tried get-wmiObject Win32_LogicalShareSecuritySetting but it does
not give me who I have added in the Security Tab under the folders.

I need to be able to take the Shares of a machine, Path and Security
permissions and put those into a CSV file as a backup if I have to
recreate it.

/\/\o\/\/

Apr 28, 2006, 4:58:26 PM
this entry might help,

http://mow001.blogspot.com/2005/11/replace-security-on-existing-share.html

if you have more questions just ask

gr /\/\o\/\/

Wesley H

Apr 28, 2006, 5:19:31 PM
That did not answer my issue. I need to be able to read the shares, not
change them. This script I have will give me most of the needed info,
except now all I need is to find out what the Security permissions are
for each share

$strComputer = "."

$colItems = get-wmiobject -class "Win32_Share" -namespace "root\CIMV2" `
-computername $strComputer


foreach ($objItem in $colItems) {
write-host "Access Mask: " $objItem.AccessMask
write-host "Allow Maximum: " $objItem.AllowMaximum
write-host "Caption: " $objItem.Caption
write-host "Description: " $objItem.Description
write-host "Installation Date: " $objItem.InstallDate
write-host "Maximum Allowed: " $objItem.MaximumAllowed
write-host "Name: " $objItem.Name
write-host "Path: " $objItem.Path
write-host "Status: " $objItem.Status
write-host "Type: " $objItem.Type
write-host
}

"/\\/\\o\\/\\/" <n...@spam.mow> wrote in
news:uKetSawa...@TK2MSFTNGP02.phx.gbl:

> http://mow001.blogspot.com/2005/11/replace-security-on-existing-share.html

/\/\o\/\/

Apr 29, 2006, 8:55:01 AM
Sorry, I did think that there was also a GetShareInfo Method,

the trick with the Win32_LogicalShareSecuritySetting class is you need
another Method to get the Security descriptor (from then on you can use
the Methods on the Blog to translate them.)

See :

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/getsecuritydescriptor_method_in_class_win32_logicalfilesecuritysetting.asp

Problem is that this uses an Out-variable, so with PowerShell RC1 I did
think I could use it, but I can not seem to be able to get it working :

$shareSec = gwmi Win32_LogicalShareSecuritySetting -filter "name='mp3'"


MowPS>$shareSec.invokeMethod('GetSecurityDescriptor',$null)
Exception calling "InvokeMethod" with "2" argument(s): "Object reference
not set to an instance of an object."
At line:1 char:23
+ $shareSec.invokeMethod( <<<< 'GetSecurityDescriptor',$null)

MowPS>$shareSec.invokeMethod('GetSecurityDescriptor',$foo)
0

# this last one I expected to work :

MowPS>$shareSec.invokeMethod('GetSecurityDescriptor',[ref]$foo)
Argument: '2' should not be a System.Management.Automation.PSReference.
Do not use [ref].
At line:1 char:23
+ $shareSec.invokeMethod( <<<< 'GetSecurityDescriptor',[ref]$foo)


Greetings /\/\o\/\/

Jeffrey Snover [MSFT]

Apr 29, 2006, 6:02:04 PM
Try this:

PS> $shareSec = gwmi Win32_LogicalShareSecuritySetting -filter "name='ps'"
PS> $sd = $shareSec.invokeMethod('GetSecurityDescriptor',$null,$null)
PS> $sd |fl [a-z]*
Descriptor : System.Management.ManagementBaseObject
ReturnValue : 0

PS> $sd.Descriptor |fl [a-z]*
ControlFlags : 32772
DACL : {System.Management.ManagementBaseObject,
System.Management.ManagementBaseObject}
Group :
Owner :
SACL :


PS> $sd.Descriptor.DACL |fl [a-z]*
AccessMask : 1179817
AceFlags : 0
AceType : 0
GuidInheritedObjectType :
GuidObjectType :
Trustee : System.Management.ManagementBaseObject

AccessMask : 2032127
AceFlags : 0
AceType : 0
GuidInheritedObjectType :
GuidObjectType :
Trustee : System.Management.ManagementBaseObject


PS> $sd.Descriptor.DACL |... Trustee
Domain :
Name : Everyone
SID : {1, 1, 0, 0...}
SidLength : 12
SIDString : S-1-1-0
__GENUS : 2
__CLASS : Win32_Trustee
__SUPERCLASS : Win32_MethodParameterClass
__DYNASTY : Win32_MethodParameterClass
__RELPATH :
__PROPERTY_COUNT : 5
__DERIVATION : {Win32_MethodParameterClass}
__SERVER :
__NAMESPACE :
__PATH :

Domain : NTDEV
Name : jsnover
SID : {1, 5, 0, 0...}
SidLength : 28
SIDString : S-1-5-21-397955417-626881126-188441444-2914647
__GENUS : 2
__CLASS : Win32_Trustee
__SUPERCLASS : Win32_MethodParameterClass
__DYNASTY : Win32_MethodParameterClass
__RELPATH :
__PROPERTY_COUNT : 5
__DERIVATION : {Win32_MethodParameterClass}
__SERVER :
__NAMESPACE :
__PATH :


--
Jeffrey Snover [MSFT]
Monad Architect
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.


/\/\o\/\/

Apr 30, 2006, 6:22:01 AM
@ jeffrey,

Oops, I got this back also, the Returnvalue tricked me
into thinking I got the returncode back wrapped as management object.
I missed the Descriptor.

thanks.

@ Wesley,
did this answer your question ?
with select and export-csv you can get the CSV export.

gr /\/\o\/\/

/\/\o\/\/

Apr 30, 2006, 7:31:29 AM
this will make a CSV file of the security of

$sd.Descriptor.DACL |% {
$_ | select AccessMask,
AceFlags,
AceType,
@{e={$_.trustee.Domain};n='Domain'},
@{e={$_.trustee.Name};n='Name'},
@{e={$_.trustee.SIDString};n='SID'}
} | export-csv -noType "$share.txt"

gr /\/\o\/\/

dreeschkind

Apr 30, 2006, 1:05:01 PM
"Jeffrey Snover [MSFT]" wrote:

> PS> $sd.Descriptor.DACL |... Trustee
> Domain :
> Name : Everyone
> SID : {1, 1, 0, 0...}
> SidLength : 12
> SIDString : S-1-1-0


I noticed your use of '...' to get the Trustee property object.
Since this is not a defined alias/cmdlet (at least not in PowerShell RC1),
I thought it might be a custom function in your profile. So if anyone is
interested, here is an implementation of this function that should do the
same:

invoke-expression 'function global:... { param([string]$property) $input |
foreach-object { $_.$property } }';

--
greetings
dreeschkind

Wesley H

May 1, 2006, 10:11:47 AM
This did not work for me. Here is what I did and what I got back

PS C:\test> $shareSec = gwmi Win32_LogicalShareSecuritySetting -filter "name='backup'"
PS C:\test> $sd = $shareSec.invokeMethod('GetSecurityDescriptor',$null,$null)
PS C:\test> $sd |fl [a-z]*


Descriptor : System.Management.ManagementBaseObject
ReturnValue : 0

PS C:\test>


Wesley H

May 1, 2006, 10:37:13 AM
How can I implement this into this script and output everything to one
CSV file?

$strComputer = "."

$colItems = get-wmiobject -class "Win32_Share" -namespace "root\CIMV2" `
-computername $strComputer


foreach ($objItem in $colItems) {
write-host "Access Mask: " $objItem.AccessMask
write-host "Allow Maximum: " $objItem.AllowMaximum
write-host "Caption: " $objItem.Caption
write-host "Description: " $objItem.Description
write-host "Installation Date: " $objItem.InstallDate
write-host "Maximum Allowed: " $objItem.MaximumAllowed
write-host "Name: " $objItem.Name
write-host "Path: " $objItem.Path
write-host "Status: " $objItem.Status
write-host "Type: " $objItem.Type
write-host
}


Jacques Barathon [MS]

May 1, 2006, 11:05:05 AM
"Wesley H" <n...@na.com> wrote in message
news:Xns97B64D84...@192.48.21.133...

> How can I implement this into this script and output everything to one
> CSV file?

Try this:

PS> $strComputer = "."
PS> get-wmiobject -class "Win32_Share" -namespace "root\CIMV2" -computername $strComputer | select [a-z]* | export-csv shares.csv

Jacques


Wesley H

May 1, 2006, 11:18:11 AM
I have this part already going to a CSV file. Now all I need is to have go
into the same CSV file, or another file with the Name from this first
command script, all the Security permissions for each one of those
shares


/\/\o\/\/

May 1, 2006, 2:37:20 PM
Wesley H wrote:
> I have this part already going to a CSV file now all I need to have go
> into the Same CSV file


As I was working on a blog entry about your question, and had to update
the share security also, I will post the script to write them back from
the CSV file also later this week.

I came to this solution for exporting them :

# Disk shares only (type 0)
$shares = gwmi Win32_Share -filter 'type=0'

$ShareInfo = @()
foreach ($share in $shares) {

    # Security setting object that belongs to this share
    $shareSec = gwmi Win32_LogicalShareSecuritySetting -filter "name='$($share.name)'"
    if ($shareSec) {

        $sd = $shareSec.invokeMethod('GetSecurityDescriptor',$null,$null)

        # One row per ACE in the share's DACL
        $ShareInfo += $sd.Descriptor.DACL |% {
            $_ | select @{e={$share.name};n='Name'},
                        @{e={$share.Path};n='Path'},
                        @{e={$share.Description};n='Description'},
                        AccessMask,
                        AceFlags,
                        AceType,
                        @{e={$_.trustee.Name};n='User'},
                        @{e={$_.trustee.Domain};n='Domain'},
                        @{e={$_.trustee.SIDString};n='SID'}
        }
    } else {
        # No security setting found: still list the share itself
        $ShareInfo += $share | select Name,Path,Description
    }
}

$ShareInfo | select Name,Path,Description,User,Domain,SID,
    AccessMask,AceFlags,AceType | export-csv -noType ShareInfo.csv


I will post it later today with some info and comments on my blog
http://mow001.blogspot.com also. and I think tomorrow the script to
re-create them.

gr /\/\o\/\/

> or another File with the Name from this first
> command script with all the Security permission for each one of those
> shares

The first script did do this :

$sd.Descriptor.DACL |% {
$_ | select AccessMask,
AceFlags,
AceType,
@{e={$_.trustee.Domain};n='Domain'},
@{e={$_.trustee.Name};n='Name'},
@{e={$_.trustee.SIDString};n='SID'}

} | export-csv -noType "$shareSec.csv"

Gr /\/\o\/\/

/\/\o\/\/

May 1, 2006, 5:02:13 PM

Wesley H

May 1, 2006, 5:55:46 PM
I tried to run this but all it brought back was everyone in the users
field and not rights or anything or anyone under the security tab. I
need to have the CSV file show all the Security rights and settings for
the share so I can print them out and save them

"/\\/\\o\\/\\/" <n...@spam.mow> wrote in
news:uXGHcKWb...@TK2MSFTNGP05.phx.gbl:

> http://mow001.blogspot.com/2006/05/powershell-export-shares-and-security.html

/\/\o\/\/

May 1, 2006, 6:04:52 PM
I will get this output :

..

MowPS>$ShareInfo | select Name,Path,Description,User,Domain,SID,
>> AccessMask,AceFlags,AceType | export-csv -noType $filename
>>
MowPS>gc ShareInfo.csv
Name,Path,Description,User,Domain,SID,AccessMask,AceFlags,AceType
mp3,C:\MP3,,Mow,COMPUTER,S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx,xxxxxxx,0,0

this would be all the info needed I think

gr /\/\o\/\/

/\/\o\/\/

May 1, 2006, 6:09:30 PM
did too many xxx'es, still need accessmask ;-)

Name,Path,Description,User,Domain,SID,AccessMask,AceFlags,AceType
mp3,C:\MP3,,Mow,COMPUTER,S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx,1179817,0,0

/\/\o\/\/ wrote:
> I will get this output :
>

> ...


>
> MowPS>$ShareInfo | select Name,Path,Description,User,Domain,SID,
> >> AccessMask,AceFlags,AceType | export-csv -noType $filename
> >>
> MowPS>gc ShareInfo.csv
> Name,Path,Description,User,Domain,SID,AccessMask,AceFlags,AceType

> mp3,C:\MP3,,Mow,COMPUTER,S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx,1179817,0,0

/\/\o\/\/

May 1, 2006, 6:28:04 PM
if you want them human readable :

MowPS>[System.Security.AccessControl.FileSystemRights]1179817
ReadAndExecute, Synchronize

(or use the list in the comments of the
http://mow001.blogspot.com/2005/11/replace-security-on-existing-share.html
example)

Wesley H

May 2, 2006, 10:22:41 AM
This still does not get what I need. I have attached a Bitmap of what I
need and when I have tried all the things that are here all I get is this

PS C:\test> gc ShareInfo.csv
Name,Path,Description,User,Domain,SID,AccessMask,AceFlags,AceType
Server,C:\MSDN\Server,,Everyone,,S-1-1-0,1179817,0,0
Backup,C:\Backup,,Everyone,,S-1-1-0,1179817,0,0

In the Folder Backup I am missing all the other security permissions for the
folders.


Wesley H

May 2, 2006, 10:25:25 AM
This still does not get what I need. I have attached a Bitmap of what I
need and when I have tried all the things that are here all I get is this

PS C:\test> gc ShareInfo.csv
Name,Path,Description,User,Domain,SID,AccessMask,AceFlags,AceType
Server,C:\MSDN\Server,,Everyone,,S-1-1-0,1179817,0,0
Backup,C:\Backup,,Everyone,,S-1-1-0,1179817,0,0

/\/\o\/\/

May 2, 2006, 1:56:57 PM
that is not the share security but the directory security, you need the
win32_directory and win32_LogicalFileSecuritySetting :

you can go on from the path like this :

(gwmi Win32_LogicalFileSecuritySetting -filter "path = 'g:\\mp3'")

Note the escaping of the slash (WMI style)

from there on it is the same as the share-security example.

this way you can show related classes from the win32_directory
class :

(gwmi win32_directory -filter "name = 'g:\\mp3'").GetRelationships()

presuming this is remote, otherwise you do not need to use WMI and can
use the filesystem provider.

Greetings /\/\o\/\/

Wesley H

May 2, 2006, 2:29:16 PM
That sounds like what I need. Now is there a way to implement it into
your share security script and also add the directory security script
in? I am trying to run this on the local machine and I do not want to
have to manually enter in each share

/\/\o\/\/

May 2, 2006, 2:51:35 PM
if you work from the path property of the share the examples in last
reply and add other loop doing the same as the shares you could add it
the same way, or make a copy of the script feeding it the path
properties it's just more of the same.

I'm also busy posting the second part on my blog about importing the
shares again from the created CSV files this post might help also.

for working locally with ACL's try a search for ACL on my blog or MSH for
Fun there is a lot of info about it.

should be enough to get you going

gr /\/\o\/\/

Wesley H

May 2, 2006, 5:12:41 PM
This works manually but there is still one problem. I use a $share.path in
my script and apparently this line below needs to have the double \\. Is
there a way to append my $share.path to add in after the second character
to put in an additional \ into the line

(gwmi Win32_LogicalFileSecuritySetting -filter "path = 'g:\\mp3'")


My script has this line
(gwmi Win32_LogicalFileSecuritySetting -filter "path = '$($share.path)'")

the $share.path puts out a line that has c:\backup. I need it to put out c:\\Backup

/\/\o\/\/

May 2, 2006, 5:17:45 PM

MowPS>$share.path
C:\Foo
MowPS>$share.path.replace("\","\\")
C:\\Foo

gr /\/\o\/\/

PS as blogger is not working my post comes later
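
The steps discussed in the posts above (loop over the disk shares, read the share DACL from Win32_LogicalShareSecuritySetting and the directory DACL from Win32_LogicalFileSecuritySetting, escape the path for the WMI filter) put together in one script. This is an added example, not code from any poster; it assumes Windows PowerShell 3.0 to 5.1 in an elevated local session, and the helper names, the Scope column and the output file name are made up for illustration.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 3.0-5.1
# (Get-WmiObject) and an elevated local session.

function ConvertTo-WqlLiteral {
    # Hypothetical helper. WQL treats backslash as the escape character inside
    # string literals, so escape backslashes first, then single quotes.
    param([string]$Value)
    $Value.Replace('\', '\\').Replace("'", "\'")
}

function Get-DaclRow {
    # Hypothetical helper: one output row per ACE of a WMI security setting.
    param($Setting, $Share, [string]$Scope)

    $result = $Setting.InvokeMethod('GetSecurityDescriptor', $null, $null)
    if ($result.ReturnValue -ne 0) {
        Write-Warning "$Scope descriptor of '$($Share.Name)': WMI returned $($result.ReturnValue)"
        return
    }
    foreach ($ace in $result.Descriptor.DACL) {
        [pscustomobject]@{
            Name       = $Share.Name
            Path       = $Share.Path
            Scope      = $Scope            # 'Share' or 'Directory'
            User       = $ace.Trustee.Name
            Domain     = $ace.Trustee.Domain
            SID        = $ace.Trustee.SIDString
            AccessMask = $ace.AccessMask
            AceFlags   = $ace.AceFlags
            AceType    = $ace.AceType      # 0 = allow, 1 = deny
        }
    }
}

# Type 0 = ordinary disk shares; admin shares (C$, IPC$) are left out,
# as in the thread.
$rows = foreach ($share in Get-WmiObject Win32_Share -Filter 'Type=0') {
    $name = ConvertTo-WqlLiteral $share.Name
    $path = ConvertTo-WqlLiteral $share.Path

    # Share-level permissions (the "Share Permissions" dialog)
    $shareSec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$name'"
    if ($shareSec) { Get-DaclRow -Setting $shareSec -Share $share -Scope 'Share' }

    # NTFS permissions on the shared directory (the "Security" tab)
    $dirSec = Get-WmiObject Win32_LogicalFileSecuritySetting -Filter "Path='$path'"
    if ($dirSec) { Get-DaclRow -Setting $dirSec -Share $share -Scope 'Directory' }
}

if ($rows) {
    $rows | Export-Csv -NoTypeInformation -Path ShareAndDirectoryAcl.csv
}
```

The Scope column keeps the two permission layers apart in one file, since the effective access over the network is the more restrictive of the share ACL and the directory ACL.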

/\/\o\/\/

May 2, 2006, 5:42:49 PM

Wesley H

May 2, 2006, 6:16:44 PM
What can be put in the script that will take the accessmask number from
what the script has and also run the

[System.Security.AccessControl.FileSystemRights] auto insert the number and
output to the CSV file to read under a tab called Rights

/\/\o\/\/

May 2, 2006, 6:24:25 PM


@{e={[System.Security.AccessControl.FileSystemRights]$_.AccessMask};n='Rights'},

Wesley H

May 3, 2006, 10:09:39 AM
I tried this line and this is what the display shows
At C:\test\share.ps1:21 char:18
+ $_ | select <<<< @{e={$share.name};n='Name'},
Select-Object : Cannot convert value "268435456" to type "System.Security.AccessControl.FileSystemRights" due to invalid enumeration values.
The possible enumeration values are "ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership, Synchronize, FullControl".

/\/\o\/\/

May 3, 2006, 12:41:56 PM
can you post the complete line ?
the error is not really informative here (as the part where it goes
wrong is not shown).

I wonder where you did get the number 268435456 from, it's too big.

gr /\/\o\/\/

/\/\o\/\/

May 3, 2006, 12:47:55 PM
works here :

MowPS>1 | select {'foo'},@{e={[System.Security.AccessControl.FileSystemRights]((gwmi Win32_LogicalShareSecuritySetting -filter "name='foo'").invokeMethod('GetSecurityDescriptor',$null,$null).descriptor.dacl[0].AccessMask)};n='rights'}

'foo' rights
----- ------
foo   ReadAndExecute, Synchronize

Wesley H

May 3, 2006, 1:11:21 PM
It will work for me except when it hits the line where the CSV shows the
AccessMask as 268435456. This is Windows XP I am testing on. The second
line works fine


AccessMask
Server C:\MSDN\Server CREATOR OWNER S-1-3-0 268435456 27 0

AccessMask
Server C:\MSDN\Server BUILTIN Users S-1-5-32-545 1179817 19 0
ReadAndExecute, Synchronize

/\/\o\/\/

May 3, 2006, 1:53:49 PM
Hmm, interesting

this is an other kind of full control (for Creator Owner)
also if I do this not with WMI I do not get a value :


MowPS>(gi c:\foo).GetAccessControl().GetAccessRules($true,$true,[security.principal.ntaccount]) | ft -a FileSystemRights,IdentityReference

FileSystemRights            IdentityReference
----------------            -----------------
FullControl                 BUILTIN\Administrators
FullControl                 NT AUTHORITY\SYSTEM
FullControl                 Computer\Mow
268435456                   CREATOR OWNER
ReadAndExecute, Synchronize BUILTIN\Users
AppendData                  BUILTIN\Users
CreateFiles                 BUILTIN\Users

you could Trap the error, and output the value (as .NET seems to do).

but you will not recreate it yourself anyway I think also try this :

(gi c:\foo).GetAccessControl().GetAccessRules($true,$true,[security.principal.ntaccount])

to get other things to notice here

I'm not completely sure about the exact difference but I did find a good
article here :
http://www.grimes.demon.co.uk/workshops/secWSNine.htm

/\/\o\/\/

May 3, 2006, 2:11:43 PM
as you never will need to create the all right, and only need to
re-create the non-Inherited, if you go for the Powershell (local) way,
only getting them will get you going :


MowPS>(gi c:\foo).GetAccessControl().GetAccessRules($true,$false,[security.principal.ntaccount])


FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : CP340339-A\MowTest
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None

gr /\/\o\/\/

/\/\o\/\/

May 3, 2006, 2:29:15 PM
(gi c:\foo).GetAccessControl().GetAccessRules($true,$false,[security.principal.ntaccount])

hmm, did I forget something ?

(get-acl G:\foo).access

anyway also here the 268435456 value
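
Why the cast fails on 268435456, as an added example that is not from any poster: the value is 0x10000000, the Win32 GENERIC_ALL bit, which the FileSystemRights enum has no name for. The function name ConvertTo-FileRightsText is made up here; it expands generic bits with the standard file generic mapping before casting, and prints any leftover bits in hex instead of throwing.

```powershell
# Added example, not from the thread. Generic access bits and the masks they
# expand to for file objects (Win32 FILE_GENERIC_* / FILE_ALL_ACCESS values).
# Bits are written in decimal because PowerShell reads 0x80000000 as a
# negative Int32.
$GenericMap = @(
    @{ Name = 'GENERIC_READ';    Bit = 2147483648; Rights = 0x120089 }
    @{ Name = 'GENERIC_WRITE';   Bit = 1073741824; Rights = 0x120116 }
    @{ Name = 'GENERIC_EXECUTE'; Bit = 536870912;  Rights = 0x1200A0 }
    @{ Name = 'GENERIC_ALL';     Bit = 268435456;  Rights = 0x1F01FF }
)
$DefinedBits = 0x1F01FF   # every bit FileSystemRights has a name for

function ConvertTo-FileRightsText {
    param([Parameter(Mandatory = $true)][int64]$AccessMask)

    # Object-specific and standard rights live in the low 28 bits.
    $specific = $AccessMask -band 0x0FFFFFFF
    $generic  = @()
    foreach ($entry in $GenericMap) {
        if ($AccessMask -band $entry.Bit) {
            $generic += $entry.Name
            $specific = $specific -bor $entry.Rights
        }
    }

    $known   = $specific -band $DefinedBits
    $unknown = $specific - $known   # e.g. ACCESS_SYSTEM_SECURITY (0x01000000)

    $parts = @()
    if ($known -ne 0) {
        $parts += [string][System.Security.AccessControl.FileSystemRights][int]$known
    }
    if ($unknown -ne 0) { $parts += ('0x{0:X8}' -f $unknown) }
    if ($generic.Count -gt 0) { $parts += ('(from ' + ($generic -join ', ') + ')') }
    if ($parts.Count -eq 0) { return 'None' }
    $parts -join ' '
}

# The three AccessMask values that appear in the thread
foreach ($mask in 268435456, 1179817, 2032127) {
    '{0,10}  {1}' -f $mask, (ConvertTo-FileRightsText $mask)
}

# Drop-in calculated property for an export script's select list:
#   @{n='Rights'; e={ ConvertTo-FileRightsText $_.AccessMask }}
```

The CREATOR OWNER row in the thread carries AceFlags 27, which includes the inherit-only flag (8): that ACE is a template for child objects, which is why it holds a generic right rather than file-specific bits.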

Wesley H

May 3, 2006, 3:31:01 PM
How would something like this be automated in the script and then
outputted to a file?

"/\\/\\o\\/\\/" <n...@spam.mow> wrote in
news:#e1yT#tbGHA...@TK2MSFTNGP02.phx.gbl:

> gi
> c:\foo).GetAccessControl().GetAccessRules($true,$false,
[security.princi

/\/\o\/\/

May 4, 2006, 2:35:27 PM
actually the examples on my blog will work remote as they are using WMI.
they just need some small changes :

In the Export Shares example :
http://mow001.blogspot.com/2006/05/powershell-export-shares-and-security.html

the change would be this :

$server = "server"
$shares = gwmi Win32_Share -filter 'type=0' -computer $server

In the Import Example :

http://mow001.blogspot.com/2006/05/powershell-import-shares-and-security.html

the change would be this :

$server = "server"
$mp = new-object system.management.Managementpath
$mp.server = $server
$mp.NamespacePath = "root\cimv2"
$mp.ClassName = 'win32_share'
$MC = new-object system.management.ManagementClass $mp


in your example with those changes you will backup the Directory
security, so you want to recreate the directories only ?
You might want to take the owner also ?
and filter on ace-type for adding rights again (do you want rights on
subdirectories ?)

this is not as trivial as the shares example as their security is much
simpler constructed, but it is doable.

as mentioned before there are also some ACL examples on the "PowerShell
for Fun" blog http://mshforfun.blogspot.com/ and mine.

and of course this excellent article I mentioned :

http://www.grimes.demon.co.uk/workshops/secWSNine.htm

it gives a really great description of the .NET file security classes !!
(a very recommended workshop b.t.w. for .NET security in whole !)

but maybe secedit or the "security and configuration" snapin are better
suited for the kind of job you want to do.

gr /\/\o\/\/

Wesley H wrote:
> I got what I need for this script for now but I also need it to work on
> W2k. How can I get this to work on Win2K can I run a command in
> powershell that will export to a VBS the W2k will have .net 2.0 and I
> need to run this script on that. I attached the script if anyone can
> tell me how to get it to a VB script


>
> "/\\/\\o\\/\\/" <n...@spam.mow> wrote in
> news:e8NPDdj...@TK2MSFTNGP05.phx.gbl:
>

Wesley H

May 4, 2006, 5:11:33 PM
If I remove the -filter 'type=0' from this line below I get this error. I
want every share that is on the machine even the c$ and the IPC$

> $shares = gwmi Win32_Share -filter 'type=0'


Select-Object : A parameter cannot be found that matches parameter name
'.'.
At C:\share\fd.ps1:22 char:18
+ $_ | select <<<< @{e={$share.name};n='Name'},
Select-Object : A parameter cannot be found that matches parameter name
'.'.
At C:\share\fd.ps1:22 char:18
+ $_ | select <<<< @{e={$share.name};n='Name'},
Select-Object : A parameter cannot be found that matches parameter name
'.'.
At C:\share\fd.ps1:22 char:18
+ $_ | select <<<< @{e={$share.name};n='Name'},

/\/\o\/\/

May 4, 2006, 5:19:13 PM
there is no directory for IPC$ , also you can not list the security for
the admin shares (c$ d$ etc), these are special shares.

Hence the filter

gr /\/\o\/\/

Wesley H

May 4, 2006, 5:32:54 PM
how do you list admin shares then? some are missing from this list

Wesley H

May 5, 2006, 10:13:37 AM
> in your example with those changes you will backup the Directory
> security, so you want to recreate the directories only ?

Yes I want Directories only since most Sub directories get their
inheritance from the directories

> You might want to take the owner also ?.

The Owner is administrator on all the shares

> and filter on ace-type for adding rights again ( do you want rights on
> subdirectories ?

how does that filter work

> but maybe secedit or the "security and configuration" snapin are
> better suited for the kind of job you want to do.

I have tried these and have not had luck getting them to work correctly for
the shares
