[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


How to modify existing CIFS share permissions

Posted on 2014-08-07
Medium Priority
Last Modified: 2014-08-11
I would like to modify permissions on a number of NetApp CIFS shares (over 100). These are user shares and each share has a different user account with "Change" share permission, this permission now needs to be "Full Control".

I also need to be able to add a new group to these shares and give that group "Full Control" and finally I need to remove a group "Domain Admins" that has already been given permissions to the shares.

So far I've only worked out how to view the share permissions:

Get-NaCifsShareAcl -Share usrtest01 | select ShareName -ExpandProperty UserAclInfo
Question by:carbonbase
  • 3
  • 2
LVL 18

Expert Comment

by:Emmanuel Adebayo
ID: 40245676
Have you tried to use icacls


Author Comment

ID: 40245736
I'm trying to modify share permissions, I believe icacls works with NTFS permissions

Author Comment

ID: 40245874
What I have at the moment is this...
share name:           abc1
permission 1:          mydomain\user 1                      change
permission 2:          mydomain\domain admins        full control
share name:          abc2
permission 1:         mydomain\user 2                     change
permission 2:         mydomain\domain admins     full control
What I want to end up with is this....
share name:            abc1
permission 1:          mydomain\user 1                 full control
permission 2:          mydomain\new group          full control
share name:            abc2
permission 1:          mydomain\user 2                 full control
permission 2:          mydomain\new group          full control
I think maybe the easiest way to get what I want would be to enumerate the share permissions and for any user account that is not Domain Admins, change its share permission to "full control" then remove Domain Admins and add my new group giving it "full control" as well.  But if anyone has any better ideas please let me know
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

LVL 40

Expert Comment

ID: 40245907
You could use Set-NaCifsShareAcl & Remove-NaCifsShareAcl cmdlets to modify permissions.. For the bulk modification do you want it to run against all shares or for a particular list of shares?

Set-NaCifsShareAcl -Share abc2 -User "mydomain\new group" -AccessRights "Full Control"

Remove-NaCifsShareAcl -Share abc2 -User "mydomain\domain admins"

Open in new window

Here is more details..
LVL 40

Accepted Solution

Subsun earned 2000 total points
ID: 40248501
Here is a sample code which comp through all shares and make required changes and save the report to a csv file..
Connect-nacontroller "ControllerName"

Get-NaCifsShareAcl | select ShareName -ExpandProperty UserAclInfo | % {
$AccessRights = $_.AccessRights;$ShareName = $_.ShareName;$UserName = $_.UserName

Write-Host "Working on $ShareName"
	If ($AccessRights -eq "change"){
	#Set the AccessRights to Full Control
	Set-NaCifsShareAcl -Share $ShareName -User $UserName -AccessRights "Full Control" -ErrorAction Stop
		 New-Object PSobject -Property @{ShareName = $ShareName;UserName = $UserName;AccessRights = "Updated"}
	 New-Object PSobject -Property @{ShareName = $ShareName;UserName = $UserName;AccessRights = "Not Updated"}
	If ($UserName -eq "mydomain\domain admins"){
	#Remove the mydomain\domain admins permission from share
	Remove-NaCifsShareAcl -Share $ShareName -User "mydomain\domain admins" -ErrorAction Stop
		 New-Object PSobject -Property @{ShareName = $ShareName;UserName = $UserName;AccessRights = "Updated"}
	 New-Object PSobject -Property @{ShareName = $ShareName;UserName = $UserName;AccessRights = "Not Updated"}
}| Select ShareName,UserName,AccessRights | Export-Csv C:\Test\Report.csv -nti

Open in new window

PS : Test the code thoroughly in lab before run it in production..

Author Closing Comment

ID: 40252751
Thanks very much for this.  I've added

Where-Object {$_.MountPoint -like "/vol/users"}

to your code so that only the user shares are modified.


Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A recent project that involved parsing Tableau Desktop and Server log files to extract reusable user queries for use in other systems. I chose to use PowerShell to gather the data, and SharePoint to present it...
Measuring Server's processing rate with a simple powershell command. The differences in processing rate also was recorded in different use-cases, when a server in free and busy states.
This video teaches viewers how to encrypt an external drive that requires a password to read and edit the drive. All tasks are done in Disk Utility. Plug in the external drive you wish to encrypt: Make sure all previous data on the drive has been …
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question