Viewing User Permissions on Shared Folders and Removing Relevant Permissions
Viewing the shared folder (SMB) permissions and NTFS security permissions that a user holds, and removing them when necessary, can be challenging, especially when permission changes have to go through a communication or management tool's workflow. The difficulty usually comes from not having a clear picture of the permissions members already hold across the various folders. To address this, the script below automatically lists a user's shared folder and security permissions.
```powershell
# Configure Domain
$domain = "CSXZX"
$userName = Read-Host "Enter the target username (username)"  # Input username
$userName = "$domain\$userName"                                # Create full username

# Get User's Shared Permissions
Write-Host "Checking shared permissions for $($userName):"
$shares = Get-SmbShare
if (-not $shares) {
    Write-Host "No shared folders found."
} else {
    $shares | ForEach-Object {
        $shareName = $_.Name
        $access = Get-SmbShareAccess -Name $shareName | Where-Object { $_.AccountName -eq $userName }
        if ($access) {
            $access | ForEach-Object {
                Write-Host "$($userName) has the following permissions in shared folder '$shareName': $($_.AccessControlType) $($_.AccessRight)"
            }
        } else {
            Write-Host "$($userName) has no permissions in shared folder '$shareName'."
        }
    }
}

# Get User's NTFS Permissions
Write-Host "`nChecking NTFS permissions for $($userName):"
$shares | ForEach-Object {
    $folderPath = $_.Path
    if ($folderPath -and (Test-Path $folderPath)) {  # Check if the path is not empty and exists
        $acl = Get-Acl -Path $folderPath
        # IdentityReference is an NTAccount; compare its "DOMAIN\user" string value
        $userAccess = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $userName }
        if ($userAccess) {
            $userAccess | ForEach-Object {
                Write-Host "$($userName) has the following NTFS permissions in '$folderPath': $($_.AccessControlType) $($_.FileSystemRights)"
            }
        } else {
            Write-Host "$($userName) has no NTFS permissions in '$folderPath'."
        }
    } else {
        Write-Host "Folder path '$folderPath' does not exist or is inaccessible."
    }
}
Write-Host "`nCheck completed."
```
Removing a User's Shared Folder and Security Permissions
Based on the share name provided by the user, the script locates the corresponding folder, removes the user's NTFS permissions with the ACL object's RemoveAccessRule method, and revokes the share-level permission directly with the Revoke-SmbShareAccess cmdlet.
```powershell
# Configure Domain
$domain = "CSXZX"

# Prompt for the username and shared folder name
$userName  = Read-Host "Please enter the target username (username only)"  # Enter only the username
$shareName = Read-Host "Please enter the shared folder name"                # Enter the shared folder name

# Construct the full username
$userName = "$domain\$userName"

# Retrieve the shared folder path; stop if the share does not exist or has no usable local path
$share = Get-SmbShare -Name $shareName -ErrorAction Stop
$folderPath = $share.Path
if (-not $folderPath -or -not (Test-Path -LiteralPath $folderPath)) {
    throw "Shared folder '$shareName' has no accessible path."
}

# Remove NTFS permissions
# Note: RemoveAccessRule only removes explicit entries; inherited entries stay in place
$acl = Get-Acl -Path $folderPath
$acl.Access | Where-Object { $_.IdentityReference.Value -eq $userName } | ForEach-Object {
    [void]$acl.RemoveAccessRule($_)   # [void] suppresses the True/False return value
}
Set-Acl -Path $folderPath -AclObject $acl
Write-Host "Successfully removed NTFS permissions for $userName"

# Remove shared permissions
Revoke-SmbShareAccess -Name $shareName -AccountName $userName -Force
Write-Host "Successfully removed shared permissions for $userName"
```
Removing All Shared Folder Permissions Associated with a User
The script uses Get-SmbShare to retrieve all shared folders, excludes the system-level shares, and then iterates through the rest to remove every share and NTFS permission associated with the user. A manual exclusion list can also be supplied to protect folders whose permissions should not be touched.
```powershell
# Configure Domain
$domain = "CSXZX"
$userName = Read-Host "Please enter the target username (username)"  # Enter username
$excludeShares = Read-Host "Please enter the shared folders to exclude (separated by commas, leave blank to remove all shared folders by default)"

# Default excluded shared folders (system shares)
$defaultExcludeShares = @("ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL")

# Construct the full username
$userName = "$domain\$userName"

# Get all shared folders
$shares = Get-SmbShare

# Filter out the shared folders to exclude
if ($excludeShares) {
    # Accept both ASCII and full-width commas and trim surrounding whitespace; @() keeps a single entry as an array
    $excludeSharesList = @(($excludeShares -replace "、", ",").Split(",") | ForEach-Object { $_.Trim() })
    $excludeSharesList += $defaultExcludeShares  # Merge default excluded shared folders
    $shares = $shares | Where-Object { $excludeSharesList -notcontains $_.Name }
} else {
    # If no shared folders are specified for exclusion, use the default exclusion list
    $shares = $shares | Where-Object { $defaultExcludeShares -notcontains $_.Name }
}

# Iterate through all shared folders and remove user permissions
foreach ($share in $shares) {
    # Check if the user has shared folder permissions
    $access = Get-SmbShareAccess -Name $share.Name | Where-Object { $_.AccountName -eq $userName }
    if ($access) {
        # Remove shared folder permissions
        Revoke-SmbShareAccess -Name $share.Name -AccountName $userName -Force
        Write-Host -ForegroundColor Green "Removed $userName's shared folder permissions for '$($share.Name)'"
    } else {
        Write-Host "$userName does not have shared folder permissions for '$($share.Name)', no action required"
    }

    # Get the folder path and remove NTFS permissions (skip shares without a usable local path)
    $folderPath = $share.Path
    if (-not $folderPath -or -not (Test-Path -LiteralPath $folderPath)) {
        Write-Host "Folder path '$folderPath' for share '$($share.Name)' does not exist or is inaccessible, skipping NTFS step"
        continue
    }
    $acl = Get-Acl -Path $folderPath
    $userAccess = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $userName }
    if ($userAccess) {
        # Remove the user's explicit NTFS permissions (inherited entries cannot be removed here)
        $userAccess | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
        Set-Acl -Path $folderPath -AclObject $acl
        Write-Host -ForegroundColor Green "Removed $userName's NTFS permissions for '$folderPath'"
    } else {
        Write-Host "$userName does not have NTFS permissions for '$folderPath', no action required"
    }
}
Write-Host "Permission removal completed"
```
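The two removal scripts above match ACL entries by the "DOMAIN\user" string and call RemoveAccessRule, which silently leaves inherited NTFS entries in place. The following added example (not part of the original post or its repository) produces a review report for a single share before anything is removed: it matches on SID, so an account that was renamed is still found, and it flags inherited NTFS entries that must be dealt with on the parent folder. The function names Get-ShareUserAceReport and ConvertTo-SidOrNull, and the sample values 'CSXZX\jdoe' and 'Projects', are assumptions.

```powershell
# Added example, not from the original post. Assumed names: Get-ShareUserAceReport
# and the helper ConvertTo-SidOrNull; 'CSXZX\jdoe' and 'Projects' are constructed.
function ConvertTo-SidOrNull([System.Security.Principal.IdentityReference]$Identity) {
    # Unresolvable (orphaned) accounts return $null instead of throwing
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
}

function Get-ShareUserAceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$UserName,    # "DOMAIN\user"
        [Parameter(Mandatory)] [string]$ShareName
    )
    # Resolve the target once; comparing SIDs instead of "DOMAIN\user" strings
    # still matches entries written before an account rename
    $sid = ConvertTo-SidOrNull ([System.Security.Principal.NTAccount]$UserName)
    if (-not $sid) { throw "Cannot resolve account '$UserName'" }

    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop
    if (-not $share.Path -or -not (Test-Path -LiteralPath $share.Path)) {
        throw "Share '$ShareName' has no accessible local path (system share?)"
    }
    $report = [System.Collections.Generic.List[object]]::new()

    # Share-level (SMB) entries: these are what Revoke-SmbShareAccess removes
    foreach ($entry in Get-SmbShareAccess -Name $ShareName) {
        $entrySid = ConvertTo-SidOrNull ([System.Security.Principal.NTAccount]$entry.AccountName)
        if ($sid -eq $entrySid) {
            $report.Add([pscustomobject]@{ Layer = 'SMB'; Path = $ShareName
                Rights = "$($entry.AccessControlType) $($entry.AccessRight)"
                Inherited = $false; RemovableHere = $true })
        }
    }
    # NTFS entries: RemoveAccessRule() only removes explicit ACEs; inherited ones
    # must be handled on the parent (or by breaking inheritance), so flag them
    $acl = Get-Acl -LiteralPath $share.Path
    foreach ($ace in $acl.Access) {
        if ($sid -eq (ConvertTo-SidOrNull $ace.IdentityReference)) {
            $report.Add([pscustomobject]@{ Layer = 'NTFS'; Path = $share.Path
                Rights = "$($ace.AccessControlType) $($ace.FileSystemRights)"
                Inherited = $ace.IsInherited; RemovableHere = (-not $ace.IsInherited) })
        }
    }
    return $report
}

# Review the result before running the removal scripts
Get-ShareUserAceReport -UserName 'CSXZX\jdoe' -ShareName 'Projects' | Format-Table -AutoSize
```

Any row with Inherited = True will survive the removal scripts unchanged, so the report doubles as the record of what still has to be fixed at the parent folder.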
Source Code Location:
The source code for these scripts can be found at:
https://github.com/Excalibra/scripts/tree/main/d-pwsh-dc
The corresponding script names are:
- Check User Permissions on Shared Folders.ps1
- Permission Removal Template.ps1
- Remove All Shared Folder Permissions for a Users.ps1