Can it be done without downloading at all?subinacl.exe
Add a comment |
3 Answers
Have you looked at icacls.exe and cacls.exe? (both in the System32 folder, at least on Win7)
- 4These do NTFS, not shares AFAIK support.microsoft.com/kb/919240gbn– gbn2010-04-28 18:01:23 +00:00Commented Apr 28, 2010 at 18:01
- I've discovered that the "best practice" is to just set the share permissions to "Everyone" (which it is by default), and instead refine the NTFS permissions using
cacls.exe. I did not realize NTFS permissions also affect users accessing the share, so this answer gives me exactly what I need. Thank you!BlueRaja– BlueRaja2010-04-30 15:26:40 +00:00Commented Apr 30, 2010 at 15:26
FOR ANYONE STILL FINDING THIS QUESTION, YOU CAN USE POWERSHELL:
Grant-SmbShareAccess -Name example -AccountName Administrators -AccessRight Full -Force Grant-SmbShareAccess -Name example -AccountName Everyone -AccessRight Change -Force HERE IS MY ORIGINAL PRE-POWERSHELL ANSWER:
I recently needed to do this for multiple home shares in order to restrict 'Full Control'. While you could do this at NTFS level, it takes time to apply recursively, time to reverse, and tools like the ADUC MMC put the permissions back.
There doesn't seem to be a built in command line tool for managing permissions on existing shares, only during initial setup, but you can do multiple grants, so if the shares going offline for a moment is not an issue you could use:
NET SHARE example /DELETE /Y NET SHARE example=C:\FolderPath /GRANT:Everyone,Change /GRANT:Administrators,Full /UNLIMITED But that was not an option for me, so ended up using the excellent 'SetACL.exe' tool which also has an option to target share names.
SetACL.exe -on "example" -ot shr -actn ace -ace "n:S-1-1-0;p:change" SetACL.exe -on "example" -ot shr -actn ace -ace "n:S-1-5-32-544;p:full" Note this also shows using the 'Well-known SID' for Everyone ( S-1-1-0 ) and Local Administrators ( S-1-5-32-544 ) to avoids lookups, but the name also works.
For efficiency multiple changes can be merged into a single command:
SetACL.exe -on "example" -ot shr -actn ace -ace "n:S-1-1-0;p:change" -ace "n:S-1-5-32-544;p:full" Note the SetACL command targets the SHARE NAME and not the folder path of the share, which is normally used for NTFS permissions.
Maybe, on Windows 2003. I haven't tried it...
net share /grant Edit, after comment, from a Win 7 x64 machine.
Note the [/GRANT:user,[READ | CHANGE | FULL]]
C:\Users\gbn>net share /? The syntax of this command is: NET SHARE sharename sharename=drive:path [/GRANT:user,[READ | CHANGE | FULL]] [/USERS:number | /UNLIMITED] [/REMARK:"text"] [/CACHE:Manual | Documents| Programs | BranchCach e | None] sharename [/USERS:number | /UNLIMITED] [/REMARK:"text"] [/CACHE:Manual | Documents | Programs | BranchCache | None] {sharename | devicename | drive:path} /DELETE sharename \\computername /DELETE C:\Users\gbn> 
- "The /grant option is unknown"BlueRaja– BlueRaja2010-04-28 18:34:10 +00:00Commented Apr 28, 2010 at 18:34