Microsoft Virtualization Discussions

Modify CIFS share permissions

CARBONBASE
16,873 Views

I would like to modify permissions on a number of NetApp CIFS shares (over 100). These are user shares (share names do not match the user names) and each share has a different user account with "Change" share permission, this permission now needs to be "Full Control".

I also need to be able to add a new group to these shares and give that group "Full Control" and finally I need to remove a group "Domain Admins" that has already been given permissions to the shares.

So far I've only worked out how to view the share permissions:

Get-NaCifsShareAcl -Share usertest01 | select ShareName -ExpandProperty UserAclInfo

What I have at the moment is this...

share name:           abc1

permission 1:          mydomain\user 1                    change

permission 2:          mydomain\domain admin        full control

share name:          abc2

permission 1:         mydomain\user 2                  change

permission 2:         mydomain\domain admins     full control

What I want to end up with is this....

share name:            abc1

permission 1:          mydomain\user 1                full control

permission 2:          mydomain\new group          full control

share name:            abc2

permission 1:          mydomain\user 2                full control

permission 2:          mydomain\new group          full control

I think the easiest way to get what I want would be to enumerate the share permissions and for any user account that is not Domain Admins, change its share permission to "full control" then remove Domain Admins and add my new group giving it "full control" as well.

1 ACCEPTED SOLUTION

JGPSHNTAP
16,872 Views

Here's how i would skin this cat...

So you have a few requirements but I will get you started

get-nacifsshareacl | select sharename -expandproperty useraclinfo  | % {

if ($_.accessrights -eq "change") {

set-nacifsshareacl $_.sharename $_.username -accessrights "Full Control"}

}

}

You want to make your modifications there.. I can help you out more if you give us a little more detail

View solution in original post

10 REPLIES 10

JGPSHNTAP
16,873 Views

Here's how i would skin this cat...

So you have a few requirements but I will get you started

get-nacifsshareacl | select sharename -expandproperty useraclinfo  | % {

if ($_.accessrights -eq "change") {

set-nacifsshareacl $_.sharename $_.username -accessrights "Full Control"}

}

}

You want to make your modifications there.. I can help you out more if you give us a little more detail

CARBONBASE
16,824 Views

Hi you've cracked it thanks very much!

The thing I couldn't get my head around was that each of the user shares had different user account and I was focusing on that, where as the permissions were all the same and I just needed to change the permission on the account which had "Change".

I have added to your code a connection string to connected to the right filer and also a test for the share path, as well as commands to add and remove domain groups, so that my script only changes permissions on my user shares.  So my code looks like this:

Connect-NaController -Name toaster

Get-NaCifsShare | Where-Object {$_.MountPoint -like "/vol/user/folders"} | Set-NaCifsShareAcl -User "mydomain\new group" -AccessRights "Full Control" | Remove-NaCifsShareAcl -User "Domain Admins" | get-nacifsshareacl | select sharename -expandproperty useraclinfo  | % {

if ($_.accessrights -eq "change") {

set-nacifsshareacl $_.sharename $_.username -accessrights "Full Control"}

}

Thanks again!

JGPSHNTAP
16,824 Views

Wow.. The above code looks messy but if it works great.

You are querying and then setting and then looping it through foreach.. confusing

CARBONBASE
16,824 Views

I am very new to Powershell, so I may not be doing things in the most efficient way.

Any ideas for tidying up the script gratefully received.

JGPSHNTAP
16,824 Views

Ok, let's start with this.. are you trying to do lots of shares or just one?

CARBONBASE
16,824 Views

I've got around 500 shares to do.

JGPSHNTAP
16,824 Views

Ok, let me help you out...

Are they all on the same controller?  If not, do they experience all the same characterstics that we can query against..

The beauty of powershell is that its flexible and powerful, so we can script just about anything..   You want powershell to do the logic for you to make your life easy..

Let's start there and then I can ehp build your script

CARBONBASE
16,824 Views

All the shares are on the same controller

JGPSHNTAP
16,824 Views

That makes life easy...

If all the shares are changing it makes it even easier...

CARBONBASE
11,170 Views

Yes that's right, but I only want to modify the user shares, fortunately they all share the same first bit of the folder path which is why I added Get-NaCifsShare | Where-Object {$_.MountPoint -like "/vol/user/folders"} to my script

Public