Change Windows network share permissions using command-line tools

Can it be done without downloading subinacl.exe at all?


Have you looked at icacls.exe and cacls.exe? (both in the System32 folder, at least on Win7)


FOR ANYONE STILL FINDING THIS QUESTION, YOU CAN USE POWERSHELL:

Grant-SmbShareAccess -Name example -AccountName Administrators -AccessRight Full -Force
Grant-SmbShareAccess -Name example -AccountName Everyone -AccessRight Change -Force

HERE IS MY ORIGINAL PRE-POWERSHELL ANSWER:

I recently needed to do this for multiple home shares in order to restrict 'Full Control'. While you could do this at NTFS level, it takes time to apply recursively, time to reverse, and tools like the ADUC MMC put the permissions back.

There doesn't seem to be a built in command line tool for managing permissions on existing shares, only during initial setup, but you can do multiple grants, so if the shares going offline for a moment is not an issue you could use:

NET SHARE example /DELETE /Y
NET SHARE example=C:\FolderPath /GRANT:Everyone,Change /GRANT:Administrators,Full /UNLIMITED /CACHE:None

But that was not an option for me, so ended up using the excellent 'SetACL.exe' tool which also has an option to target share names.

SetACL.exe -on "example" -ot shr -actn ace -ace "n:S-1-1-0;p:change"
SetACL.exe -on "example" -ot shr -actn ace -ace "n:S-1-5-32-544;p:full"

Note this also shows using the 'Well-known SID' for Everyone ( S-1-1-0 ) and Local Administrators ( S-1-5-32-544 ) to avoids lookups, but the name also works.

For efficiency multiple changes can be merged into a single command:

SetACL.exe -on "example" -ot shr -actn ace -ace "n:S-1-1-0;p:change" -ace "n:S-1-5-32-544;p:full"

Note the SetACL command targets the SHARE NAME and not the folder path of the share, which is normally used for NTFS permissions.


Maybe, on Windows 2003. I haven't tried it...

net share /grant 

Edit, after comment, from a Win 7 x64 machine.

Note the [/GRANT:user,[READ | CHANGE | FULL]]

C:\Users\gbn>net share /?
The syntax of this command is:

NET SHARE
sharename
          sharename=drive:path [/GRANT:user,[READ | CHANGE | FULL]]
                               [/USERS:number | /UNLIMITED]
                               [/REMARK:"text"]
                               [/CACHE:Manual | Documents| Programs | BranchCach
e | None]
          sharename [/USERS:number | /UNLIMITED]
                    [/REMARK:"text"]
                    [/CACHE:Manual | Documents | Programs | BranchCache | None]
          {sharename | devicename | drive:path} /DELETE
          sharename \\computername /DELETE


C:\Users\gbn>