Change Windows network share permissions using command-line tools

Old question, but I recently needed to do this for multiple home shares in order to restrict 'Full Control'. While you could do this at NTFS level, it takes time to apply recursively, time to reverse, and tools like the ADUC MMC can put the permissions back.

There doesn't seem to be a built-in command line tool for managing permissions on existing shares, only during initial setup, but you can do multiple grants, so if the shares going offline for a moment is not an issue you could use:

NET SHARE example /DELETE /Y
NET SHARE example=C:\FolderPath /GRANT:Everyone,Change /GRANT:Administrators,Full /UNLIMITED /CACHE:None

But that was not an option for me, so I ended up using the excellent 'SetACL.exe' tool which also has an option to target share names.

SetACL.exe -on "example" -ot shr -actn ace -ace "n:S-1-1-0;p:change"
SetACL.exe -on "example" -ot shr -actn ace -ace "n:S-1-5-32-544;p:full"

Note this is using the 'Well-known SID' for Everyone ( S-1-1-0 ) and Local Administrators ( S-1-5-32-544 ). You could use the name, but it avoids lookups and any chance of it being mixed up with a domain group.

For efficiency multiple changes can be merged into a single command:

SetACL.exe -on "example" -ot shr -actn ace -ace "n:S-1-1-0;p:change" -ace "n:S-1-5-32-544;p:full"

Note the SetACL command targets the SHARE NAME and not the folder path of the share, which is normally used for NTFS permissions.
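
On Windows 8 / Server 2012 and later, the SmbShare PowerShell module can apply the same restriction to several shares without deleting them. The following is an added example, not part of the answers on this page; the function name and the `home*` share-name pattern are hypothetical.

```powershell
#Requires -Modules SmbShare
# Added example: find shares where Everyone has Full at share level and
# reduce that to Change, keeping local Administrators at Full.
function Set-HomeShareAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$NamePattern = 'home*')   # hypothetical naming pattern

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]
    # Well-known SIDs from the answer above, resolved to names on this machine
    # so a same-named domain group (or a localized name) cannot be mixed up.
    $everyone = ('S-1-1-0' -as $sidType).Translate($ntType).Value
    $admins   = ('S-1-5-32-544' -as $sidType).Translate($ntType).Value

    # Skip administrative shares (C$, ADMIN$, IPC$) and filter by name.
    $shares = Get-SmbShare -Special $false | Where-Object Name -like $NamePattern
    foreach ($share in $shares) {
        # Share-level ACEs are addressed by share name, not by folder path.
        $tooBroad = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $sid = try { ($_.AccountName -as $ntType).Translate($sidType).Value } catch { $null }
            $sid -eq 'S-1-1-0' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -eq 'Full'
        }
        if (-not $tooBroad) { continue }   # already restricted, leave untouched

        if ($PSCmdlet.ShouldProcess($share.Name, 'Reduce Everyone from Full to Change')) {
            # Swap the Everyone ACE; the share itself is never deleted.
            Revoke-SmbShareAccess -Name $share.Name -AccountName $everyone -Force | Out-Null
            Grant-SmbShareAccess -Name $share.Name -AccountName $everyone -AccessRight Change -Force | Out-Null
            Grant-SmbShareAccess -Name $share.Name -AccountName $admins -AccessRight Full -Force | Out-Null
        }
        # Emit the share's ACL (unchanged under -WhatIf) for review or logging.
        Get-SmbShareAccess -Name $share.Name
    }
}

Set-HomeShareAcl -WhatIf   # dry run: shows which shares would be changed
```

Run it from an elevated prompt; drop `-WhatIf` once the dry run lists only the shares you expect.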


Maybe, on Windows 2003. I haven't tried it...

net share /grant 

Edit, after comment, from a Win 7 x64 machine.

Note the [/GRANT:user,[READ | CHANGE | FULL]]

C:\Users\gbn>net share /?
The syntax of this command is:

NET SHARE
sharename
          sharename=drive:path [/GRANT:user,[READ | CHANGE | FULL]]
                               [/USERS:number | /UNLIMITED]
                               [/REMARK:"text"]
                               [/CACHE:Manual | Documents| Programs | BranchCache | None]
          sharename [/USERS:number | /UNLIMITED]
                    [/REMARK:"text"]
                    [/CACHE:Manual | Documents | Programs | BranchCache | None]
          {sharename | devicename | drive:path} /DELETE
          sharename \\computername /DELETE


C:\Users\gbn>

Have you looked at icacls.exe and cacls.exe? (both in the System32 folder, at least on Win7)