Change Windows network share permissions using command-line tools
Old question, but I recently needed to do this for multiple home shares in order to restrict 'Full Control'. While you could do this at NTFS level, it takes time to apply recursively, time to reverse, and tools like the ADUC MMC can put the permissions back.
There doesn't seem to be a built-in command line tool for managing permissions on existing shares, only during initial setup, but you can do multiple grants, so if the share going offline for a moment is not an issue you could use:
NET SHARE example /DELETE /Y
NET SHARE example=C:\FolderPath /GRANT:Everyone,Change /GRANT:Administrators,Full /UNLIMITED /CACHE:None
But that was not an option for me, so I ended up using the excellent 'SetACL.exe' tool, which also has an option to target share names.
SetACL.exe -on "example" -ot shr -actn ace -ace "n:S-1-1-0;p:change"
SetACL.exe -on "example" -ot shr -actn ace -ace "n:S-1-5-32-544;p:full"
Note this is using the 'Well-known SID' for Everyone (S-1-1-0) and Local Administrators (S-1-5-32-544). You could use the name, but it avoids lookups and any chance of it being mixed up with a domain group.
For efficiency, multiple changes can be merged into a single command:
SetACL.exe -on "example" -ot shr -actn ace -ace "n:S-1-1-0;p:change" -ace "n:S-1-5-32-544;p:full"
Note the SetACL command targets the SHARE NAME and not the folder path of the share, which is normally used for NTFS permissions.
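A batch form of the SetACL approach above for several shares, as an added example that is not part of the original answer. The function name `Set-HomeShareAcl`, the sample share names and the treatment of a non-zero exit code as failure are assumptions; the SetACL arguments are the ones shown in the answer.

```powershell
# Added example: apply the answer's two share ACEs to a list of shares.
# Assumptions: SetACL.exe is on PATH (or passed via -SetAclPath) and a
# non-zero exit code from it means the change was not applied.
function Set-HomeShareAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ShareName,
        [string]$SetAclPath = 'SetACL.exe'
    )

    # Well-known SIDs from the answer: Everyone and local Administrators.
    # SIDs avoid name lookups and confusion with a same-named domain group.
    $aces = @(
        'n:S-1-1-0;p:change',
        'n:S-1-5-32-544;p:full'
    )

    foreach ($name in $ShareName) {
        # Object type "shr" targets the share name, not the folder path.
        $setAclArgs = @('-on', $name, '-ot', 'shr', '-actn', 'ace')
        foreach ($ace in $aces) { $setAclArgs += @('-ace', $ace) }

        # -WhatIf / -Confirm stop here before anything is changed.
        if (-not $PSCmdlet.ShouldProcess($name, 'Set share ACEs with SetACL')) {
            continue
        }

        & $SetAclPath @setAclArgs | Out-Null
        $exit = $LASTEXITCODE

        # "net share <name>" prints the share definition, including its
        # Permission lines, so the result can be reviewed per share.
        $current = (& net.exe share $name 2>&1 | Out-String).Trim()

        [pscustomobject]@{
            Share    = $name
            Success  = ($exit -eq 0)
            ExitCode = $exit
            Current  = $current
        }
    }
}

# Constructed sample share names; -WhatIf previews without changing anything.
Set-HomeShareAcl -ShareName 'home-alice', 'home-bob' -WhatIf
```

Drop `-WhatIf` to apply the change, and filter the output on `Success` to find shares that still need attention.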
Maybe, on Windows 2003. I haven't tried it...
net share /grant
Edit, after comment, from a Win 7 x64 machine.
Note the [/GRANT:user,[READ | CHANGE | FULL]]
C:\Users\gbn>net share /?
The syntax of this command is:
NET SHARE
sharename
sharename=drive:path [/GRANT:user,[READ | CHANGE | FULL]]
[/USERS:number | /UNLIMITED]
[/REMARK:"text"]
[/CACHE:Manual | Documents| Programs | BranchCache | None]
sharename [/USERS:number | /UNLIMITED]
[/REMARK:"text"]
[/CACHE:Manual | Documents | Programs | BranchCache | None]
{sharename | devicename | drive:path} /DELETE
sharename \\computername /DELETE
C:\Users\gbn>
Have you looked at icacls.exe and cacls.exe? (both in the System32 folder, at least on Win7)