How to configure shared folder permissions

Started by Vinodh

Vinodh

How to configure shared folder permissions   10 August 2020, 11:06

Hi Team,

We are unable to access shares which have been configured in the advanced setting of the Windows servers, and would like to know if we have a configuration issue.

We enabled "Share this folder" in Properties - Sharing - Advanced Sharing, and set Share Permissions for "Everyone" to "Allow" for Full Control, Change and Read. This share has been correctly identified by NetScanner, but it appears inaccessible. In the scan result list the share has a lock icon next to it, and I'm getting "access denied".
Ann

Re: How to configure shared folder permissions   10 August 2020, 11:24

The lock icon suggests that access was denied when the scanner attempted to list the share's contents. As you are also getting the access denied error, please check that folder's NTFS permissions (locally on the server, on the Security tab in the folder's properties).

The effective permissions are computed from NTFS and share permissions combined, so it is likely "Everyone" isn't allowed to read that folder at the NTFS level. For more information, here is a blog article detailing how Shares and NTFS Permissions are related and some best practices.
Vinodh

Re: How to configure shared folder permissions   10 August 2020, 11:28

Okay, do I understand correctly that NetScanner will only identify NTFS permissions, not the Shares permissions?
Ann

Re: How to configure shared folder permissions   10 August 2020, 11:31

In Windows, when NTFS permissions and shares are used together, the most restrictive permissions prevail. For example, if "Everyone's" NTFS permissions allow modifications while the share permissions only allow reading, the share permissions apply, because Read is more restrictive than Modify. It is possible to simplify things and work with just one set of permissions: the NTFS share permissions. For that, set the folder's share permissions to "Full Control", and then set its NTFS permissions as required.

NetScanner detects and uses effective permissions, that is, those the real "Everyone" will have when accessing the shared folder.

If you just want share level permissions, those can be extracted from WMI (e.g. Win32_LogicalShareSecuritySetting).
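
The "most restrictive permissions prevail" rule from the post above, modelled as an added example (not from the forum thread and not NetScanner code): over the network, a right must be granted by both the share DACL and the NTFS DACL. Trustee names and ACLs are constructed, and deny handling is simplified as noted in the comments.

```python
# Added example: simplified model of share + NTFS permission evaluation.
# Trustee names and ACLs are constructed; the masks are the standard values
# reported in Win32_ACE.AccessMask.
FULL_CONTROL = 0x001F01FF
CHANGE = 0x001301BF      # share "Change" / NTFS "Modify"
READ = 0x001200A9        # share "Read" / NTFS "Read & execute"
ALLOW, DENY = 0, 1       # Win32_ACE.AceType values

def granted(dacl, token):
    """Bits one DACL grants to a caller whose identities are in `token`.
    Simplified: a matching deny ACE always wins; inheritance order is ignored."""
    allowed = denied = 0
    for trustee, ace_type, mask in dacl:
        if trustee in token:
            if ace_type == DENY:
                denied |= mask
            else:
                allowed |= mask
    return allowed & ~denied

def effective(share_dacl, ntfs_dacl, token):
    """Network access needs the right in both the share and the NTFS DACL."""
    return granted(share_dacl, token) & granted(ntfs_dacl, token)

def level(mask):
    """Name the highest standard level fully covered by `mask`."""
    for name, bits in (("Full Control", FULL_CONTROL), ("Change", CHANGE), ("Read", READ)):
        if mask & bits == bits:
            return name
    return "No access"

# Constructed caller: the user plus the groups in their access token
token = {"Everyone", "CORP\\FileUsers", "CORP\\scanner"}
share_open = [("Everyone", ALLOW, FULL_CONTROL)]
share_read = [("Everyone", ALLOW, READ)]
ntfs_admins_only = [("BUILTIN\\Administrators", ALLOW, FULL_CONTROL)]
ntfs_everyone_modify = [("Everyone", ALLOW, CHANGE)]
ntfs_group_modify = [("CORP\\FileUsers", ALLOW, CHANGE),
                     ("CORP\\scanner", DENY, CHANGE & ~READ)]  # deny write bits only

if __name__ == "__main__":
    # Share open to Everyone, but NTFS has no ACE for the caller: access denied
    print(level(effective(share_open, ntfs_admins_only, token)))
    # NTFS allows Modify, share allows only Read: Read applies
    print(level(effective(share_read, ntfs_everyone_modify, token)))
    # Share set to Full Control, NTFS decides: Modify, or Read where a deny applies
    print(level(effective(share_open, ntfs_everyone_modify, token)))
    print(level(effective(share_open, ntfs_group_modify, token)))
```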
Vinodh

Re: How to configure shared folder permissions   13 August 2020, 11:48

It's good news that NetScanner has the functionality to extract share level permissions from WMI... Can you please point me to some document or a link that may help and explain the setup and usage of WMI for extracting Win32_LogicalShareSecuritySetting?
Ann

Re: How to configure shared folder permissions   13 August 2020, 12:11

You will need to write a VBScript that extracts the list of shares, gets the security settings of each share, and then outputs that information.

Below is a sample script for getting share security info. You may want to modify it further to suit your needs, then load it into NetScanner via Options - Remote Scripting and, if WMI access is enabled and configured, run the script against your devices.

'Input parameters
strComputer = Input.Current

'Uncomment this line to connect as a specific user
'strUser = "domain\user"

'Uncomment this line to set that user's password
'strPassword = "password"

'Constants
wbemImpersonationLevelImpersonate = 3
wbemAuthenticationLevelPktPrivacy = 6

'Connect to machine
If Not strUser = "" Then
   'Connect using user and password
   Set objLocator = CreateObject("WbemScripting.SWbemLocator")
   Set objWMI = objLocator.ConnectServer(strComputer, "root\cimv2", strUser, strPassword)
   objWMI.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
   objWMI.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy
Else
   'Connect using current user
   Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
End If

'Get the list of shares
Set colShares = objWMI.ExecQuery("SELECT Name FROM Win32_Share WHERE Type = 0")

'Without this, a failed call aborts the script and the Err check below never runs
On Error Resume Next

For Each objShare In colShares
   Err.Clear

   'Get security settings for each share
   Set wmiFileSecSetting = objWMI.Get("Win32_LogicalShareSecuritySetting.Name='" & objShare.Name & "'")
   RetVal = wmiFileSecSetting.GetSecurityDescriptor(wmiSecurityDescriptor)

   If Err.Number <> 0 Then
      'Report the failure and skip this share
      Output.Write "[" & objShare.Name & "]: GetSecurityDescriptor failed" _
         & vbCrLf & Err.Number & vbCrLf & Err.Description
   Else
      'Retrieve the DACL array of Win32_ACE objects
      DACL = wmiSecurityDescriptor.DACL

      Trustees = ""
      'DACL is Null (not an array) when the share has no DACL
      If IsArray(DACL) Then
         For Each wmiAce In DACL
            'Get Win32_Trustee object from ACE
            Set Trustee = wmiAce.Trustee
            Trustees = Trustees & Trustee.Name & " "
         Next
      End If

      Output.Write "[" & objShare.Name & "]:" & Trim(Trustees)
   End If
Next

This will output the list of users who have access to each share:

Vinodh

Re: How to configure shared folder permissions   21 August 2020, 11:18

Thank you so much for the script!
I just need a small clarification. Since the script contains the creds, my questions are:
  • The account which we are going to use, what kind of privilege should the account hold?
  • If the account has higher privileges, will that be able to check the "Share permissions" of a folder that doesn't have rights to the given account?
Ann

Re: How to configure shared folder permissions   21 August 2020, 11:21

If you are running the Network Scanner as domain admin, you don't need to specify any account details. It will automatically assume your current user's context, and as a domain admin you should be able to access WMI on remote computers.

It's all about WMI configuration in your network. It is not related to who is allowed to access a share. If you get WMI queries working on your network computers (that is, you can access WMI data on your admin PC by connecting to remote PCs), then this should work.
