All Forums
> Network Scanner
> Current topic
How to configure shared folder permissions
Started by Vinodh
Vinodh
How to configure shared folder permissions 10 August 2020, 11:06 |
Hi Team,
We are unable to access shares which have been configured in the advanced setting of the Windows servers, and would like to know if we have a configuration issue.
We enabled "Share this folder" in Properties - Sharing - Advanced Sharing, and set Share Permissions for "Everyone" to "Allow" for Full Control, Change and Read. This share has been correctly identified by NetScanner, but it appears inaccessible. In the scan result list the share has a lock icon next to it, and I'm getting "access denied".
We are unable to access shares which have been configured in the advanced setting of the Windows servers, and would like to know if we have a configuration issue.
We enabled "Share this folder" in Properties - Sharing - Advanced Sharing, and set Share Permissions for "Everyone" to "Allow" for Full Control, Change and Read. This share has been correctly identified by NetScanner, but it appears inaccessible. In the scan result list the share has a lock icon next to it, and I'm getting "access denied".
Re: How to configure shared folder permissions 10 August 2020, 11:24 |
Admin Registered: 10 years ago Posts: 886 |
The lock icon suggests that access was denied when the scanner attempted to list the share's contents. As you are also getting the access denied error, please check that folder's NTFS permissions (locally on the server, on the Security tab in the folder's properties).
The effective permissions are computed from NTFS and share permissions combined, so it it likely "Everyone" isn't allowed to read that folder at the NTFS level. For more information, here is a blog article detailing how Shares and NTFS Permissions are related and some best practices.
The effective permissions are computed from NTFS and share permissions combined, so it it likely "Everyone" isn't allowed to read that folder at the NTFS level. For more information, here is a blog article detailing how Shares and NTFS Permissions are related and some best practices.
Vinodh
Re: How to configure shared folder permissions 10 August 2020, 11:28 |
Re: How to configure shared folder permissions 10 August 2020, 11:31 |
Admin Registered: 10 years ago Posts: 886 |
In Windows, when NTFS permissions and shares are used together, the most restrictive permissions prevail. For example, if "Everyone's" NTFS permissions allow modifications while the share permissions only allow reading, the share permissions apply, because Read is more restrictive than Modify. It is possible to simplify things and work with just one set of permissions: the NTFS share permissions. For that, set the folder's share permissions to "Full Control", and then set its NTFS permissions as required.
NetScanner detects and uses effective permissions, that is those the real "Everyone" will have when accessing the shared folder.
If you just want share level permissions, those can be extracted from WMI (e.g. Win32_LogicalShareSecuritySetting).
NetScanner detects and uses effective permissions, that is those the real "Everyone" will have when accessing the shared folder.
If you just want share level permissions, those can be extracted from WMI (e.g. Win32_LogicalShareSecuritySetting).
Vinodh
Re: How to configure shared folder permissions 13 August 2020, 11:48 |
Re: How to configure shared folder permissions 13 August 2020, 12:11 |
Admin Registered: 10 years ago Posts: 886 |
You will need to write a VBScript that extracts the list of shares, gets the security settings of each share, and then outputs that information.
Below is a sample script for getting share security info. You may want to modify it further to suit your needs, then load it into NetScanner via Options - Remote Scripting and, if WMI access is enabled and configured, run the script against your devices.
This will output the list of users who have access to each share:
Below is a sample script for getting share security info. You may want to modify it further to suit your needs, then load it into NetScanner via Options - Remote Scripting and, if WMI access is enabled and configured, run the script against your devices.
'Input parameters strComputer = Input.Current 'Uncomment this line for specific user 'strUser = "domain\user" 'Uncomment this line for specific user 'strPassword = "password" 'Constants wbemImpersonationLevelImpersonate = 3 wbemAuthenticationLevelPktPrivacy = 6 'Connect to machine If Not strUser = "" Then 'Connect using user and password Set objLocator = CreateObject("WbemScripting.SWbemLocator") Set objWMI = objLocator.ConnectServer(strComputer, "root\cimv2", strUser, strPassword) objWMI.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate objWMI.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy Else 'Connect using current user Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") End If 'Get the list of shares Set colShares = objWMI.ExecQuery("SELECT Name FROM Win32_Share WHERE Type = 0") For Each objShare in colShares 'Get security settings for each share Set wmiFileSecSetting = objWMI.Get("Win32_LogicalShareSecuritySetting.Name='" & objShare.Name & "'") RetVal = wmiFileSecSetting. _ GetSecurityDescriptor(wmiSecurityDescriptor) If Err <> 0 Then Output.Write "GetSecurityDescriptor failed" _ & VBCRLF & Err.Number & VBCRLF & Err.Description End If ' Retrieve the DACL array of Win32_ACE objects. DACL = wmiSecurityDescriptor.DACL Trustees = "" For each wmiAce in DACL 'Get Win32_Trustee object from ACE Set Trustee = wmiAce.Trustee Trustees = Trustees & Trustee.Name & " " Next Output.Write "[" & objShare.Name & "]:" & Trim(Trustees) Next
This will output the list of users who have access to each share:
Vinodh
Re: How to configure shared folder permissions 21 August 2020, 11:18 |
Thank you so much for the script!
I just need a small clarification. Since the script contains the creds, my questions are:
I just need a small clarification. Since the script contains the creds, my questions are:
- The account which we are going to use, what kind of privilege the account should hold?
- If the account has higher privileges, will that be able to check the "Share permissions" of a folder that doesn't have rights to the given account?
Re: How to configure shared folder permissions 21 August 2020, 11:21 |
Admin Registered: 10 years ago Posts: 886 |
If you are running the Network Scanner as domain admin, you don't need to specify any account details. It will automatically assume your current user's context, and as a domain admin you should be able to access WMI on remote computers.
It's all about WMI configuration in your network. It is not related to who is allowed to access a share. If you get WMI queries working on your network computers (that is, you can access WMI data on your admin PC by connecting to remote PCs), then this should work.
It's all about WMI configuration in your network. It is not related to who is allowed to access a share. If you get WMI queries working on your network computers (that is, you can access WMI data on your admin PC by connecting to remote PCs), then this should work.