How to Create SMB Share with Specific Permissions Using Windows PowerShell

Creating shared folders with proper permissions is fundamental for Windows system administration. PowerShell provides powerful cmdlets to accomplish this without using the GUI. Let's explore how to create an SMB share and configure its access permissions programmatically.

Before proceeding, ensure you have:

  • Administrative privileges on the target machine
  • PowerShell 5.1 or later (Windows PowerShell or PowerShell 7 with Windows compatibility)
  • The File Server role installed (if working on Windows Server)

The primary cmdlet we'll use is New-SmbShare, which creates a new SMB share with various configuration options:

# Create a basic read-only share
New-SmbShare -Name "public" -Path "C:\shares\foo" -ReadAccess "DOMAIN1\Users"

After creating the share, verify its existence and properties:

# Check if share exists
Get-SmbShare -Name "public" | Format-List *

# View share permissions
Get-SmbShareAccess -Name "public"

For more granular control, you can specify different access levels:

# Create share with multiple permission sets
New-SmbShare -Name "public" -Path "C:\shares\foo" -FullAccess "DOMAIN1\Admins" `
    -ChangeAccess "DOMAIN1\Editors" -ReadAccess "DOMAIN1\Users"

To adjust permissions after creation:

# Grant additional permissions
Grant-SmbShareAccess -Name "public" -AccountName "DOMAIN1\Guests" -AccessRight Read -Force

# Revoke permissions
Revoke-SmbShareAccess -Name "public" -AccountName "DOMAIN1\Guests" -Force

Here's a robust implementation with proper error handling:

try {
    # Check if share already exists
    if (-not (Get-SmbShare -Name "public" -ErrorAction SilentlyContinue)) {
        $shareParams = @{
            Name = "public"
            Path = "C:\shares\foo"
            ReadAccess = "DOMAIN1\Users"
            Description = "Public read-only share"
            EncryptData = $true
        }
        New-SmbShare @shareParams
        Write-Host "Share created successfully with read-only permissions for DOMAIN1\Users"
    }
    else {
        Write-Warning "Share 'public' already exists"
    }
}
catch {
    Write-Error "Failed to create share: $_"
}

  • Share permissions are different from NTFS permissions (both must be configured correctly; the effective access is the more restrictive of the two)
  • For security, consider enabling SMB encryption with -EncryptData $true
  • Use the -Temporary parameter for shares that shouldn't persist after a reboot
  • Remember that share names are case-insensitive in Windows

Before diving into the PowerShell implementation, it's crucial to distinguish between two permission layers in Windows:

  • Share-level permissions: Control access through the SMB protocol
  • NTFS permissions: Control access at filesystem level

For complete security, both should be configured properly. The following solution focuses specifically on share-level permissions.
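The article's own scripts only set the share-level ACL. The following added example (not from the original article) configures the matching NTFS ACL on the same folder, so the two layers agree: read-only for DOMAIN1\Users and write access for a hypothetical DOMAIN1\Editors group, with inherited entries from the parent drive removed.

```powershell
# Added example: align NTFS permissions with the share permissions.
# Assumes the constructed path C:\shares\foo, the DOMAIN1\Users group from the
# article, and a hypothetical DOMAIN1\Editors group that should be able to write.
$localPath  = "C:\shares\foo"
$readGroup  = "DOMAIN1\Users"
$writeGroup = "DOMAIN1\Editors"

$acl = Get-Acl -Path $localPath

# Stop inheriting ACEs from the parent (e.g. BUILTIN\Users on C:\) and discard them,
# so the folder's effective NTFS rights are exactly the entries defined below.
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Share-level Read maps to NTFS ReadAndExecute; share-level Change maps to NTFS Modify.
$rules = @(
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Identity = $readGroup;               Rights = 'ReadAndExecute' },
    @{ Identity = $writeGroup;              Rights = 'Modify' }
)

foreach ($r in $rules) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r.Identity,
        [System.Security.AccessControl.FileSystemRights]$r.Rights,
        $inherit,
        $propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $localPath -AclObject $acl

# Show the NTFS entries next to the share entries so the two layers can be compared
(Get-Acl -Path $localPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
Get-SmbShareAccess -Name "public" | Format-Table -AutoSize
```

Because NTFS rights are also granted to SYSTEM and Administrators, backup agents and local administrators keep working after inheritance is removed.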

Ensure you have:

# Administrative privileges (IsInRole is UAC-aware: it returns $false in a non-elevated session)
$principal = New-Object System.Security.Principal.WindowsPrincipal(
    [System.Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run as Administrator"
}

# File Server role installed (Get-WindowsFeature exists only on Windows Server; skip on client editions)
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    if (-not (Get-WindowsFeature FS-FileServer).Installed) {
        Install-WindowsFeature FS-FileServer -IncludeManagementTools
    }
}

Here's the complete solution for creating a share named "public" at C:\shares\foo with read-only access for DOMAIN1\Users:

# Define parameters
$shareName = "public"
$localPath = "C:\shares\foo"
$readOnlyGroup = "DOMAIN1\Users"

# Create directory if it doesn't exist
if (!(Test-Path $localPath)) {
    New-Item -ItemType Directory -Path $localPath -Force | Out-Null
}

# Create the SMB share
New-SmbShare -Name $shareName `
             -Path $localPath `
             -FullAccess "Administrators" `
             -ReadAccess $readOnlyGroup `
             -FolderEnumerationMode AccessBased `
             -CachingMode Documents `
             -EncryptData $true `
             -ContinuouslyAvailable $false

# Verify the share was created
Get-SmbShare -Name $shareName | Select-Object Name,Path,Description

For more granular control, you can use the Grant-SmbShareAccess cmdlet:

# Remove the default "Everyone" read entry if present (New-SmbShare adds it only when
# no -FullAccess/-ChangeAccess/-ReadAccess parameters are given)
Revoke-SmbShareAccess -Name $shareName -AccountName "Everyone" -Force

# Set custom permissions
Grant-SmbShareAccess -Name $shareName `
                     -AccountName "DOMAIN1\Finance" `
                     -AccessRight Change `
                     -Force

If you encounter problems:

# Check share permissions
Get-SmbShareAccess -Name $shareName

# Verify share is online
Test-NetConnection -ComputerName $env:COMPUTERNAME -CommonTCPPort SMB

# Check firewall rules
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" | 
    Where-Object { $_.Enabled -eq "True" } | 
    Format-Table -AutoSize

  • Always combine share permissions with NTFS ACLs
  • Use domain groups rather than individual user accounts
  • Regularly audit share permissions using Get-SmbShareAccess
  • Disable SMBv1 if not needed: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol (on Windows Server: Remove-WindowsFeature FS-SMB1)

Remember that share permissions are cumulative: if a user belongs to multiple groups, they get the most permissive Allow entry across all of those groups, while an explicit Deny entry overrides any Allow.
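To turn the "regularly audit share permissions" advice into something repeatable, here is an added example (not part of the original article) that walks every non-administrative share on the local machine and reports the findings a reviewer usually looks for: broad principals with write access, encryption disabled, and access-based enumeration turned off. The function name and the list of "broad" principals are my own choices.

```powershell
# Added example: audit local SMB shares for common permission weaknesses.
function Get-SmbShareAuditFindings {
    [CmdletBinding()]
    param(
        # Principals whose write access on a share deserves a second look (my own list)
        [string[]]$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )

    $findings = foreach ($share in Get-SmbShare) {
        # Administrative shares (C$, ADMIN$, IPC$) are system-managed; skip them
        if ($share.Special) { continue }

        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            $isBroad = $BroadPrincipals -contains $ace.AccountName
            $isWrite = $ace.AccessRight -in @('Change', 'Full')
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $isWrite) {
                [pscustomobject]@{
                    Share   = $share.Name
                    Path    = $share.Path
                    Finding = "Broad principal '$($ace.AccountName)' has $($ace.AccessRight) access"
                }
            }
        }

        if (-not $share.EncryptData) {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Finding = 'SMB encryption is not enabled (-EncryptData $false)'
            }
        }

        if ($share.FolderEnumerationMode -ne 'AccessBased') {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Finding = 'Access-based enumeration is off; users can list folders they cannot open'
            }
        }
    }

    return $findings
}

# Print the report; pipe to Export-Csv instead to keep a dated record for comparison
Get-SmbShareAuditFindings | Format-Table -AutoSize
```

The share-level checks above do not replace an NTFS review of each share path; run both, since the effective access is the more restrictive of the two layers.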