@ShortArrow
Created July 8, 2022 02:15
How to manage windows file share
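# ---------------------------------------------
# How to manage Windows File share permissions
# ---------------------------------------------
#
# Share permissions and NTFS permissions both apply: a user can only perform
# the operations that are allowed by BOTH of them.
#
# This script only edits permissions. It never creates the share, so the SMB
# share named in $sharename has to exist before the Grant-SmbShareAccess calls.
#
# ---------------------------------------------
# Create Acl rules
# ---------------------------------------------
$sharename = "share001"
$folder = "C:\Users\user001\Documents\share001"
$hostname = [System.Environment]::MachineName

# Local accounts that receive full access on both the NTFS and the share layer.
$fullAccessUsers = @("user001", "user002")

# Read the folder's ACL exactly once. Every rule below is added to this one
# in-memory object; calling Get-Acl again before Set-Acl would throw away the
# rules that were added so far and silently drop them from the final ACL.
$acl = Get-Acl $folder

# Apply each rule to the folder itself, its sub-folders and its files.
$inheritance = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit `
    -bor [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# user001, user002
# NOTE(review): FullControl also lets these accounts change permissions and
# take ownership. If they only need to read and write data, Modify is the
# narrower right.
foreach ($user in $fullAccessUsers) {
    $aclParams = @("$hostname\$user",
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        $inheritance,
        $propagation,
        $allow)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule $aclParams
    $acl.AddAccessRule($rule)
}

# Everyone
# NOTE(review): "Everyone" makes the whole tree readable by every account that
# can reach this host (including Guest if that account is enabled). Use a
# dedicated group instead when the content is not meant to be broadly readable.
$aclParams = @("Everyone",
    [System.Security.AccessControl.FileSystemRights]::Read,
    $inheritance,
    $propagation,
    $allow)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $aclParams
$acl.AddAccessRule($rule)

# ---------------------------------------------
# Set NTFS Permissions
# ---------------------------------------------
# Nothing on disk changes until this call writes the modified ACL back.
Set-Acl $folder -AclObject $acl

# ---------------------------------------------
# SMB share Permissions
# https://docs.microsoft.com/en-us/powershell/module/smbshare
# ---------------------------------------------
# Mirror the NTFS rules on the share layer; the effective access of a remote
# user is the intersection of the two.
foreach ($user in $fullAccessUsers) {
    Grant-SmbShareAccess -Name $sharename -AccountName "$hostname\$user" -AccessRight Full
}
Grant-SmbShareAccess -Name $sharename -AccountName "Everyone" -AccessRight Read

# Review the result after running the script:
#   Get-Acl $folder | Format-List
#   Get-SmbShareAccess -Name $sharename
#
# Related cmdlets:
# Revoke-SmbShareAccess
# Block-SmbShareAccess
# Unblock-SmbShareAccess
# Get-SmbShare
# Get-SmbShareAccess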