ShortArrow · July 8, 2022 02:15
diff --git a/how-to-manage-win-file-share.ps1 b/how-to-manage-win-file-share.ps1
 # ---------------------------------------------
 # How to manage Windows File share permissions
 # ---------------------------------------------
 # 
 # 共有のアクセス権とNTFSアクセス権が共存し、ユーザーは両方から許可された操作しかできない。
 # 
 # ---------------------------------------------
 # Create Acl rules
 # ---------------------------------------------

 $sharename = "share001"
 $folder = "C:\Users\user001\Documents\share001"
 $hostname = [System.Environment]::MachineName
 $acl = Get-Acl $folder

 # user001
 $user= "user001"
 $aclParams = @("$hostname\$user",
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    ([System.Security.AccessControl.InheritanceFlags]::ObjectInherit `
    -bor [System.Security.AccessControl.InheritanceFlags]::ContainerInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
 $rule = New-Object System.Security.AccessControl.FileSystemAccessRule  $aclParams
 $acl.AddAccessRule($rule)
 # user002
 $user= "user002"
 $aclParams = @("$hostname\$user",
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    ([System.Security.AccessControl.InheritanceFlags]::ObjectInherit `
    -bor [System.Security.AccessControl.InheritanceFlags]::ContainerInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
 $rule = New-Object System.Security.AccessControl.FileSystemAccessRule  $aclParams
 $acl = Get-Acl $folder
 $acl.AddAccessRule($rule)
 # Everyone
 $aclParams = @("Everyone",
    [System.Security.AccessControl.FileSystemRights]::Read,
    ([System.Security.AccessControl.InheritanceFlags]::ObjectInherit `
    -bor [System.Security.AccessControl.InheritanceFlags]::ContainerInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
 $rule = New-Object System.Security.AccessControl.FileSystemAccessRule  $aclParams
 $acl.AddAccessRule($rule)

 # ---------------------------------------------
 # Set NTFS Permissions (NTFSアクセス許可)
 # ---------------------------------------------
 Set-Acl $folder -AclObject $acl

 # ---------------------------------------------
 # SMB share Permissions
 # https://docs.microsoft.com/en-us/powershell/module/smbshare
 # ---------------------------------------------

 $user= "user001"
 Grant-SmbShareAccess -Name $sharename -AccountName "$hostname\$user" -AccessRight Full
 $user= "user002"
 Grant-SmbShareAccess -Name $sharename -AccountName "$hostname\$user" -AccessRight Full
 Grant-SmbShareAccess -Name $sharename -AccountName "Everyone" -AccessRight Read
 # Revoke-SmbShareAccess
 # Revoke-SmbShareAccess
 # Block-SmbShareAccess
 # Unblock-SmbShareAccess
 # Get-SmbShare
 # Get-SmbShareAccess
	# ---------------------------------------------
	# How to manage Windows File share permissions
	# ---------------------------------------------
	#
	# 共有のアクセス権とNTFSアクセス権が共存し、ユーザーは両方から許可された操作しかできない。
	#
	# ---------------------------------------------
	# Create Acl rules
	# ---------------------------------------------

	$sharename = "share001"
	$folder = "C:\Users\user001\Documents\share001"
	$hostname = [System.Environment]::MachineName
	$acl = Get-Acl $folder

	# user001
	$user= "user001"
	$aclParams = @("$hostname\$user",
	[System.Security.AccessControl.FileSystemRights]::FullControl,
	([System.Security.AccessControl.InheritanceFlags]::ObjectInherit `
	-bor [System.Security.AccessControl.InheritanceFlags]::ContainerInherit),
	[System.Security.AccessControl.PropagationFlags]::None,
	[System.Security.AccessControl.AccessControlType]::Allow)
	$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $aclParams
	$acl.AddAccessRule($rule)
	# user002
	$user= "user002"
	$aclParams = @("$hostname\$user",
	[System.Security.AccessControl.FileSystemRights]::FullControl,
	([System.Security.AccessControl.InheritanceFlags]::ObjectInherit `
	-bor [System.Security.AccessControl.InheritanceFlags]::ContainerInherit),
	[System.Security.AccessControl.PropagationFlags]::None,
	[System.Security.AccessControl.AccessControlType]::Allow)
	$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $aclParams
	$acl = Get-Acl $folder
	$acl.AddAccessRule($rule)
	# Everyone
	$aclParams = @("Everyone",
	[System.Security.AccessControl.FileSystemRights]::Read,
	([System.Security.AccessControl.InheritanceFlags]::ObjectInherit `
	-bor [System.Security.AccessControl.InheritanceFlags]::ContainerInherit),
	[System.Security.AccessControl.PropagationFlags]::None,
	[System.Security.AccessControl.AccessControlType]::Allow)
	$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $aclParams
	$acl.AddAccessRule($rule)

	# ---------------------------------------------
	# Set NTFS Permissions (NTFSアクセス許可)
	# ---------------------------------------------
	Set-Acl $folder -AclObject $acl

	# ---------------------------------------------
	# SMB share Permissions
	# https://docs.microsoft.com/en-us/powershell/module/smbshare
	# ---------------------------------------------

	$user= "user001"
	Grant-SmbShareAccess -Name $sharename -AccountName "$hostname\$user" -AccessRight Full
	$user= "user002"
	Grant-SmbShareAccess -Name $sharename -AccountName "$hostname\$user" -AccessRight Full
	Grant-SmbShareAccess -Name $sharename -AccountName "Everyone" -AccessRight Read
	# Revoke-SmbShareAccess
	# Revoke-SmbShareAccess
	# Block-SmbShareAccess
	# Unblock-SmbShareAccess
	# Get-SmbShare
	# Get-SmbShareAccess