Modifying the Add-SharePermission function to enable the application of Deny permissions is a simple matter of adding a switch parameter -deny and modifying the way the AceType is set:
#requires -Version 3.0
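function Add-SharePermission {
    <#
    .SYNOPSIS
    Adds an Allow or Deny access control entry for a trustee to an SMB share's DACL.

    .DESCRIPTION
    Reads the current security descriptor of the Win32_LogicalShareSecuritySetting
    instance named by -sharename, builds a new Win32_SecurityDescriptor that carries
    the existing ACEs plus one new Win32_ACE for -trusteeName, and writes it back
    with SetSecurityDescriptor. With -deny the new ACE is an access-denied ACE and
    is placed ahead of the existing entries so it is evaluated before any Allow ACE;
    without -deny it is an access-allowed ACE appended after the existing entries.

    .PARAMETER sharename
    Name of the share to modify. It is escaped before being placed in the WQL filter.
    .PARAMETER domain
    Domain (or computer) of the trustee; defaults to the local computer name.
    .PARAMETER trusteeName
    Account name of the trustee that receives the ACE.
    .PARAMETER permission
    Read, Change or FullControl; mapped to the access masks in the switch below.
    .PARAMETER computername
    Computer hosting the share; defaults to the local computer name.
    .PARAMETER deny
    Create an access-denied ACE (AceType 1) instead of an access-allowed ACE (AceType 0).

    .OUTPUTS
    The result object of SetSecurityDescriptor; a ReturnValue of 0 indicates success.
    A non-zero ReturnValue is reported with Write-Error and the object is still emitted.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [string]$sharename,
        [string]$domain = $env:COMPUTERNAME,
        [Parameter(Mandatory=$true)]
        [string]$trusteeName,
        [Parameter(Mandatory=$true)]
        [ValidateSet("Read", "Change", "FullControl")]
        [string]$permission = "Read",
        [string]$computername = $env:COMPUTERNAME,
        [switch]$deny
    )

    # Share access masks for the three supported permission levels.
    switch ($permission) {
        'Read'        { $accessmask = 1179817 }
        'Change'      { $accessmask = 1245631 }
        'FullControl' { $accessmask = 2032127 }
    }

    # The share name is interpolated into a WQL string literal. Escape backslash and
    # single quote so a caller-supplied name cannot terminate the literal or change
    # the meaning of the filter.
    $wqlName = ($sharename -replace '\\', '\\') -replace "'", "\'"
    $filter = "Name='$wqlName'"

    $tclass = [wmiclass]"\\$computername\root\cimv2:Win32_Trustee"
    $trustee = $tclass.CreateInstance()
    $trustee.Domain = $domain
    $trustee.Name = $trusteeName

    $aclass = [wmiclass]"\\$computername\root\cimv2:Win32_ACE"
    $ace = $aclass.CreateInstance()
    $ace.AccessMask = $accessmask
    $ace.AceFlags = 0
    # AceType 1 = access denied, 0 = access allowed.
    if ($deny) {
        $ace.AceType = 1
    }
    else {
        $ace.AceType = 0
    }
    $ace.Trustee = $trustee

    $shss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter $filter -ComputerName $computername
    if (-not $shss) {
        # Fail here with a clear message instead of letting Invoke-WmiMethod choke on $null.
        throw "Share '$sharename' was not found on $computername"
    }
    $sd = Invoke-WmiMethod -InputObject $shss -Name GetSecurityDescriptor |
        Select-Object -ExpandProperty Descriptor

    $sclass = [wmiclass]"\\$computername\root\cimv2:Win32_SecurityDescriptor"
    $newsd = $sclass.CreateInstance()
    $newsd.ControlFlags = $sd.ControlFlags
    # The DACL is evaluated in order. A Deny ACE appended after an existing Allow
    # for the same trustee would be shadowed by that Allow, so a Deny goes first;
    # an Allow keeps the original behaviour of being appended last.
    if ($deny) { $newsd.DACL += $ace }
    foreach ($oace in $sd.DACL) { $newsd.DACL += $oace }
    if (-not $deny) { $newsd.DACL += $ace }

    # Reuse the instance already fetched instead of querying the share a second time.
    $result = $shss.SetSecurityDescriptor($newsd)
    if ($result.ReturnValue -ne 0) {
        Write-Error "SetSecurityDescriptor on share '$sharename' returned $($result.ReturnValue)"
    }
    $result
} # end function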
The hard work is done by this part of the code:
# Win32_ACE.AceType: 1 marks an access-denied entry, 0 an access-allowed entry.
if ($deny)
{
$ace.AceType = 1   # deny
}
else
{
$ace.AceType = 0   # allow
}
where the value of AceType is set to 1 for deny and 0 for allow.