Block-SmbShareAccess
NAME Block-SmbShareAccess
SYNOPSIS
Adds a deny ACE for a trustee to the security descriptor of the SMB share.
SYNTAX
Block-SmbShareAccess [-Name] <String[]> [[-ScopeName] <String[]>] [-AccountName <String[]>] [-CimSession <CimSession[]>] [-Force] [-SmbInstance {Default | CSV}] [-ThrottleLimit <Int32>] [-Confirm] [-WhatIf] [<CommonParameters>]
Block-SmbShareAccess [-AccountName <String[]>] [-CimSession <CimSession[]>] [-Force] [-ThrottleLimit <Int32>] [-Confirm] [-WhatIf] [<CommonParameters>]
DESCRIPTION
The Block-SmbShareAccess cmdlet adds a deny access control entry (ACE) to the security descriptor of the Server Message Block (SMB) share.
PARAMETERS
-AccountName [<String[]>]
Specifies the name of the account for the user who is being denied access to the share. Use a comma-separated list to deny share access to multiple
accounts.
Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false
-CimSession [<CimSession[]>]
Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or
Get-CimSession cmdlet. The default is the current session on the local computer.
Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false
-Force [<SwitchParameter>]
Forces the command to run without asking for user confirmation.
Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false
-Name <String[]>
Specifies the name of the SMB share.
Required? true
Position? 2
Default value none
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ScopeName [<String[]>]
Specifies the scope of the share specified by name.
Required? false
Position? 3
Default value none
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-SmbInstance [<Microsoft.PowerShell.Cmdletization.GeneratedTypes.SmbShare.SmbInstance>]
Specifies the input to this cmdlet. You can use this parameter, or you can pipe the input to this cmdlet.
Required? false
Position? named
Default value none
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ThrottleLimit [<Int32>]
Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this parameter is omitted or a value of 0 is
entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the
computer. The throttle limit applies only to the current cmdlet, not to the session or to the computer.
Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
OUTPUTS
Microsoft.Management.Infrastructure.CimInstance#root/Microsoft/Windows/SMB/MSFT_SmbShareAccessControlEntry
The Microsoft.Management.Infrastructure.CimInstance object is a wrapper class that displays Windows Management Instrumentation (WMI) objects. The
path after the pound sign (#) provides the namespace and class name for the underlying WMI object.
The MSFT_SmbShareAccessControlEntry object represents the new SMB share ACE.
Example 1: Add a deny ACE
PS C:\>Block-SmbShareAccess -Name VMFiles -AccountName Contoso\Guest
Confirm
Are you sure you want to perform this action?
Performing operation 'Modify' on Target 'Contoso-SO,VMFiles'.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y
Name    ScopeName  AccountName            AccessControlType AccessRight
----    ---------  -----------            ----------------- -----------
VMFiles Contoso-SO Contoso\Guest          Deny              Full
VMFiles Contoso-SO Contoso\Administrator  Allow             Full
VMFiles Contoso-SO Contoso\Contoso-HV1$   Allow             Full
VMFiles Contoso-SO Contoso\Contoso-HV2$   Allow             Full
VMFiles Contoso-SO Contoso\Domain Admins  Allow             Change
This command adds a deny ACE for a trustee to the security descriptor of an SMB share named VMFiles.
Example 2: Add a deny ACE without confirmation
PS C:\>Block-SmbShareAccess -Name VMFiles -AccountName "Guest Users" -Force
Name    ScopeName  AccountName            AccessControlType AccessRight
----    ---------  -----------            ----------------- -----------
VMFiles Contoso-SO Contoso\Guest          Deny              Full
VMFiles Contoso-SO Contoso\Administrator  Allow             Full
VMFiles Contoso-SO Contoso\Contoso-HV1$   Allow             Full
VMFiles Contoso-SO Contoso\Contoso-HV2$   Allow             Full
VMFiles Contoso-SO Contoso\Domain Admins  Allow             Change
This command adds a deny ACE for a trustee to the security descriptor of an SMB share named VMFiles without confirmation from the user.
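Added example (not part of the original help text): a wrapper that previews the change, applies the deny ACE, then re-reads the share ACL with Get-SmbShareAccess to confirm a Deny entry exists for each account. The function name Set-ShareDenyVerified is hypothetical; the share and account names are the ones used in Example 1.

```powershell
# Added example. Set-ShareDenyVerified is a hypothetical helper name,
# not a cmdlet from the SmbShare module.
function Set-ShareDenyVerified {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]   $ShareName,
        [Parameter(Mandatory = $true)][string[]] $AccountName
    )

    # Stop early if the share does not exist on this server.
    $null = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # Snapshot the share ACL so the change can be reviewed afterwards.
    $before = @(Get-SmbShareAccess -Name $ShareName)

    # -WhatIf / -Confirm on this function are honoured here; -Force only
    # suppresses the second prompt that Block-SmbShareAccess would raise.
    if ($PSCmdlet.ShouldProcess($ShareName, "Deny share access for $($AccountName -join ', ')")) {
        $null = Block-SmbShareAccess -Name $ShareName -AccountName $AccountName -Force -ErrorAction Stop
    }

    # Re-read the ACL and report, per account, whether a Deny ACE is present.
    # Names are compared as Get-SmbShareAccess prints them (DOMAIN\name); an
    # account passed without a prefix is matched on the trailing name.
    $after = @(Get-SmbShareAccess -Name $ShareName)
    $deny  = @($after | Where-Object { $_.AccessControlType -eq 'Deny' })
    foreach ($acct in $AccountName) {
        $tail = '*\' + [System.Management.Automation.WildcardPattern]::Escape($acct)
        $hit  = @($deny | Where-Object { $_.AccountName -eq $acct -or $_.AccountName -like $tail })
        [pscustomobject]@{
            Share       = $ShareName
            Account     = $acct
            DenyPresent = ($hit.Count -gt 0)
            AcesBefore  = $before.Count
            AcesAfter   = $after.Count
        }
    }
}

# Preview first, then apply, using the share and account from Example 1.
Set-ShareDenyVerified -ShareName VMFiles -AccountName 'Contoso\Guest' -WhatIf
Set-ShareDenyVerified -ShareName VMFiles -AccountName 'Contoso\Guest' -Confirm:$false

# Roll back with the companion cmdlet listed under RELATED LINKS:
# Unblock-SmbShareAccess -Name VMFiles -AccountName 'Contoso\Guest' -Force
```

The deny ACE applies to the share's security descriptor only; NTFS permissions on the underlying folder are a separate ACL and are not changed by this cmdlet.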
RELATED LINKS
Get-SmbShareAccess
Grant-SmbShareAccess
Revoke-SmbShareAccess
Unblock-SmbShareAccess