The built-in SMBShare PowerShell module allows you to create, fine-tune and manage shared network folders in Windows. In this article, we will look at the features of managing Windows SMB network folders using PowerShell. You can use these examples to easily and quickly manage the settings of your SMB file servers and network folders in various automation scenarios.
There are 42 PowerShell cmdlets available in the SMBShare module for managing network folders. Their complete list can be displayed like this:
Get-Command -Module SMBShare
Display the current Windows SMB server configuration:
Get-SmbServerConfiguration
AnnounceServer: False AsynchronousCredits: 64 AuditSmb1Access: False AutoDisconnectTimeout : 15 AutoShareServer: True AutoShareWorkstation: True CachedOpenLimit: 10 DurableHandleV2TimeoutInSeconds: 180 EnableAuthenticateUserSharing: FalseEnableDownlevelTimewarp: False EnableForcedLogoff: True EnableLeasing: True EnableMultiChannel: True EnableOplocks: True EnableSecuritySignature: False EnableSMB1Protocol: False EnableSMB2Protocol: True EnableStrictNameChecking: True EncryptData: False IrpStackSize: 15 KeepAliveTime: 2 MaxChannelPerSession: 32 MaxMpxCount: 50 MaxSessionPerConnection: 16384 MaxThreadsPerQueue: 20 MaxWorkItems: 1 NullSessionPipes: NullSessionShares: OplockBreakWait: 35 PendingClientTimeoutInSeconds: 120 RejectUnencryptedAccess: True RequireSecuritySignature: False ServerHidden: True Smb2CreditsMax: 2048 Smb2CreditsMin: 128 SmbServerNameHardeningLevel: 0 TreatHostAsStableStorage: False ValidateAliasNotCircular: True ValidateShareScope: True ValidateShareScopeNotAliased: True ValidateTargetName: TrueTo change these settings, use the Set-SmbServerConfiguration cmdlet:
- For example, to disable the use of the legacy SMB 1 protocol, run:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
- List the SMB protocol versions used by active clients to connect to shared folders on this file server:
Get-SmbConnection
To limit the bandwidth for SMB file traffic, you can configure the QoS policy for the SMB server. For example, the following command will limit the maximum usable bandwidth for SMB traffic to 10 Mb:
Set-SmbBandwidthLimit -Category Default -BytesPerSecond 10MB
Create a Windows network folder using PowerShell.
To display a complete list of network folders available on the computer, run:
Get-SmbShare
This computer has access to administrative shares and the Distr directory.
To create a new shared network folder, run the command:
New-SmbShare -Name Scripts -Path C:\PS -FullAccess site\spb_admins, site\msk-man01$ -ChangeAccess "site\msk-man01_script_rw" -ReadAccess “$env:USERDOMAIN\domain users” –description “Collection of management PowerShell scripts”
In this example, we have created a network folder and granted permissions to domain groups and one computer.
Additionally, when creating a folder, you can use the following options:
- -CachingMode [None|Manual|Programs|Documents|BranchCache] – set caching mode for offline access (offline files);
- -EncryptData $True – enable SMB traffic encryption;
- -FolderEnumerationMode [AccessBased | Unrestricted] – enable the Access-based Enumeration option. Allows you to hide objects in a network folder that the user does not have access to;
- -CompressData $True – enable compression when transferring files via SMB;
- -ConcurrentUserLimit 50 – allows you to limit the number of simultaneous connections to a folder (0 by default, unlimited);
- -Temporary – create a temporary network folder (it will disappear after the next Window restart).
A complete list of network folder settings can be displayed:
Get-SmbShare -Name scripts| select *
To delete a network folder:
Remove-SmbShare ScriptsAdd write permissions for the specified user to the access list of the network folder:
Grant-SmbShareAccess -Name Scripts -AccountName "winitpro\kbuldogov" -AccessRight Change –forceDisplay the current shared folder access list:
Get-SmbShareAccess scripts
Revoke-SmbShareAccess -Name Scripts -AccountName Everyone –ForceForce denial of access to a shared folder (denying permission has higher priority):
Block-SmbShareAccess -Name Scripts -AccountName winitpro\ExtUsers -Force
In most cases, Everyone RW access is granted at the network folder level, but in fact, folder access rights are determined at the NTFS level.
The current NTFS ACL for a network folder can be obtained using the command:
(get-acl \\msk-man01\scripts).access
To change permissions, use Set-Acl.
Manage open files on a network folder.
You can use the SMBShare module cmdlets to list files opened by clients on a network share on a file server.
List open files with usernames, computer names (IP addresses), and file paths:
Get-SmbOpenFile|select ClientUserName,ClientComputerName,Path,SessionIDList files opened by a specific user:
Get-SMBOpenFile –ClientUserName "corp\kbuldogov" |select ClientComputerName,Path
Close a file opened and locked by the user:
$sessn = New-CIMSession –Computername msk-fs01
Get-SMBOpenFile -CIMSession $sessn | where {$_.Path –like "*godovoy_otchet_2021.docx"} | Close-SMBOpenFile -CIMSession $sessn
Mapping network drives using SmbMapping cmdlets.
The SbmMapping format cmdlets are used to manage network drives.
To map a remote network folder to a U: network drive, run the command:
New-SmbMapping -LocalPath U: -RemotePath \\msk-man01\scripts -UserName kbuldogov -Password mypass –Persistent $true -SaveCredential
- Without the Persistent option, the network drive will only be available until the computer is restarted;
- The SaveCredential parameter saves the user's credentials for connecting to the Windows Credential Manager
Display a list of connected network folders:
Get-SmbMappingTo delete a network drive:
Remove-SmbMapping U: -force
You can use GPO to map /disconnect network drives in Windows.