PowerShell How-To

Enumerate File Shares on a Remote Windows PC with PowerShell

SMB file shares are ubiquitous across Windows environments, and it's easy to lose track of them. Using PowerShell, however, we can quickly find out not only which file shares exist on a remote computer but also details such as the permissions configured on them.

To get started, we need to ensure that the remote computer has PS Remoting available. All Windows Server 2012 R2 and later servers should have it enabled, but be sure to have the appropriate firewall exceptions and permissions set up first.

Once you've got PS Remoting working, you can then enter into a remote session via Enter-PSSession if you're querying a server interactively, or you can use Invoke-Command to remotely execute ad hoc code against the servers. For this article, I'm going to enter into an interactive session with Enter-PSSession.

Enter-PSSession -ComputerName DC

Once I'm in the session, I can now run the Get-SmbShare command. This command will enumerate all of the shares that are set up on this remote server.

You can see below that I have an open remote session to my DC server, which has a few of the default file shares already set up on it.

[dc]: PS C:\> Get-SmbShare

Name     ScopeName Path                                             Description
----     --------- ----                                             -----------
ADMIN$   *         C:\windows                                       Remote Admin
C$       *         C:\                                              Default share
D$       *         D:\                                              Default share
IPC$     *                                                          Remote IPC
NETLOGON *         C:\windows\SYSVOL\sysvol\techsnips.local\SCRIPTS Logon server share
SYSVOL   *         C:\windows\SYSVOL\sysvol                         Logon server share

However, maybe you don't want to see the default file shares. In that case, you can use the Special parameter specifying a $false argument. Now you can see that only the Active Directory-related shares show up since this server is a domain controller.

[dc]: PS C:\> Get-SmbShare -Special $false

Name     ScopeName Path                                             Description
----     --------- ----                                             -----------
NETLOGON *         C:\windows\SYSVOL\sysvol\techsnips.local\SCRIPTS Logon server share
SYSVOL   *         C:\windows\SYSVOL\sysvol                         Logon server share

Not only can we figure out what shares are on a remote server, we can also see what share-level permissions each share has by using the Get-SmbShareAccess command.

You can see below that I've listed all permissions that are applied to the NETLOGON file share on my DC remote server.

[dc]: PS C:\> Get-SmbShareAccess -Name NETLOGON

Name     ScopeName AccountName            AccessControlType AccessRight
----     --------- -----------            ----------------- -----------
NETLOGON *         Everyone               Allow             Read
NETLOGON *         BUILTIN\Administrators Allow             Full

This was just a single server, but maybe you need to create a report of file shares across lots of servers at once. No problem! We can do that by using the Invoke-Command cmdlet. This time, instead of interactively typing in each command, we'll specify the commands to run inside of the ScriptBlock parameter. Since we're querying multiple servers, we can specify a comma-delimited list via the ComputerName parameter.

Invoke-Command -ComputerName 'DC','SRV1' -ScriptBlock {Get-SmbShare}

Maybe you need to find file shares across all servers in a particular Active Directory OU. In that case, we can use the Get-ADComputer cmdlet that comes with the ActiveDirectory module to first pull all of the computer names from Active Directory. Once we have those computer names, we can then pass them to the ComputerName parameter on the Invoke-Command cmdlet.

Below I'm finding all computer objects that are in the Servers OU in my corp.ad domain, then passing that list to Invoke-Command, which will find all of the file shares on all of those computers that are not the default administrative shares.

$servers = Get-ADComputer -SearchBase "OU=Servers,DC=corp,dc=ad" -Filter * | Select-Object -ExpandProperty Name
Invoke-Command -ComputerName $servers -ScriptBlock {Get-SmbShare -Special $false}
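
The two cmdlets above can be combined into one audit report. The following is an added example, not code from the original article: it collects every non-default share and its share-level access entries from the servers in the same OU, then flags entries that allow Full or Change access to broad groups. The list of "broad" account names and the CSV path are assumptions to adjust for your environment.

```powershell
# Added example: share and share-ACL inventory for every server in one OU.
# The OU is the one used in the article; $broadNames and the CSV path are assumptions.
Import-Module ActiveDirectory

$servers = Get-ADComputer -SearchBase "OU=Servers,DC=corp,dc=ad" -Filter * |
    Select-Object -ExpandProperty Name

# Runs on each remote server and emits one row per share access entry.
$collect = {
    foreach ($share in Get-SmbShare -Special $false) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            [pscustomobject]@{
                Share       = $share.Name
                Path        = $share.Path
                AccountName = $ace.AccountName
                # Cast to string on the remote side so the values arrive as plain text.
                AccessType  = [string]$ace.AccessControlType
                AccessRight = [string]$ace.AccessRight
            }
        }
    }
}

# Keep going when a server is unreachable; failures are gathered in $failed.
$report = Invoke-Command -ComputerName $servers -ScriptBlock $collect `
    -ErrorAction SilentlyContinue -ErrorVariable failed

# Account names (without domain prefix) treated as "broad" in this example.
$broadNames = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users'

$findings = $report | Where-Object {
    $_.AccessType -eq 'Allow' -and
    $_.AccessRight -in 'Full', 'Change' -and
    ($_.AccountName -split '\\')[-1] -in $broadNames
}

# Full inventory to CSV; Invoke-Command adds PSComputerName to every row.
$report |
    Select-Object PSComputerName, Share, Path, AccountName, AccessType, AccessRight |
    Export-Csv -Path .\share-report.csv -NoTypeInformation

# Entries worth reviewing first, then the servers that returned nothing.
$findings | Sort-Object PSComputerName, Share |
    Format-Table PSComputerName, Share, AccountName, AccessRight -AutoSize
$failed | ForEach-Object { Write-Warning $_.Exception.Message }
```

Get-SmbShareAccess reports share-level permissions only; the NTFS permissions on the underlying path also apply, so a flagged entry is a starting point for review rather than a statement of effective access.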

That's it, folks! PowerShell makes quick work of file shares.

About the Author

Adam Bertram is a 20-year veteran of IT. He's an automation engineer, blogger, consultant, freelance writer, Pluralsight course author and content marketing advisor to multiple technology companies. Adam also founded the popular TechSnips e-learning platform. He mainly focuses on DevOps, system management and automation technologies, as well as various cloud platforms mostly in the Microsoft space. He is a Microsoft Cloud and Datacenter Management MVP who absorbs knowledge from the IT field and explains it in an easy-to-understand fashion. Catch up on Adam's articles at adamtheautomator.com, connect on LinkedIn or follow him on Twitter at @adbertram or the TechSnips Twitter account @techsnips_io.

