A little concept I’ve been working on every now and again is ad-hoc shares. The reasoning behind it is that committees and other short-lived inter-department groups need something to share documents with that can be backed up. Email can be a hassle and quickly fills quotas, IT staff probably hate the idea of users starting shares on their own machines (not to mention the backup issue), and a “public” share is way too… public.
A huge part of this idea came from drop.io, which allows anyone to create a place to share files as easily as letting the third parties know the location and password. By utilizing Active Directory together with share and NTFS permissions, you can quickly create a place where people can access files and folders that only they have rights to.
With this script, users can create shares when they need them and limit who has access without having to know anything about share or NTFS permissions. At the moment, though, it would require them to know something about the command line and PowerShell. However, a GUI could be created fairly easily based on the code below.
One thing I haven’t finished yet is a culling script that would run on the server holding the main share; that is the reason for the hidden XML file written into each share, which records when the share may be deleted.
adhocshares.ps1
param (
    $xml = $(throw "You must supply an XML (text not file) configuration!")
)
# Usage: .\adhocshares.ps1 -xml (Get-Content .\share.xml | Out-String)
#
# settings
#
$version = "0.2";
$rootdir = "c:\pbin\adhocshares\shares\";
$xmld = new-object system.xml.xmldocument;
$xmld.LoadXml($xml);
# XML validation: every required element/attribute must be present.
# Start at $True and AND each check in; one missing piece flips it to $False.
$spec_check = $True;
$spec_check = $spec_check -and [bool]$xmld.root.share.dir
$spec_check = $spec_check -and [bool]$xmld.root.share.dir.name
$spec_check = $spec_check -and [bool]$xmld.root.share.dir.expires
$spec_check = $spec_check -and [bool]$xmld.root.share.acl
$spec_check = $spec_check -and [bool]$xmld.root.share.acl.user
if($xmld.root.version.number -ne $version -or -not $spec_check) {
    throw "XML should conform to the 0.2 version specs.";
}
#
# Create share
#
$name = $xmld.root.share.dir.name
# The name comes straight from user-supplied XML; restrict it to a simple token
# so it cannot contain "..\" or other path characters that would place the
# folder outside $rootdir.
if($name -notmatch '^[A-Za-z0-9_-]+$') {
    throw "Error: share names may only contain letters, digits, '_' and '-'.";
}
$newdir = "$($rootdir)$($name)";
##insert code for random name generation.
if(test-path $newdir) {
    throw "Error: Sorry, but that folder already exists. Please try another name.";
}
New-Item $newdir -type directory | out-null
$dacl = get-acl $newdir;
# Rules apply to the folder itself, its subfolders and its files.
# (InheritanceFlags is a flags enum: combine the two values with -bor rather
# than putting them in an array, which the constructor will not accept.)
$inher = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$prop = [System.Security.AccessControl.PropagationFlags]::None
foreach($u in $xmld.root.share.acl.user) {
    "Adding: $($u.name) with $($u.rights) permissions.";
    if($u.rights -eq "rw") {
        # FullControl also lets the user change permissions on the folder;
        # "Modify" would be the least-privilege choice for a read/write user.
        $new_rights = New-Object System.Security.AccessControl.FileSystemAccessRule("contoso\$($u.name)", "FullControl", $inher, $prop, "Allow");
        $dacl.AddAccessRule($new_rights);
    }
    if($u.rights -eq "ro") {
        $new_rights = New-Object System.Security.AccessControl.FileSystemAccessRule("contoso\$($u.name)", "ReadAndExecute", $inher, $prop, "Allow");
        $dacl.AddAccessRule($new_rights);
    }
}
set-acl -path $newdir -AclObject $dacl;
#Create the "settings" of the folder.
#Management script will delete folder if .ahs.settings.xml is not present.
#Note: the file inherits the folder ACL, so "rw" users have FullControl over it
#and can clear the attributes set below or delete it; hidden + read-only is a
#convenience against accidents, not a protection.
$xml | out-file "$($newdir)\.ahs.settings.xml";
$t = gi "$($newdir)\.ahs.settings.xml";
$t.Attributes = "Hidden";
$t.IsReadOnly = $True;
XML permissions
<?xml version="1.0" encoding='ISO-8859-1'?>
<!--
VERSION:0.2
version: <version number="adhoc version" />
    Nothing special here other than to specify the parser version.
share: <share>
    Similar to "items" for RSS feeds. Meant to one day allow for multiple shares to be created from one xml file.
dir: <dir name="share name" expires="date the share will expire and can be deleted" />
acl: <acl>
    List of users that will have access to the folder.
user: <user name="ActiveDirectory SAM account name" rights="(rw|ro)" />
-->
<root>
    <version number="0.2" />
    <share>
        <dir name="tmp1" expires="Friday, July 31, 2009 9:32:33 AM" />
        <acl>
            <user name="josherickson" rights="rw" />
            <user name="theboss" rights="ro" />
            <user name="coworker" rights="ro" />
        </acl>
    </share>
</root>
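The culling script mentioned at the top of the post is not part of it, so here is an added example of what it could look like (my code, not the post's). It assumes the same root folder and hidden .ahs.settings.xml name as adhocshares.ps1, that the server's culture can parse the "expires" string in the format shown above, and a log file path of my own choosing; the -DryRun switch is a hypothetical name for a "report only" mode.

```powershell
# cull-adhocshares.ps1 -- added example, not the code from the post.
# Assumes the same root folder and settings file name as adhocshares.ps1 and
# that [datetime]::Parse can read the "expires" value under the server's culture.
param (
    $rootdir = "c:\pbin\adhocshares\shares\",
    $logfile = "c:\pbin\adhocshares\cull.log",   # assumed location, not from the post
    [switch]$DryRun                               # report only, delete nothing
)
$settingsName = ".ahs.settings.xml"
$now = Get-Date

function Get-CullReason($shareDir) {
    # Returns a string explaining why the share should be removed, or $null to keep it.
    $settings = Join-Path $shareDir.FullName $settingsName
    if(-not (Test-Path -LiteralPath $settings)) {
        # Per the design in the post, a share whose settings file is gone is removed.
        # An "rw" user holds FullControl and can delete that file themselves,
        # so these log entries deserve a look rather than being treated as routine.
        return "settings file missing"
    }
    try {
        $xmld = New-Object System.Xml.XmlDocument
        $xmld.Load($settings)
        if($xmld.root.version.number -ne "0.2") { return "unknown settings version" }
        $expires = [datetime]::Parse($xmld.root.share.dir.expires)
    } catch {
        return "unreadable settings: $($_.Exception.Message)"
    }
    if($expires -lt $now) { return "expired on $expires" }
    return $null
}

# Only direct children of $rootdir are candidates; nothing outside it is ever touched.
foreach($dir in Get-ChildItem -LiteralPath $rootdir | Where-Object { $_.PSIsContainer }) {
    $reason = Get-CullReason $dir
    if($reason -eq $null) { continue }
    $entry = "$($now.ToString('s')) remove $($dir.FullName): $reason"
    $entry | Out-File -Append $logfile
    $entry
    if(-not $DryRun) {
        # -Force is needed because the settings file is hidden and read-only.
        Remove-Item -LiteralPath $dir.FullName -Recurse -Force
    }
}
```

Run it once with -DryRun from a scheduled task on the share server to see what it would remove; the log line is written in both modes so that a share deleted because its settings file vanished (rather than because it expired) can be traced afterwards.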