Turns out an unprivileged user can be given permissions to create and remove file (and possibly other) shares.

Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything. Read and act on it at your own peril!

To allow unprivileged users to manage file shares, create a Just-Enough-Admin configuration.

This will allow unprivileged users to play with share permissions as well but this should not normally be an issue since file permissions are the final arbiter of access.

PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-PSSessionConfigurationFile SmbShare.pssc

And create a group JEA_SmbShare.

PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-LocalGroup JEA_SmbShare

Make three changes to the SmbShare.pssc files created:

  1. Set SessionType to ‘RestrictedRemoteServer’.
# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
SessionType = 'RestrictedRemoteServer'
  1. Set RunAsVirtualAccount to $true.
# Whether to run this session configuration as the machine's (virtual) administrator account
RunAsVirtualAccount = $true
  1. Configure RoleDefinitions to use SmbShare.psrc.
RoleDefinitions = @{'JEA_SmbShare' = @{RoleCapabilities='SmbShare'}}

Then create a role capability file for this thing.

PS C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities> New-PSRoleCapabilityFile SmbShare.psrc

Add the following entries to the file, at the appropriate places per the hints given in the template file.

ModulesToImport='SmbShare'
VisibleCmdLets='*-Smb*'

Yes, this grants ultimate share power to our JEA_SmbShare group. You can limit these powers if you like by limiting what parameters can be called etc.. I will write about that in the future.

We are not adding the net.exe command to the configuration because it allows far more than share management.

Register the configuration:

PS C:\Program Files\WindowsPowerShell\Modules\JEA> Register-PSSessionConfiguration SmbShare -Path .\SmbShare.pssc

Now add a user to the JEA_SmbShare group and let him enjoy his powers.

PS C:\> Add-LocalGroupMember -Group JEA_SmbShare -Member benoit
PS C:\> Get-LocalGroupMember JEA_SmbShare

ObjectClass Name              PrincipalSource
----------- ----              ---------------
User        CHAMPIGNAC\benoit Local

PS C:\>

User benoit can now create and destroy shares at will. But he should create shares with a different than default security descriptor (using the -FullAccess parameter) if the default security descriptor allows access to Everyone (and your file system permissions do the same, what kind of system are you running there?).

PS C:\> whoami
champignac\benoit
PS C:\> Get-ChildItem 'C:\Program Files\WindowsPowerShell\Modules\JEA\' -Filter *.pssc|ForEach-Object{Import-PSSession (New-PSSession -ConfigurationName $_.BaseName) -AllowClobber}                                                                                                                                                                                                                                                          ModuleType Version    Name                                ExportedCommands                                                                                                                                             ---------- -------    ----                                ----------------                                                                                                                                             Script     1.0        tmp_ahjvt5rd.1el                    {Add-WebConfiguration, Add-WebConfigurationLock, Add-WebConfigurationProperty, Backup-WebConfiguration...}                                                   Script     1.0        tmp_qecztqlr.ihh                    {Block-SmbClientAccessToServer, Block-SmbShareAccess, Clear-Host, Close-SmbOpenFile...}                                                                      Script     1.0        tmp_qhqgomtt.jo5                    {Clear-Host, Exit-PSSession, Get-Command, Get-WindowsFeature...}


PS C:\> md BenoitShare


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/25/2025  10:06 AM                BenoitShare


PS C:\> New-SmbShare -Path C:\BenoitShare\ -Name BenoitShare -FullAccess "Authenticated Users"

Name        ScopeName Path           Description
----        --------- ----           -----------
BenoitShare *         C:\BenoitShare


PS C:\> Get-SmbShare

Name        ScopeName Path           Description
----        --------- ----           -----------
ADMIN$      *         C:\WINDOWS     Remote Admin
BenoitShare *         C:\BenoitShare
C$          *         C:\            Default share
IPC$        *                        Remote IPC
TestShare   *         C:\TestShare


PS C:\> (Get-SmbShare BenoitShare).SecurityDescriptor
O:SYG:SYD:(A;;FA;;;AU)
PS C:\> Remove-SmbShare BenoitShare

Confirm
Are you sure you want to perform this action?
Performing operation 'Remove-Share' on Target '*,BenoitShare'.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):
PS C:\>

Of course, having access to configuring (and removing) all shares user benoit now has tremendous ability to destroy things. But it pales with user benoit’s ability to destroy things if he were a member of the Administrators group and, of course, the JEA configuration could be configured more stringently, perhaps with a few allowed functions and no direct access to all cmdlets. I would personally add a second role cabaility file with such functions and a second group JEA_SmbShare_Functions for those users we don’t trust as much as user benoit.

Shares.pssc
Shares.psrc

Next: Scheduled Tasks