how to change specific folder permissions with powershell no GUI [duplicate] - powershell

I am trying to use the "default" options in applying folder permissions; by that, I mean that using the "Full Control, Write, Read, etc" in the 'Properties' for a folder.
The following script works to add the user in, but it applies "Special Permissions" - not the ones with the tick boxes for the ones visible in the properties menu of the folder:
$Acl = Get-Acl "\\R9N2WRN\Share"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule ("user","FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "\\R9N2WRN\Share" $Acl
What am I doing wrong please?

Specifying inheritance in the FileSystemAccessRule() constructor fixes this, as demonstrated by the modified code below (notice the two new constructor parameters inserted between "FullControl" and "Allow").
$Acl = Get-Acl "\\R9N2WRN\Share"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("user", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "\\R9N2WRN\Share" $Acl
According to this topic
"when you create a FileSystemAccessRule the way you have, the
InheritanceFlags property is set to None. In the GUI, this
corresponds to an ACE with the Apply To box set to "This Folder Only",
and that type of entry has to be viewed through the Advanced
settings."
I have tested the modification and it works, but of course credit is due to the MVP posting the answer in that topic.
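To see how the constructor arguments map to what the Security tab shows, the following added example (not part of the original answers) builds rules in memory and names the "Applies to" scope each one produces. It goes beyond the two constructors above by also covering an InheritOnly rule; `Get-AppliesTo` is a hypothetical helper and the BUILTIN\Users SID is a stand-in account.

```powershell
# Added example: rules are built in memory; no folder ACL is read or written.
# S-1-5-32-545 is the well-known SID of BUILTIN\Users, used as a stand-in account.
$sid      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'

function Get-AppliesTo {
    # Hypothetical helper: name the GUI "Applies to" scope for a rule's flags.
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)

    $inherit   = [System.Security.AccessControl.InheritanceFlags]
    $propagate = [System.Security.AccessControl.PropagationFlags]
    $parts = @()
    if ($Rule.InheritanceFlags.HasFlag($inherit::ContainerInherit)) { $parts += 'CI' }
    if ($Rule.InheritanceFlags.HasFlag($inherit::ObjectInherit))    { $parts += 'OI' }
    # No inheritance flags at all: the entry only shows under Advanced settings.
    if ($parts.Count -eq 0) { return 'This folder only' }
    if ($Rule.PropagationFlags.HasFlag($propagate::InheritOnly))    { $parts += 'IO' }

    switch ($parts -join '+') {
        'CI+OI'    { 'This folder, subfolders and files' }
        'CI'       { 'This folder and subfolders' }
        'OI'       { 'This folder and files' }
        'CI+OI+IO' { 'Subfolders and files only' }
        'CI+IO'    { 'Subfolders only' }
        'OI+IO'    { 'Files only' }
    }
}

# Constructed argument lists: the question's form, the answer's form, and InheritOnly.
$cases = [ordered]@{
    '3 arguments'              = @($sid, 'FullControl', 'Allow')
    '5 arguments, None'        = @($sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    '5 arguments, InheritOnly' = @($sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
}

foreach ($name in $cases.Keys) {
    $rule = New-Object $ruleType -ArgumentList $cases[$name]
    [pscustomobject]@{
        Constructor      = $name
        InheritanceFlags = $rule.InheritanceFlags
        PropagationFlags = $rule.PropagationFlags
        AppliesTo        = Get-AppliesTo $rule
    }
}
```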

Referring to Gamaliel's answer: $args is an array of the arguments that are passed into a script at runtime - as such cannot be used the way Gamaliel is using it.
This is actually working:
$myPath = 'C:\whatever.file'
# get actual Acl entry
$myAcl = Get-Acl "$myPath"
$myAclEntry = "Domain\User","FullControl","Allow"
$myAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($myAclEntry)
# prepare new Acl
$myAcl.SetAccessRule($myAccessRule)
$myAcl | Set-Acl "$MyPath"
# check if added entry present
Get-Acl "$myPath" | fl

Another example using PowerShell to set permissions (File / Directory):
Verify permissions
Get-Acl "C:\file.txt" | fl *
Apply full permissions for everyone
$acl = Get-Acl "C:\file.txt"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("everyone","FullControl","Allow")
$acl.SetAccessRule($accessRule)
$acl | Set-Acl "C:\file.txt"
Hope this helps

In case you need to deal with a lot of folders containing subfolders and other recursive stuff. Small improvement on @Mike L'Angelo:
$mypath = "path_to_folder"
$myacl = Get-Acl $mypath
$myaclentry = "username","FullControl","Allow"
$myaccessrule = New-Object System.Security.AccessControl.FileSystemAccessRule($myaclentry)
$myacl.SetAccessRule($myaccessrule)
Get-ChildItem -Path "$mypath" -Recurse -Force | Set-Acl -AclObject $myacl -Verbose
Verbosity is optional in the last line

This one works for me
$path = "C:\test"
$name = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl "C:\test"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($name,"FullControl","Allow")
$acl.SetAccessRule($accessRule)
$acl | Set-Acl "C:\test"
Get-ChildItem -Path "$path" -Recurse -Force | Set-Acl -aclObject $acl -Verbose

$path = "C:\DemoFolder"
$acl = Get-Acl $path
$username = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$Attribs = $username, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Attribs)
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
Get-ChildItem -Path "$path" -Recurse -Force | Set-Acl -aclObject $acl -Verbose

Related

Setting up NTFS permissions on a Root folder using PowerShell

I'm creating a script so less capable techs can quickly and easily set up server-side folders. I've been able to create the folder, related AD security groups and started assigning permissions, but I got stuck when I had 1 security group listed twice.
Basically I have a FolderA_Ro and FolderA_RW groups with FolderA_RW being listed twice.
FolderA_RW - SPECIAL - Traversal, List folder, Read attributes, Read extended attributes, Create files, Create folders, Read permissions - This folder only
FolderA_RW - Modify - Subfolders and files only
This prevents users from renaming the folder and anything else they might do that can't be predicted. Yes, I've had a lot of issues with these kinds of things happening.
I can add the first one without issue, but I can't seem to get it to add the second. Any ideas? Here's my code...
$RFolder = read-host "folder name"
$path = "C:\$($RFolder)"
<# Remove all NTFS permissions #>
$acl = Get-Acl $path
$acl.Access | %{$acl.RemoveAccessRule($_)}
Set-Acl $path $acl
<# Remove inheritance #>
$acl = Get-ACL -Path $path
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $path -AclObject $acl
<# Assign NTFS permissions #>
$acl = Get-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("PMGTINC\Domain Users","Delete, ChangePermissions, TakeOwnership", "None", "None", "Deny")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("PMGTINC\SEC_$($RFolder)_Ro","ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("PMGTINC\SEC_$($RFolder)_RW","CreateFiles,AppendData,ReadAndExecute", "None", "None", "Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("PMGTINC\SEC_$($RFolder)_RW","Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
You could modify your script to something like this:
$RFolder = read-host "folder name"
#Define some variables
$path = "C:\$($RFolder)"
$domain="PMGTINC"
$RoGroup="$domain\SEC_$($RFolder)_Ro"
$RWGroup="$domain\SEC_$($RFolder)_RW"
<# Remove all NTFS permissions #>
$acl = Get-Acl $path
$acl.Access | %{$acl.RemoveAccessRule($_)}
Set-Acl $path $acl
<# Remove inheritance #>
$acl = Get-ACL -Path $path
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $path -AclObject $acl
<# Assign NTFS permissions #>
$acl = Get-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\Domain Users","Delete, ChangePermissions, TakeOwnership", "None", "None", "Deny")
#Append the AccessRule to the ACL
$acl.AddAccessRule( $AccessRule )
#Push settings
Set-Acl -AclObject $acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$RoGroup","ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
#Append the AccessRule to the ACL
$acl.AddAccessRule( $AccessRule )
#Push settings
Set-Acl -AclObject $acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$RWGroup","CreateFiles,AppendData,ReadAndExecute", "None", "None", "Allow")
#Append the AccessRule to the ACL
$acl.AddAccessRule( $AccessRule )
#Push settings
Set-Acl -AclObject $acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$RWGroup","Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
#Append the AccessRule to the ACL
$acl.AddAccessRule( $AccessRule )
#Push settings
Set-Acl -AclObject $acl $path
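The difference between the two scripts is `SetAccessRule` versus `AddAccessRule`: `SetAccessRule` first removes every existing rule with the same identity and access type, so a second entry for the same group replaces the first, while `AddAccessRule` keeps both when their inheritance flags differ. The following added example (not from the original posts) shows this on in-memory `DirectorySecurity` objects; `Test-RuleMethod` is a hypothetical helper and the BUILTIN\Users SID stands in for the RW group.

```powershell
# Added example: works on in-memory DirectorySecurity objects; no folder is modified.
# S-1-5-32-545 (BUILTIN\Users) stands in for the SEC_<folder>_RW group.
$sid      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'

# The two entries the question wants for the same group, with the flags it used.
$folderRule = New-Object $ruleType -ArgumentList $sid,
    'CreateFiles,AppendData,ReadAndExecute', 'None', 'None', 'Allow'
$childRule  = New-Object $ruleType -ArgumentList $sid,
    'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'

function Test-RuleMethod {
    # Hypothetical helper: apply both rules with the named method, return what survives.
    param(
        [ValidateSet('SetAccessRule', 'AddAccessRule')]
        [string]$Method
    )

    $sd = New-Object System.Security.AccessControl.DirectorySecurity
    foreach ($rule in $folderRule, $childRule) {
        $sd.$Method($rule)
    }

    # Explicit rules only, identities left as SIDs so no name lookup is needed.
    $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Select-Object @{ Name = 'Method'; Expression = { $Method } },
                      FileSystemRights, InheritanceFlags, AccessControlType
}

# SetAccessRule leaves one entry (the last one set); AddAccessRule leaves both.
'SetAccessRule', 'AddAccessRule' |
    ForEach-Object { Test-RuleMethod -Method $_ } |
    Format-Table -AutoSize
```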

Powershell to set Read&Execute permission on a folder for Authenticated users

I'm a newbie in PowerShell and trying to figure out a way to set folder permissions for Authenticated Users. I want to remove all permissions for this user except Read&Execute.
I've tried the code below but it doesn't quite give the result I want:
$folder = 'C:\folder'
#remove inheritance
$acl = Get-ACL -Path $folder
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $folder -AclObject $acl
#set folder permissions to Read&Execute
$user = New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' -ArgumentList @([System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($user, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

Set-Acl change domain for user Account powershell

Hello, I would like to know how I can change the domain of a folder > security parameter > property > MYDOMAIN\Adm_User. I want to change only MYDOMAIN, in PowerShell. Thank you very much for your help.
$ACL = Get-ACL .\smithb
$Group = New-Object System.Security.Principal.NTAccount("Builtin", "Administrators")
$ACL.SetOwner($Group)
Set-Acl -Path .\smithb\profile.v2 -AclObject $ACL
```
$ACL = Get-ACL C:\Gabriel
$Group = New-Object System.Security.Principal.NTAccount("Builtin", "Administrators")
$ACL.SetOwner($Group)
Set-Acl -Path C:\Gabriel -AclObject $ACL
```
Try this:
# Give Ownership using PowerShell
$ACL = Get-Acl -Path "C:\Gabriel"
$User = New-Object System.Security.Principal.Ntaccount("Builtin", "Administrators")
$ACL.SetOwner($User)
$ACL | Set-Acl -Path "C:\Gabriel"
Get-ACL -Path "C:\Gabriel"

Setting NTFS Permissions With Powershell

Using the following powershell I have set the NTFS Permissions for a folder for full control. For some reason this is only applying to the folder and not its contents. I followed the instructions located here
$username = "exampleuser"
$permissionArgs = "domain\$username", "FullControl", "allow"
$permissionRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permissionArgs
$acl = Get-Acl 'C:\Users\username1\Desktop\TESTING2'
$acl.SetAccessRule($permissionRule)
Set-ACL -Path 'C:\Users\username1\Desktop\TESTING2' -AclObject $acl
When I use CACLS to see the permissions I get the following output. (usernames+domain blurred)
Can anyone advise how to make the first user listed have the same permissions as the last?
You need to include the inheritance parameter while defining the ACL rule like the below one.
$Folderpath='Destination Folder'
$user_account='User Account'
$Acl = Get-Acl $Folderpath
$Ar = New-Object system.Security.AccessControl.FileSystemAccessRule($user_account, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$Acl.Setaccessrule($Ar)
Set-Acl $Folderpath $Acl
Hope this helps.

Set-acl not working in powershell 3.0

I have a new starter script which works fine in Powershell 2.0 but I have had to upgrade to Powershell 3.0 to get some SQL stuff working. However this breaks all the parts of my script that use Set-Acl. Using powershell 2.0 is not an option. Has anyone found a way around this:
My code:
#Set home directory permissions
$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$acl = Get-Acl $newfolder
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("$username", "FullControl", $inherit, $propagation, "Allow")
$acl.AddAccessRule($accessrule)
set-acl -aclobject $acl $newfolder
write-host permissions set
#Set home folder owner
$acl = Get-Acl $newfolder;
$domain = "mydomain"
$sid = New-Object System.Security.Principal.NTAccount("$domain\$username");
$acl.SetOwner($sid);
Set-Acl $newfolder $acl;
write-host owner set
Try binding the parameters with a colon.
Example:
Before: set-acl -aclobject $acl $newfolder
After: set-acl -aclobject:$acl -Path:$newfolder
Note:
Use the full path of $newfolder.
set-acl -aclobject:$acl -path:$newfolder.FullName
Explanation: Powershell cmdlets have ordered binding and positioning, using a colon ensures that your value is assigned to the correct parameter, no matter what order or type of object. The .FullName property will prevent a SetSecurityDescriptor error.
In case anyone else stumbles upon this as I did...
I was getting the following error:
Set-Acl : Cannot find path 'C:\WINDOWS\system32\System.Security.AccessControl.DirectorySecurity' because it does not exist.
I had to actually specify the Path and AclObject parameters:
Set-Acl -Path C:\mydir -AclObject $acl