Sorry everyone for bothering you. Currently I have a command line that enforces user permissions on the specified directory, and it is already working, but I need your help with how to let the user see the higher-level directory when he accesses it. Right now, when the user accesses it normally, he does not see a higher-level directory to go through; he must access the available path directly, which is very inconvenient. I just need him to see the folders to access, without editing them or seeing other subfolders inside.
$path = 'D:\TEST'
$acl = Get-Acl -Path $path
# test.ktdv gets Write and test.ktnb gets Read; both ACEs inherit to subfolders and files
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("test.ktdv","Write","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("test.ktnb","Read","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
# Apply the modified ACL of D:\TEST to every item named 'New Folder' or 'B' below it
Get-ChildItem -Path $path -Recurse -Force |
    Where-Object { $_.Name -eq 'New Folder' -or $_.Name -eq 'B' } |
    Set-Acl -AclObject $acl -Verbose
I am trying to remove a user from all subdirectories in a network share.
I have tried the following command: ICACLS X:\ /remove:g username /T
The command runs without failure (although it takes 3.5 hours due to the size of the shared drive), but after I check the permissions, the user's permissions are not deleted from anywhere.
If I navigate to a specific folder where I know that the user has access and run the command there (for example ICACLS X:\subdirectory /remove:g username /T ), it works just fine.
The issue seems to occur only if I try to run it from the root X:\, in which case no permissions are deleted.
Any ideas why this might be the case?
P.S. I have F access on the root on the account I'm running the command with
icacls /T should do it, unless the user running the command cannot read some directories. But if inheritance is enabled on the folders, you probably have Administrators everywhere.
A simple PS script can do it. With some try/catch around $acl | Set-Acl, this can be used as a dry mode in a non-privileged session. In a privileged session this will effectively replace the ACL on the directory.
$path = 'X:\'
$username = 'Domain\User'
# Get-Item has no -Directory/-Recurse parameters; Get-ChildItem walks the tree (-Force includes hidden folders)
Get-ChildItem -Path $path -Directory -Recurse -Force | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    # Only explicit (non-inherited) ACEs can be removed here; inherited ones come from the parent
    $aces = @($acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $username })
    if ($aces.Count -gt 0) {
        Write-Host "Found $($aces.Count) ACE(s) granted for $username on $($_.FullName)"
        foreach ($ace in $aces) {
            [void]$acl.RemoveAccessRule($ace)
        }
        $acl | Set-Acl -Path $_.FullName
    }
}
I have a PowerShell script to create a new user's home drive and I am using the command below:
Set-ADUser $User -HomeDrive $driveLetter -HomeDirectory $fullPath
It's creating the home drive for the user but the user isn't able to access it.
One more thing: I can copy the created home drive manually from the AD console, paste it again and click Apply, and then it works fine.
Set-ADUser will only modify the user object in Active Directory; setting security permissions on the folder itself is an additional step.
FileSystemRights Enumeration: MSDN
It is not sufficient to simply use Set-ADUser and expect full end-to-end creation of a fully functioning home directory; we must set permissions on the folder in question, including any inheritance flags.
There are a few steps to accomplish this, but simply stated:
We need to get the current access control list (ACL)
We need to add our desired permissions to said ACL
We need to write the new ACL, combining both the pre-existing and new permissions.
As you may have guessed:
Get-ACL
Set-ACL
We can do something like this:
Set-ADUser $User -HomeDrive $driveLetter -HomeDirectory $fullPath -ea Stop
$homeShare = New-Item -Path $fullPath -ItemType Directory -Force -ea Stop
$acl = Get-Acl -Path $homeShare.FullName
$FileSystemRights = [System.Security.AccessControl.FileSystemRights]"Modify"
$AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow
$InheritanceFlags = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
# 'None' applies the ACE to the home folder itself as well as to everything created inside it;
# 'InheritOnly' would leave the user with no rights on the folder itself, so he could not open it
$PropagationFlags = [System.Security.AccessControl.PropagationFlags]::None
# $User must be an ADUser object (e.g. from Get-ADUser) for .SID to resolve
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule ($User.SID, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType)
$acl.AddAccessRule($AccessRule)
Set-Acl -Path $homeShare.FullName -AclObject $acl -ea Stop
If you're feeling creative, you can also combine some of the flags into an array:
$InheritanceFlag = @('ContainerInherit','ObjectInherit')
Please note this code is NOT tested; validate it before executing in any environment.
I am trying to modify a folder ACL through PowerShell with the following code. First I want to clear the ACL and stop inheritance, and then add only specific users to it.
This seems to work fine, but if I try to open that folder it gives the following error.
What is wrong with the script?
$acl = Get-ACL -Path "c:\mydata"
$acl.SetAccessRuleProtection($True, $False)
$acl | Set-Acl -Path "c:\mydata"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DBUSER","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("ADMIN","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$acl | Set-Acl -Path "c:\mydata"
You are setting an empty ACL, then trying to make changes when you no longer have permissions. Normally, you should be getting an error on the second Set-ACL:
$acl | Set-Acl $path
Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
Instead, try setting the ACL only once:
$path = 'c:\mydata'
$acl = Get-ACL $path
$rule1 = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "DBUSER","FullControl","ContainerInherit,ObjectInherit","None","Allow" )
$rule2 = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "ADMIN","FullControl","ContainerInherit,ObjectInherit","None","Allow" )
$acl.AddAccessRule($rule1)
$acl.AddAccessRule($rule2)
# Flush the inherited permissions, and protect your new rules from overwriting by inheritance
$acl.SetAccessRuleProtection($True, $False)
# Output what the new access rules actually look like:
$acl.Access | Format-Table
$acl | Set-Acl $path
If you need to keep the existing permissions, then use $acl.SetAccessRuleProtection($True, $True) instead.
Finally, make sure you're actually logged in as either DBUSER or ADMIN when testing access to the folder.
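As an added example that is not from any answer on this page, the following function applies the single-write pattern from this answer and the Get-ACL / AddAccessRule / Set-ACL steps from the home-directory answer, and refuses to write an ACL that would no longer contain a FullControl Allow for BUILTIN\Administrators. The function name, its parameters and the identities in the example call are assumptions for illustration.

```powershell
# Added example (not from any answer on this page): apply explicit grants to a folder,
# optionally break inheritance, and write the ACL once, refusing to write if the result
# would no longer contain a FullControl Allow for BUILTIN\Administrators.
# Function and parameter names are assumptions for this illustration.
function Set-FolderAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        # identity -> rights, e.g. @{ 'DOMAIN\DBUSER' = 'Modify' }
        [Parameter(Mandatory)][hashtable]$Grants,
        [switch]$Protect,            # stop inheriting from the parent folder
        [switch]$PreserveInherited   # when protecting, keep inherited ACEs as explicit copies
    )
    $acl = Get-Acl -Path $Path
    # Step 1: add the new rules while the in-memory ACL still holds the inherited ACEs
    foreach ($identity in $Grants.Keys) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $identity, $Grants[$identity], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }

    # Step 2: protect last; without -PreserveInherited this drops the inherited ACEs
    # from the in-memory object, so the guard below sees what will really be written.
    if ($Protect) { $acl.SetAccessRuleProtection($true, $PreserveInherited.IsPresent) }

    # Step 3: lockout guard, evaluated on the pending ACL before anything touches disk
    $adminSid = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $keepsAdmins = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $adminSid.Value -and
                       $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $full) -eq $full }
    if (-not $keepsAdmins) {
        throw "Refusing to write ACL on '$Path': BUILTIN\Administrators would lose FullControl."
    }

    # Step 4: a single Set-Acl, skipped under -WhatIf
    if ($PSCmdlet.ShouldProcess($Path, 'Set-Acl')) {
        Set-Acl -Path $Path -AclObject $acl
    }
    # Return the rules that apply after the write so the caller can review them
    $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Example call with assumed identities; -WhatIf reviews the result without writing it
$grants = @{ 'DOMAIN\DBUSER' = 'Modify'; 'BUILTIN\Administrators' = 'FullControl' }
Set-FolderAccess -Path 'C:\mydata' -Grants $grants -Protect -WhatIf
```

Run it once with -WhatIf to see the rules that would remain, then again without it to write them; a Deny ACE or a typo in an identity shows up in the returned list before the folder is touched.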
Can I take over ownership and then Set-ACL on a folder? I have a folders.txt file where I have the locations of the folders.
For Example:
D:\Dept\CC\NorthRiver\16-17\StaffAdministration
Then I am creating a new year's folder structure from the previous year's and copying the rights and permissions of the previous year's folders to the matching folders of the new year. I ran into an issue though because of ownership of the folders. If I am not the owner I cannot duplicate the permissions of certain folders, and I receive "Set-ACL : The security identifier is not allowed to be the owner of this object." Is there any way around this?
I tried adding the following line (to change the owner to me), but that did not work either:
get-item $currentFolder.Replace("16-17", "15-16") | set-owner -Account 'VDB-TST1\Administrators'
Does anyone have any ideas of how I may accomplish this?
This is the full script I have:
Function Get-FileName {
    [CmdletBinding()]
    Param(
        [String]$Filter = "|*.*",
        [String]$InitialDirectory = "C:\")
    # Show a Windows file-picker dialog and return the selected file name
    Add-Type -AssemblyName System.Windows.Forms
    $OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog
    $OpenFileDialog.InitialDirectory = $InitialDirectory
    $OpenFileDialog.Filter = $Filter
    [void]$OpenFileDialog.ShowDialog()
    $OpenFileDialog.FileName
}
# Get and set the ACL on the new year's folder structure
foreach ($currentFolder in (Get-Content (Get-FileName -InitialDirectory $env:USERPROFILE\Desktop -Filter "Text files (*.txt)|*.txt|All files (*.*)|*.*"))) {
    New-Item -Path $currentFolder -ItemType Directory -Force | Out-Null   # create the 16-17 folder
    # Set-Owner is not a built-in cmdlet; it comes from a separate module or script
    Get-Item $currentFolder.Replace("16-17", "15-16") | Set-Owner -Account 'VDB-TST1\Administrators'
    # Copy the 15-16 folder's ACL to the 16-17 folder (this is where the owner error occurs)
    Get-Acl $currentFolder.Replace("16-17", "15-16") | Set-Acl $currentFolder
}
I think you are running into the same limitations of Set-ACL and Get-ACL described in this post. Try changing
Get-ACL $currentFolder.Replace("16-17", "15-16") | Set-ACL $currentFolder
to
(Get-Item $currentFolder.Replace("16-17", "15-16")).GetAccessControl('Access') | Set-ACL $currentFolder
As an alternative, you can use robocopy to copy the NTFS permissions from one directory and then apply them to another.
robocopy $currentFolder.Replace("16-17", "15-16") $currentfolder /copy:S /SECFIX
Hope this helps.
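As an added example that is not from this answer, the function below copies a source folder's explicit access rules onto a destination folder while leaving ownership alone, which is what trips Set-ACL when the caller is not the owner of the source. The function name and its parameters are assumptions; the paths in the example call follow the 15-16 / 16-17 layout from the question.

```powershell
# Added example (not from the answers above): copy a source folder's access rules onto a
# destination folder without touching ownership. Function and parameter names are assumptions.
function Copy-FolderAccessRules {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $srcAcl = Get-Acl -LiteralPath $Source        # read only; its owner is never written anywhere
    $dstAcl = Get-Acl -LiteralPath $Destination   # keeps the destination's own owner

    # Mirror the source's inheritance state: a protected source gives a protected destination,
    # and in that case the destination's inherited ACEs are discarded from the in-memory object.
    $dstAcl.SetAccessRuleProtection($srcAcl.AreAccessRulesProtected, $false)

    # Clear the destination's existing explicit ACEs (iterate over a snapshot, not the live ACL)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($old in @($dstAcl.GetAccessRules($true, $false, $sidType))) {
        [void]$dstAcl.RemoveAccessRule($old)
    }

    # Re-create each explicit source ACE (Allow and Deny alike) as a new explicit rule
    $copied = 0
    foreach ($rule in $srcAcl.GetAccessRules($true, $false, $sidType)) {
        $new = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $rule.IdentityReference, $rule.FileSystemRights,
            $rule.InheritanceFlags, $rule.PropagationFlags, $rule.AccessControlType)
        $dstAcl.AddAccessRule($new)
        $copied++
    }

    # Single write of the destination's own descriptor: DACL changed, owner untouched
    Set-Acl -LiteralPath $Destination -AclObject $dstAcl
    [pscustomobject]@{
        Destination = $Destination
        Protected   = $dstAcl.AreAccessRulesProtected
        CopiedRules = $copied
    }
}

# Example call using the question's folder layout (previous year -> new year)
$prev = 'D:\Dept\CC\NorthRiver\15-16\StaffAdministration'
Copy-FolderAccessRules -Source $prev -Destination $prev.Replace('15-16', '16-17')
```

Inherited ACEs on the source are deliberately not copied; the destination receives them from its own parent when inheritance is enabled, which matches what Explorer shows after a manual copy of the permissions.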
The Set-ACL cmdlet native to powershell is pretty terrible. I would suggest using the NTFS module that is available. I have tried playing with Set-ACL several times and it always wastes more of my time rather than actually being useful.
I'm trying to delete some users from AD and also take out their home directories. However, we have a script that denies us Administrators rights to their desktop.ini files, because that stops their folder name from being resolved in Explorer. However, when I want to blow out their whole home directory, the fact that their desktop.ini is still there means the parent folder can't be deleted either. I thought the script below would give me rights, but it hasn't. What am I missing, guys?
$user = $_.uname                                   # user name from the object piped into this block
$homeDir = "\\server\students\home\$user"
If (Test-Path $homeDir) {
    Set-ItemProperty -Path $homeDir -Name Attributes -Value "Normal"
    $acl = Get-Acl $homeDir
    # Removes Deny ACEs from the home folder itself only; files inside it (such as desktop.ini)
    # keep their own explicit Deny ACEs
    $acl.Access | Where-Object { $_.AccessControlType -eq "Deny" } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    (Get-Item $homeDir).SetAccessControl($acl)
    Get-ChildItem -Path "$homeDir\*" -Recurse | Remove-Item -Force -Recurse
    Remove-Item $homeDir -Recurse
    Write-Host "$user's home directory deleted successfully"
}
It's external to PowerShell (it runs within PS just fine though), but I would suggest using icacls as it makes this much simpler...
icacls "\\server\students\home\$user" /grant administrators:F /t