Setting up NTFS permissions on a Root folder using PowerShell

I'm creating a script so less capable techs can quickly and easily set up server-side folders. I've been able to create the folder and the related AD security groups and started assigning permissions, but I got stuck when I had one security group listed twice.
Basically I have a FolderA_Ro and FolderA_RW groups with FolderA_RW being listed twice.
FolderA_RW - SPECIAL - Traversal, List folder, Read attributes, Read extended attributes, Create files, Create folders, Read permissions - This folder only
FolderA_RW - Modify - Subfolders and files only
This prevents users from renaming the folder and anything else they might do that can't be predicted. Yes, I've had a lot of issues with these kinds of things happening.
I can add the first one without issue, but I can't seem to get it to add the second. Any ideas? Here's my code...
$RFolder = read-host "folder name"
$path = "C:\$($RFolder)"
<# Remove all NTFS permissions #>
$acl = Get-Acl $path
$acl.Access | %{$acl.RemoveAccessRule($_)}
Set-Acl $path $acl
<# Remove inheritance #>
$acl = Get-ACL -Path $path
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $path -AclObject $acl
<# Assign NTFS permissions #>
$acl = Get-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("PMGTINC\Domain Users","Delete, ChangePermissions, TakeOwnership", "None", "None", "Deny")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("PMGTINC\SEC_$($RFolder)_Ro","ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("PMGTINC\SEC_$($RFolder)_RW","CreateFiles,AppendData,ReadAndExecute", "None", "None", "Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("PMGTINC\SEC_$($RFolder)_RW","Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path

You could modify your script to something like this:
$RFolder = read-host "folder name"
#Define some variables
$path = "C:\$($RFolder)"
$domain="PMGTINC"
$RoGroup="$domain\SEC_$($RFolder)_Ro"
$RWGroup="$domain\SEC_$($RFolder)_RW"
<# Remove all NTFS permissions #>
$acl = Get-Acl $path
$acl.Access | %{$acl.RemoveAccessRule($_)}
Set-Acl $path $acl
<# Remove inheritance #>
$acl = Get-ACL -Path $path
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $path -AclObject $acl
<# Assign NTFS permissions #>
$acl = Get-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\Domain Users","Delete, ChangePermissions, TakeOwnership", "None", "None", "Deny")
#Append the AccessRule to the ACL
$acl.AddAccessRule( $AccessRule )
#Push settings
Set-Acl -AclObject $acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$RoGroup","ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
#Append the AccessRule to the ACL
$acl.AddAccessRule( $AccessRule )
#Push settings
Set-Acl -AclObject $acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$RWGroup","CreateFiles,AppendData,ReadAndExecute", "None", "None", "Allow")
#Append the AccessRule to the ACL
$acl.AddAccessRule( $AccessRule )
#Push settings
Set-Acl -AclObject $acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$RWGroup","Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
#Append the AccessRule to the ACL
$acl.AddAccessRule( $AccessRule )
#Push settings
Set-Acl -AclObject $acl $path
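As an added example (not code from the question or the answer above), this builds the two SEC_<Folder>_RW entries the question describes and reads the ACL back so the result can be checked. It assumes $path and the group name are placeholders. Note that "Subfolders and files only" needs PropagationFlags InheritOnly; with "None" the Modify entry also applies to the root folder itself, which is exactly what the question wants to prevent.

```powershell
# Added example: two explicit entries for the same group on one folder.
# Placeholders: adjust $path and $RWGroup to your environment.
$path    = 'C:\FolderA'
$domain  = 'PMGTINC'
$RWGroup = "$domain\SEC_FolderA_RW"

$acl = Get-Acl -Path $path

# Entry 1, "This folder only": no inheritance, no propagation.
# ReadAndExecute covers Traverse, List folder, Read attributes,
# Read extended attributes and Read permissions; CreateFiles and
# CreateDirectories are the two create rights from the question.
$thisFolderOnlyArgs = $RWGroup,
    'ReadAndExecute,CreateFiles,CreateDirectories',
    'None', 'None', 'Allow'
$thisFolderOnly = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $thisFolderOnlyArgs

# Entry 2, "Subfolders and files only": inheritable by containers and
# objects, but InheritOnly keeps it from applying to the root folder, so
# members cannot rename or delete the root itself.
$subfoldersAndFilesArgs = $RWGroup,
    'Modify',
    'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow'
$subfoldersAndFiles = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $subfoldersAndFilesArgs

# AddAccessRule appends. SetAccessRule first removes every existing Allow
# entry for the same identity, which is why the second rule in the
# question replaced the first instead of sitting beside it.
$acl.AddAccessRule($thisFolderOnly)
$acl.AddAccessRule($subfoldersAndFiles)
Set-Acl -Path $path -AclObject $acl

# Verify: expect exactly two explicit (non-inherited) entries for the group.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $RWGroup -and -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```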

Related

how to change specific folder permissions with powershell no GUI [duplicate]

I am trying to use the "default" options in applying folder permissions; by that, I mean that using the "Full Controll, Write, Read, etc" in the 'Properties' for a folder.
The following script works to add the user in, but it applies "Special Permissions" - not the ones with the tick boxes for the ones visible in the properties menu of the folder:
$Acl = Get-Acl "\\R9N2WRN\Share"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule ("user","FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "\\R9N2WRN\Share" $Acl
What am I doing wrong please?
Specifying inheritance in the FileSystemAccessRule() constructor fixes this, as demonstrated by the modified code below (notice the two new constructor parameters inserted between "FullControl" and "Allow").
$Acl = Get-Acl "\\R9N2WRN\Share"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("user", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "\\R9N2WRN\Share" $Acl
According to this topic
"when you create a FileSystemAccessRule the way you have, the
InheritanceFlags property is set to None. In the GUI, this
corresponds to an ACE with the Apply To box set to "This Folder Only",
and that type of entry has to be viewed through the Advanced
settings."
I have tested the modification and it works, but of course credit is due to the MVP posting the answer in that topic.
Referring to Gamaliel's answer: $args is an array of the arguments that are passed into a script at runtime; as such, it cannot be used the way Gamaliel is using it.
This is actually working:
$myPath = 'C:\whatever.file'
# get actual Acl entry
$myAcl = Get-Acl "$myPath"
$myAclEntry = "Domain\User","FullControl","Allow"
$myAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($myAclEntry)
# prepare new Acl
$myAcl.SetAccessRule($myAccessRule)
$myAcl | Set-Acl "$MyPath"
# check if added entry present
Get-Acl "$myPath" | fl
Another example using PowerShell to set permissions (file / directory):
Verify permissions
Get-Acl "C:\file.txt" | fl *
Apply full permissions for everyone
$acl = Get-Acl "C:\file.txt"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("everyone","FullControl","Allow")
$acl.SetAccessRule($accessRule)
$acl | Set-Acl "C:\file.txt"
Hope this helps
In case you need to deal with a lot of folders containing subfolders and other recursive stuff. Small improvement on Mike L'Angelo's answer:
$mypath = "path_to_folder"
$myacl = Get-Acl $mypath
$myaclentry = "username","FullControl","Allow"
$myaccessrule = New-Object System.Security.AccessControl.FileSystemAccessRule($myaclentry)
$myacl.SetAccessRule($myaccessrule)
Get-ChildItem -Path "$mypath" -Recurse -Force | Set-Acl -AclObject $myacl -Verbose
Verbosity is optional in the last line.
This one works for me:
$path = "C:\test"
$name = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl "C:\test"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($name,"FullControl","Allow")
$acl.SetAccessRule($accessRule)
$acl | Set-Acl "C:\test"
Get-ChildItem -Path "$path" -Recurse -Force | Set-Acl -aclObject $acl -Verbose
$path = "C:\DemoFolder"
$acl = Get-Acl $path
$username = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$Attribs = $username, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Attribs)
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
Get-ChildItem -Path "$path" -Recurse -Force | Set-Acl -aclObject $acl -Verbose

Powershell to set Read&Execute permission on a folder for Authenticated users

I'm a newbie in PowerShell and trying to figure out a way to set folder permissions for Authenticated Users. I want to remove all permissions for this user except Read&Execute.
I've tried the code below, but it doesn't quite give the result I want:
$folder = 'C:\folder'
#remove inheritance
$acl = Get-ACL -Path $folder
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $folder -AclObject $acl
#set folder permissions to Read&Execute
$user = New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' -ArgumentList @([System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($user, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl
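As an added example (not code from the question above), this leaves Authenticated Users with ReadAndExecute only. The point it shows: inherited entries cannot be edited in the in-memory ACL, so inheritance is broken, the ACL is re-read so the copied entries are now explicit, and only then are the existing entries for that SID purged before the single wanted entry is added. It assumes $folder is a placeholder path.

```powershell
# Added example: reduce Authenticated Users to ReadAndExecute on a folder.
# Placeholder: adjust $folder to your environment.
$folder = 'C:\folder'

# Resolve the well-known SID rather than relying on the localized display name.
$authUsers = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
    -ArgumentList @([System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)

# 1. Break inheritance, keeping copies of the inherited entries as explicit ones.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $folder -AclObject $acl

# 2. Re-read the ACL: only now are the former inherited entries explicit and editable.
#    (The object written in step 1 still had them flagged IsInherited.)
$acl = Get-Acl -Path $folder

# 3. Remove every Allow and Deny entry held by Authenticated Users ...
$acl.PurgeAccessRules($authUsers)

# 4. ... and add back the one entry we want, inherited by subfolders and files.
$ruleArgs = $authUsers, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify: expect a single explicit ReadAndExecute Allow entry for that SID.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```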

Set-ACL with folder exclude

I'm trying to set modify permissions for a folder, sub-folders and files and exclude a specific folder inside.
I tried two methods but on each of them I have a small problem.
On the first one, I apply all permissions successfully, but the "temp" folder exclude is not working. It gets the permissions as well:
$Acl = Get-Acl "C:\Users\John\Desktop\test"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "C:\Users\John\Desktop\test" $Acl -Exclude "C:\Users\John\Desktop\test\temp"
The second option is excluding the folder, but permissions are not set for the root folder.
I know that this is because of the Get-ChildItem, but I couldn't understand how to include the root folder as well in the code:
$Acl = Get-Acl "C:\Users\John\Desktop\test"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
get-childitem "C:\Users\John\Desktop\test\" -Recurse -Exclude "C:\Users\John\Desktop\test\temp" | Set-Acl -AclObject $Acl
I'd appreciate your help.
Thank you!
I hope I did it right. At this moment I ran the code at home, so I'll test it more deeply tomorrow at work.
This is what I did:
$Acl = Get-Acl "C:\Users\John\Desktop\Test"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
get-childitem "C:\Users\John\Desktop\Test\" -Recurse -Exclude "TempFolder" | Set-Acl -AclObject $Acl
##########################################################
$AclRoot = Get-Acl "C:\Users\John\Desktop\Test"
$ArRoot = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "Modify", "ObjectInherit", "NoPropagateInherit", "Allow")
$AclRoot.SetAccessRule($ArRoot)
Get-Item "C:\Users\John\Desktop\Test" | Set-Acl -AclObject $AclRoot
The results are:
All sub-folders and files with "Everyone - Modify", except TempFolder.
"Test" root folder with "Everyone - Modify" - "This folder and files" (special permissions)
I hope it will do the job for my needs at work.
Thanks again!
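As an added example (not code from the thread above), this takes a different route from the per-item loop: the excluded folder is first cut off from its parent, keeping copies of what it already inherits, and the inheritable Modify entry is then set once on the root, letting NTFS propagate it to everything else. This avoids the -Exclude pitfall entirely (it only matches leaf names) and keeps the root's own entry as a normal "This folder, subfolders and files" ACE. It assumes the paths are placeholders.

```powershell
# Added example: grant Everyone Modify on a tree except one subtree, via inheritance.
# Placeholders: adjust $root and the excluded folder name to your environment.
$root     = 'C:\Users\John\Desktop\Test'
$excluded = Join-Path -Path $root -ChildPath 'TempFolder'

# 1. Protect the excluded subtree so nothing new flows in from $root.
#    preserveInheritance = $true keeps its current effective entries as explicit ACEs,
#    so its existing access does not change; only future propagation is blocked.
$exclAcl = Get-Acl -LiteralPath $excluded
$exclAcl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $excluded -AclObject $exclAcl

# 2. One inheritable entry on the root: "This folder, subfolders and files".
$ruleArgs = 'Everyone', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$rootAcl = Get-Acl -LiteralPath $root
$rootAcl.AddAccessRule($rule)
Set-Acl -LiteralPath $root -AclObject $rootAcl

# 3. Verify: every item under the root should report $true except the excluded
#    subtree, which keeps whatever it had before step 1.
function Test-EveryoneModify([string]$Path) {
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    [bool]((Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and
                       $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $modify) -eq $modify })
}
Get-ChildItem -LiteralPath $root -Recurse -Force |
    Select-Object FullName, @{ n = 'EveryoneModify'; e = { Test-EveryoneModify $_.FullName } }
```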

PowerShell script taking time for applying folder permissions

The following script is taking a long time to apply for folder permissions.
$path = 'C:\inetpub\Testbuild\folder'
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true,$False)
$acl | Set-Acl -Path $path
$acl = Get-Acl -Path $path
$object = New-Object System.Security.Principal.Ntaccount("BUILTIN\Administrators")
$acl.SetOwner($object)
$acl | Set-Acl -Path $path
$acl = Get-Acl -Path $path
$permission = 'BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path $path
$acl = Get-Acl -Path $path
$permission = 'BUILTIN\IIS_IUSRS', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path $path
Because of inheritance and propagation, setting permissions on folders with a lot of subfolders and/or items will take its time.
However, you could speed it up by removing lines 13 and 14 and changing line 17 to $acl.AddAccessRule($rule).
That way the script won't have to set the new permissions on all underlying folders and files twice but will do it for both groups in one go.
# first step is to set the owner
$path = 'C:\inetpub\Testbuild\folder'
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true,$False)
$acl | Set-Acl -Path $path
$acl = Get-Acl -Path $path
$object = New-Object System.Security.Principal.Ntaccount("BUILTIN\Administrators")
$acl.SetOwner($object)
$acl | Set-Acl -Path $path
# next step is to set permissions for two groups
$acl = Get-Acl -Path $path
# first group
$permission = 'BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)
# second group
$permission = 'BUILTIN\IIS_IUSRS', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.AddAccessRule($rule)
# set the permissions
$acl | Set-Acl -Path $path
Hope that helps

Assigning file access rights to IIS_IUSRS using PowerShell

I'm trying to add access rights for the user group IIS_IUSRS to a folder using PowerShell.
Currently I have
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\IIS_IUSRS", "FullControl", "Allow")
$acl = Get-ACL "C:\tmp"
$acl.AddAccessRule($accessRule)
Set-ACL -Path "C:\tmp" -ACLObject $acl
When run, this adds IIS_IUSRS to the list of users but there are no privileges assigned.
What have I missed?
On my system I needed to use just IIS_IUSRS, so drop the BUILTIN\.
Furthermore, I think you need to construct the FileSystemAccessRule with extra parameters inheritanceFlags and propagationFlags to get what you want.
Try this:
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS_IUSRS", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl = Get-ACL "C:\tmp"
$acl.AddAccessRule($accessRule)
Set-ACL -Path "C:\tmp" -ACLObject $acl
See: https://msdn.microsoft.com/en-us/library/sfe70whw(v=vs.110).aspx