Powershell Script help - Add User and Copy Permissions from Folder - powershell

I've tried around a bit, but haven't come up with a good result yet. My PowerShell skills are also a bit rusty.
What do I have in mind?
I want to read all security groups from a folder. For each security group I search in a domain (Active Directory) for the group and get all users contained in it.
Afterwards I add the user with the same rights again extra to the folder.
Reason: I search for the group or the user in another domain. Both domains are accessible from the same server. The groups will be removed at some point.
How can I do this? I have already tried a bit to read out groups (Get-Acl) etc., but I do not get further.
I do not ask for a complete solution, but just need hints on how I could do this. Possibly also what this is then called in PowerShell etc.
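
One way to do what the question describes, as an added example that is not part of the original post: read the folder ACL with Get-Acl, resolve each group trustee in the other domain, and give every user member an ACE with the same rights and flags. The function name `Copy-GroupAceToMembers` and the `-Server` value (a domain controller of the domain to search) are assumptions, and the ActiveDirectory module must be installed.

```powershell
#Requires -Modules ActiveDirectory
function Copy-GroupAceToMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,    # folder whose ACL is read and extended
        [Parameter(Mandatory)][string]$Server   # DC of the domain to search (assumed name)
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl     = Get-Acl -LiteralPath $Path
    $added   = 0
    foreach ($ace in $acl.Access) {
        # Resolve the trustee to a SID and look it up as a group in the chosen domain.
        # Users, built-in principals and unresolvable SIDs fail here and are skipped.
        try {
            $sid   = $ace.IdentityReference.Translate($sidType)
            $group = Get-ADGroup -Identity $sid.Value -Server $Server -ErrorAction Stop
        } catch { continue }

        # -Recursive flattens nested groups so only user objects remain.
        $users = Get-ADGroupMember -Identity $group -Server $Server -Recursive |
                 Where-Object objectClass -eq 'user'
        foreach ($user in $users) {
            try {
                # Same rights, inheritance, propagation and Allow/Deny type as the group ACE.
                $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                    $user.SID, $ace.FileSystemRights, $ace.InheritanceFlags,
                    $ace.PropagationFlags, $ace.AccessControlType)
            } catch {
                # ACEs written with generic rights bits are rejected by the constructor.
                Write-Warning "Skipped $($ace.IdentityReference): rights value $([int]$ace.FileSystemRights) not accepted"
                break
            }
            $acl.AddAccessRule($rule)   # merges with an existing ACE for the same user
            $added++
        }
    }
    # The group ACEs are left in place; only user ACEs are added.
    if ($added -gt 0) { Set-Acl -LiteralPath $Path -AclObject $acl }
    "$added user ACEs merged into $Path"
}
```

Running it with `-WhatIf` first shows the Set-Acl call without changing the folder.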

Related

How to share OneDrive files using Powershell?

I'd like to find an automatic way to share OneDrive files with a specific internal user, what's the best approach? My current scripts are using PowerShell, but that's not a hard requirement.
I've tried:
https://learn.microsoft.com/en-us/graph/api/driveitem-invite?view=graph-rest-1.0 - what's the best library to use for this? I've created an AzureAD app with the appropriate delegated permissions. In PowerShell, once I run Connect-MgGraph, what method can I run to call this?
https://learn.microsoft.com/en-us/powershell/module/sharepoint-pnp/set-pnplistitempermission?view=sharepoint-ps - but my OneDrive items aren't part of a list. Could they be? The folder permission works well: https://learn.microsoft.com/en-us/powershell/module/sharepoint-pnp/set-pnpfolderpermission but I don't understand why there isn't a file one just like this folder one.
I know the absolute URL of the file, the UPN of the internal user I want to directly share with, and I have owner permissions to the file. How can I do this?

Adding AD users as an Admin

Here's the situation. I'm completely new to PowerShell so use small words...
I have a new user in Active Directory that I need to add to about 100 computers as efficiently as possible. My hope was that I could make a PowerShell script that would add the user either through a login script or remotely. I need to have a bit of precision control over this deployment because we don't want to push this user to every computer in the company.
Can PowerShell help me with this, and if not do you all have some sage advice that could help?
To add a user to the local administrators group using PowerShell:
([ADSI]"WinNT://./Administrators,group").Add("WinNT://your-domain/new-user,user")
Just replace the your-domain and new-user parts of the command with the appropriate values for your environment.

GET ACL NTFS reports including folders with no access

I need to generate an ACL Report for NAS Shares, even for folders where the local administrators group has been removed from those files.
Some applications can use the privilege to bypass traverse checking and/or bypass NTFS permissions, similar to what robocopy does.
Treesize is a tool I used, but it does not work in the way I need: it would only get the NTFS ACLs correctly for the first level of the folder where I do not have access, but if there are other subfolders, it will fail to obtain the information.
Subinacl seems to work fine, but here is my question: can anyone share an idea of how to manipulate the data so this can be accomplished using this tool? The report is not showing the permissions directly; instead it is showing hex codes representing the actual permissions.
I read that PowerShell might also be able to do this, but I have no idea how, and I could not find any code related to this.
If you have a good reason to see those permissions, hopefully someone with access can help, or at least grant you the Read permissions permission.
Parsing the text from subinacl will take work, as you've noticed. (Scroll down to the permission element for translations of those codes you're asking about.) I've never used ShareEnum from Sysinternals, but maybe that's a step in the right direction.
PowerShell's Get-Acl returns objects, maybe easier to report from. But before Get-Acl will see those subfolders, you might need to change object ownership. PowerShell can do that, depending on the context, but the admins might prefer a friendly knock before you start picking locks, if you catch my drift. Here is some guidance from Server Fault.

Powershell windows file share permissions. Add new users then replace all existing users?

I've gotten comfortable using icacls to add people to file folders but now I am having trouble figuring out how to do the following:
On a folder with many children:
1. Get the existing permissions on the folder and store them.
2. Add a bunch of new users, propagating to all children and turning on inheritance, replace and force (already working from previous scripts).
3. Check the top level folder and remove any permissions not placed on in step 2.
4. Now that the parent folder has the correct permissions and all children have inheritance set, set all children to have the same permissions as the parent (recompute ACL inheritance?).
Thanks for any help you all can provide, I just need a push to get into the right direction.
If you're using PowerShell, you don't need icacls (which returns text instead of objects) since you have Get-Acl and Set-Acl. However, the help for those two commands is severely lacking, so I recommend supplementing with the .NET framework.
http://technet.microsoft.com/en-us/library/ff730951.aspx is a very good article on ACLs using the .NET framework in PowerShell. If you need more in depth information on System.Security.AccessControl, go to http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.aspx.
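
The four steps from the question, done with Get-Acl, Set-Acl and the System.Security.AccessControl classes instead of icacls, as an added example that is not code from the original posts. The function name `Set-FolderAclBaseline`, its parameters and the sample account format are assumptions. As step 3 is worded, every explicit entry whose trustee is not in `-Account` is removed from the top folder, administrative groups included, so list those in `-Account` if they must stay.

```powershell
function Set-FolderAclBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Account,   # e.g. 'CONTOSO\alice' (constructed value)
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    $acl    = Get-Acl -LiteralPath $Path
    $before = @($acl.Access)                        # step 1: snapshot of the old entries

    foreach ($name in $Account) {                   # step 2: new users, inheritable to children
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $name, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)                   # replaces any earlier Allow ACE for $name
    }

    foreach ($ace in $acl.Access) {                 # step 3: drop explicit ACEs not in the list
        if (-not $ace.IsInherited -and $ace.IdentityReference.Value -notin $Account) {
            [void]$acl.RemoveAccessRuleSpecific($ace)
        }
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # step 4: every child inherits from the parent and keeps no explicit entries
    foreach ($child in Get-ChildItem -LiteralPath $Path -Recurse -Force) {
        $c = Get-Acl -LiteralPath $child.FullName
        $c.SetAccessRuleProtection($false, $false)  # re-enable inheritance
        foreach ($ace in $c.Access) {
            if (-not $ace.IsInherited) { [void]$c.RemoveAccessRuleSpecific($ace) }
        }
        Set-Acl -LiteralPath $child.FullName -AclObject $c
    }
    $before                                         # returned so the caller can export it
}
```

The `-notin` comparison is on the DOMAIN\name form that Get-Acl displays, so `-Account` values must be written the same way.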

Import a list of users from flat file to AD group

I have two questions really, both surrounding the same topic.
I need to be able to create a flat file and use this file to import the users listed in the file to a specific group in Active Directory. They will already exist in AD, just not be in the group.
Secondarily to that, I also need to be able to use similar methodologies to remove users from the AD group using a different flat file.
Can this be done? The list of users will be in the 100s so I really don't want to have to do it by hand....
Yes, this is possible with PowerShell: Managing Active Directory with Windows PowerShell. This is for PowerShell 1.0; there are a lot of tutorials for the same task with PowerShell 2, which is a lot easier.