Adding an AD Group to a large Public drive via Powershell - powershell

We have a large file share that houses about 1 TB of data.
The following location has about 600 folders beneath it:
F:\Data
The task is to assign a specific AD group read permissions to every folder inside of the Data folder; the subfolders do not matter.
I am trying to see if the script below would be the best approach.
My concern is that this is a file server and I don't want to break anything or mess up any rights. I am also not too sure whether, while the script is running, an open file would cause an error.
I have tried running this script in a test environment and it worked great, but there is no error log, so even if it stopped somewhere I would not be able to check.
I could be overthinking it, but I just wanted to see if anyone has experienced anything like this?
$StartingPath = "PATH"
$Right = "Read"
$Principal = "Domain\ADGroup"
# Three-argument constructor: identity, rights, Allow/Deny (no inheritance flags)
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, $Right, "Allow")
foreach ($Folder in $(Get-ChildItem -Directory $StartingPath -Recurse)) {
    $Acl = Get-Acl $Folder.FullName
    $Acl.SetAccessRule($Rule)
    Set-Acl $Folder.FullName $Acl
}

You need to experiment with Inheritance and Propagation (use your test environment for that) and use the overloaded method with 5 parameters to create your new access rule for that.
That way, you only add the new rule to the main data share folder and do not have to iterate over all subfolders.
# FileSystemRights: https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemrights
# Inheritance flags: https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.inheritanceflags
# Propagation flags: https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.propagationflags
$Principal = "TheADGroupWithReadPermissions"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, "Read", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl = Get-Acl "F:\Data"
$acl.SetAccessRule($accessRule)
Set-Acl -Path "F:\Data" -ACLObject $acl
Difference between AddAccessRule() and SetAccessRule():
AddAccessRule: This method will add this access rule to the ACL. If a user or group has Modify permission and we use AddAccessRule() to create a new rule with Read permission, the user or group will still also have Modify permissions.
SetAccessRule: This method removes any existing access and replaces that access with the specified rule. If a user or group has Modify permission and a new rule is created using SetAccessRule() specifying Read permission, that user or group will now only have Read permission.

Related

Check in powershell permission string is valid

I am trying to implement a script which changes folder structure permissions depending on some conditions. So far I set permissions with:
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$($group.Name)", "$($group.Value.rights)", "ContainerInherit, ObjectInherit", "None", "$($group.Value.type)")
$aclFolder.AddAccessRule($accessRule)
Set-Acl $folder $aclFolder
So far it works. But the script currently assumes that a permission does exist. If it does not, the AddAccessRule command throws an error.
Is there any way to recognize whether a permission exists?
Use Get-Acl $folder to read the current ACL and to verify if there are any permissions applied already.
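Taking the first question's worry about errors and logging together with the second question's need to know whether the rule is already there, here is an added example that is not code from either post: it grants the group an inheritable read ACE on each top-level folder only when no matching explicit ACE exists, uses AddAccessRule so the group's other rights survive, honours -WhatIf, and writes one CSV row per folder. The path, group name and log location are placeholders.

```powershell
# Added example (not from the thread): idempotent, logged grant of a read
# ACE to each top-level folder. Path, group and log location are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$StartingPath = 'F:\Data',
    [string]$Principal    = 'DOMAIN\ADGroup',
    [System.Security.AccessControl.FileSystemRights]$Rights = 'Read',
    [string]$LogPath      = "$env:TEMP\acl-grant-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

# Inheritance on the rule itself means no -Recurse is needed: the ACE flows
# down from each top-level folder to its subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')

# True when an explicit Allow ACE for this identity already carries the rights.
function Test-RulePresent([System.Security.AccessControl.FileSystemSecurity]$Acl) {
    foreach ($ace in $Acl.Access) {
        if (-not $ace.IsInherited -and $ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Principal -and
            ($ace.FileSystemRights -band $Rights) -eq $Rights) { return $true }
    }
    return $false
}

$results = foreach ($folder in Get-ChildItem -LiteralPath $StartingPath -Directory) {
    $status = 'Skipped'; $detail = 'rule already present'
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName
        if (-not (Test-RulePresent $acl)) {
            # AddAccessRule keeps other ACEs the group already has; SetAccessRule
            # would replace every Allow ACE for that group with this one.
            $acl.AddAccessRule($rule)
            if ($PSCmdlet.ShouldProcess($folder.FullName, "grant $Rights to $Principal")) {
                Set-Acl -LiteralPath $folder.FullName -AclObject $acl
                $status = 'Granted'; $detail = ''
            } else { $status = 'WhatIf'; $detail = '' }
        }
    } catch {
        # Access denied or an unresolvable principal is recorded, not fatal.
        $status = 'Error'; $detail = $_.Exception.Message
    }
    [pscustomobject]@{ Folder = $folder.FullName; Status = $status; Detail = $detail }
}
$results | Export-Csv -LiteralPath $LogPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it once with -WhatIf and review the CSV before the real run; a second real run reports every folder as Skipped, which is the easy check that nothing was left half-done.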

Apply folder permissions to folder contents with PowerShell

I'm applying "Read" permissions to a folder for a certain user. I want them to be able to read notepad files inside.
$Acl = Get-Acl "C:\Test"
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("MyUser","Read","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "C:\Test" $Acl
My code properly applies the read permissions to the folder (I can manually check the "Security" tab to see this), but does not grant access to the files inside. Access is denied when "MyUser" tries to open a notepad file.
You need to use another constructor so you can set InheritanceFlags for containers and leaf objects. Try:
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("MyUser","Read","ContainerInherit,ObjectInherit", "None", "Allow")

Create and Map Home Directory for AD Users using PowerShell

I used to create and map the home directory for new AD users in the Active Directory Users and Computers GUI with the following syntax:
\\FileServer\users\%username%
This trick automatically creates the home directory for the user on FileServer and automatically grants full control to the user on the directory. I was wondering what the PowerShell way of doing the same could be.
I think first of all you should get the user.
$user = Get-ADUser -Filter { Name -like "Mike" }
Then create a folder with New-Item, something like:
$sac = $user.SamAccountName
$folder = New-Item \\Server\Filesystem\$sac -Type Directory
And then you have to set the permissions via Set-Acl:
# create a new access rule object
$AclOb = New-Object System.Security.AccessControl.FileSystemAccessRule("domain\$sac", 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
The security identifier (domain\$sac);
The right (FullControl);
Inheritance settings (ContainerInherit,ObjectInherit), which means to force all folders and files underneath the folder to inherit the permission we're setting here;
Propagation settings (None), which is to not interfere with the inheritance settings;
Type (Allow).
and Set-Acl:
# Set-Acl expects a security descriptor, so add the rule to the folder's current ACL first
$acl = Get-Acl -Path $folder.FullName
$acl.AddAccessRule($AclOb)
Set-Acl -Path $folder.FullName -AclObject $acl
Greetz Eldo.Ob

Adding ACL rule to folder overwrites all rules

The problem I need to solve is that I need to make a folder on a network share for a newly created user. This is done by System Center Orchestrator; after the user is created I need to copy a dummy folder with certain rights, add the newly created user to the ACLs and delete the workflow account from those ACLs (the user that creates the folder gets added automatically).
The folder gets created successfully and gets the same permissions as the dummy folder; now I need to add one ACL rule to those permissions.
Here is some sample code I'm using:
$colRights = [System.Security.AccessControl.FileSystemRights]"Read, Write"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("domain\createdUser1")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule (
$objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType
)
$originalACL = Get-ACL "\\shares\createdUser1"
#$orignalACL.SetAccessRuleProtection($True,$False)#doesn't help either
$originalACL.AddAccessRule($objACE)
Set-ACL "\\shares\createdUser1" $objACL
The only problem I'm having is that it doesn't add the ACL rule but overwrites all rules that this folder currently has. How can I add one rule to an existing ACL without overwriting the original rules?
source sample code: https://technet.microsoft.com/en-us/library/ff730951.aspx
EDIT1:
Using the module provided on https://blogs.technet.microsoft.com/heyscriptingguy/2014/11/22/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions/ does the same thing. Am I doing something wrong?
$colRights = "Read, Write"
$objUser = New-Object System.Security.Principal.NTAccount("domain\createdUser1")
Add-NTFSAccess -Path $folderPath -Account $objUser -AccessRights $colRights
There's nothing in your code that would remove ACLs except for the (now commented) line
#$orignalACL.SetAccessRuleProtection($True,$False)
That line will remove inherited ACLs, so of course it won't help.
From the documentation:
Syntax
public void SetAccessRuleProtection(
bool isProtected,
bool preserveInheritance
)
Parameters
isProtected
true to protect the access rules associated with this ObjectSecurity object from inheritance; false to allow inheritance.
preserveInheritance
true to preserve inherited access rules; false to remove inherited access rules. This parameter is ignored if isProtected is false.
I suspect you ran that line once before, thus removing inherited ACLs. To correct that mistake you need to re-enable inheritance first, either manually or by calling SetAccessRuleProtection() with the first parameter set to $false:
$orignalACL.SetAccessRuleProtection($false, $true)
This piece of code worked for me:
$colRights = "Read, Write"
$objUser = New-Object System.Security.Principal.NTAccount("domain\createdUser1")
add-NTFSAccess -Path $folderPath -Account $objUser -AccessRights $colRights
We ran it from another user account and suddenly the code worked. This was found by testing the script on local folders. Here it didn't delete any other ACLs. This will probably be something with share permissions or security permissions (locally I'm full admin but on the shares I'm not).
The problem is here:
Set-ACL "\\shares\createdUser1" $objACL
Change to this:
Set-ACL "\\shares\createdUser1" $originalACL
You had modified $originalACL when you ran $originalACL.AddAccessRule($objACE).
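Both answers above come down to the same question: which ACEs were actually on the folder before the change and which are left afterwards. Here is an added helper, not code from the thread, that snapshots a folder's ACEs, runs a change you pass in as a script block, and reports every ACE that disappeared as well as whether inheritance got disabled. The share path and account are placeholders taken from the question.

```powershell
# Added example (not from the thread): report every ACE a change removes from
# a folder, and warn if the change disabled inheritance. Path is a placeholder.
function Get-AceSnapshot([string]$Path) {
    # One string per ACE so the before/after sets can be compared directly.
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
            $_.FileSystemRights, $_.InheritanceFlags, $_.IsInherited
    }
}

function Compare-AclChange {
    param([string]$Path, [scriptblock]$Change)
    $before = @(Get-AceSnapshot $Path)
    $protectedBefore = (Get-Acl -LiteralPath $Path).AreAccessRulesProtected
    & $Change
    $after = @(Get-AceSnapshot $Path)
    $protectedAfter = (Get-Acl -LiteralPath $Path).AreAccessRulesProtected
    $lost   = @($before | Where-Object { $after -notcontains $_ })
    $gained = @($after  | Where-Object { $before -notcontains $_ })
    if (-not $protectedBefore -and $protectedAfter) {
        Write-Warning "Inheritance was disabled on $Path by this change"
    }
    foreach ($ace in $lost) { Write-Warning "Removed ACE: $ace" }
    [pscustomobject]@{ Path = $Path; Removed = $lost.Count; Added = $gained.Count; Gained = $gained }
}

# Wrap the change in a script block; this only reports, it does not roll back.
$folder = '\\shares\createdUser1'   # placeholder path from the question
Compare-AclChange -Path $folder -Change {
    $acl = Get-Acl -LiteralPath $folder
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'domain\createdUser1', 'Read, Write', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
    Set-Acl -LiteralPath $folder -AclObject $acl   # same object that was modified
}
```

Run it first against a test folder on the share itself, not only locally, since the follow-up in the question shows the behaviour differed between the two.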

How to set NTFS permissions to specific folders in a folder structure?

I am looking for a way, where I run a script using PowerShell, that goes through a folder structure and sets certain NTFS permissions only on a folder with the name "Submissions", so if there is any folder called "Submissions" within the folder structure, it will set it to the NTFS permissions that I specified.
Any info will help me to start this!
http://s22.postimg.org/r769bcr01/Capture.png
Let's say I have this many folders, and in each folder the structure is the same:
http://s15.postimg.org/pqh8leph7/sasa.png
So I need to aim at 04_architecture, for example, and apply certain NTFS permissions using PowerShell.
Maybe this is a starting point:
# find all Submissions directories
$submissions = Get-ChildItem -Path "YOUR START PATH e.g. c:\test" -Recurse -Filter "Submissions" -Directory
foreach ($submission in $submissions)
{
    # get the current Submissions directory ACL
    $acl = Get-Acl $submission.FullName
    # create a new access rule. Example:
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule('Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    # add the newly created rule to the ACL and write it back to the directory
    $acl.AddAccessRule($accessRule)
    Set-Acl $submission.FullName $acl
}