I created this script that will create a folder for each user that has a title of Customer Service Representative on a UNC path. There is a users group that is inherited from the parent. How can I remove that users group?
$names = (Get-ADUser -Filter 'Title -eq "Customer Service Representative"').name
foreach ($name in $names)
{
    New-Item -ItemType "directory" -Path "\\unc\$name" -ErrorAction SilentlyContinue
    $path = "\\unc\$name" #Replace with whatever file you want to do this to.
    $user = "domain\group" #User account to grant permissions to.
    $Rights = "FullControl" #"Read, ReadAndExecute, ListDirectory" #Comma separated list of FileSystemRights values.
    $InheritSettings = "ContainerInherit, ObjectInherit" #Controls how permissions are inherited by children.
    $PropagationSettings = "None" #Usually set to none but can set up rules that only apply to children.
    $RuleType = "Allow" #Allow or Deny.
    $acl = Get-Acl $path
    $perm = $user, $Rights, $InheritSettings, $PropagationSettings, $RuleType
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm
    $acl.SetAccessRule($rule)
    $acl | Set-Acl -Path $path
}
Not sure if you're comfortable with an add-on, but you may want to check out this NTFS PowerShell module:
I've been using it for years. It's quite capable, and very easy to use.
From an admin console of PowerShell
install-package ntfssecurity
Before your closing } add the line
Remove-NTFSAccess -AccessRights FullControl -Account DOMAIN\Group -Path $path -AccessType Deny -AppliesTo ThisFolderSubfoldersAndFiles
At least, that's what I'm guessing would be appropriate? Haven't studied your code that deeply to know what you're doing exactly. I'd probably drop it in right after folder creation, but that doesn't appear to happen in here?
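A way to do the same with the built-in Get-Acl/Set-Acl cmdlets instead of the NTFSSecurity module, as an added example that is not part of the original question or answer. It cuts inheritance on the per-user folder while keeping the inherited entries as explicit copies, so nothing else changes, and then removes every entry for the group. The function name, the BUILTIN\Users default and the UNC root are assumptions:

```powershell
# Added example, not the poster's code. Removes the access that a group
# inherits from the parent of a per-user folder while leaving every other
# inherited entry in place. Path and account are assumptions.
function Remove-InheritedGroupAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Account = 'BUILTIN\Users'    # the inherited "Users" group; change to your domain group
    )

    # Step 1: stop inheriting from the parent. The second argument ($true)
    # copies the inherited entries as explicit ones, so the folder keeps the
    # same effective permissions until the unwanted one is removed.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step 2: re-read the persisted ACL; the copies are now explicit entries.
    # RemoveAccessRuleAll matches on identity and Allow/Deny only, so one
    # template rule with any right removes every Allow entry for the group.
    $acl = Get-Acl -LiteralPath $Path
    $template = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::ReadData,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.RemoveAccessRuleAll($template)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step 3: verify and return what is left for that account (expected: nothing).
    $remaining = @((Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account })
    return $remaining
}

# Usage inside the original loop, after the folder's own ACE has been set:
#   Remove-InheritedGroupAccess -Path "\\unc\$name" | Format-Table
```

The ACL is written and re-read between the two steps because the Remove* methods only act on explicit entries; the copies only become explicit once the protected ACL has been persisted. Check the returned list is empty before moving to the next folder, since a Deny entry for the same group would be reported there too.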
Attempting to set the owner of a folder as Domain Admins and force inheritance on all sub-folder/files. Using a combination of scripts I've found:
$Account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $DomainAdmins;
#Get a list of folders and files
$ItemList = Get-ChildItem -Path $Dir -Recurse;
#Iterate over files/folders
foreach ($Item in $ItemList) {
    $Acl = $null; # Reset the $Acl variable to $null
    $Acl = Get-Acl -Path $Item.FullName; # Get the ACL from the item
    $Acl.SetOwner($Account); # Update the in-memory ACL
    $isProtected = $false
    $preserveInheritance = $false
    $Acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
    Set-Acl -Path $Item.FullName -AclObject $Acl; # Set the updated ACL on the target item
}
Error: Set-Acl : Cannot bind argument to parameter 'AclObject' because it is null.
Some folders assign properly, however, not all. I suspect it breaks where there is no owner (possibly an account that's been removed from AD).
Any ideas on how to approach this?
We will end up using this, even though it's not handling the long file paths correctly.
Import-Module -Name NTFSSecurity
#Remove Inheritance on user's root folder
Get-Item $UserRoot | Disable-NTFSAccessInheritance
#Add Domain Admin to user's root folder
Add-NTFSAccess -Path $UserRoot -Account 'BUILTIN\Administrators', 'yourDomain\Domain Admins' -AccessRights FullControl
#Set Inheritance on all sub-folders on user's directory
Get-ChildItem -Path $UserRoot -Recurse | Enable-NTFSAccessInheritance -PassThru
Check the SetOwner() method for setting the owner of a folder
# Define the owner account/group
$Account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList 'BUILTIN\Administrators';
# Get a list of folders and files
$ItemList = Get-ChildItem -Path c:\test -Recurse;
# Iterate over files/folders
foreach ($Item in $ItemList) {
    $Acl = $null; # Reset the $Acl variable to $null
    $Acl = Get-Acl -Path $Item.FullName; # Get the ACL from the item
    $Acl.SetOwner($Account); # Update the in-memory ACL
    Set-Acl -Path $Item.FullName -AclObject $Acl; # Set the updated ACL on the target item
}
Specify Inheritance in FileSystemAccessRule()
$Acl = Get-Acl "\\R9N2WRN\Share"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("user", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "\\R9N2WRN\Share" $Acl
See SO1 and SO2 for further related information.
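The "Cannot bind argument to parameter 'AclObject' because it is null" error in the question is what happens when Get-Acl fails on one item (it writes a non-terminating error and the loop carries on with an empty $Acl). The following is an added example, not the poster's script or either answer's code, that does the same owner-and-inheritance update but turns that failure into a recorded entry instead of a crash. The root path, the owner account and the function name are assumptions; run it from an elevated console, since assigning ownership to another principal requires SeRestorePrivilege:

```powershell
# Added example, not the poster's script. Sets the owner and re-enables
# inheritance on everything under $Root, and instead of stopping at the first
# item whose ACL cannot be read it records that item and carries on. The root
# path and owner are assumptions; run it from an elevated console.
function Set-OwnerAndInheritance {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string] $Owner = 'BUILTIN\Administrators'
    )
    $account = New-Object System.Security.Principal.NTAccount($Owner)
    $failed  = New-Object System.Collections.Generic.List[object]
    $updated = 0

    # Folders the caller cannot list are collected in $walkErrors rather than aborting the walk.
    $items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable walkErrors

    foreach ($item in $items) {
        try {
            # -ErrorAction Stop turns the non-terminating Get-Acl error (for example
            # no READ_CONTROL on the item) into an exception, so $acl is never $null
            # by the time it reaches Set-Acl: that null is exactly the original error.
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
            $acl.SetOwner($account)
            $acl.SetAccessRuleProtection($false, $false)   # inherit from the parent again
            Set-Acl -LiteralPath $item.FullName -AclObject $acl -ErrorAction Stop
            $updated++
        }
        catch {
            $failed.Add([pscustomobject]@{ Path = $item.FullName; Error = $_.Exception.Message })
        }
    }
    foreach ($e in $walkErrors) {
        $failed.Add([pscustomobject]@{ Path = "$($e.TargetObject)"; Error = $e.Exception.Message })
    }
    [pscustomobject]@{ Updated = $updated; Failed = $failed }
}

$report = Set-OwnerAndInheritance -Root 'D:\Shares\Users' -Owner 'yourDomain\Domain Admins'
"{0} items updated, {1} failed" -f $report.Updated, $report.Failed.Count
$report.Failed | Format-Table -AutoSize
```

The Failed list is the useful output: items whose owner SID no longer resolves, or where the running account has no read access to the security descriptor, show up there with the actual error message, which is what you need to decide whether to take ownership with takeown/icacls first or to leave them alone.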
Example of the goal; the crossed-out name is the same user.
I've created a script that creates a folder based on the user's sAMAccountName and it works like it should; it also gives full control on the folder, not inherited.
My goal is to set another set of full control permissions for the same user, but inherited from the "top folder", and the full control should only apply to "this folder only".
My script so far is below:
$users = Get-ADUser -filter * -SearchBase "OU=Test,OU=Users,OU=Bla Groups,DC=Bla,DC=local" |
    Select-Object -ExpandProperty sAMAccountName
ForEach($user in $users)
{
    $newPath = Join-Path "c:\Temp\Test" -childpath $user
    New-Item $newPath -type directory -Force
    $acl = (Get-Item $newpath).GetAccessControl('Access')
    $permission = "Bla.local\$user","FullControl",@("ContainerInherit","ObjectInherit"),"None","Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl $newpath
}
I wrote the code below to grant a domain user privileges on a folder in Windows 2016. In the output I can see that the user is added to the folder permissions, but no permission was added, even though I specified full control access.
$rule=new-object System.Security.AccessControl.FileSystemAccessRule("domain\group","FullControl","Allow")
foreach ($file in $(Get-ChildItem "G:\usr" -recurse))
{
    $acl=get-acl $file.FullName
    $acl.SetAccessRule($rule)
    set-acl $File.Fullname $acl
}
For recursive permissions you need to set ContainerInherit,ObjectInherit.
Here is an example (Note it's not my code):
$Path = "C:\temp\New folder"
$Acl = (Get-Item $Path).GetAccessControl('Access')
$Username = "Domain\User"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.SetAccessRule($Ar)
Set-Acl -path $Path -AclObject $Acl
For more details take a look at http://www.tomsitpro.com/articles/powershell-manage-file-system-acl,2-837.html
I have a PowerShell script that I wrote to create a subfolder "Admin", if it doesn't already exist, in over 4000 folders in a shared directory. After creating the subfolders I need the permissions of the subfolders to only be for a specific group within the domain. I get no errors, other than the folder already exist errors on the subfolder, but I let the script run for 12 hours and it never completed. I stopped the script to find that all the Admin subfolders were created but the permissions were not set.
If I take out the * wildcard in $folder and input a folder name it works perfectly. How can I get it to work with the * wildcard so I don't have to manually enter over 4000 folder names?
Here is my script:
# If the folder for Equipment Images does not exist, make a new one and set the correct permissions.
$Location = "E:\Images\Equipment\*\"
$file = "E:\Images\Equipment\*\Admin"
foreach ($_ in (Get-ChildItem E:\Images\Equipment\*\)) {
    if (($_.PSIsContainer -AND $_.name -eq "Admin")-eq $false) {
        New-Item -Path $location -Name "Admin" -ItemType directory
        $errorActionPreference = "continue"
    }
    $folder = "E:\Images\Equipment\*\Admin"
    $acl = Get-Acl $folder
    if ($acl.AreAccessRulesProtected) {
        $acl.Access | % {$acl.purgeaccessrules($_.IdentityReference)}
    } else {
        $isProtected = $true
        $preserveInheritance = $false
        $acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
    }
    $account = "recoequip\folder sales group"
    $rights = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]::None
    $allowdeny = [System.Security.AccessControl.AccessControlType]::Allow
    $dirACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($account,$rights,$inheritance,$propagation,$allowdeny)
    $ACL.AddAccessRule($dirACE)
    Set-Acl -aclobject $ACL -Path $folder
    Write-Host $folder Permissions added
}
Just don't use the wildcard with any Acl cmdlets, I don't think that will work.
Set the permission on a single folder in the loop before, or if you have to do it later, just loop through all the folders and set the permissions on all admin folders individually, one by one.
Some tips:
Start with a small sub-set of the 400 folders for testing, and Write-Host the currently processed folder so you can see the progress.
Code sample:
Get-ChildItem E:\Images\Equipment\ -Directory -Filter "admin" -Recurse | ForEach-Object {
    $acl = Get-Acl $_.FullName
    ... # do your permission stuff
}
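A complete version of what the answer describes, as an added example that is neither the question's script nor the answer's code: every top-level folder is handled on its own, the Admin subfolder is created if missing, and its ACL is replaced by a single entry for the group, with the progress line the tip suggests. The root and group name are the ones from the question; the function name is an assumption:

```powershell
# Added example, not the answer's code. Does the job without the wildcard:
# one folder at a time, with a progress line for each. Root and group are the
# values from the question; adjust them for your share.
$Root  = 'E:\Images\Equipment'
$Group = 'recoequip\folder sales group'

function Set-AdminFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $AdminPath,
        [Parameter(Mandatory)] [string] $Account
    )

    $acl = Get-Acl -LiteralPath $AdminPath
    # Cut inheritance and discard the inherited entries (second argument $false),
    # so the only entry left is the one added below.
    $acl.SetAccessRuleProtection($true, $false)
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($ace)
    Set-Acl -LiteralPath $AdminPath -AclObject $acl
}

# -Directory skips files; -LiteralPath avoids wildcard expansion on odd folder names.
$folders = @(Get-ChildItem -LiteralPath $Root -Directory)
$i = 0
foreach ($folder in $folders) {
    $i++
    $admin = Join-Path $folder.FullName 'Admin'
    if (-not (Test-Path -LiteralPath $admin -PathType Container)) {
        New-Item -Path $admin -ItemType Directory | Out-Null
    }
    Write-Host ("[{0}/{1}] {2}" -f $i, $folders.Count, $admin)
    Set-AdminFolderAcl -AdminPath $admin -Account $Group
}
```

Because the inherited entries are discarded, the account running the script keeps access to each Admin folder only through ownership afterwards; add BUILTIN\Administrators as a second AddAccessRule call if administrators still need to manage those folders without taking ownership first.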
I am writing a PowerShell script which creates new domain user accounts in AD and also creates home directories on the file server with the relevant permissions.
My problem is that I cannot get the permissions set.
In the code below, my_fileServer is the file server name; sso means single-sign-on id, which in the test code below is set to "user9999".
Any help is greatly appreciated!
Set-Variable homeDir -option Constant -value "\\my_fileServer\Users"
Set-Variable sso -option Constant -value "user9999"
# If the folder for the user does not exist, make a new one and set the correct permissions.
if ( (Test-Path "$homeDir\$sso") -eq $false)
{
    try
    {
        $NewFolder = New-Item -Path $homeDir -Name $sso -ItemType "Directory"
        $Rights = [System.Security.AccessControl.FileSystemRights]"FullControl,Modify,ReadAndExecute,ListDirectory,Read,Write"
        $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
        $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
        $objType =[System.Security.AccessControl.AccessControlType]::Allow
        $objUser = New-Object System.Security.Principal.NTAccount "my_full_domain_name\$sso"
        $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
            ($objUser, $Rights, $InheritanceFlag, $PropagationFlag, $objType)
        $ACL = get-acl -Path $NewFolder
        $ACL.AddAccessRule($objACE)
        $objReturn = Set-ACL -Path "$homeDir\$sso" -AclObject $ACL
        $objReturn
    }
    catch
    {
        $msg = $_
        $msg
    }
}
The home folder gets created OK, but when I check the permissions for the user, no box is ticked.
The problem is your inheritance. You are not allowing the permission to be inherited on subfolders and files (items he owns in his folder). That's why you don't see the permissions (only "Special Permission") in the basic security window. If you open "Advanced Security Settings" you will see that the user has full control OVER THIS folder, and not the contents. As long as you add permissions (with inheritance) for CREATOR OWNER so the owner gets access to items, I think you'll be fine. However, you could fix it already now like this:
$InheritanceFlag = @([System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
Unless there are special requirements, you should give users complete access over their folder (full inheritance). Full solution with fixed inheritance (I also cleaned up your Set-ACL path and removed the unnecessary return object):
try
{
    $NewFolder = New-Item -Path $homeDir -Name $sso -ItemType "Directory"
    $Rights = [System.Security.AccessControl.FileSystemRights]"FullControl,Modify,ReadAndExecute,ListDirectory,Read,Write"
    $InheritanceFlag = @([System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $objType =[System.Security.AccessControl.AccessControlType]::Allow
    $objUser = New-Object System.Security.Principal.NTAccount "my_full_domain_name\$sso"
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
        ($objUser, $Rights, $InheritanceFlag, $PropagationFlag, $objType)
    $ACL = Get-Acl -Path $NewFolder
    $ACL.AddAccessRule($objACE)
    Set-ACL -Path $NewFolder.FullName -AclObject $ACL
}
I sadly can't vote up, but I agree with both answers above (Graimer and C.B.); the actual answer is a combination of both.
- You need to check permissions in the "advanced" window
- Even though your code "works", without inheritance your users won't be able to do much in the folder you assign them.
All the permissions are correctly set as 'Special Permissions'; you can check by clicking on Advanced and looking at the 'Authorization' tab.
Keep it simple, do it with less... What you missed is the SetAccessRuleProtection function.
Here's the code that will give you the ticks that you want.
if (-not (Test-Path "$homeDir\$sso"))
{
    $acl = Get-Acl (New-Item -Path $homedir -Name $sso -ItemType Directory)
    # Make sure access rules inherited from parent folders.
    $acl.SetAccessRuleProtection($false, $true)
    $ace = "$domain\$sso","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($ace)
    $acl.AddAccessRule($objACE)
    Set-ACL -Path "$homeDir\$sso" -AclObject $acl
}
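The point made by the ContainerInherit,ObjectInherit answer earlier and by the last three answers here (the entry exists, but with InheritanceFlags None it only applies to the folder itself and shows up as "Special permissions") can be checked from the console rather than the Advanced Security dialog. The following is an added example, not taken from any of the answers: it lists every ACE a given identity holds on a folder and on everything below it, with the inherited flag and the inheritance/propagation flags. The root and identity are assumptions:

```powershell
# Added example, not taken from any of the answers. Reports every ACE a given
# identity holds on a folder and on everything below it, including whether the
# entry is inherited and which flags it carries. Root and identity are assumptions.
function Get-IdentityAccessReport {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Identity     # e.g. 'my_full_domain_name\user9999'
    )

    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl  = Get-Acl -LiteralPath $item.FullName
        $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })

        if ($aces.Count -eq 0) {
            # No entry at all: this is what every child looks like when the
            # parent's ACE was created with InheritanceFlags None.
            [pscustomobject]@{ Path = $item.FullName; Rights = '(none)'; Inherited = ''; AppliesTo = '' }
            continue
        }
        foreach ($ace in $aces) {
            [pscustomobject]@{
                Path      = $item.FullName
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                # ContainerInherit, ObjectInherit with propagation None means
                # "this folder, subfolders and files"; None means "this folder only".
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

Get-IdentityAccessReport -Root '\\my_fileServer\Users\user9999' -Identity 'my_full_domain_name\user9999' |
    Format-Table -AutoSize
```

Run it once after the original script (InheritanceFlags None) and once after the corrected one: the first report shows a single non-inherited row on the root and '(none)' on every child, the second shows an inherited FullControl row on each child, which is what the Security tab summarises as a ticked Full control box.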