The following script takes a long time to apply folder permissions.
$path = 'C:\inetpub\Testbuild\folder'
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true,$False)
$acl | Set-Acl -Path $path
$acl = Get-Acl -Path $path
$object = New-Object System.Security.Principal.Ntaccount("BUILTIN\Administrators")
$acl.SetOwner($object)
$acl | Set-Acl -Path $path
$acl = Get-Acl -Path $path
$permission = 'BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path $path
$acl = Get-Acl -Path $path
$permission = 'BUILTIN\IIS_IUSRS', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path $path
Because of inheritance and propagation, setting permissions on folders with a lot of subfolders and/or items will take its time.
However, you could speed it up by removing lines 13 and 14 and changing line 17 to $acl.AddAccessRule($rule).
That way the script won't have to set the new permissions on all underlying folders and files twice but will do it for both groups in one go.
# first step is to set the owner
$path = 'C:\inetpub\Testbuild\folder'
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true,$False)
$acl | Set-Acl -Path $path
$acl = Get-Acl -Path $path
$object = New-Object System.Security.Principal.Ntaccount("BUILTIN\Administrators")
$acl.SetOwner($object)
$acl | Set-Acl -Path $path
# next step is to set permissions for two groups
$acl = Get-Acl -Path $path
# first group
$permission = 'BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)
# second group
$permission = 'BUILTIN\IIS_IUSRS', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.AddAccessRule($rule)
# set the permissions
$acl | Set-Acl -Path $path
Hope that helps
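Taking the same idea one step further, as an added example that is not part of the original answer: make every change on one in-memory ACL object, commit it with a single Set-Acl, and skip the write entirely when the folder already matches. The function names are hypothetical, the two SIDs are the well-known values for BUILTIN\Administrators and BUILTIN\IIS_IUSRS, and an elevated session is assumed.

```powershell
# Added example, not the poster's code. Function names are hypothetical.
# Well-known SIDs: S-1-5-32-544 = BUILTIN\Administrators, S-1-5-32-568 = BUILTIN\IIS_IUSRS.
$sidType = [System.Security.Principal.SecurityIdentifier]
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-FolderAcl {
    # True when the ACL is protected, has the wanted owner, and carries an explicit
    # inheritable FullControl Allow rule for every listed SID.
    param($Acl, [string]$OwnerSid, [string[]]$FullControlSids)
    if (-not $Acl.AreAccessRulesProtected) { return $false }
    if ($Acl.GetOwner($sidType).Value -ne $OwnerSid) { return $false }
    $explicit = @($Acl.GetAccessRules($true, $false, $sidType))
    foreach ($sid in $FullControlSids) {
        $hit = $explicit | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -eq $full -and
            $_.InheritanceFlags -eq $inherit -and
            $_.PropagationFlags -eq 'None'
        }
        if (-not $hit) { return $false }
    }
    return $true
}

function Set-FolderAclOnce {
    param([string]$Path)
    $owner = 'S-1-5-32-544'
    $sids  = 'S-1-5-32-544', 'S-1-5-32-568'
    $acl   = Get-Acl -Path $Path
    if (Test-FolderAcl -Acl $acl -OwnerSid $owner -FullControlSids $sids) { return 'unchanged' }

    $acl.SetAccessRuleProtection($true, $false)      # same arguments as the script above
    $acl.SetOwner((New-Object System.Security.Principal.SecurityIdentifier $owner))
    foreach ($sid in $sids) {
        $id   = New-Object System.Security.Principal.SecurityIdentifier $sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $full, $inherit, 'None', 'Allow')
        $acl.SetAccessRule($rule)   # identities differ, so one Set does not replace the other
    }
    Set-Acl -Path $Path -AclObject $acl              # the only write to the folder
    return 'updated'
}

Set-FolderAclOnce -Path 'C:\inetpub\Testbuild\folder'   # path taken from the question
```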
I am trying to use the "default" options in applying folder permissions; by that, I mean using the "Full Control, Write, Read, etc" in the 'Properties' for a folder.
The following script works to add the user in, but it applies "Special Permissions" - not the ones with the tick boxes for the ones visible in the properties menu of the folder:
$Acl = Get-Acl "\\R9N2WRN\Share"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule ("user","FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "\\R9N2WRN\Share" $Acl
What am I doing wrong please?
Specifying inheritance in the FileSystemAccessRule() constructor fixes this, as demonstrated by the modified code below (notice the two new constructor parameters inserted between "FullControl" and "Allow").
$Acl = Get-Acl "\\R9N2WRN\Share"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("user", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "\\R9N2WRN\Share" $Acl
According to this topic
"when you create a FileSystemAccessRule the way you have, the
InheritanceFlags property is set to None. In the GUI, this
corresponds to an ACE with the Apply To box set to "This Folder Only",
and that type of entry has to be viewed through the Advanced
settings."
I have tested the modification and it works, but of course credit is due to the MVP posting the answer in that topic.
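The relationship between the two flag sets and the scope shown in the Advanced Security dialog, as an added example that is not part of the original answers. It builds both rules in memory, so no share or folder is touched; the helper name is hypothetical and the identity is BUILTIN\Users by its well-known SID, chosen only so that no account lookup is needed.

```powershell
# Added example: map an ACE's inheritance/propagation flags to the "Applies to" scope.
function Get-AceScope {            # hypothetical helper name
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $ci = $Rule.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $oi = $Rule.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $io = $Rule.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)

    # No inheritance flags at all: the ACE stays on the folder it was set on.
    if (-not ($ci -or $oi)) { return 'This folder only' }

    # InheritOnly: the ACE is handed to children but is not evaluated on the folder itself.
    if ($io) {
        if ($ci -and $oi) { return 'Subfolders and files only' }
        if ($ci)          { return 'Subfolders only' }
        return 'Files only'
    }
    if ($ci -and $oi) { return 'This folder, subfolders and files' }
    if ($ci)          { return 'This folder and subfolders' }
    return 'This folder and files'
    # NoPropagateInherit (direct children only) is not distinguished by this helper.
}

# Constructed identity: S-1-5-32-545 is the well-known SID of BUILTIN\Users.
$id = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

# The rule as written in the question (3 arguments) and as corrected in the answer (5 arguments).
$threeArg = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
$fiveArg  = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

foreach ($pair in @(@('3-argument', $threeArg), @('5-argument', $fiveArg))) {
    $rule = $pair[1]
    [pscustomobject]@{
        Constructor      = $pair[0]
        InheritanceFlags = $rule.InheritanceFlags
        PropagationFlags = $rule.PropagationFlags
        AppliesTo        = Get-AceScope -Rule $rule
    }
}
```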
Referring to Gamaliel's answer: $args is an array of the arguments that are passed into a script at runtime - as such cannot be used the way Gamaliel is using it.
This is actually working:
$myPath = 'C:\whatever.file'
# get actual Acl entry
$myAcl = Get-Acl "$myPath"
$myAclEntry = "Domain\User","FullControl","Allow"
$myAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($myAclEntry)
# prepare new Acl
$myAcl.SetAccessRule($myAccessRule)
$myAcl | Set-Acl "$MyPath"
# check if added entry present
Get-Acl "$myPath" | fl
Another example using PowerShell to set permissions (File / Directory):
Verify permissions
Get-Acl "C:\file.txt" | fl *
Apply full permissions for everyone
$acl = Get-Acl "C:\file.txt"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("everyone","FullControl","Allow")
$acl.SetAccessRule($accessRule)
$acl | Set-Acl "C:\file.txt"
Hope this helps
In case you need to deal with a lot of folders containing subfolders and other recursive stuff. Small improvement on @Mike L'Angelo:
$mypath = "path_to_folder"
$myacl = Get-Acl $mypath
$myaclentry = "username","FullControl","Allow"
$myaccessrule = New-Object System.Security.AccessControl.FileSystemAccessRule($myaclentry)
$myacl.SetAccessRule($myaccessrule)
Get-ChildItem -Path "$mypath" -Recurse -Force | Set-Acl -AclObject $myacl -Verbose
Verbosity is optional in the last line
This one works for me
$path = "C:\test"
$name = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl "C:\test"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($name,"FullControl","Allow")
$acl.SetAccessRule($accessRule)
$acl | Set-Acl "C:\test"
Get-ChildItem -Path "$path" -Recurse -Force | Set-Acl -aclObject $acl -Verbose
$path = "C:\DemoFolder"
$acl = Get-Acl $path
$username = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$Attribs = $username, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Attribs)
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
Get-ChildItem -Path "$path" -Recurse -Force | Set-Acl -aclObject $acl -Verbose
I'm creating a script so less capable techs can quickly and easily set up server-side folders. I've been able to create the folder and the related AD security groups and have started assigning permissions, but I got stuck when I had one security group listed twice.
Basically I have a FolderA_Ro and FolderA_RW groups with FolderA_RW being listed twice.
FolderA_RW - SPECIAL - Traversal, List folder, Read attributes, Read extended attributes, Create files, Create folders, Read permissions - This folder only
FolderA_RW - Modify - Subfolders and files only
This prevents users from renaming the folder and anything else they might do that can't be predicted. Yes, I've had a lot of issues with these kinds of things happening.
I can add the first one without issue, but I can't seem to get it to add the second. Any ideas? Here's my code...
$RFolder = read-host "folder name"
$path = "C:\$($RFolder)"
<# Remove all NTFS permissions #>
$acl = Get-Acl $path
$acl.Access | %{$acl.RemoveAccessRule($_)}
Set-Acl $path $acl
<# Remove inheritance #>
$acl = Get-ACL -Path $path
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $path -AclObject $acl
<# Assign NTFS permissions #>
$acl = Get-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("PMGTINC\Domain Users","Delete, ChangePermissions, TakeOwnership", "None", "None", "Deny")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("PMGTINC\SEC_$($RFolder)_Ro","ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("PMGTINC\SEC_$($RFolder)_RW","CreateFiles,AppendData,ReadAndExecute", "None", "None", "Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("PMGTINC\SEC_$($RFolder)_RW","Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
You could modify your script to something like this:
$RFolder = read-host "folder name"
#Define some variables
$path = "C:\$($RFolder)"
$domain="PMGTINC"
$RoGroup="$domain\SEC_$($RFolder)_Ro"
$RWGroup="$domain\SEC_$($RFolder)_RW"
<# Remove all NTFS permissions #>
$acl = Get-Acl $path
$acl.Access | %{$acl.RemoveAccessRule($_)}
Set-Acl $path $acl
<# Remove inheritance #>
$acl = Get-ACL -Path $path
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $path -AclObject $acl
<# Assign NTFS permissions #>
$acl = Get-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\Domain Users","Delete, ChangePermissions, TakeOwnership", "None", "None", "Deny")
#Append the AccessRule to the ACL
$acl.AddAccessRule( $AccessRule )
#Push settings
Set-Acl -AclObject $acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$RoGroup","ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
#Append the AccessRule to the ACL
$acl.AddAccessRule( $AccessRule )
#Push settings
Set-Acl -AclObject $acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$RWGroup","CreateFiles,AppendData,ReadAndExecute", "None", "None", "Allow")
#Append the AccessRule to the ACL
$acl.AddAccessRule( $AccessRule )
#Push settings
Set-Acl -AclObject $acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$RWGroup","Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
#Append the AccessRule to the ACL
$acl.AddAccessRule( $AccessRule )
#Push settings
Set-Acl -AclObject $acl $path
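Why the second entry for the same group went missing, as an added example that is not part of the original posts: SetAccessRule first removes the identity's existing rules of the same Allow/Deny type, whereas AddAccessRule keeps them. The example works on an in-memory DirectorySecurity object, uses BUILTIN\Users (S-1-5-32-545) as a constructed stand-in for the RW group, and uses hypothetical helper names. It also sets InheritOnly on the Modify rule, which is what yields the "Subfolders and files only" scope described in the question; with 'None' the rule applies to the folder itself as well.

```powershell
# Added example. S-1-5-32-545 (BUILTIN\Users) is a constructed stand-in for SEC_<folder>_RW.
$rw      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$sidType = [System.Security.Principal.SecurityIdentifier]

# ACE 1: limited rights on the folder itself ("This folder only").
$onFolder = New-Object System.Security.AccessControl.FileSystemAccessRule($rw, 'CreateFiles, AppendData, ReadAndExecute', 'None', 'None', 'Allow')

# ACE 2: Modify for everything below the folder. InheritOnly keeps it off the folder itself,
# so the group cannot rename or delete the top-level folder through this entry.
$onChildren = New-Object System.Security.AccessControl.FileSystemAccessRule($rw, 'Modify', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')

function New-DaclWith {            # hypothetical helper: apply both ACEs with the named method
    param([ValidateSet('SetAccessRule', 'AddAccessRule')][string]$Method)
    $sd = New-Object System.Security.AccessControl.DirectorySecurity
    foreach ($rule in $onFolder, $onChildren) { $sd.$Method($rule) }
    return $sd
}

function Get-ExplicitRules {       # hypothetical helper: explicit ACEs only, identities as SIDs
    param([System.Security.AccessControl.DirectorySecurity]$Sd)
    $Sd.GetAccessRules($true, $false, $sidType) |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

foreach ($method in 'SetAccessRule', 'AddAccessRule') {
    $sd    = New-DaclWith -Method $method
    $rules = @(Get-ExplicitRules -Sd $sd)
    '{0}: {1} explicit rule(s) for the group' -f $method, $rules.Count
    $rules | Format-Table -AutoSize
}
```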
I'm a newbie in PowerShell and trying to figure out a way to set folder permissions for Authenticated Users. I want to remove all permissions for this user except Read&Execute.
I've tried the code below but it doesn't quite give the result I want:
$folder = 'C:\folder'
#remove inheritance
$acl = Get-ACL -Path $folder
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $folder -AclObject $acl
#set folder permissions to Read&Execute
$user = New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' -ArgumentList @([System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($user, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl
Hello, I would like to know how I can change the domain of a folder > security parameter > property > MYDOMAIN\Adm_User. I want to change only MYDOMAIN in PowerShell. Thank you very much for your help.
$ACL = Get-ACL .\smithb
$Group = New-Object System.Security.Principal.NTAccount("Builtin", "Administrators")
$ACL.SetOwner($Group)
Set-Acl -Path .\smithb\profile.v2 -AclObject $ACL
```
$ACL = Get-ACL C:\Gabriel
$Group = New-Object System.Security.Principal.NTAccount("Builtin", "Administrators")
$ACL.SetOwner($Group)
Set-Acl -Path C:\Gabriel -AclObject $ACL
```
Try this:
# Give Ownership using PowerShell
$ACL = Get-Acl -Path "C:\Gabriel"
$User = New-Object System.Security.Principal.Ntaccount("Builtin", "Administrators")
$ACL.SetOwner($User)
$ACL | Set-Acl -Path "C:\Gabriel"
Get-ACL -Path "C:\Gabriel"
I have a folder
C:\TEMP
inside there are subfolders
C:\TEMP\a C:\TEMP\b and a file named apple.txt
How can I change all the permissions to Everyone with full control access using a PowerShell script?
Thanks
$user = "domain\user"
$Folders = Get-childItem c:\TEMP\
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType = [System.Security.AccessControl.AccessControlType]::Allow
$Folders | %{
$Folder = $_
$acl = Get-Acl $Folder
$permission = $user,"Modify", $InheritanceFlag, $PropagationFlag, $objType
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
Set-Acl $Folder $acl
}
Thanks for your answer. I made some corrections and enhancements (a keyword/expected pattern)
$user = "everyone"
$Folders = Get-childItem -Directory F:\SITE\
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType = [System.Security.AccessControl.AccessControlType]::Allow
$keyword = "PublicTempStorage"
$Folders | %{
$Folder = $_
$acl = Get-Acl $Folder.FullName
$permission = $user,"Modify", $InheritanceFlag, $PropagationFlag, $objType
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
if ($Folder -match $keyword)
{
Set-Acl -AclObject $acl -Path $Folder.FullName
}
}
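An alternative to writing an ACL onto every item, which applies both to the per-folder loops above and to the Get-ChildItem | Set-Acl pipelines earlier on the page, as an added example that is not part of the original posts. It puts one inheritable rule on the root and then touches only the descendants that have inheritance disabled, since everything else receives the rule automatically. The helper names and the temporary demo tree (mirroring a, b and apple.txt) are constructed for the example, and the rule grants Modify to the current user.

```powershell
# Added example. Helper names are hypothetical; the tree under the temp directory is constructed.
function New-ModifyRule {
    # Files accept no inheritance flags, so only containers get ContainerInherit/ObjectInherit.
    param($Sid, [bool]$Container)
    $flags = if ($Container) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    New-Object System.Security.AccessControl.FileSystemAccessRule($Sid, 'Modify', $flags, 'None', 'Allow')
}

function Get-ProtectedDescendant {
    # Items whose ACL has inheritance disabled; these do not pick up rules set on the root.
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
        if ((Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected) { $_.FullName }
    }
}

# Constructed demo tree: <temp>\acl-demo-<guid>\a, \b and apple.txt.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ('acl-demo-' + [guid]::NewGuid())
foreach ($d in 'a', 'b') { New-Item -ItemType Directory -Path (Join-Path $root $d) | Out-Null }
Set-Content -Path (Join-Path $root 'apple.txt') -Value 'constructed sample file'

# Disable inheritance on b (keeping copies of its inherited ACEs) so it stops following the root.
$b    = Join-Path $root 'b'
$bAcl = Get-Acl -LiteralPath $b
$bAcl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $b -AclObject $bAcl

# One inheritable ACE on the root reaches a and apple.txt through inheritance.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User   # current user's SID
$rootAcl = Get-Acl -LiteralPath $root
$rootAcl.AddAccessRule((New-ModifyRule -Sid $me -Container $true))
Set-Acl -LiteralPath $root -AclObject $rootAcl

# Only the protected items need their own copy of the rule.
$protected = @(Get-ProtectedDescendant -Root $root)
foreach ($p in $protected) {
    $isDir = Test-Path -LiteralPath $p -PathType Container
    $acl   = Get-Acl -LiteralPath $p
    $acl.AddAccessRule((New-ModifyRule -Sid $me -Container $isDir))
    Set-Acl -LiteralPath $p -AclObject $acl
}
$total = @(Get-ChildItem -LiteralPath $root -Recurse -Force).Count
'Wrote an ACL to {0} of {1} descendants' -f $protected.Count, $total
Remove-Item -LiteralPath $root -Recurse -Force
```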