I am writing a PowerShell script which would delete a specific user from all sub-directories.
Below script only removes the permission from the folder but I want to remove permission from all sub-folders as well.
$acl = get-acl c:\temp
$accessrule = New-Object System.Security.AccessControl.FileSystemAccessRule ("domain\user","Read",,,"Allow")
$acl.RemoveAccessRuleAll($accessrule)
Set-Acl -Path "c:\temp" -AclObject $acl
You are only setting the acl of the root folder. Set-Acl by itself does not allow you to propagate to subfolders.
Note that that might not be what you want anyway. You want to remove a rule from all folders instead of replacing the acls on all subfolders with the acl of your root folder.
Safer would be to get the acl of each subfolder, remove the rule and set the acl of each subfolder.
icaclscudo's to Ansgar might be better for this task. A Powershell way might be as follows
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("domain\user","Read",,,"Allow")
$root = 'c:\temp'
#(Get-Item $root) + #(Get-ChildItem $root -Recurse -Directory) | Foreach-Object {
$acl = Get-Acl $_.FullName
$acl.RemoveAccessRuleAll($accessrule)
Set-Acl $_.FullName -AclObject $acl -WhatIf
}
$Path = "c:\temp\"
$User = "admin"
$Account = new-object system.security.principal.ntaccount($User)
$ACL = Get-Acl -path $Path
$ACL.PurgeAccessRules($Account)
$ACL | Set-Acl -path $Path -Verbose
gci -Recurse -Path $Path -Directory | %{
$ACL = Get-Acl -path $_.FullName
$ACL.PurgeAccessRules($Account)
$ACL | Set-Acl -path $_.FullName -Verbose
}
Related
Hello I would like to know how I can change the domain of a folder > security parameter > property > MYDOMAIN\Adm_User I want to change only MYDOMAIN in Powershell thank you very much for your help
t$ACL = Get-ACL .\smithb
$Group = New-Object System.Security.Principal.NTAccount("Builtin", "Administrators")
$ACL.SetOwner($Group)
Set-Acl -Path .\smithb\profile.v2 -AclObject $ACL
```
t$ACL = Get-ACL C:\Gabriel
$Group = New-Object System.Security.Principal.NTAccount("Builtin", "Administrators")
$ACL.SetOwner($Group)
Set-Acl -Path C:\Gabriel -AclObject $ACL
```
Try this:
# Give Ownership using PowerShell
$ACL = Get-Acl -Path "C:\Gabriel"
$User = New-Object System.Security.Principal.Ntaccount("Builtin", "Administrators")
$ACL.SetOwner($User)
$ACL | Set-Acl -Path "C:\Gabriel"
Get-ACL -Path "C:\Gabriel"
We have a giant folder located at "D:\Economy" with hundreds of subfolders. We have a new employee which needs permissions for ALL those folders. Unfortunately there are alot of folders without inheritance, so when I add permissions on D:\Economy\ it doesnt apply to all folders.
Ive found many scrips which lists all the folders, but I can't figure out how to also apply permissions to them.
For instance, this command works for finding folders:
DIR "D:\Economy" -directory -recurse | GET-ACL | where {$_.Access.IsInherited -eq $false}
This command works for setting permissions, but it only applies to those with inheritance enabled:
path = "D:\Economy\"
$acl = Get-Acl $path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("MYCOMPANY\firstname.surname","Modify","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
So how do I merge those together?
This is something I wrote up but it doesnt work:
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("MYCOMPANY\firstname.surname","Modify","Allow")
$acl.SetAccessRule($AccessRule)
dir "D:\Economy\" -Directory -recurse | get-acl | Where {$_.AreAccessRulesProtected} | set-acl "D:\Economy\"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("MYCOMPANY\firstname.surname","Modify","Allow")
Get-ChildItem "D:\Economy\" -Directory -Recurse | %{
$acl = Get-Acl -Path $_.FullName
if ($acl.AreAccessRulesProtected) {
$acl.AddAccessRule($AccessRule)
$acl | Set-Acl -Path $_.FullName
}
}
Attempting to set the owner of a folder as Domain Admins and force inheritance on all sub-folder/files. Using a combination of scripts I've found:
$Account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $DomainAdmins;
#Get a list of folders and files
$ItemList = Get-ChildItem -Path $Dir -Recurse;
#Iterate over files/folders
foreach ($Item in $ItemList) {
$Acl = $null; # Reset the $Acl variable to $null
$Acl = Get-Acl -Path $Item.FullName; # Get the ACL from the item
$Acl.SetOwner($Account); # Update the in-memory ACL
$isProtected = $false
$preserveInheritance = $false
$Acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
Set-Acl -Path $Item.FullName -AclObject $Acl; # Set the updated ACL on the target item
}
Error: Set-Acl : Cannot bind argument to parameter 'AclObject' because it is null.
Some folders assign properly, however, not all. I suspect it breaks were there is no owner (possibly an account that's been removed from AD.)
Any ideas on how to approach this?
We will end up using this, even though it's not handling the long file paths correctly.
Import-Module -Name NTFSSecurity
#Remove Inheritance on user's root folder
Get-Item $UserRoot | Disable-NTFSAccessInheritance
#Add Domain Admin to user's root folder
Add-NTFSAccess -Path $UserRoot -Account 'BUILTIN\Administrators', 'yourDomain\Domain Admins' -AccessRights FullControl
#Set Inheritance on all sub-folders on user's directory
Get-ChildItem -Path $UserRoot -Recurse | Enable-NTFSAccessInheritance -PassThru
Check SetOwner() method for setting up owner for a folder
# Define the owner account/group
$Account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList 'BUILTIN\Administrators';
# Get a list of folders and files
$ItemList = Get-ChildItem -Path c:\test -Recurse;
# Iterate over files/folders
foreach ($Item in $ItemList) {
$Acl = $null; # Reset the $Acl variable to $null
$Acl = Get-Acl -Path $Item.FullName; # Get the ACL from the item
$Acl.SetOwner($Account); # Update the in-memory ACL
Set-Acl -Path $Item.FullName -AclObject $Acl; # Set the updated ACL on the target item
}
Specify Inheritance in FileSystemAccessRule()
$Acl = Get-Acl "\\R9N2WRN\Share"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("user", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "\\R9N2WRN\Share" $Acl
Check the SO1 and SO2 for further related information.
We have a server that houses the My Documents folder for all our users. Some of the folder owner changed to administrator. I am trying to devise a PowerShell script that goes to each user's root my documents folder and applies the user as the owner for all the sub folders and files with in it. Is this Possible?
I have the following from a previous script that attempted to set the user as full permissions per each my document root folder:
$FolderPath = "E:\mydocuredir\"
$MyDocsMain = Get-ChildItem -Path $FolderPath -Directory
Get-ChildItem -Path $FolderPath -Directory | ForEach-Object{
$HomeFolders = Get-ChildItem $FolderPath $_.Name -Directory
$Path = $HomeFolders.FullName
$Acl = (Get-Item $Path).GetAccessControl('Access')
$Username = $_.Name
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'FullControl', 'ObjectInherit', 'InheritOnly', 'Allow')
$Acl.SetAccessRule($Ar)
Set-Acl -path $Path -AclObject $Acl
}
Firstly ensure that the share and root folder permissions for redirected folders follow best practice.
I would use the NTFSSecurity PS Module (blog on its use). This module has commands that are much easier to understand as they follow they way your would set permissions via the GUI.
$FolderPath = "E:\mydocuredir"
Get-ChildItem -Path $FolderPath -Directory | ForEach-Object{
Add-NTFSAccess -Path $_.FullName -Account "domain\$($_.Name)" -AccessRights FullControl -AppliesTo ThisFolderSubfoldersAndFiles
}
To set Owner, replace the Add-NTFSAccess command with:
Set-NTFSOwner -Path $_.FullName -Account "domain\$($_.Name)"
I am currently using the following script to export the permissions, take ownership of a folder and then remove all permissions from that folder. The folder list is taken from a text file.
$InputFile = "C:\temp\Folders.txt"
$OutputFile = "C:\temp\FolderPermissions.txt"
$FolderList = Get-Content $InputFile
foreach ($Folder in $FolderList) {
Get-Acl $folder | Format-List >>$OutputFile
$acl = Get-ACL -Path $folder
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $folder -AclObject $acl
$ACL = Get-ACL -Path $Folder
$Rules = $ACL.Access | Where-Object {$_.IdentityReference -notmatch 'Admin'}
foreach ($Rule in $Rules) {
[void]$ACL.RemoveAccessRule($Rule)
}
Set-Acl -Path $folder -AclObject $acl
}
I really want to be able to reverse this, but cannot figure out how to reapply the permissions from the file that it exports.
List format is okay for human readers, but it's not really suitable for restoring data from a file. Save the full path and SDDL of each folder to a CSV:
foreach ($Folder in $FolderList) {
Get-Acl $folder | Select-Object #{n='Path';e={$Folder.FullName}}, Sddl |
Export-Csv $OutputFile -NoType -Append
...
}
That should allow you to restore the security information like this:
Import-Csv $OutputFile | ForEach-Object {
$acl = Get-Acl -Path $_.Path
$acl.SetSecurityDescriptorSddlForm($_.Sddl)
Set-Acl -Path $_.Path -AclObject $acl
}