I have two files, one with a list of the security groups and one with the corresponding folder path. All I need to do is loop through these files and apply the correct security group recursive RW access to the correct folder.
So security group on line 1 would apply to the folder on line 1.
Powershell script:
foreach ($group in gc c:\temp\securitygroups.txt) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ($group, 'Modify','ContainerInherit,ObjectInherit', 'None', 'Allow')
    foreach ($folder in gc c:\temp\folders.txt) {
        $acl = Get-Acl $folder
        $acl.SetAccessRule($rule)
        Set-Acl $folder $acl
    }
}
securitygroups.txt:
securitygroup1
securitygroup2
securitygroup3
securitygroup4
securitygroup5
securitygroup6
securitygroup7
securitygroup8
securitygroup9
securitygroup10
folders.txt:
D:\shares\projects\project1
D:\shares\projects\project2
D:\shares\projects\project3
D:\shares\projects\project4
D:\shares\projects\project5
D:\shares\projects\project6
D:\shares\projects\project7
D:\shares\projects\project8
D:\shares\projects\project9
D:\shares\projects\project10
At the moment every security group in securitygroups.txt is being added to each folder in the list. This is not what I want; I want securitygroup1 added to project1, securitygroup2 added to project2, etc.
Read both files into variables, then use a for loop to iterate over both arrays at the same time:
$groups = Get-Content 'c:\temp\securitygroups.txt'
$folders = Get-Content 'c:\temp\folders.txt'
for ($i=0; $i -lt $folders.Count; $i++) {
    $rule = New-Object Security.AccessControl.FileSystemAccessRule ($groups[$i], 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl $folders[$i]
    $acl.SetAccessRule($rule)
    Set-Acl $folders[$i] $acl
}
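A variant of the paired loop above that refuses to run when the two lists differ in length and checks each folder and group before writing an ACL. This is an added example, not part of the original answer; the function name Set-PairedFolderAccess and its parameters are hypothetical.

```powershell
function Set-PairedFolderAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GroupFile,   # one group per line
        [Parameter(Mandatory = $true)][string]$FolderFile   # one folder per line, same order
    )
    # Drop blank lines so a stray empty line does not shift the pairing.
    $groups  = @(Get-Content $GroupFile  | Where-Object { $_.Trim() } | ForEach-Object { $_.Trim() })
    $folders = @(Get-Content $FolderFile | Where-Object { $_.Trim() } | ForEach-Object { $_.Trim() })
    # Pairing by index is only meaningful when both lists have the same length.
    if ($groups.Count -ne $folders.Count) {
        throw "Line count mismatch: $($groups.Count) groups vs $($folders.Count) folders."
    }
    for ($i = 0; $i -lt $folders.Count; $i++) {
        $folder = $folders[$i]
        $group  = $groups[$i]
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            Write-Warning "Line $($i + 1): folder not found, skipped: $folder"
            continue
        }
        # Resolve the name to a SID first; a typo fails here, before any ACL is written.
        try {
            $sid = ([System.Security.Principal.NTAccount]$group).Translate(
                [System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "Line $($i + 1): cannot resolve group '$group', skipped."
            continue
        }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule (
            $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        if ($PSCmdlet.ShouldProcess($folder, "Grant Modify to $group")) {
            $acl = Get-Acl -LiteralPath $folder
            $acl.SetAccessRule($rule)   # replaces existing explicit Allow rules for this identity
            Set-Acl -LiteralPath $folder -AclObject $acl
        }
        # Emit one record per pair so the run can be reviewed or logged.
        [pscustomobject]@{ Line = $i + 1; Folder = $folder; Group = $group; Sid = $sid.Value }
    }
}

# Dry run first: lists the pairs without writing any ACL.
Set-PairedFolderAccess -GroupFile 'c:\temp\securitygroups.txt' -FolderFile 'c:\temp\folders.txt' -WhatIf
```

Drop `-WhatIf` once the listed pairs match what you expect.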
Related
I want to copy all the users/Groups from a NAS path which is DEV environment to UAT NAS path which have same folder structure using Powershell. I am using Powershell ver 5.1.
I tried to do using the following command :
$acl = (Get-Item $prod_path).GetAccessControl('Access')
$acl | Set-Acl -Path $non_prod_path
try {
    foreach ($usr in ($prod_acl.access | where { $_.IsInherited -eq $True -and $_.AccessControlType -eq 'Allow' })) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $usr.IdentityReference,
            "Read",
            $usr.InheritanceFlags,
            $usr.PropagationFlags,
            $usr.AccessControlType
        )
        # Calling SetAccessRule() is like calling Remove() then Add()
        $prod_acl.SetAccessRule($rule)
    }
    (Get-Item $non_prod_path).SetAccessControl($prod_acl)
} catch { continue }
But it's giving me an error saying: Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
Any help would be really appreciated.
I have the PowerShell script below that creates a home drive for a user:
Import-Module ActiveDirectory 2>&1 | Write-Host;
if($?)
{
    $homeDir = "\\CORP.com\HOME\Jdoe";
    $user = "jdoe";
    $domain = "Corp";
    New-Item "$homeDir" -type directory;
    $acl = Get-Acl "$homeDir";
    $permission = "$domain\$user","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow";
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission;
    $acl.SetAccessRule($accessRule);
    $acl | Set-Acl "$homeDir";
}
Values within $homeDir and $User will be passed on runtime basis.
How do I execute the above script and pass runtime values for the $homeDir and $User attributes?
I have tried to execute,
. 'C:\hd.ps1' $homeDir = "\\CORP.com\HOME\test" $user = "test" ; without success.
Can anyone tell me what I am doing incorrectly?
Put
param(
    $homeDir,
    $user
)
at the top of the script and call using
Powershell -File "C:\hd.ps1" -homeDir "\\CORP.com\HOME\test" -user "test"
Why are you doing this?
Import-Module ActiveDirectory 2>&1 | Write-Host;
If you are on the DC doing this or if you have the RSAT tools on your workstation, if you are on PowerShell v3+ or higher, this gets auto loaded the moment you use an AD cmdlet.
Also never use Write-Host for anything that you plan to need later. It empties / clears the buffer. Write-Host is only good for text coloring or other formatting needs in s
Make this a collection from a file for example and just read it in. I'm just using a list here:
# One row per user; the column names are the properties the loop below reads
$UserFile = @'
homeDir,user,Targetdomain
\\CORP.com\HOME\Jdoe,jdoe,Corp
'@ | ConvertFrom-Csv
# Results
homeDir              user Targetdomain
-------              ---- ------------
\\CORP.com\HOME\Jdoe jdoe Corp
If you are doing this from a remote machine, then you cannot use local variables in a remote session unless you set their scope.
Get-Help about_remote_variables -Full
About Remote Variables
LONG DESCRIPTION
You can use variables in commands that you run on remote
computers. Simply assign a value to the variable and then use the
variable in place of the value.
By default, the variables in remote commands are assumed to be
defined in the session in which the command runs. You can also use
variables that are defined in the local session, but you must identify
them as local variables in the command.
USING LOCAL VARIABLES
You can also use local variables in remote commands, but you
must indicate that the variable is defined in the local session.
Beginning in Windows PowerShell 3.0, you can use the Using
scope modifier to identify a local variable in a remote command.
The semi-colons are not needed in PowerShell, unless the items are on the same line.
You cannot call this code this way...
'C:\hd.ps1' $homeDir = "\\CORP.com\HOME\test" $user = "test"
... since you did not specify any params in your code.
So, something like this...
Note: I am not in a position to test this... please do only in a test environment
So this is off the cuff...
ForEach($UserLine in $UserFile)
{
    New-Item $UserLine.homeDir -type directory
    $acl = Get-Acl $UserLine.homeDir
    # $Using: is only valid inside a remote script block (e.g. Invoke-Command); this loop runs locally
    $permission = ($UserLine.Targetdomain + '\' + $UserLine.user),'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl $UserLine.homeDir
}
If you want this to be a parameterized function, then this...
Function New-ADUserHomeDirSettings
{
    [cmdletbinding()]
    Param
    (
        [string]$homeDir,
        [string]$user,
        [string]$Targetdomain
    )
    # Use the function's own parameters; $UserLine and $Using: do not exist in this scope
    $acl = Get-Acl $homeDir
    $permission = ($Targetdomain + '\' + $user),'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl $homeDir
}
New-ADUserHomeDirSettings -homeDir '' -user '' -Targetdomain ''
I found the following which seems to work for what it is, but I need 2 things changed, and can't figure it out.
$acl = Get-Acl D:\New
$permission = "Everyone","Read","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
$acl | Set-Acl D:\New
I need to be able to give "HomeGroup" permission, not "Everyone".
I need this to recurse all folders.
When in doubt, read the documentation. You need to change the identity from "Everyone" to "$env:COMPUTERNAME\HomeGroup" and set the appropriate inheritance and propagation flags.
$identity = "$env:COMPUTERNAME\HomeGroup"
$accessRight = 'Read'
$inheritance = 'ContainerInherit, ObjectInherit'
$propagation = 'None'
$type = 'Allow'
$accessRule = New-Object Security.AccessControl.FileSystemAccessRule (
    $identity, $accessRight, $inheritance, $propagation, $type
)
I would like this powershell script to create a new directory, and add/assign permissions with a group.
The group is adding, but the permissions are not showing under Properties on the Security tab. If going to Advanced security the permissions do show there.
Also, the parent folder permissions are not being removed from the new child folder as desired.
$groups = "DOMAIN\GROUP"
$Perm = "MODIFY"
$Permission = [System.Security.AccessControl.FileSystemRights] $Perm
$AllInherit = [System.Security.AccessControl.InheritanceFlags] "None"
$AllPropagation = [System.Security.AccessControl.PropagationFlags] "InheritOnly"
$path = "c:\temp\test"
new-item -path $path -itemtype directory -force
$group = $groups
$GetACL = Get-Acl $Path
$Access = New-Object System.Security.Principal.NTAccount ($group)
$AccessRule = New-Object system.security.AccessControl.FileSystemAccessRule($Access, $perm, $AllInherit, $Allpropagation, "Allow")
$GetACL.SetAccessRule($AccessRule)
SET-ACL -PATH $path $getacl
Here's a function I wrote for a similar purpose:
function Add-AclEntry {
    # Adds a new entry to the specified file system object ACL. For
    # folders the new permissions are applied recursively.
    # Returns: null.
    param(
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [String]$sPath,
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        # Access group (full notation).
        [String]$sGroup,
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        # List of access rights, comma separated.
        [String]$sRights,
        [Parameter(Mandatory=$false)]
        [ValidateSet("Allow", "Deny")]
        [String]$sType = "Allow"
    )
    $cRights = [System.Security.AccessControl.FileSystemRights]$sRights
    $oType = [System.Security.AccessControl.AccessControlType]::$sType
    $oGroup = New-Object -TypeName System.Security.Principal.NTAccount($sGroup)
    # Inheritance flags: full inheritance.
    if ((Get-Item $sPath).PSIsContainer) {
        $oInheritanceFlags = (`
            [System.Security.AccessControl.InheritanceFlags]::ObjectInherit `
            -bor [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    } else {
        $oInheritanceFlags = `
            [System.Security.AccessControl.InheritanceFlags]::None
    }
    $oPropagationFlags = [System.Security.AccessControl.PropagationFlags]::None
    # Creating access control entry and adding it to the ACL.
    $oAce = New-Object `
        -TypeName System.Security.AccessControl.FileSystemAccessRule `
        ($oGroup, $cRights, $oInheritanceFlags, $oPropagationFlags, $oType)
    $oAcl = Get-Acl -Path $sPath
    $oAcl.AddAccessRule($oAce)
    Set-Acl -Path $sPath -AclObject $oAcl
    return $null
}
Example usage (adding Modify permissions for Authenticated Users group):
$sGroup = "NT AUTHORITY\Authenticated Users"
$sRights = "Delete, Read, Traverse, Write"
Add-AclEntry -sPath $sFolder -sGroup $sGroup -sRights $sRights
Hope that helps.
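The question above also asks for the parent folder's permissions to be removed from the new folder, which the function does not cover. The following added example (not from the original posts; New-ProtectedFolder is a hypothetical name) cuts inheritance with SetAccessRuleProtection and grants the group rights that apply to the folder, its subfolders and files:

```powershell
function New-ProtectedFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Group,   # e.g. 'DOMAIN\GROUP'
        [string]$Rights = 'Modify'
    )
    $null = New-Item -Path $Path -ItemType Directory -Force
    $acl  = Get-Acl -LiteralPath $Path

    # isProtected = $true          : stop inheriting from the parent.
    # preserveInheritance = $false : drop the inherited entries instead of copying them.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    # With inheritance cut only explicit rules remain, so keep SYSTEM and
    # Administrators (well-known SIDs) or the folder becomes unmanageable.
    $grants = @(
        @{ Id = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18';     Rights = 'FullControl' }
        @{ Id = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; Rights = 'FullControl' }
        @{ Id = New-Object System.Security.Principal.NTAccount $Group;                  Rights = $Rights }
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule (
            $g.Id, $g.Rights, $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Read back and fail loudly if any inherited entry survived.
    $after = Get-Acl -LiteralPath $Path
    if ($after.Access | Where-Object { $_.IsInherited }) {
        throw "Inherited entries still present on $Path"
    }
    $after.Access | Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

# Usage with the values from the question:
# New-ProtectedFolder -Path 'c:\temp\test' -Group 'DOMAIN\GROUP'
```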
I have a question about Get-Acl in Powershell. I keep getting the error message, "Access to the path is denied". I want to change the owner of the folder to myself and then give myself full permissions to the folder using Powershell. Here's the line of code giving me the error:
$acl = Get-Acl "C:\SomeFolder"
I am using Windows Explorer to set the permissions on "SomeFolder" before running the script. They are as follows:
no entries in the access control list
owner is not myself
I do not receive the error message if I make myself the owner using the Windows Explorer GUI before running the Powershell script. I don't understand why I am allowed to change the owner with Windows Explorer but not using Powershell? I have full admin rights on this machine. Windows 7, Powershell 2.0, .NET 3.5.
I'm assuming the only way to change the owner is to use Get-Acl, set owner on the ACL, then use Set-Acl to write it back to the folder. If there is another way, please let me know? How can I change the owner of the folder using Powershell?
Windows Vista and up include a command-line tool named takeown.exe which can be used from an elevated command prompt (or elevated powershell console) to change the ownership of a file system object.
takeown /F "C:\SomeFolder" /R /D Y
should give you ownership on C:\SomeFolder and the file system objects it contains.
I have some system configuration scripts from our build guy and I recall a note about the Get-Acl command "not working well on certain paths".
# NOTE: This method does not work well?
#$acl = Get-Acl -Path $Path
The kinds of paths we were setting permissions on were empty folders created by an administrator user later captured in a disk image. This is the PowerShell command that we used instead.
$acl = (Get-Item $path).GetAccessControl("Access")
Oh, and it gets real obscure once you have an ACL object. I don't know if this is the best way to do it, but it's a snippet from the same script I refer to above.
$acl = (Get-Item $path).GetAccessControl("Access")
# Setup the access rule.
$allInherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit", "ObjectInherit"
$allPropagation = [System.Security.AccessControl.PropagationFlags]"None"
$AR = New-Object System.Security.AccessControl.FileSystemAccessRule $user, $permissions, $allInherit, $allPropagation, "Allow"
# Check if Access already exists.
if ($acl.Access | Where { $_.IdentityReference -eq $User})
{
    $accessModification = New-Object System.Security.AccessControl.AccessControlModification
    $accessModification.value__ = 2
    $modification = $false
    $acl.ModifyAccessRule($accessModification, $AR, [ref]$modification) | Out-Null
}
else
{
    $acl.AddAccessRule($AR)
}
Set-Acl -AclObject $acl -Path $Path
The above code worked great. Wanted to post a tweak for recursively going through directory and filling in some "missing"
$HomeFolders = Get-ChildItem "put your directory root here" -Directory -recurse
foreach ($HomeFolder in $HomeFolders) {
    $Path = $HomeFolder.FullName
    $acl = (Get-Item $Path).GetAccessControl('Access')
    $allInherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit", "ObjectInherit"
    $allPropagation = [System.Security.AccessControl.PropagationFlags]"None"
    $permissions = "FullControl"
    $Username = "<put your name here>"
    $AR = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, $permissions, $allInherit, $allPropagation, "Allow")
    if ($acl.Access | Where { $_.IdentityReference -eq $Username})
    {
        $accessModification = New-Object System.Security.AccessControl.AccessControlModification
        $accessModification.value__ = 2
        $modification = $false
        $acl.ModifyAccessRule($accessModification, $AR, [ref]$modification) | Out-Null
    }
    else
    {
        $acl.AddAccessRule($AR)
    }
    Set-Acl -path $Path -AclObject $Acl
}