Example of the goal, the crossout is the same user.
I've created a script that creates a folder based on users SAMaccount and it works like it should, it also gives full control on the folder, not inherited.
My goal is to set another set of full control permissions for the same user, but inherited from the "top folder" and the full control should should only applie to "this folder only"
My script so far is below:
$users = Get-ADUser -filter * -SearchBase "OU=Test,OU=Users,OU=Bla Groups,DC=Bla,DC=local" |
Select-Object -ExpandProperty sAMAccountName
ForEach($user in $users)
{
$newPath = Join-Path "c:\Temp\Test" -childpath $user
New-Item $newPath -type directory -Force
$acl = (Get-Item $newpath).GetAccessControl('Access')
$permission = "Bla.local\$user","FullControl",#("ContainerInherit","ObjectInherit"),"None","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
$acl | Set-Acl $newpath
}
Related
Attempting to set the owner of a folder as Domain Admins and force inheritance on all sub-folder/files. Using a combination of scripts I've found:
$Account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $DomainAdmins;
#Get a list of folders and files
$ItemList = Get-ChildItem -Path $Dir -Recurse;
#Iterate over files/folders
foreach ($Item in $ItemList) {
$Acl = $null; # Reset the $Acl variable to $null
$Acl = Get-Acl -Path $Item.FullName; # Get the ACL from the item
$Acl.SetOwner($Account); # Update the in-memory ACL
$isProtected = $false
$preserveInheritance = $false
$Acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
Set-Acl -Path $Item.FullName -AclObject $Acl; # Set the updated ACL on the target item
}
Error: Set-Acl : Cannot bind argument to parameter 'AclObject' because it is null.
Some folders assign properly, however, not all. I suspect it breaks were there is no owner (possibly an account that's been removed from AD.)
Any ideas on how to approach this?
We will end up using this, even though it's not handling the long file paths correctly.
Import-Module -Name NTFSSecurity
#Remove Inheritance on user's root folder
Get-Item $UserRoot | Disable-NTFSAccessInheritance
#Add Domain Admin to user's root folder
Add-NTFSAccess -Path $UserRoot -Account 'BUILTIN\Administrators', 'yourDomain\Domain Admins' -AccessRights FullControl
#Set Inheritance on all sub-folders on user's directory
Get-ChildItem -Path $UserRoot -Recurse | Enable-NTFSAccessInheritance -PassThru
Check SetOwner() method for setting up owner for a folder
# Define the owner account/group
$Account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList 'BUILTIN\Administrators';
# Get a list of folders and files
$ItemList = Get-ChildItem -Path c:\test -Recurse;
# Iterate over files/folders
foreach ($Item in $ItemList) {
$Acl = $null; # Reset the $Acl variable to $null
$Acl = Get-Acl -Path $Item.FullName; # Get the ACL from the item
$Acl.SetOwner($Account); # Update the in-memory ACL
Set-Acl -Path $Item.FullName -AclObject $Acl; # Set the updated ACL on the target item
}
Specify Inheritance in FileSystemAccessRule()
$Acl = Get-Acl "\\R9N2WRN\Share"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("user", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "\\R9N2WRN\Share" $Acl
Check the SO1 and SO2 for further related information.
I am trying to create the user folder for each AD Users. For each folder, I want the folder only accessed by that AD users only.
The finally result I want:
FolderName: "UserAFolder"
Goal: only UserA in "UserAFolder"
But the result is
FolderName: "UserAFolder"
UserA, UserB, UserC ... are all in "UserAFolder"
$folderpath = "\\san\Shares\UserFolders\"
$ulist =import-csv -Path C:\aduserlist.csv
foreach($list in $ulist)
{
$users = $list.username
$newpath = $folderpath+$users
New-Item -ItemType Directory -Path $folderpath -Name $users
$rights = "Modify"
$inheritanceFlag = "ContainerInherit,ObjectInherit"
$propagationFlag = "None"
$type = "Allow"
$objACL = Get-Acl $newpath
$entries = $users, $rights,$inheritanceFlag,$propagationFlag,$type
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $entries
$objACL.SetAccessRule($rule)
$objACL | Set-Acl -Path $newpath
}
The original Code of ACL is work. Just Parent Folder inheritance issue.
The NTFS Security
$folderpath = "\\san\Shares\UserFolders\"
$ulist =import-csv -Path C:\aduserlist.csv
foreach($list in $ulist){
$users = $list.username
$newpath = $folderpath+$users
New-Item -ItemType Directory -Path $folderpath -Name $users
$users = $list.username
$ADUser = $list.email
$newpath = $folderpath+$users
Add-NTFSAccess $newpath -Account $ADUser -AccessRights Modify -PassThru
}
I created this script that will create a folder for each user that has a title of Customer Service Representative on a UNC path.There is a users group that is inherited from the parent. How can I remove that users group?
$names = (Get-ADUser -Filter 'Title -eq "Customer Service Representative"').name
foreach ($name in $names)
{
New-Item -ItemType "directory" -Path "\\unc\$name" -ErrorAction SilentlyContinue
$path = "\\unc\$name" #Replace with whatever file you want to do this to.
$user = "domain\group" #User account to grant permisions too.
$Rights = "Full" #"Read, ReadAndExecute, ListDirectory" #Comma seperated list.
$InheritSettings = "Containerinherit, ObjectInherit" #Controls how permissions are inherited by
children
$PropogationSettings = "None" #Usually set to none but can setup rules that only apply to children.
$RuleType = "Allow" #Allow or Deny.
$acl = Get-Acl $path
$perm = $user, $Rights, $InheritSettings, $PropogationSettings, $RuleType
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path $path
}
Not sure if you're comfortable with an add-on, but you may want to check out this NTFS PowerShell module:
I've been using it for years. It's quite capable, and very easy to use.
From an admin console of PowerShell
install-package ntfssecurity
Before your closing { add the line
Remove-NTFSAccess -AccessRights FullControl -Account DOMAIN\Group -Path $path -AccessType Deny -AppliesTo ThisFolderSubfoldersAndFiles
At least, that's what I'm guessing would be appropriate? Haven't studied your code that deeply to know what you're doing exactly. I'd probably drop it in right after folder creation, but that doesn't appear to happen in here?
We have a server that houses the My Documents folder for all our users. Some of the folder owner changed to administrator. I am trying to devise a PowerShell script that goes to each user's root my documents folder and applies the user as the owner for all the sub folders and files with in it. Is this Possible?
I have the following from a previous script that attempted to set the user as full permissions per each my document root folder:
$FolderPath = "E:\mydocuredir\"
$MyDocsMain = Get-ChildItem -Path $FolderPath -Directory
Get-ChildItem -Path $FolderPath -Directory | ForEach-Object{
$HomeFolders = Get-ChildItem $FolderPath $_.Name -Directory
$Path = $HomeFolders.FullName
$Acl = (Get-Item $Path).GetAccessControl('Access')
$Username = $_.Name
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'FullControl', 'ObjectInherit', 'InheritOnly', 'Allow')
$Acl.SetAccessRule($Ar)
Set-Acl -path $Path -AclObject $Acl
}
Firstly ensure that the share and root folder permissions for redirected folders follow best practice.
I would use the NTFSSecurity PS Module (blog on its use). This module has commands that are much easier to understand as they follow they way your would set permissions via the GUI.
$FolderPath = "E:\mydocuredir"
Get-ChildItem -Path $FolderPath -Directory | ForEach-Object{
Add-NTFSAccess -Path $_.FullName -Account "domain\$($_.Name)" -AccessRights FullControl -AppliesTo ThisFolderSubfoldersAndFiles
}
To set Owner, replace the Add-NTFSAccess command with:
Set-NTFSOwner -Path $_.FullName -Account "domain\$($_.Name)"
I want to export in a csv file the ACL of every subfolder starting from a root folder and then to import them of mirroring folders on another computer.
I'm using this code to export from C:\Users\user\Desktop\a :
Get-ChildItem "C:\Users\user\Desktop\a" -Recurse | ?{ $_.PsIsContainer } | %{
$Path = $_.FullName
# Exclude inherited rights from the report
(Get-Acl $Path).Access | ?{ !$_.IsInherited } | Select-Object `
#{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
InheritanceFlags, PropagationFlags, FileSystemRights
} | Export-CSV "C:\Users\user\Desktop\Permissions.csv"
and this code to import ACL:
$par = Import-Csv -Path "C:\Users\user\Desktop\Permissions.csv"
foreach ( $i in $par ) {
$path= $i.Path
$IdentityReference= $i.IdentityReference
$AccessControlType=$i.AccessControlType
$InheritanceFlags= $i.InheritanceFlags
$PropagationFlags=$i.PropagationFlags
$FileSystemRights=$i.FileSystemRights
echo $path $IdentityReference
$acl = Get-Acl C:\Users\user\Desktop
$permission = $i.IdentityReference,$i.FileSystemRights,$i.AccessControlType
$accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
$acl | Set-Acl $path
}
Permissions.csv is something like this:
#TYPE Selected.System.Security.AccessControl.FileSystemAccessRule
"Path","IdentityReference","AccessControlType","InheritanceFlags","PropagationFlags","FileSystemRights"
"C:\Users\user\Desktop\a\b","DITOADMIN\pluto","Allow","None","None","ReadAndExecute, Synchronize"
"C:\Users\user\Desktop\a\b\c","DITOADMIN\pluto","Allow","ContainerInherit, ObjectInherit","None","ReadAndExecute, Synchronize"
"C:\Users\user\Desktop\a\b\c","DITOADMIN\admin","Allow","None","None","FullControl"
"C:\Users\user\Desktop\a\b\c","DITOADMIN\pippo","Allow","ContainerInherit, ObjectInherit","None","ReadAndExecute, Synchronize"
unfortunately, import action doesn't work since only last permission is imported (so only for pippo user and not for pluto).
anybody knows why?
I've fixed it.
the problem was the line, the path I use here was wrong (should be the path from the CSV import)
$acl = Get-Acl C:\Users\user\Desktop
$permission = $i.IdentityReference,$i.FileSystemRights,$i.AccessControlType
I've changed with
$acl = Get-Acl $path
$permission = $IdentityReference, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType
bye
It's almost perfect. Here you add the permission from the CSV to the folder, but you keep the old permission on it. You dont "reset/copy" the ACL from one folder to the other.
So instead of getting the ACL of the receiving folder:
$acl = Get-Acl $path
Ive create a new one:
$acl = New-Object System.Security.AccessControl.DirectorySecurity
But then, i lose the Owner attribute. So i need a way to export the owner in the CSV with the rights..