Apply folder permissions to folder contents with PowerShell - powershell

I'm applying "Read" permissions to a folder for a certain user. I want them to be able to read notepad files inside.
$Acl = Get-Acl "C:\Test"
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("MyUser","Read","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "C:\Test" $Acl
My code properly applies the read permissions to the folder (I can manually check the "Security" tab to see this), but does not grant access to the files inside. Access is denied when "MyUser" tries to open a notepad file.

You need to use another constructor so you can set InheritanceFlags for containers and leaf objects. Try:
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("MyUser","Read","ContainerInherit,ObjectInherit", "None", "Allow")
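As an added example (not part of the answer above), the same grant wrapped in a function, followed by a check that a file inside the folder really carries an inherited Read ACE for the account; the folder C:\Test, the file note.txt and the account MyUser are placeholders taken from the question:

```powershell
function Grant-ReadWithInheritance {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)
    $acl = Get-Acl -Path $Path
    # ContainerInherit + ObjectInherit: the ACE flows down to subfolders and files;
    # PropagationFlags None: the folder itself gets the right as well
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)   # Add, not Set: keep rights the account already has
    Set-Acl -Path $Path -AclObject $acl
}

function Test-InheritedRead {
    param([Parameter(Mandatory)][string]$FilePath, [Parameter(Mandatory)][string]$Identity)
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    # Look for an inherited Allow ACE on the child file whose rights cover Read
    $hit = (Get-Acl -Path $FilePath).Access | Where-Object {
        $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Value -eq $Identity -or $_.IdentityReference.Value -like "*\$Identity") -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    return [bool]$hit
}

# Constructed test layout (placeholders): a folder with one text file
$root = 'C:\Test'
$file = Join-Path $root 'note.txt'
New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-Content -Path $file -Value 'hello'

Grant-ReadWithInheritance -Path $root -Identity 'MyUser'
Test-InheritedRead -FilePath $file -Identity 'MyUser'
```

If the check returns False, the ACE was written without inheritance flags (the 3-argument constructor) and applies to the folder object only.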

Related

Adding an AD Group to a large Public drive via Powershell

We have a large file share that houses about 1 TB of data.
The following location has about 600 folders beneath it.
F:\Data
The task is to assign a specific AD group read permissions to every folder inside of the data folder; the subfolders do not matter.
I am trying to see if the script below would be the best approach.
My concern is that this is a file server and I don't want to break anything or mess up any rights. I'm also not too sure whether, if a file is open while the script is running, it would cause an error.
I have tried running this script in a test environment and it worked great, but there is no error log where, even if it stopped somewhere, I would be able to check.
I could be overthinking it, but just wanted to see if anyone has experienced anything like this?
$StartingPath = "PATH"
$Right = "Read"
$Principal = "Domain\ADGroup"
# 3-argument constructor: no inheritance flags, so the rule applies to each folder object only
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal,$Right,"Allow")
foreach ($Folder in $(Get-ChildItem -Directory $StartingPath -Recurse)) {
    $Acl = Get-Acl $Folder.FullName
    $Acl.SetAccessRule($Rule)   # replaces any existing Allow ACEs for the principal on this folder
    Set-Acl $Folder.FullName $Acl
}
You need to experiment with Inheritance and Propagation (use your test environment for that) and use the overloaded method with 5 parameters to create your new access rule for that.
That way, you only add the new rule to the main data share folder and do not have to iterate all subfolders.
# FileSystemRights: https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemrights
# Inheritance flags: https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.inheritanceflags
# Propagation flags: https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.propagationflags
$Principal = "TheADGroupWithReadPermissions"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, "Read", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl = Get-Acl "F:\Data"
$acl.SetAccessRule($accessRule)
Set-Acl -Path "F:\Data" -ACLObject $acl
Difference between AddAccessRule() and SetAccessRule():
AddAccessRule: This method will add this access rule to the ACL. If a user or group has Modify permission and we use AddAccessRule() to create a new rule with Read permission, the user or group will still also have Modify permissions.
SetAccessRule: This method removes any existing access and replaces that access with the specified rule. If a user or group has Modify permission and a new rule is created using SetAccessRule() specifying Read permission, that user or group will now only have Read permission.
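The AddAccessRule/SetAccessRule difference, shown on a scratch folder as an added example (not the answer's code): it grants Modify, then Read, first with AddAccessRule and then with SetAccessRule, and lists the explicit ACEs after each step. It uses the current user's own SID so no real share or AD group is touched.

```powershell
function Get-ExplicitRights {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    # Explicit (non-inherited) Allow ACEs for the SID, as "Rights [InheritanceFlags]" strings.
    # Matching on SID rather than on the account name keeps this locale-independent
    # (BUILTIN vs VORDEFINIERT, as in the German output elsewhere on this page).
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid } |
        ForEach-Object { "$($_.FileSystemRights) [$($_.InheritanceFlags)]" }
}

function Grant-Right {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid, [string]$Rights, [switch]$Replace)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Sid, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    if ($Replace) { $acl.SetAccessRule($rule) } else { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# Constructed sandbox: a scratch folder under %TEMP% and the current user's SID
$root = Join-Path $env:TEMP 'AclDemo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

Grant-Right -Path $root -Sid $me -Rights 'Modify'
Grant-Right -Path $root -Sid $me -Rights 'Read'            # AddAccessRule merges into the existing ACE: Modify stays
Get-ExplicitRights -Path $root -Sid $me
Grant-Right -Path $root -Sid $me -Rights 'Read' -Replace   # SetAccessRule drops the Modify ACE: only Read is left
Get-ExplicitRights -Path $root -Sid $me
```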

Check in powershell permission string is valid

I try to implement a script which changes folder structure permission depending on some conditions. So far I set permissions with
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$($group.Name)", "$($group.Value.rights)", "ContainerInherit, ObjectInherit", "None", "$($group.Value.type)")
$aclFolder.AddAccessRule($accessRule)
Set-Acl $folder $aclFolder
So far it works. But the script currently assumes that a permission does exist. If it does not, the AddAccessRule command throws an error.
Is there any way to recognize whether a permission exists?
Use Get-Acl $folder to read the current ACL and to verify if there are any permissions applied already.
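As an added example (not from the answer above), three checks run before each rule from a table in the question's shape is added: whether the rights string is a valid FileSystemRights name list, whether the account name resolves to a SID (an unresolvable name is what makes AddAccessRule throw), and whether an explicit ACE already covering those rights is present in the Get-Acl result. The $groups table and the folder are constructed placeholders.

```powershell
function Test-RightsString {
    param([Parameter(Mandatory)][string]$Rights)
    # Every comma-separated part must be a FileSystemRights member name (case-insensitive)
    $valid = [System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights])
    $parts = @($Rights -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($parts.Count -eq 0) { return $false }
    foreach ($p in $parts) { if ($valid -notcontains $p) { return $false } }
    return $true
}

function Test-IdentityResolves {
    param([Parameter(Mandatory)][string]$Identity)
    # AddAccessRule translates the account to a SID; an unknown name throws there
    try { $null = ([System.Security.Principal.NTAccount]$Identity).Translate([System.Security.Principal.SecurityIdentifier]); $true }
    catch { $false }
}

function Test-AccessRuleExists {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl, [string]$Identity, [string]$Rights, [string]$Type)
    $wanted = [System.Security.AccessControl.FileSystemRights]$Rights
    foreach ($ace in $Acl.Access) {
        if ($ace.IsInherited -or $ace.AccessControlType -ne $Type) { continue }   # explicit ACEs of this type only
        $who = $ace.IdentityReference.Value
        if ($who -ne $Identity -and $who -notlike "*\$Identity") { continue }
        if (($ace.FileSystemRights -band $wanted) -eq $wanted) { return $true }    # requested rights already covered
    }
    return $false
}

# Constructed rule table in the question's layout: name -> @{ rights; type }
$groups = @{
    'BUILTIN\Users'  = @{ rights = 'ReadAndExecute'; type = 'Allow' }
    'DOMAIN\BadTypo' = @{ rights = 'Reed';           type = 'Allow' }   # invalid rights string, gets skipped
}
$folder = Join-Path $env:TEMP 'AclCheckDemo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

$aclFolder = Get-Acl $folder
foreach ($group in $groups.GetEnumerator()) {
    $r = $group.Value
    if (-not (Test-RightsString $r.rights))       { Write-Warning "$($group.Name): invalid rights '$($r.rights)'"; continue }
    if (-not (Test-IdentityResolves $group.Name)) { Write-Warning "$($group.Name): account not found"; continue }
    if (Test-AccessRuleExists $aclFolder $group.Name $r.rights $r.type) { continue }   # nothing to do
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($group.Name, $r.rights, 'ContainerInherit, ObjectInherit', 'None', $r.type)
    $aclFolder.AddAccessRule($accessRule)
}
Set-Acl $folder $aclFolder
```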

Applying ACL Permissions using PowerShell Set-Acl

New-Item -Type Directory -Path "C:\MyFolder"
$Acl = Get-Acl "C:\MyFolder"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("username", "FullControl", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl -Path "C:\MyFolder" -AclObject $Acl
Hi, when I got the above code and applied it using my own settings, the user account entries are added for the folder but no permissions are applied (none ticked).
Can anyone help with why this might be?
Thanks
Your comment describes the following behaviour:
Your PowerShell script succeeds, but if you check the permissions with Explorer's properties dialog, you will see the following:
This is pretty confusing as a PowerShell query will confirm:
PS> Get-Acl .|fl
Path : Microsoft.PowerShell.Core\FileSystem::D:\temp\myfolder
Owner : clijsters\clijsters
Group : clijsters\Kein
Access : clijsters\NEWUSER Allow FullControl
VORDEFINIERT\Administratoren Allow FullControl
VORDEFINIERT\Administratoren Allow 268435456
NT-AUTORITÄT\SYSTEM Allow FullControl
[...]
Your ACL changed. If you scroll down the list of your checkboxes you will notice that "Special permissions" is checked, and if you click on "Advanced" you will notice that your permissions are set.
EDIT:
As mentioned by @AnsgarWiechers, I missed a part describing why the permissions added with New-Object System.Security.AccessControl.FileSystemAccessRule("username", "FullControl", "Allow") are listed as Special permissions.
As described on MSDN, FileSystemAccessRule has 4 constructors, some of which accept InheritanceFlags and PropagationFlags (e.g. this one fits your needs). If you use them and define the inheritance behaviour, the permissions will show up as normal ones.
Today I was trying to compile ILSpy and encountered AL1078: Error signing assembly which is a permissions issue. An amalgamation of answers is shown.
This PowerShell script assigns $CurUsr to the token for the currently logged-in user and $CurTgt as the folder whose permissions are being altered. Change them as required.
Add permission:
$CurTgt = "C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($CurUsr,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $CurTgt
Remove permission:
$CurTgt = "C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$usersid = New-Object System.Security.Principal.Ntaccount ($CurUsr)
$acl.PurgeAccessRules($usersid)
$acl | Set-Acl $CurTgt
References:
Manage ACLs
Inheritance
Current User

PowerShell Set/Get-ACL Special Permissions - This Folder Only setting

I have this script which sets folder permissions:
Get-Acl $IGXYSimFiles
$acl = Get-Acl $IGXYSimFiles
# keep inheritance from the parent enabled
$acl.SetAccessRuleProtection($false,$true)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("RISK\DL-GPA-UKI-Users","CreateFiles", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("RISK\DL-GPA-UKI-Igloo-IGXY-Power-Users","Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl $IGXYSimFiles $acl
I need to add special permissions for the DL-GPA-UKI-Users group so that they can create subfolders in the $IGXYSimFiles folder but not files. They need to be able to create files in the subfolders which they've been allowed to create, but not any further subfolders.
I have achieved this by setting special permissions "Create Folder / Append Data" for "This Folder Only" and "Create Files / Write Data" for "Subfolders and Files Only". This is working great, but now comes the time where I need to edit my script to do this.
So I thought I would get-acl on the folder where I have manually set these permissions, this isn't returning the desired result:
AccessToString :
RISK\DL-GPA-UKI-Igloo-IGXY-Power-Users Allow Modify,Synchronize
RISK\DL-GPA-UKI-Users Allow AppendData, Synchronize
RISK\DL-GPA-UKI-Users Allow CreateFiles, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
RISK\Domain Admins Allow FullControl
RISK\DL-GPA-UKI-Readonly Allow ReadAndExecute, Synchronize
RISK\svcGIECSSPrd_EA Allow FullControl
RISK\DL-GPA-UKI-Users Allow ReadAndExecute, Synchronize
RISK\DL-GPA-AIMSSOPS Allow FullControl
As you can see it's not displaying the "This Folder Only" or "Subfolders and files only" setting...
Is this possible with PowerShell?
Many thanks in advance
Chris
Absolutely. The default output for Get-Acl doesn't include the inheritance information, but it's there. Try this to get a friendlier output:
Get-ACL $IGXYSimFiles | % { $_.Access }
As for setting the ACL as desired, your script should do it, though you have one error in your rule. For "Create Files / Write Data" to be applied to "Subfolders and Files Only", you'll want to set the PropagationFlags to InheritOnly rather than None.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("RISK\DL-GPA-UKI-Users","CreateFiles", "ContainerInherit, ObjectInherit", "InheritOnly", "Allow")
And this will set "Create Folder / Append Data" on this folder only:
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("RISK\DL-GPA-UKI-Users","AppendData", "None", "None", "Allow")
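Added example (not from the answer above): a helper that decodes an ACE's InheritanceFlags and PropagationFlags into the "Applies to" wording of the Advanced Security dialog, so the "This folder only" / "Subfolders and files only" information hidden in the default Get-Acl output becomes visible. It is run against the two rules from the answer without touching any folder; Show-FolderAces is an assumed helper name for listing a real folder.

```powershell
function Get-AppliesTo {
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule]$Ace)
    # CI/OI say what inherits the ACE; InheritOnly removes the folder itself from its scope;
    # NoPropagateInherit stops the ACE one level down
    $ci = $Ace.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $oi = $Ace.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $io = $Ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
    $np = $Ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::NoPropagateInherit)
    $label = switch ('{0}{1}{2}' -f [int]$ci, [int]$oi, [int]$io) {
        '000' { 'This folder only' }
        '110' { 'This folder, subfolders and files' }
        '100' { 'This folder and subfolders' }
        '010' { 'This folder and files' }
        '111' { 'Subfolders and files only' }
        '101' { 'Subfolders only' }
        '011' { 'Files only' }
        default { 'Nothing (InheritOnly without any inheritance flag)' }
    }
    if ($np) { $label += ' (one level only)' }
    return $label
}

function Show-FolderAces {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            AppliesTo = Get-AppliesTo $_
            Inherited = $_.IsInherited
        }
    }
}

# The two rules from the answer, decoded without applying them anywhere
$t = 'System.Security.AccessControl.FileSystemAccessRule'
$thisFolderOnly = New-Object $t ('RISK\DL-GPA-UKI-Users', 'AppendData', 'None', 'None', 'Allow')
$subAndFiles    = New-Object $t ('RISK\DL-GPA-UKI-Users', 'CreateFiles', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')
Get-AppliesTo $thisFolderOnly
Get-AppliesTo $subAndFiles
# For a real folder: Show-FolderAces $IGXYSimFiles | Format-Table -AutoSize
```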

Using PowerShell to grant security rights to multiple folders.

We have an in-house application that creates a folder, with 8 sub-folders, whenever a new project is started (keeping the same file structure in every folder). Our fileserver sets the security to the top level folder, breaking any specific sub-folder rights.
I'm looking at using a System.IO.FileSystemWatcher to automate the PowerShell once the folders have been created.
The PowerShell I'm looking at using is:
New-Item "F:\Engineering Projects\TPS\Documents\" -Type Directory
Get-Acl "F:\Engineering Projects\TPS\Documents\" | Format-List
$acl = Get-Acl "F:\Engineering Projects\TPS\Documents\"
# Block inherited ACEs from the parent; $False discards them instead of copying them as explicit ACEs
$acl.SetAccessRuleProtection($True, $False)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl "F:\Engineering Projects\TPS\Documents\" $acl
Get-Acl "F:\Engineering Projects\TPS\Documents\" | Format-List
I'm not very experienced with PowerShell, Exchange being the main area where I've used it. Obviously that script is more of a generic starting point for me; my question is, would I run this script multiple times (once for each folder requiring specific permissions), or can I incorporate multiple folder permissions within one script?
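As an added example, not from the question or any answer: one script that applies a per-subfolder rule table to a project tree in a single pass, which is what a FileSystemWatcher handler would call. The root path, the subfolder names, the group names and the Set-FolderRules helper are placeholders.

```powershell
$ProjectRoot = 'F:\Engineering Projects\TPS'   # placeholder project folder

# Rules every subfolder gets, plus the subfolder-specific ones (placeholder groups)
$CommonRules = @( @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' } )
$FolderRules = @{
    'Documents' = @( @{ Identity = 'BUILTIN\Users';    Rights = 'Read' } )
    'Drawings'  = @( @{ Identity = 'DOMAIN\Drafting';  Rights = 'Modify' },
                     @{ Identity = 'BUILTIN\Users';    Rights = 'ReadAndExecute' } )
    'Finance'   = @( @{ Identity = 'DOMAIN\Finance';   Rights = 'Modify' } )
}

function Set-FolderRules {
    param([string]$Path, [object[]]$Rules, [switch]$KeepInherited)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path
    # Stop the parent's ACL from flowing in, so the file server resetting the top-level
    # folder no longer overwrites this one; -KeepInherited copies the current inherited
    # ACEs as explicit ones instead of dropping them
    $acl.SetAccessRuleProtection($true, [bool]$KeepInherited)
    foreach ($r in $Rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($r.Identity, $r.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        # SetAccessRule keeps the script idempotent: a re-run (e.g. from the watcher
        # firing twice) replaces the identity's Allow ACEs rather than stacking them
        $acl.SetAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# One pass over the whole table
foreach ($name in $FolderRules.Keys) {
    $path = Join-Path $ProjectRoot $name
    Set-FolderRules -Path $path -Rules ($CommonRules + $FolderRules[$name]) -KeepInherited
}
```

Drop -KeepInherited to reproduce the question's SetAccessRuleProtection($True, $False) behaviour, where only the listed rules remain on each subfolder.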