Set folder permissions for HomeGroup - powershell

I found the following which seems to work for what it is, but I need 2 things changed, and can't figure it out.
$acl = Get-Acl D:\New
$permission = "Everyone","Read","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
$acl | Set-Acl D:\New
I need to be able to give "HomeGroup" permission, not "Everyone".
I need this to recurse all folders.


When in doubt, read the documentation. You need to change the identity from "Everyone" to "$env:COMPUTERNAME\HomeGroup" and set the appropriate inheritance and propagation flags.
$identity = "$env:COMPUTERNAME\HomeGroup"
$accessRight = 'Read'
$inheritance = 'ContainerInherit, ObjectInherit'
$propagation = 'None'
$type = 'Allow'
$accessRule = New-Object Security.AccessControl.FileSystemAccessRule (
$identity, $accessRight, $inheritance, $propagation, $type
)

Related

Setting file permissions on a large amount of files using PowerShell

I have two files, one with a list of the security groups and one with the corresponding folder path. All I need to do is loop through these files and apply the correct security group recursive RW access to the correct folder.
So security group on line 1 would apply to the folder on line 1.
Powershell script:
foreach ($group in gc c:\temp\securitygroups.txt) {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule ($group, 'Modify','ContainerInherit,ObjectInherit', 'None', 'Allow')
foreach ($folder in gc c:\temp\folders.txt) {
$acl = Get-Acl $folder
$acl.SetAccessRule($rule)
Set-Acl $folder $acl
}
}
securitygroups.txt:
securitygroup1
securitygroup2
securitygroup3
securitygroup4
securitygroup5
securitygroup6
securitygroup7
securitygroup8
securitygroup9
securitygroup10
folders.txt:
D:\shares\projects\project1
D:\shares\projects\project2
D:\shares\projects\project3
D:\shares\projects\project4
D:\shares\projects\project5
D:\shares\projects\project6
D:\shares\projects\project7
D:\shares\projects\project8
D:\shares\projects\project9
D:\shares\projects\project10
At the moment every security group in securitygroups.txt is being added to each folder in the list, this is not what I want, I want securitygroup1 adding to project1, securitygroup2 adding to project2 etc.

Read both files into variables, then use a for loop to iterate over both arrays at the same time:
$groups = Get-Content 'c:\temp\securitygroups.txt'
$folders = Get-Content 'c:\temp\folders.txt'
for ($i=0; $i -lt $folders.Count; $i++) {
$rule = New-Object Security.AccessControl.FileSystemAccessRule ($groups[$i], 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl $folders[$i]
$acl.SetAccessRule($rule)
Set-Acl $folders[$i] $acl
}

Powershell - How to Give Full Access a List of Local User for Folders

I have a CSV file that containts a Folder Name (first 6 characters) and a User Name (rest of characters).
I have to give Full Control Access to each User in His Folder. So I wrote the:
$Doc = import-csv "C:\Temp\ListOfUsers.csv"
foreach ($x in $Doc)
{
$x = ""+ $x
$CPayID = $x.SubString(10,6)
$UserName = $x.SubString(17, $x.Length-18)
$UserPath = "C:\XPAY_FTP_CUST\"+$CPayID
$Acl = Get-Acl $UserPath
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$Username","FullControl","ContainerInherit, ObjectInherit","None","Allow")
$Acl.SetAccessRule($Rule)
Set-Acl $UserPath $Acl
}
But I received the following Error for Each User:
Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
The Users exist and are locals, I am local administrator, and when I ask for echo the $Username, the $UserPath, and the $Acl I receive correct data.
Please, I need any help.

You might have to specify the username as DOMAIN\user. In case of local users, DOMAIN will be the computer name:
$UserReference = New-Object System.Security.Principal.NTAccount $env:ComputerName,$Username
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($UserReference,"FullControl","ContainerInherit, ObjectInherit","None","Allow")

Mathias is much, much smarter than I am at this, but I noticed this in your code:
($UserReference,"FullControl","ContainerInherit, ObjectInherit","None","Allow")
Should "ContainerInherit, ObjectInherit" instead be "ContainerInherit", "ObjectInherit"?

Trouble with assigning folder permissions with powershell

I would like this powershell script to create a new directory, and add/assign permissions with a group.
The group is adding, but the permissions are not showing under Properties on the Security tab. If going to Advances security the permissions do show there.
Also, the parent folder permissions are not being removed from the new child folder as desired.
$groups = "DOMAIN\GROUP"
$Perm = "MODIFY"
$Permission = [System.Security.AccessControl.FileSystemRights] $Perm
$AllInherit = [System.Security.AccessControl.InheritanceFlags] "None"
$AllPropagation = [System.Security.AccessControl.PropagationFlags] "InheritOnly"
$path = "c:\temp\test"
new-item -path $path -itemtype directory -force
$group = $groups
$GetACL = Get-Acl $Path
$Access = New-Object System.Security.Principal.NTAccount ($group)
$AccessRule = New-Object system.security.AccessControl.FileSystemAccessRule($Access, $perm, $AllInherit, $Allpropagation, "Allow")
$GetACL.SetAccessRule($AccessRule)
SET-ACL -PATH $path $getacl

Here's a function I wrote for a similar purpose:
function Add-AclEntry {
# Adds a new entry to the specified file system object ACL. For
# folders the new permissions are applied recursively.
# Returns: null.
param(
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[String]$sPath,
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]
# Access group (full notation).
[String]$sGroup,
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]
# List of access rights, comma separated.
[String]$sRights,
[Parameter(Mandatory=$false)]
[ValidateSet("Allow", "Deny")]
[String]$sType = "Allow"
)
$cRights = [System.Security.AccessControl.FileSystemRights]$sRights
$oType = [System.Security.AccessControl.AccessControlType]::$sType
$oGroup = New-Object -TypeName System.Security.Principal.NTAccount($sGroup)
# Inheritance flags: full inheritance.
if ((Get-Item $sPath).PSIsContainer) {
$oInheritanceFlags = (`
[System.Security.AccessControl.InheritanceFlags]::ObjectInherit `
-bor [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
} else {
$oInheritanceFlags = `
[System.Security.AccessControl.InheritanceFlags]::None
}
$oPropagationFlags = [System.Security.AccessControl.PropagationFlags]::None
# Creating access control entry and adding it to the ACL.
$oAce = New-Object `
-TypeName System.Security.AccessControl.FileSystemAccessRule `
($oGroup, $cRights, $oInheritanceFlags, $oPropagationFlags, $oType)
$oAcl = Get-Acl -Path $sPath
$oAcl.AddAccessRule($oAce)
Set-Acl -Path $sPath -AclObject $oAcl
return $null
}
Example usage (adding Modify permissions for Authenticated Users group):
$sGroup = "NT AUTHORITY\Authenticated Users"
$sRights = "Delete, Read, Traverse, Write"
Add-AclEntry -sPath $sFolder -sGroup $sGroup -sRights $sRights
Hope that helps.

PowerShell Setting advanced NTFS permissions

I'm trying to apply NTFS permissions that are defined in the 'Advanced' tab of the Windows security settings. One ACL $Rule is for This folder only and another one is for the Subfolders and files only.
The permissions are heavily modified as you can see below:
(Get-Acl 'L:\Test\Beez\RAPJOUR\Appels List\Correct').Access
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None
FileSystemRights : CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : Domain\Dirk
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : DeleteSubdirectoriesAndFiles, Modify, Synchronize
AccessControlType : Allow
IdentityReference : Domain\Dirk
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
Everything is on except for : Full control, Write attributes, Write extended attributes, Delete, Change permissions and Take ownership.
Everything is on except for : Full control, Change permissions and Take ownership.
This is a piece of the code I use to apply permissions. In this case it has to be defined in the part Change:
$f = 'L:\Test\Beez\RAPJOUR\Appels List\Wrong'
$ADobject = 'Domain\User'
$acl = Get-Acl $f
$Grant = 'Change'
# Remove user/group first
$rule = New-Object system.security.AccessControl.FileSystemAccessRule("$ADobject","Read",,,"Allow")
$acl.RemoveAccessRuleAll($rule)
# Add read permissions
if ($Grant -eq 'ReadAndExecute') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Allow")
}
if ($Grant -eq 'Change') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "Modify", "ContainerInherit, ObjectInherit", "Synchronize", "Allow DeleteSubdirectoriesAndFiles")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "AppendData", "ContainerInherit, ObjectInherit", "ReadAndExecute","Synchronize", "Allow CreateFiles","DeleteSubdirectoriesAndFiles")
}
if ($Grant -eq 'Modify') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
}
if ($Grant -eq 'FullControl') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
}
if ($Grant -eq 'ListFolderContents') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "ReadAndExecute", "ContainerInherit", "None", "Allow")
}
$acl.AddAccessRule($rule)
Set-Acl $f $acl
I can't seem to get the syntax right.. Thank you for your help.
Thanks to this post I've already found the part for:
'Subfolders and files only': "ContainerInherit, ObjectInherit", "InheritOnly"
'This folder only': "None", "InheritOnly"

Object access permissions in Windows are controlled via Access Control Lists (ACL), which basically consist of a list of Access Control Entries (ACE). Each ACE is a set of attributes that controls whether access is granted or denied, who the ACE applies to, if the ACE was inherited from a parent object, and whether it should be inherited by child objects.
If you take a look at the documentation of the FileSystemAccessRule class, you'll see that the "full" constructor takes 5 parameters:
IdentityReference/String: An object or string that identifies the trustee (user, group, computer, ...) to whom the ACE applies.
FileSystemRights: The actual permissions to be granted or denied.
InheritanceFlags: Flags to control which object types inherit permissions from this object (containers, leaf objects, or none).
PropagationFlags: Flags to control propagation of permissions. The flag InheritOnly exempts the current object from receiving the ACE. The flag NoPropagateInherit restricts inheritance to immediate child objects.
AccessControlType: The type of the ACE (allow or deny).
Now, if you want to assign multiple access rights to a given trustee, you can either do that with individual ACEs:
$acl = Get-Acl $path
$ace1 = New-Object Security.AccessControl.FileSystemAccessRule 'DOMAIN\user',
'ListDirectory', 'ContainerInherit, ObjectInherit', 'InheritOnly',
'Allow'
$acl.AddAccessRule($ace1)
$ace2 = New-Object Security.AccessControl.FileSystemAccessRule 'DOMAIN\user',
'ReadAttributes', 'ContainerInherit, ObjectInherit', 'InheritOnly',
'Allow'
$acl.AddAccessRule($ace2)
...
Or by providing the permissions as a comma-separated string:
$acl = Get-Acl $path
$ace = New-Object Security.AccessControl.FileSystemAccessRule 'DOMAIN\user',
'ListDirectory, ReadAttributes, ...', 'ContainerInherit, ObjectInherit',
'InheritOnly', 'Allow'
$acl.AddAccessRule($ace)
Note, however, that you cannot grant and deny permissions with the same ACE. If you want to deny specific access rights you need to do it with a separate ACE:
$acl = Get-Acl $path
$ace1 = New-Object Security.AccessControl.FileSystemAccessRule 'DOMAIN\user',
'Modify', 'ContainerInherit, ObjectInherit', 'InheritOnly',
'Allow'
$acl.AddAccessRule($ace1)
$ace2 = New-Object Security.AccessControl.FileSystemAccessRule 'DOMAIN\user',
'CreateDirectories', 'ContainerInherit, ObjectInherit', 'InheritOnly',
'Deny'
$acl.AddAccessRule($ace2)
...
Note also, that explicit permissions take precedence over inherited permissions, and Deny takes precedence over Allow.

You know how it goes when you're fighting world problems. The moment you post the question, you find the answer 5 minutes later...
Thanks to the answer of Frode F. on another question, I found the solution to my own problem. I had to copy the output of the line FileSystemRights in $Correct.Access and paste it in an Array as you can see below:
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", #("CreateFiles", "AppendData", "DeleteSubdirectoriesAndFiles"," ReadAndExecute", "Synchronize"), "None", "InheritOnly", "Allow") # This folder only
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", #("DeleteSubdirectoriesAndFiles", "Modify", "Synchronize"), "ContainerInherit, ObjectInherit", "InheritOnly", "Allow") # Subfolders and files only

Added permission not inherited to sub folders/files

Im trying to add modify right to bob user from domain, but it is giving only permission and no rights at all and even not inheriting to subfolder to path D:\test, from the script as below:
$Right = [System.Security.AccessControl.FileSystemRights]"Modify"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("domain\bob")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $Right, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-ACL "D:\Test"
$objACL.AddAccessRule($objACE)
Set-ACL "D:\Test" -aclobject $objACL
Where is my mistake ?

Not sure what you mean by "only permission and no rights at all", but the following line is what prevents your ACL from being inherited:
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
Change that line to
$InheritanceFlag = ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit, [System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
and the ACL should be inherited by the child objects.