How to set NTFS permissions to specific folders in a folder structure? - powershell

I am looking for a way, where I run a script using PowerShell, that goes through a folder structure and sets certain NTFS permissions only to a folder with the name "Submissions", so if there is any folder called "Submissions" within the folder structure, it will set it to the NTFS permissions that I specified.
Any info will help me to start this!
http://s22.postimg.org/r769bcr01/Capture.png
Let's say I have this many folders, and in each folder, the structure is the same:
http://s15.postimg.org/pqh8leph7/sasa.png
So I need to aim at 04_architecture for example, and apply certain NTFS permissions, using PowerShell.

Maybe this is a starting point:
# find all Submissions directories
$submissions = Get-ChildItem -Path "YOUR START PATH e.g. c:\test" -Recurse -Filter "Submissions" -Directory
foreach($submission in $submissions)
{
    # get the current submission directory acl
    $acl = Get-ACL $submission.FullName
    # create a new access rule. Example:
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule('Administrators','FullControl','ContainerInherit, ObjectInherit', 'None', 'Allow')
    # add the new rule to the acl and write it back to the directory
    $acl.AddAccessRule($accessRule)
    Set-Acl $submission.FullName $acl
}
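A fuller version of the same idea, added here as an example and not part of the original answer: it resolves the principal before touching anything, skips folders that already carry the entry, supports -WhatIf for a dry run and logs every folder it changes or fails on. The function name, the parameter names, the principal 'DOMAIN\Submissions-RW' and the log path are assumptions.

```powershell
function Set-SubmissionsAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $StartPath,   # e.g. 'C:\test'
        [Parameter(Mandatory = $true)] [string] $Principal,   # e.g. 'DOMAIN\Submissions-RW' (placeholder)
        [string] $Rights     = 'Modify',                      # any FileSystemRights name(s)
        [string] $FolderName = 'Submissions',
        [string] $LogPath    = (Join-Path $env:TEMP 'Set-SubmissionsAcl.log')   # assumed location
    )

    function Write-Log([string] $Message) {
        $line = '{0:s} {1}' -f (Get-Date), $Message
        Add-Content -Path $LogPath -Value $line
        Write-Host $line
    }

    # Resolve the principal once; a typo would otherwise fail on every folder.
    try {
        $null = (New-Object System.Security.Principal.NTAccount($Principal)).Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch { throw "Cannot resolve principal '$Principal': $($_.Exception.Message)" }

    # One rule, built once: ContainerInherit + ObjectInherit so subfolders and files inherit it.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Principal, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    )

    # -Filter is a wildcard match, so re-check the name for an exact match.
    $targets = Get-ChildItem -Path $StartPath -Recurse -Directory -Filter $FolderName -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $FolderName }

    foreach ($dir in $targets) {
        try {
            $acl = Get-Acl -Path $dir.FullName
            # Idempotence: skip folders that already carry an identical explicit entry.
            $present = $acl.Access | Where-Object {
                -not $_.IsInherited -and
                $_.IdentityReference.Value -eq $rule.IdentityReference.Value -and
                $_.FileSystemRights -eq $rule.FileSystemRights -and
                $_.AccessControlType -eq $rule.AccessControlType -and
                $_.InheritanceFlags -eq $rule.InheritanceFlags
            }
            if ($present) { Write-Log "SKIP  $($dir.FullName) (rule already present)"; continue }

            $acl.AddAccessRule($rule)
            if ($PSCmdlet.ShouldProcess($dir.FullName, "Grant $Rights to $Principal")) {
                Set-Acl -Path $dir.FullName -AclObject $acl
                Write-Log "OK    $($dir.FullName)"
            }
        }
        catch {
            # Log and keep going: one access-denied folder should not abort the whole run.
            Write-Log "ERROR $($dir.FullName): $($_.Exception.Message)"
        }
    }
}

# Dry run first (-WhatIf lists the folders without touching them), then the real run.
# Set-SubmissionsAcl -StartPath 'C:\test' -Principal 'DOMAIN\Submissions-RW' -WhatIf
# Set-SubmissionsAcl -StartPath 'C:\test' -Principal 'DOMAIN\Submissions-RW'
```

AddAccessRule is used rather than SetAccessRule so that anything the principal already holds on a Submissions folder is kept; the log file is the record you want if the run stops halfway through a large tree.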

Related

Adding an AD Group to a large Public drive via Powershell

We have a large file share that houses about 1 TB of data.
The following location has about 600 folders beneath it.
F:\Data
The task is to assign a specific AD group read permissions to every folder inside of the data folder, the subfolders do not matter.
I am trying to see if the script below would be the best approach?
My concern is that this is a file server and I don't want to break anything or mess up any rights; I'm also not sure whether, if a file is open while the script is running, it would cause an error.
I have tried running this script in a test environment and it worked great, but there is no error log, so even if it stopped somewhere I would have no way to check.
I could be overthinking it, but just wanted to see if anyone has experienced anything like this?
$StartingPath = "PATH"
$Right = "Read"
$Principal = "Domain\ADGroup"
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal,$Right,"Allow")
foreach ($Folder in $(Get-ChildItem -Directory $StartingPath -Recurse)) {
    $Acl = Get-Acl $Folder.FullName
    $Acl.SetAccessRule($Rule)
    Set-Acl $Folder.FullName $Acl
}
You need to experiment with Inheritance and Propagation (use your test environment for that) and use the overloaded method with 5 parameters to create your new accessrule for that.
That way, you only add the new rule to the main data share folder and do not have to iterate all subfolders.
# FileSystemRights: https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemrights
# Inheritance flags: https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.inheritanceflags
# Propagation flags: https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.propagationflags
$Principal = "TheADGroupWithReadPermissions"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, "Read", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl = Get-Acl "F:\Data"
$acl.SetAccessRule($accessRule)
Set-Acl -Path "F:\Data" -ACLObject $acl
Difference between AddAccessRule() and SetAccessRule():
AddAccessRule: This method will add this access rule to the ACL. If a user or group has Modify permission and we use AddAccessRule() to create a new rule with Read permission, the user or group will still also have Modify permissions.
SetAccessRule: This method removes any existing access and replaces that access with the specified rule. If a user or group has Modify permission and a new rule is created using SetAccessRule() specifying Read permission, that user or group will now only have Read permission.
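The AddAccessRule/SetAccessRule difference is easy to see on an ACL object in memory before anything is written to disk. The following is an added example, not code from the answer: it reads the ACL of a scratch folder twice, gives both copies an explicit Modify entry, then applies a Read rule with each method and reports the explicit entries that remain. Nothing is passed to Set-Acl, so it is safe to run anywhere; the scratch path and the principal 'BUILTIN\Users' are assumptions.

```powershell
function Compare-AddVsSet {
    param([string] $Principal = 'BUILTIN\Users')   # assumed principal; any resolvable account works

    # Scratch folder so Get-Acl has something real to read; it is removed at the end.
    $tmp = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid())
    $null = New-Item -Path $tmp -ItemType Directory
    try {
        $flags  = 'ContainerInherit,ObjectInherit'
        $modify = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Modify', $flags, 'None', 'Allow')
        $read   = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read',   $flags, 'None', 'Allow')

        # Two independent copies of the same starting ACL, each given an explicit Modify entry.
        $aclAdd = Get-Acl -Path $tmp; $aclAdd.AddAccessRule($modify)
        $aclSet = Get-Acl -Path $tmp; $aclSet.AddAccessRule($modify)

        $aclAdd.AddAccessRule($read)   # merges Read into the existing entry: Modify stays effective
        $aclSet.SetAccessRule($read)   # replaces every existing Allow entry for $Principal with Read

        # Report the explicit (non-inherited) entries for the principal from each object.
        foreach ($case in @(
                @{ Method = 'AddAccessRule(Read)'; Acl = $aclAdd },
                @{ Method = 'SetAccessRule(Read)'; Acl = $aclSet })) {
            $case.Acl.Access |
                Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Principal } |
                ForEach-Object {
                    [pscustomobject]@{ Method = $case.Method; Identity = $_.IdentityReference; Rights = $_.FileSystemRights }
                }
        }
    }
    finally { Remove-Item -Path $tmp -Recurse -Force }
}

Compare-AddVsSet
```

The AddAccessRule copy still lists Modify for the principal, the SetAccessRule copy lists only Read, which is the behaviour described above. Run the comparison on a copy of a real folder's ACL (Get-Acl only) before deciding which method a bulk script should use.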

powershell add user permission to a folder in windows server

So I've got the following path: C:\folder1\folder2\fileName. Looking in the security tab on the C:\folder1 there is Alice username with full permissions. But going to the C:\folder1\folder2\fileName Alice isn't there yet. How can I insert with PowerShell v2 Alice member recursively in C:\folder1 so that all the files under root C:\folder1 will also have the same Alice username set with full permissions.
I've tried:
$acl = Get-Acl C:\folder1
$permission = "domain\Alice","FullControl","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
$acl | Set-Acl C:\folder1
But it doesn't seem to apply for the C:\folder1\folder1\fileName. Guess I'm trying to apply permissions for Alice, which doesn't exist yet in the last fileName item.
As you can see in the FileSystemAccessRule documentation, the class has a property for inheritance.
You have to add the property to your $permission
$permission = "domain\Alice",
"FullControl",
[System.Security.AccessControl.InheritanceFlags]"ContainerInherit",
[system.security.accesscontrol.PropagationFlags]"None",
"Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
You could also recursively add the permissions by getting all child items with the Get-ChildItem cmdlet and piping them to the Set-Acl cmdlet like they have done in an example in the documentation on the Microsoft site here: Set-Acl. Look at "Example 3: Apply a security descriptor to multiple files" or read below (copied from the page):
PS C:\> $NewAcl = Get-Acl File0.txt
PS C:\> Get-ChildItem -Path "C:\temp" -Recurse -Include "*.txt" -Force | Set-Acl -AclObject $NewAcl
These commands apply the security descriptors in the File0.txt file to all text files in the C:\Temp directory and all of its subdirectories.
The first command gets the security descriptor of the File0.txt file in the current directory and uses the assignment operator (=) to store it in the $NewACL variable.
The first command in the pipeline uses the Get-ChildItem cmdlet to get all of the text files in the C:\Temp directory. The Recurse parameter extends the command to all subdirectories of C:\temp. The Include parameter limits the files retrieved to those with the ".txt" file name extension. The Force parameter gets hidden files, which would otherwise be excluded. (You cannot use "c:\temp\*.txt", because the -Recurse parameter works on directories, not on files.)
The pipeline operator (|) sends the objects representing the retrieved files to the Set-Acl cmdlet, which applies the security descriptor in the AclObject parameter to all of the files in the pipeline.
In practice, it is best to use the Whatif parameter with all Set-Acl commands that can affect more than one item. In this case, the second command in the pipeline would be "Set-Acl -AclObject $NewAcl -WhatIf". This command lists the files that would be affected by the command. After reviewing the result, you can run the command again without the Whatif parameter.
This is an example using ".txt" files but can be modified to apply to directories as well.

Apply folder permissions to folder contents with PowerShell

I'm applying "Read" permissions to a folder for a certain user. I want them to be able to read notepad files inside.
$Acl = Get-Acl "C:\Test"
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("MyUser","Read","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "C:\Test" $Acl
My code properly applies the read permissions to the folder (I can manually check the "Security" tab to see this), but does not grant access to the files inside. Access is denied when "MyUser" tries to open a notepad file.
You need to use another constructor so you can set InheritanceFlags for containers and leaf objects. Try:
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("MyUser","Read","ContainerInherit,ObjectInherit", "None", "Allow")
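Both this question and the previous one come down to which inheritance flags an entry carries. The following is an added example (not code from either answer) that makes the difference observable: it builds a throw-away tree root\folder2\fileName.txt under $env:TEMP, applies a Read rule at the root with the flags you pass, and then reads the ACL of the subfolder and of the file to report whether the entry arrived there as an inherited ACE. The scratch paths and the principal 'BUILTIN\Users' are assumptions.

```powershell
function Test-InheritanceFlags {
    param(
        [Parameter(Mandatory = $true)] [string] $Flags,   # e.g. 'ContainerInherit' or 'ContainerInherit,ObjectInherit'
        [string] $Principal = 'BUILTIN\Users'             # assumed; pick one with no entries on $env:TEMP already
    )

    # Throw-away tree: <root>\folder2\fileName.txt, mirroring the paths in the question.
    $root = Join-Path $env:TEMP ("inherit-demo-" + [guid]::NewGuid())
    $sub  = Join-Path $root 'folder2'
    $file = Join-Path $sub  'fileName.txt'
    $null = New-Item -Path $sub -ItemType Directory -Force
    Set-Content -Path $file -Value 'constructed sample file'

    try {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', $Flags, 'None', 'Allow')
        $acl  = Get-Acl -Path $root
        $acl.AddAccessRule($rule)
        Set-Acl -Path $root -AclObject $acl      # written only to the scratch root

        # An entry that flowed down from $root shows up on a child with IsInherited = $true.
        function Get-InheritedAce([string] $Path) {
            (Get-Acl -Path $Path).Access |
                Where-Object { $_.IsInherited -and $_.IdentityReference.Value -eq $Principal }
        }
        [pscustomobject]@{
            Flags           = $Flags
            SubfolderHasAce = [bool](Get-InheritedAce $sub)
            FileHasAce      = [bool](Get-InheritedAce $file)
        }
    }
    finally { Remove-Item -Path $root -Recurse -Force }
}

Test-InheritanceFlags -Flags 'ContainerInherit'                  # reaches folders only
Test-InheritanceFlags -Flags 'ContainerInherit,ObjectInherit'    # reaches folders and files
```

ContainerInherit alone puts the entry on subfolders; ObjectInherit is what carries it onto files, so a rule meant to let a user open the files under a folder needs both. The same IsInherited check is also a cheap way to audit a real share after a bulk Set-Acl run, using Get-Acl only.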

Create and Map Home Directory for AD Users using PowerShell

I used to create and map the home directory for new AD users in Active Directory Users and Computers GUI with following syntax:
\\FileServer\users\%username%
This trick automatically creates home directory for user in FileServer and automatically grant full control to user on the directory. I was wondering what could be the PowerShell way of doing the same.
I think first of all you should get the User.
$user = get-ADUser -Filter { Name -like "Mike" }
Then create a Folder New-Item, something like:
$sac = $user.SamAccountName
$folder = New-Item \\Server\Filesystem\$sac -Type Directory
And then you have to set the permissions via Set-ACL
# create the new access rule (one statement: do not break the line after New-Object)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("domain\$sac", 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
The security identifier (domain\$sac);
The right (FullControl);
Inheritance settings (ContainerInherit,ObjectInherit) which means to force all folders and files underneath the folder to inherit the permission we're setting here;
Propagation settings (None) which is to not interfere with the inheritance settings;
Type (Allow).
and set-acl
# Set-Acl needs the folder's security descriptor, not the bare rule: read it, add the rule, write it back
$AclOb = Get-Acl -Path $folder.FullName
$AclOb.AddAccessRule($rule)
Set-Acl -Path $folder.FullName -AclObject $AclOb
Greetz Eldo.Ob

Remove Sharepoint permissions with Powershell when folder is created in Sharepoint Library

I have a Sharepoint Library, which I have mapped out to my Z:\ drive.
I have a script, that drops user specific files, in folders that I create with the following chunk of Powershell:
#If the output path doesn't exist, make it quietly.
If(!(Test-Path "z:\$strOwnerName")){$null = New-Item "Z:\$strOwnerName" -ItemType directory}
How can I (if at all possible) modify this line to remove/restrict permissions for everyone in Sharepoint, aside from the user for which the folder is being created? The folder name, will always be the users AD name.
I'd start with a folder that has just very basic permissions, so you have something to copy. Then add the permission for the new folder's owner onto the ACL object. Lastly create the folder and apply the modified ACL to it. I selected Read, Write, Modify, and DeleteSubdirectoriesAndFiles but you can pick and choose your security settings for the user from this list.
$colRights = [System.Security.AccessControl.FileSystemRights]"Read, Write, Modify, DeleteSubdirectoriesAndFiles"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("DigitalGhost\$strOwnerName")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
    ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-ACL "Z:\ACLSource"
$objACL.AddAccessRule($objACE)
#If the output path doesn't exist, make it quietly.
If(!(Test-Path "z:\$strOwnerName")){$null = New-Item "Z:\$strOwnerName" -ItemType directory}
Set-ACL "Z:\$strOwnerName" $objACL
And of course, credit where credit is due... I picked most of that up directly a while ago off of this TechNet Windows PowerShell Tip of the Week.
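The home-directory question above and this one both want a folder that only its owner can use. Copying a template folder's ACL works, but depends on that template staying clean. An alternative, added here as an example and not code from either answer, is to build the DACL from scratch: cut inheritance from the parent, keep nothing from it, and add exactly SYSTEM, the local Administrators group (so the server can still be managed) and the owner. The function name, the server path '\\FileServer\users' and the domain name 'DOMAIN' are placeholders.

```powershell
function New-PrivateFolder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,    # e.g. '\\FileServer\users\jdoe' (placeholder)
        [Parameter(Mandatory = $true)] [string] $Owner    # e.g. 'DOMAIN\jdoe' (placeholder)
    )
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Build the DACL from scratch instead of reading the parent's or a template's.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    # $true, $false: stop inheriting from the parent and do NOT keep copies of the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $Owner) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, $full, $inherit, $noProp, $allow)))
    }
    # Make the user the NTFS owner as well, so quotas and ownership-based checks behave as expected.
    $acl.SetOwner((New-Object System.Security.Principal.NTAccount($Owner)))

    if ($PSCmdlet.ShouldProcess($Path, "Create private folder for $Owner")) {
        if (-not (Test-Path -LiteralPath $Path)) { $null = New-Item -Path $Path -ItemType Directory }
        Set-Acl -Path $Path -AclObject $acl
    }
    # Report what is actually on disk; every entry should be explicit (IsInherited = False).
    if (Test-Path -LiteralPath $Path) {
        (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
    }
}

# Usage, with $sac holding the SamAccountName from Get-ADUser as in the answer above:
# New-PrivateFolder -Path "\\FileServer\users\$sac" -Owner "DOMAIN\$sac" -WhatIf
# New-PrivateFolder -Path "\\FileServer\users\$sac" -Owner "DOMAIN\$sac"
```

Assigning ownership to another account requires the "Restore files and directories" privilege, which administrators of the file server normally hold; run the function from such an account or drop the SetOwner line. The final Get-Acl listing is the check worth keeping: if any entry shows IsInherited = True, the parent's permissions are still leaking into the folder.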