I have a Sharepoint Library, which I have mapped out to my Z:\ drive.
I have a script, that drops user specific files, in folders that I create with the following chunk of Powershell:
#If the output path doesn't exist, make it quietly.
If(!(Test-Path "z:\$strOwnerName")){$null = New-Item "Z:\$strOwnerName" -ItemType directory}
How can I (if at all possible) modify this line to remove/restrict permissions for everyone in SharePoint, aside from the user for which the folder is being created? The folder name will always be the user's AD name.
I'd start with a folder that has just very basic permissions, so you have something to copy. Then add the permission for the new folder's owner onto the ACL object. Lastly create the folder and apply the modified ACL to it. I selected Read, Write, Modify, and DeleteSubdirectoriesAndFiles, but you can pick and choose your security settings for the user from this list.
$colRights = [System.Security.AccessControl.FileSystemRights]"Read, Write, Modify, DeleteSubdirectoriesAndFiles"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("DigitalGhost\$strOwnerName")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-ACL "Z:\ACLSource"
$objACL.AddAccessRule($objACE)
#If the output path doesn't exist, make it quietly.
If(!(Test-Path "z:\$strOwnerName")){$null = New-Item "Z:\$strOwnerName" -ItemType directory}
Set-ACL "Z:\$strOwnerName" $objACL
And of course, credit where credit is due... I picked most of that up directly a while ago off of this TechNet Windows PowerShell Tip of the Week.
Related
I have a PowerShell script to create a new user's home drive and I am using the command below:
Set-ADUser $User -HomeDrive $driveLetter -HomeDirectory $fullPath
It's creating the home drive for the user but the user isn't able to access it.
One more thing: if I copy the created home drive manually from the AD console, paste it again and click Apply, then it works fine.
Set-ADUser will only modify the user object in Active Directory; security permissions on the folder itself are an additional step.
FileSystemRights Enumeration: MSDN
It is not sufficient to simply use Set-ADUser, expecting full end-to-end creation of a fully functioning home directory; we must set permissions on the folder in question, including any inheritance flags.
There are a few steps to accomplish this, but simply stated:
We need to get the current access control list (ACL)
We need to add our desired permissions to said ACL
We need to write the new ACL, combining both the pre-existing and new permissions.
As you may have guessed:
Get-ACL
Set-ACL
We can do something like this:
Set-ADUser $User -HomeDrive $driveLetter -HomeDirectory $fullPath -ea Stop
$homeShare = New-Item -path $fullPath -ItemType Directory -force -ea Stop
$acl = Get-Acl $homeShare
$FileSystemRights = [System.Security.AccessControl.FileSystemRights]"Modify"
$AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow
# ContainerInherit + ObjectInherit: pass the ACE down to subfolders and files
$InheritanceFlags = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
# InheritOnly: the ACE applies to the children only, not to $homeShare itself
$PropagationFlags = [System.Security.AccessControl.PropagationFlags]"InheritOnly"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule ($User.SID, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType)
$acl.AddAccessRule($AccessRule)
Set-Acl -Path $homeShare -AclObject $acl -ea Stop
If you're feeling creative, you can also combine some of the flags into an array:
$InheritanceFlag = @('ContainerInherit','ObjectInherit')
Please note this code is NOT tested and to validate before executing in any environment.
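The two questions above (a per-user folder on a mapped drive, and a home directory the user cannot open) come down to the same job: create the folder and write a DACL that names the user explicitly. The following is an added example, not code from either post, that does both steps and then reads the DACL back so the result can be logged or audited. It cuts inheritance from the parent and keeps only the user, SYSTEM and the local Administrators group; the user gets Modify rather than FullControl so they cannot rewrite the DACL themselves. $Root, $Domain and the account names are placeholders. It targets an NTFS folder (local or SMB share): Set-Acl writes NTFS DACLs and does not change permissions inside a SharePoint library mapped over WebDAV.

```powershell
# Added example (not from the posts above): create a per-user folder whose
# DACL lists only the user, SYSTEM and BUILTIN\Administrators, with
# inheritance from the parent disabled, then return the resulting ACEs.
# Assumes Windows PowerShell 5.1 and a caller allowed to write the DACL.
function New-RestrictedUserFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,            # placeholder, e.g. 'D:\Home' or '\\fileserver\home'
        [Parameter(Mandatory)][string]$Domain,          # placeholder NetBIOS domain name
        [Parameter(Mandatory)][string]$SamAccountName   # folder name == user's AD name
    )
    $path = Join-Path $Root $SamAccountName
    if (-not (Test-Path -LiteralPath $path)) {
        $null = New-Item -Path $path -ItemType Directory
    }

    $acl = Get-Acl -LiteralPath $path
    # Stop inheriting from the parent and drop the inherited entries, so only
    # the rules added below remain on the folder.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    # One ACE per principal. Modify for the user (read/write/delete but not
    # ChangePermissions); FullControl for SYSTEM and Administrators so backup
    # and support can still reach the folder.
    $grants = @(
        @{ Identity = "$Domain\$SamAccountName"; Rights = 'Modify' }
        @{ Identity = 'NT AUTHORITY\SYSTEM';     Rights = 'FullControl' }
        @{ Identity = 'BUILTIN\Administrators';  Rights = 'FullControl' }
    )
    foreach ($g in $grants) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($g.Identity, $g.Rights, $inherit, $propagate, $allow)
        $acl.AddAccessRule($ace)
    }

    if ($PSCmdlet.ShouldProcess($path, 'Replace DACL')) {
        Set-Acl -LiteralPath $path -AclObject $acl
    }

    # Read the DACL back from disk rather than trusting the in-memory object.
    (Get-Acl -LiteralPath $path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags
}

# Usage with constructed values; add -WhatIf to see the target without writing:
# New-RestrictedUserFolder -Root 'D:\Home' -Domain 'CONTOSO' -SamAccountName 'jdoe'
```

Running it with -WhatIf shows which folder would have its DACL replaced without touching anything; the returned table should contain exactly three non-inherited Allow entries and no IsInherited = True rows.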
I'm applying "Read" permissions to a folder for a certain user. I want them to be able to read notepad files inside.
$Acl = Get-Acl "C:\Test"
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("MyUser","Read","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "C:\Test" $Acl
My code properly applies the read permissions to the folder (I can manually check the "Security" tab to see this), but does not grant access to the files inside. Access is denied when "MyUser" tries to open a notepad file.
You need to use another constructor so you can set InheritanceFlags for containers and leaf objects. Try:
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("MyUser","Read","ContainerInherit,ObjectInherit", "None", "Allow")
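To see why the five-argument constructor matters, the added example below (not part of the question or the answer) builds the same "Read" rule both ways, applies each to a fresh scratch folder under $env:TEMP containing one file, and reports whether the ACE actually shows up on the file as an inherited entry. The principal is the current user so the script runs without any setup; with the three-argument form the file never receives the ACE, with ContainerInherit and ObjectInherit it does.

```powershell
# Added example (not from the post above): compare a folder-only ACE with an
# inheritable one by checking whether it reaches a file in the folder.
# Uses the current user as the principal so it runs anywhere; scratch data
# is created under $env:TEMP and removed afterwards.
$Account = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

function Test-RuleReachesFile {
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule]$Rule)

    # A fresh folder and file per rule, so the two runs cannot influence each other.
    $folder = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
    $null = New-Item -Path $folder -ItemType Directory
    $file = Join-Path $folder 'note.txt'
    Set-Content -Path $file -Value 'constructed sample file'

    try {
        $acl = Get-Acl -LiteralPath $folder
        $acl.AddAccessRule($Rule)
        Set-Acl -LiteralPath $folder -AclObject $acl

        # An ACE that propagates appears on the file with IsInherited = True and
        # the same identity and rights as the rule placed on the folder.
        $onFile = (Get-Acl -LiteralPath $file).Access | Where-Object {
            $_.IsInherited -and
            $_.IdentityReference.Value -eq $Rule.IdentityReference.Value -and
            $_.FileSystemRights -eq $Rule.FileSystemRights
        }
        [pscustomobject]@{
            InheritanceFlags = $Rule.InheritanceFlags
            PropagationFlags = $Rule.PropagationFlags
            ReachesFile      = (@($onFile).Count -gt 0)
        }
    }
    finally {
        Remove-Item -LiteralPath $folder -Recurse -Force
    }
}

# Three arguments: InheritanceFlags defaults to None, so the ACE stops at the folder.
$folderOnly = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
# Five arguments: ContainerInherit + ObjectInherit pushes the ACE to subfolders and files.
$inherited  = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

Test-RuleReachesFile -Rule $folderOnly   # ReachesFile: False
Test-RuleReachesFile -Rule $inherited    # ReachesFile: True
```

The check deliberately reads the file's ACL from disk instead of inspecting the rule object: that is the same evidence the "Security" tab shows, and it is what an access-denied report from the user should be compared against.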
Can I take over ownership and then set-acl to a folder? I have a folders.txt file where I have the location of the folder.
For Example:
D:\Dept\CC\NorthRiver\16-17\StaffAdministration
Then I am creating a new year of the previous year's folder structure and copying the rights and permissions of the previous year's folders to the new year's matching folder. I ran into an issue though because of ownership of the folder. If I am not the owner I cannot duplicate the permissions of certain folders and I receive Set-ACL : The security identifier is not allowed to be the owner of this object. Is there any way around this?
I tried adding the line (to change the owner to me but that did not work either):
get-item $currentFolder.Replace("16-17", "15-16") | set-owner -Account 'VDB-TST1\Administrators'
Does anyone have any ideas of how I may accomplish this?
This is the full script I have:
Function Get-FileName{
[CmdletBinding()]
Param(
[String]$Filter = "|*.*",
[String]$InitialDirectory = "C:\")
[void][System.Reflection.Assembly]::LoadWithPartialName("System.windows.forms")
$OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog
$OpenFileDialog.initialDirectory = $InitialDirectory
$OpenFileDialog.filter = $Filter
[void]$OpenFileDialog.ShowDialog()
$OpenFileDialog.filename
}
#Get and Set the ACL to the new years folder structure
foreach ($currentFolder in (GC (Get-FileName -InitialDirectory $env:USERPROFILE\Desktop -Filter "Text files (*.txt)|*.txt|All files (*.*)|*.*"))) {
md $currentFolder # Create Folder
get-item $currentFolder.Replace("16-17", "15-16") | set-owner -Account 'VDB-TST1\Administrators'
Get-ACL $currentFolder.Replace("16-17", "15-16") | Set-ACL $currentFolder
}
I think you are running into the same limitations of Set-ACL and Get-ACL described in this post. Try changing
Get-ACL $currentFolder.Replace("16-17", "15-16") | Set-ACL $currentFolder
to
(Get-Item $currentFolder.Replace("16-17", "15-16")).GetAccessControl('Access') | Set-ACL $currentFolder
As an alternative you can use robocopy to copy the ntfs permissions from one directory and then apply them to another.
robocopy $currentFolder.Replace("16-17", "15-16") $currentfolder /copy:S /SECFIX
Hope this helps.
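Whichever copy method is used (GetAccessControl('Access') piped to Set-ACL, or robocopy /copy:S /SECFIX), the result should be checked rather than assumed, because a failed write leaves the new year's folder with whatever DACL it was created with. The added example below (not from the question or the answer) compares the explicit, non-inherited ACEs of two folders and reports anything missing from or extra on the new one. It looks only at the DACL and the inheritance-protection flag, not at the owner, which is the field that produced the "not allowed to be the owner" error. The paths in the usage comment are constructed to match the question's naming scheme.

```powershell
# Added example (not from the post above): compare the explicit DACL of a
# source folder with that of its freshly created copy and report differences.
# Inherited ACEs are skipped because they come from each folder's own parent;
# the owner is not compared.
function Get-ExplicitDacl {
    param([Parameter(Mandatory)][string]$Path)
    # Normalise each explicit ACE to a single comparable string.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
                $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags
        } | Sort-Object -Unique
}

function Compare-FolderDacl {
    param(
        [Parameter(Mandatory)][string]$ReferencePath,   # last year's folder
        [Parameter(Mandatory)][string]$DifferencePath   # this year's folder
    )
    $ref = @(Get-ExplicitDacl -Path $ReferencePath)
    $dif = @(Get-ExplicitDacl -Path $DifferencePath)

    # -notin rather than Compare-Object: Compare-Object rejects empty arrays
    # on Windows PowerShell 5.1, and a folder with no explicit ACEs is valid.
    $missing = @($ref | Where-Object { $_ -notin $dif })
    $extra   = @($dif | Where-Object { $_ -notin $ref })

    $refProtected = (Get-Acl -LiteralPath $ReferencePath).AreAccessRulesProtected
    $difProtected = (Get-Acl -LiteralPath $DifferencePath).AreAccessRulesProtected

    [pscustomobject]@{
        Reference        = $ReferencePath
        Difference       = $DifferencePath
        Match            = ($missing.Count -eq 0 -and $extra.Count -eq 0 -and $refProtected -eq $difProtected)
        MissingAces      = $missing
        ExtraAces        = $extra
        ProtectionMatch  = ($refProtected -eq $difProtected)
    }
}

# Usage with constructed paths following the question's naming scheme:
# $new = 'D:\Dept\CC\NorthRiver\16-17\StaffAdministration'
# Compare-FolderDacl -ReferencePath $new.Replace('16-17', '15-16') -DifferencePath $new
```

Run over the same folders.txt list as the copy loop, a Match of False for any row identifies exactly which folder the copy did not reach, and the MissingAces column names the principals that still need to be granted.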
The Set-ACL cmdlet native to PowerShell is pretty terrible. I would suggest using the NTFS module that is available. I have tried playing with Set-ACL several times and it always wastes more of my time rather than actually being useful.
The problem I need to solve is I need to make a folder on a network share for a newly created user. This is done by System Center Orchestrator; after the user is created I need to copy a dummy folder with certain rights, add the newly created user to the ACLs and delete the workflow account from those ACLs. (The user that creates the folder gets added automatically.)
The folder gets created successfully and gets the same permissions as the dummy folder; now I need to add one ACL rule to those permissions.
Here is some sample code I'm using:
$colRights = [System.Security.AccessControl.FileSystemRights]"Read, Write"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("domain\createdUser1")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule (
$objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType
)
$originalACL = Get-ACL "\\shares\createdUser1"
#$orignalACL.SetAccessRuleProtection($True,$False)#doesn't help either
$originalACL.AddAccessRule($objACE)
Set-ACL "\\shares\createdUser1" $objACL
The only problem I'm having is that it doesn't add the ACL rule but it overwrites all rules that this folder currently has. How can I add one rule to an existing ACL without overwriting the original rules?
source sample code: https://technet.microsoft.com/en-us/library/ff730951.aspx
EDIT1:
Using the module provided on https://blogs.technet.microsoft.com/heyscriptingguy/2014/11/22/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions/ does the same thing. Am I doing something wrong?
$colRights = "Read, Write"
$objUser = New-Object System.Security.Principal.NTAccount("domain\createdUser1")
Add-NTFSAccess -Path $folderPath -Account $objUser -AccessRights $colRights
There's nothing in your code that would remove ACLs except for the (now commented) line
#$orignalACL.SetAccessRuleProtection($True,$False)
That line will remove inherited ACLs, so of course it won't help.
From the documentation:
Syntax
public void SetAccessRuleProtection(
bool isProtected,
bool preserveInheritance
)
Parameters
isProtected
true to protect the access rules associated with this ObjectSecurity object from inheritance; false to allow inheritance.
preserveInheritance
true to preserve inherited access rules; false to remove inherited access rules. This parameter is ignored if isProtected is false.
I suspect you ran that line once before, thus removing inherited ACLs. To correct that mistake you need to re-enable inheritance first, either manually or by calling SetAccessRuleProtection() with the first parameter set to $false:
$orignalACL.SetAccessRuleProtection($false, $true)
This piece of code worked for me:
$colRights = "Read, Write"
$objUser = New-Object System.Security.Principal.NTAccount("domain\createdUser1")
add-NTFSAccess -Path $folderPath -Account $objUser -AccessRights $colRights
We ran it from another user account and suddenly the code worked. This was found by testing the script on local folders. Here it didn't delete any other ACLs. This will probably be something with share permissions or security permissions. (Locally I'm full admin but on the shares I'm not.)
The problem is here:
Set-ACL "\\shares\createdUser1" $objACL
Change to this:
Set-ACL "\\shares\createdUser1" $originalACL
You had modified the $originalACL when you ran $originalACL.AddAccessRule($objACE)
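The question's workflow has two edits to make on the new folder (grant the created user, drop the provisioning account) and the failure mode it hit was writing the wrong ACL object back. The added example below (not from the question or the answers) does both edits on one Get-Acl result, verifies in memory that the inherited entries are untouched, the user's ACE is present and the workflow account's explicit ACE is gone, and only then calls Set-Acl with that same object. Path and account names are placeholders.

```powershell
# Added example (not from the post above): add one explicit ACE for the new
# user and purge the provisioning account's explicit ACEs, then check the
# result before writing it back with Set-Acl.
function Set-ProvisionedFolderAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,              # placeholder, e.g. '\\shares\createdUser1'
        [Parameter(Mandatory)][string]$UserAccount,       # placeholder, e.g. 'domain\createdUser1'
        [Parameter(Mandatory)][string]$WorkflowAccount    # placeholder, e.g. 'domain\svc-orchestrator'
    )
    $acl = Get-Acl -LiteralPath $Path
    $inheritedBefore = @($acl.Access | Where-Object IsInherited).Count

    $rights  = [System.Security.AccessControl.FileSystemRights]'Read, Write'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # AddAccessRule merges into the existing DACL; no existing entry is dropped.
    $userAce = New-Object System.Security.AccessControl.FileSystemAccessRule($UserAccount, $rights, $inherit, $noProp, $allow)
    $acl.AddAccessRule($userAce)

    # PurgeAccessRules removes every explicit ACE for that identity. Inherited
    # entries for it, if any, stay: they belong to the parent folder's DACL.
    $workflow = New-Object System.Security.Principal.NTAccount($WorkflowAccount)
    $acl.PurgeAccessRules($workflow)

    # Verify the in-memory result before it touches the share.
    $inheritedAfter = @($acl.Access | Where-Object IsInherited).Count
    $hasUser = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $UserAccount }).Count -gt 0
    $hasWorkflow = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $WorkflowAccount
    }).Count -gt 0
    if ($inheritedAfter -ne $inheritedBefore -or -not $hasUser -or $hasWorkflow) {
        throw "Refusing to write DACL for $Path: inherited $inheritedBefore->$inheritedAfter, user present=$hasUser, workflow present=$hasWorkflow"
    }

    # Same object that was modified above, which is the point the accepted answer makes.
    if ($PSCmdlet.ShouldProcess($Path, "Grant $UserAccount, remove $WorkflowAccount")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    (Get-Acl -LiteralPath $Path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage with constructed values:
# Set-ProvisionedFolderAccess -Path '\\shares\createdUser1' -UserAccount 'domain\createdUser1' -WorkflowAccount 'domain\svc-orchestrator' -WhatIf
```

The throw is the useful part for an orchestrated run: if the account executing the runbook lacks the rights to read the full DACL (the share-versus-local difference noted above), the inherited count will not match and the function refuses to write a truncated ACL instead of silently clobbering the folder.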
I am looking for a way where I run a script using PowerShell that goes through a folder structure and sets certain NTFS permissions only on a folder with the name "Submissions", so if there is any folder called "Submissions" within the folder structure, it will set it to the NTFS permissions that I specified.
Any info will help me to start this!
http://s22.postimg.org/r769bcr01/Capture.png
Let's say I have this many folders, and in each folder, the structure is the same:
http://s15.postimg.org/pqh8leph7/sasa.png
So I need to aim at 04_architecture for example, and apply certain NTFS permissions, using PowerShell.
Maybe this is a starting point:
# find all submissions directories
$submissions = Get-ChildItem -Path "YOUR START PATH e.g. c:\test" -Recurse -Filter "Submissions" -directory
foreach($submission in $submissions)
{
# get the current submission directory acl
$acl = Get-ACL $submission.FullName
# create a new acl. Example:
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule('Administrators','FullControl','ContainerInherit, ObjectInherit', 'None', 'Allow')
# add and set the new created acl to the directory
$acl.AddAccessRule($accessRule)
Set-Acl $submission.FullName $acl
}
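The loop above adds the rule to every matching folder on every run. The added example below (not from the question or the answer) is the same walk, made idempotent and report-first: it only adds the ACE where an equivalent explicit Allow entry is not already present, writes nothing under -WhatIf, and emits one status object per folder so a scheduled run leaves an audit trail. The root path and the granted account are placeholders.

```powershell
# Added example (not from the post above): apply a required ACE to every
# folder named $FolderName under $Root, skipping folders that already hold it
# and reporting what was done (or would be done under -WhatIf).
function Set-SubmissionsAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,                              # placeholder, e.g. 'C:\test'
        [string]$FolderName = 'Submissions',
        [string]$Account = 'BUILTIN\Administrators',                      # placeholder principal
        [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl'
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')

    Get-ChildItem -LiteralPath $Root -Recurse -Directory -Filter $FolderName | ForEach-Object {
        $dir = $_
        $acl = Get-Acl -LiteralPath $dir.FullName

        # Compliant if an explicit Allow ACE for the account already covers the
        # requested rights (a superset counts; inherited entries do not, since
        # a change higher up the tree could remove them).
        $present = @($acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Value -eq $Account -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (($_.FileSystemRights -band $Rights) -eq $Rights)
        }).Count -gt 0

        $status = 'AlreadyCompliant'
        if (-not $present) {
            $acl.AddAccessRule($rule)
            if ($PSCmdlet.ShouldProcess($dir.FullName, "Grant $Rights to $Account")) {
                Set-Acl -LiteralPath $dir.FullName -AclObject $acl
                $status = 'Updated'
            }
            else {
                $status = 'WouldUpdate'
            }
        }
        [pscustomobject]@{ Path = $dir.FullName; Status = $status }
    }
}

# Usage with constructed values; the -WhatIf run lists the folders without changing them:
# Set-SubmissionsAccess -Root 'C:\test' -WhatIf
# Set-SubmissionsAccess -Root 'C:\test' | Where-Object Status -ne 'AlreadyCompliant'
```

A second run immediately after the first should report AlreadyCompliant for every folder; any other status on that run points at a folder whose DACL is being changed by something else and is worth investigating.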