We have an in-house application that creates a folder, with 8 sub-folders, whenever a new project is started (keeping the same file structure in every folder). Our fileserver sets the security to the top level folder, breaking any specific sub-folder rights.
I'm looking at using aThis System.IO.FileSystemWatcher to automate the PowerShell, once the folders have been created.
The PowerShell I'm looking at using is:
New-Item F:\Engineering Projects\TPS\Documents\ –Type Directory
Get-Acl F:\Engineering Projects\TPS\Documents\ | Format-List
$acl = Get-Acl F:\Engineering Projects\TPS\Documents\
$acl.SetAccessRuleProtection($True, $False)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl F:\Folder $acl
Get-Acl F:\Folder | Format-List
I'm not very experienced with PowerShell, Exchange things being the main area where I've experienced it. Obviously that script is more of a generic starting point for me; my question is, would I run this script multiple times (for each folder requiring specific permissions), or can I incorporate multiple folder permissions within one script?
Related
Trying to add Full Control to a few users to a folder in Powershell have the following, runs with no errors but only adds the last "rule" to the folder. What am I doing wrong?
$acl = Get-Acl E:\MyFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\john.smith","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\Domain Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\Folder-Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
(Get-Item E:\MyFolder).SetAccessControl($acl)
I tried running the exact same code as you like so :
$acl = Get-Acl C:\temp
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("some_user","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("other_user","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
(Get-Item C:\Temp).SetAccessControl($acl)
And it added both to my folder so it doesn't seem to be an issue with the code itself, have you checked if maybe the domain and names were correct and that you are authorized to assign such permissions to that user/group?
For references i'm using Powershell version : 5.1.17763.771, and I ran those lines with local accounts and not domain accounts as I don't have access to a domain right now.
You might try the NTFS PowerShell module, it makes things much easier and is quite capable.
A command to add full access would look something like:
Add-NTFSAccess -Path <path> -Account <Account> -AccessRights FullControl -AccessType Allow
I am trying to the Domain Admins group to all the file shares on our server with Full Control NTFS permissions, but it seems to lock up and cant proceed at the "$Acl.SetAccessRule($Ar)" line.
This is the code that I have so far:
$shares = Get-SmbShare
foreach($share in $shares) {
$Acl = get-acl $share.Path
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Domain Admins", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $share.Path $Acl
}
Does anyone have any ideas why this isnt working? I was able to add Domain Admins to File Share Permissions but cant seem to do the same with NTFS permissions following the same algorithm.
Thanks!
I use PDQ Deploy for deployments and part of an install requires a share and permissions to be set for the engineering team. I made a script successfully however it overwrites what is currently there. I like to the the group. I can't seem to find any real way of doing this.
$acl = get-acl "c:\program files (x86)\Test\"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("manftest", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.setaccessrule($ar)
set-acl "c:\program files (x86)\Test\" $acl
New-SmbShare -Name "Test" -Path "C:\Program Files (x86)\Test" -FullAccess "DOMAIN\manftest"
Have you tried AddAccessRule instead of SetAccessRule ?
https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemsecurity.addaccessrule?view=netframework-4.7.2
if I was you I will try to use icalc.exe
icacls.exe $path /grant "<domain\account>:(OI)(CI)(M)"
I have had a lot of challenges with PowerShell and setting access control lists in the past, and so I resort to using icacls in my PowerShell scripts.
I'm applying "Read" permissions to a folder for a certain user. I want them to be able to read notepad files inside.
$Acl = Get-Acl "C:\Test"
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("MyUser","Read","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "C:\Test" $Acl
My code properly applies the read permissions to the folder (I can manually check the "Security tab to see this), but does not grant access to the files inside. Access is denied when "MyUser" tries to open a notepad file.
You need to use another constructor so you can set InheritanceFlags for containers and leaf objects. Try:
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("MyUser","Read","ContainerInherit,ObjectInherit", "None", "Allow")
I have this script which sets folder permissions:
Get-Acl $IGXYSimFiles
$acl = Get-Acl $IGXYSimFiles
$acl.SetAccessRuleProtection($false,$true)
$rule = New-Object
System.Security.AccessControl.FileSystemAccessRule("RISK\DL-GPA-UKI-Users","CreateFiles", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object
System.Security.AccessControl.FileSystemAccessRule("RISK\DL-GPA-UKI-Igloo-IGXY-Power-Users","Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl $IGXYSimFiles $acl
I need to add special permissions for the DL-GPA-UKI-Users group so that they can create subfolders in the $IGXYSimFiles folder but not files. They need to be able to create files in the subfolders which they've been allowed to create, but not any further subfolders.
I have achieved this by setting special permissions "Create Folder / Append Data" for "This Folder Only" and "Create Files / Write Data" for "Subfolders and Files Only". This is working great, but now comes the time where I need to edit my script to do this.
So I thought I would get-acl on the folder where I have manually set these permissions, this isn't returning the desired result:
AccessToString :
RISK\DL-GPA-UKI-Igloo-IGXY-Power-Users Allow Modify,Synchronize
RISK\DL-GPA-UKI-Users Allow AppendData, Synchronize
RISK\DL-GPA-UKI-Users Allow CreateFiles, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
RISK\Domain Admins Allow FullControl
RISK\DL-GPA-UKI-Readonly Allow ReadAndExecute, Synchronize
RISK\svcGIECSSPrd_EA Allow FullControl
RISK\DL-GPA-UKI-Users Allow ReadAndExecute, Synchronize
RISK\DL-GPA-AIMSSOPS Allow FullControl
As you can see its not displaying the "This Folder Only" or "Subfolders and files only" setting...
Is this possible with PowerShell?
Many thanks in advance
Chris
Absolutely. The default output for Get-Acl doesn't include the inheritance information, but it's there. Try this to get a friendlier output:
Get-ACL $IGXYSimFiles | % { $_.Access }
As for setting the ACL as desired, your script should do it, though you have one error in your rule. For "Create Files / Write Data" to be applied to "Subfolders and Files Only", you'll want to set the PropagationFlags to InheritOnly rather than None.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("RISK\DL-GPA-UKI-Users","CreateFiles", "ContainerInherit, ObjectInherit", "InheritOnly", "Allow")
And this will set "Create Folder / Append Data" on this folder only:
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("RISK\DL-GPA-UKI-Users","AppendData", "None", "None", "Allow")