Manage NTFS permissions with Powershell

I've created 3 support functions:

Remove-Permission

function Remove-Permission($StartingDir, $UserOrGroup = "", $All = $false) {
    $acl = get-acl -Path $StartingDir
    if ($UserOrGroup -ne "") {
        foreach ($access in $acl.Access) {
            if ($access.IdentityReference.Value -eq $UserOrGroup) {
                $acl.RemoveAccessRule($access) | Out-Null
            }
        }
    } 
    if ($All -eq $true) {
        foreach ($access in $acl.Access) {
            $acl.RemoveAccessRule($access) | Out-Null
        }

    }
    Set-Acl -Path $folder.FullName -AclObject $acl
}

Set-Inheritance

function Set-Inheritance($StartingDir, $DisableInheritance = $false, $KeepInheritedAcl = $false) {
    $acl = get-acl -Path $StartingDir
    $acl.SetAccessRuleProtection($DisableInheritance, $KeepInheritedAcl)
    $acl | Set-Acl -Path $StartingDir
}

Set-Permission

function Set-Permission($StartingDir, $UserOrGroup = "", $InheritedFolderPermissions = "ContainerInherit, ObjectInherit", $AccessControlType = "Allow", $PropagationFlags = "None", $AclRightsToAssign) {
    ### The possible values for Rights are:
    # ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData, Synchronize, FullControl
    # ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes 
    # WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership

    ### Principal expected
    # domain\username 

    ### Inherited folder permissions:
    # Object inherit    - This folder and files. (no inheritance to subfolders)
    # Container inherit - This folder and subfolders.
    # Inherit only      - The ACE does not apply to the current file/directory

    #define a new access rule.
    $acl = Get-Acl -Path $StartingDir
    $perm = $UserOrGroup, $AclRightsToAssign, $InheritedFolderPermissions, $PropagationFlags, $AccessControlType
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm
    $acl.SetAccessRule($rule)
    set-acl -Path $StartingDir $acl
}

Those 3 little methods are actually really powerful. I had little task where in F:\Shares directory there were user folders. Each folder having same permissions. What was expected is to remove current permissions and set new ones. User (with same name as folder name) had to have Read access, but others required special permissions. Above methods allowed me to easily set inheritance, remove permissions and finally set permissions on NTFS folder and all of the files inside.

Set-StrictMode -Version Latest
Clear-Host
import-module ActiveDirectory
$path = "F:\Shares\PersonalTesting"

function FindAndFixFolders() {
    $folders = Get-ChildItem -Path $path -Directory | Select Name, FullName
    foreach ($folder in $folders) {
        Set-Inheritance $folder.FullName -DisableInheritance $true -KeepInheritedAcl $false
        #Remove-Permission $folder.FullName -UserOrGroup "Domain\srv.pklys"
        #Remove-Permission $folder.FullName -All $true
        Set-Permission $folder.FullName -UserOrGroup "Domain\$($folder.Name)" -AclRightsToAssign "ReadAndExecute"
        Set-Permission $folder.FullName -UserOrGroup "Domain\Domain Admins" -AclRightsToAssign "FullControl"
        Set-Permission $folder.FullName -UserOrGroup "BUILTIN\Administrators" -AclRightsToAssign "FullControl"
        Set-Permission $folder.FullName -UserOrGroup "BUILTIN\Administrators" -AclRightsToAssign "FullControl"
        Set-Permission $folder.FullName -UserOrGroup "SYSTEM" -AclRightsToAssign "FullControl"
        Set-Permission $folder.FullName -UserOrGroup "Domain\domain.pklys" -AclRightsToAssign "FullControl"
        Remove-Permission $folder.FullName -UserOrGroup "BUILTIN\Users"
    }
}

While the code is not complete solution to working with NTFS permissions it should be enough to get things working 🙂 In easy, predictable way.