I've created 3 support functions:
Remove-Permission
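function Remove-Permission($StartingDir, $UserOrGroup = "", $All = $false) {
    <#
    .SYNOPSIS
        Removes explicit access rules from the ACL of a file or folder.
    .PARAMETER StartingDir
        Path whose ACL is read, modified and written back.
    .PARAMETER UserOrGroup
        Identity exactly as it appears in IdentityReference (e.g. DOMAIN\name or
        BUILTIN\Users). Its access rules are removed. Ignored when empty.
    .PARAMETER All
        When $true, every access rule returned by $acl.Access is removed, which
        also covers the identity given in UserOrGroup.
    .NOTES
        NOTE(review): inherited rules are not expected to be removable through
        RemoveAccessRule; stop inheritance with Set-Inheritance first if those must
        go too — confirm on the target system.
        Removing every rule (-All $true) can leave nobody but the owner with
        access; grant the administrative principals again straight afterwards.
    #>
    $acl = Get-Acl -Path $StartingDir
    # $acl.Access is re-read from the ACL on each access, so iterating the
    # snapshot while removing rules is safe.
    foreach ($access in $acl.Access) {
        $identityMatches = ($UserOrGroup -ne "") -and ($access.IdentityReference.Value -eq $UserOrGroup)
        if ($All -eq $true -or $identityMatches) {
            $acl.RemoveAccessRule($access) | Out-Null
        }
    }
    # Bug fix: the original wrote the ACL back to $folder.FullName, a variable
    # that only exists in the calling loop; the target is $StartingDir.
    Set-Acl -Path $StartingDir -AclObject $acl
}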
Set-Inheritance
function Set-Inheritance($StartingDir, $DisableInheritance = $false, $KeepInheritedAcl = $false) {
    <#
    .SYNOPSIS
        Turns ACL inheritance on or off for a file or folder.
    .PARAMETER StartingDir
        Path whose ACL is modified.
    .PARAMETER DisableInheritance
        $true blocks inheritance from the parent; $false lets it flow again.
    .PARAMETER KeepInheritedAcl
        When inheritance is being disabled, $true converts the currently
        inherited rules into explicit rules and $false discards them.
    .NOTES
        Disabling inheritance with KeepInheritedAcl $false leaves only the
        explicit rules on the object; if none of them grant administrators
        access, the path can only be recovered by taking ownership.
    #>
    $currentAcl = Get-Acl -Path $StartingDir
    # SetAccessRuleProtection(isProtected, preserveInheritance)
    $currentAcl.SetAccessRuleProtection($DisableInheritance, $KeepInheritedAcl)
    Set-Acl -Path $StartingDir -AclObject $currentAcl
}
Set-Permission
function Set-Permission($StartingDir, $UserOrGroup = "", $InheritedFolderPermissions = "ContainerInherit, ObjectInherit", $AccessControlType = "Allow", $PropagationFlags = "None", $AclRightsToAssign) {
    <#
    .SYNOPSIS
        Writes one explicit access rule for a principal onto a file or folder.
    .PARAMETER StartingDir
        Path whose ACL is modified.
    .PARAMETER UserOrGroup
        Principal the rule is for, e.g. domain\username, BUILTIN\Administrators.
        There is no usable default; an empty value cannot be resolved to an account.
    .PARAMETER InheritedFolderPermissions
        Inheritance flags, comma separated:
          ObjectInherit    - this folder and files (does not reach subfolders)
          ContainerInherit - this folder and subfolders
    .PARAMETER AccessControlType
        "Allow" or "Deny".
    .PARAMETER PropagationFlags
        "None" (default), or "InheritOnly" so the rule does not apply to the
        object itself, only to what it inherits to.
    .PARAMETER AclRightsToAssign
        FileSystemRights value(s), e.g. ListDirectory, ReadData, WriteData,
        CreateFiles, CreateDirectories, AppendData, Synchronize, FullControl,
        ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile,
        DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write,
        Delete, ReadPermissions, Read, ReadAndExecute, Modify,
        ChangePermissions, TakeOwnership.
    .NOTES
        NOTE(review): SetAccessRule is expected to replace an existing explicit
        rule for the same principal and type rather than stack a second one —
        confirm before relying on it for "tightening" a grant.
    #>
    $acl = Get-Acl -Path $StartingDir
    # Constructor argument order of FileSystemAccessRule:
    # identity, rights, inheritanceFlags, propagationFlags, type
    $ruleArgs = @(
        $UserOrGroup,
        $AclRightsToAssign,
        $InheritedFolderPermissions,
        $PropagationFlags,
        $AccessControlType
    )
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.SetAccessRule($rule)
    Set-Acl -Path $StartingDir -AclObject $acl
}
Those 3 little methods are actually really powerful. I had a small task where the F:\Shares directory contained user folders, each folder having the same permissions. What was expected was to remove the current permissions and set new ones. The user (with the same name as the folder) had to have Read access, while others required special permissions. The methods above allowed me to easily set inheritance, remove permissions and finally set permissions on an NTFS folder and all of the files inside.
# Fail on unset variables and other sloppy constructs.
Set-StrictMode -Version Latest
Clear-Host
# Nothing in the visible code calls an ActiveDirectory cmdlet; the module is
# loaded for the environment the script was written for.
Import-Module -Name ActiveDirectory
# Root holding one folder per user; FindAndFixFolders reads this script-level value.
$path = 'F:\Shares\PersonalTesting'
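function FindAndFixFolders() {
    <#
    .SYNOPSIS
        Rebuilds the ACL of every user folder directly under the script-level $path.
    .DESCRIPTION
        For each sub-folder: grants the administrative principals FullControl,
        grants the user named like the folder ReadAndExecute, then cuts
        inheritance without keeping the inherited rules and removes any
        explicit BUILTIN\Users rule.
    .NOTES
        Reads the script-level $path and calls Set-Inheritance, Set-Permission
        and Remove-Permission from this script.
        The explicit administrative grants are written BEFORE inheritance is
        disabled, so at no point during the run is a folder left with neither
        inherited nor explicit administrator access; the original order
        (inheritance off first) opened such a window on every folder.
        The original also granted BUILTIN\Administrators twice; the duplicate
        call is dropped.
    #>
    $folders = Get-ChildItem -Path $path -Directory | Select-Object Name, FullName
    foreach ($folder in $folders) {
        # Administrative principals first, while the inherited rules still apply.
        Set-Permission $folder.FullName -UserOrGroup "Domain\Domain Admins" -AclRightsToAssign "FullControl"
        Set-Permission $folder.FullName -UserOrGroup "BUILTIN\Administrators" -AclRightsToAssign "FullControl"
        Set-Permission $folder.FullName -UserOrGroup "SYSTEM" -AclRightsToAssign "FullControl"
        Set-Permission $folder.FullName -UserOrGroup "Domain\domain.pklys" -AclRightsToAssign "FullControl"
        # The folder's user gets read-only access; the account name is the folder name.
        Set-Permission $folder.FullName -UserOrGroup "Domain\$($folder.Name)" -AclRightsToAssign "ReadAndExecute"
        # Now drop everything inherited; only the explicit rules above survive.
        Set-Inheritance $folder.FullName -DisableInheritance $true -KeepInheritedAcl $false
        #Remove-Permission $folder.FullName -UserOrGroup "Domain\srv.pklys"
        #Remove-Permission $folder.FullName -All $true
        Remove-Permission $folder.FullName -UserOrGroup "BUILTIN\Users"
    }
}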
While the code is not a complete solution for working with NTFS permissions, it should be enough to get things working 🙂 in an easy, predictable way.