Can the GUI operation “replace permission entries on all child objects with entries shown here that apply to child objects” be scripted in PowerShell?
-
Tuesday, July 10, 2012 2:40 AM
Hello,
I have a simple use case but am having trouble finding any examples…
Starting with 2 base paths foo and bar:
D:\foo\dir1
D:\tmp\bar\dir2
I have set my ACL list manually through the GUI on foo and checked “replace permission entries on all child objects with entries shown here that apply to child objects”
This operation “removes” all explicit permissions on foo recursively (this is what I want).
Then I want to copy this same ACL to bar with something like
$fooACL = get-acl D:\foo
set-acl -path D:\tmp\bar -AclObject $fooACL
The ACL indeed gets set on bar, but the problem is that all explicit ACEs remain under bar (for example on dir2).
How can I remove all explicit (non-inherited) permissions from bar?
Thanks
All Replies
-
Tuesday, July 10, 2012 9:33 AM Moderator
It seems there is no recurse parameter on set-acl, therefore you have to do it manually like this:
$fooACL = get-acl c:\temp\foo
$path = "C:\temp\bar"
set-acl -path $path -AclObject $fooACL
#set sub folders and files
foreach ($entry in (dir $path -Recurse)) {
    set-acl -path $entry.FullName -AclObject $fooACL
}
This will replace the ACL on all FILES and FOLDERS inside $path
:)
Best Regards
Jakob Gottlieb Svendsen
Trainer/Consultant - Coretech A/S
- Proposed As Answer by Jakob Gottlieb Svendsen (Moderator) Tuesday, July 10, 2012 9:37 AM
-
Tuesday, July 10, 2012 2:05 PM
Not something you want to do without a very good reason.
¯\_(ツ)_/¯
-
Friday, July 13, 2012 2:47 AM
The problem with this solution is that it will explicitly “set” the ACL “directly” on $path and child objects.
When you select “replace permission entries on all child objects with entries shown here that apply to child objects”, it does not set the ACL directly; rather, the ACL shows that the permission is “inherited” from the parent (in this case bar), and that is what I want.
-
Friday, July 13, 2012 6:51 AM
The GUI does this manually. There is no switch you can set to do this. You must explicitly apply to each object.
¯\_(ツ)_/¯
-
Friday, July 13, 2012 6:20 PM
Actually found a way…
To crack this nut, the problem needs to be looked at a different way…
To replicate what the GUI does, you have to set the ACL directly on the top folder and then recursively “remove” only the explicit permissions. The permissions set at the top are inherited by child objects.
I found a good example here, with one tweak to the where clause to accomplish this objective.
http://razor3dg3.wordpress.com/2011/10/30/powershell-remove-unknown-user-permission/
get-acl D:\foo\dir1 | set-acl -path D:\Temp\bar\dir2
$location = "D:\Temp\bar\dir2";
#Search recursively through location defined;
get-childitem -r $location | foreach{
    $tempLocation = $_.FullName;
    #Get ACL for tempLocation;
    $acl = get-acl $tempLocation;
    #Get SID of explicit ACL;
    $acl.Access | where{ $_.isinherited -like $false} | foreach{
        #Foreach SID purge the SID from the ACL;
        $acl.purgeaccessrules($_.IdentityReference);
        #Reapply ACL to file or folder without SID;
        Set-Acl -AclObject $acl -path $tempLocation;
    }
}
- Marked As Answer by agianni2 Friday, July 13, 2012 6:20 PM
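An added example, not code from any poster in this thread: a variant of the purge approach above that also turns inheritance back on for children where it had been disabled, since purging the explicit entries on such an object would otherwise leave it with no access entries at all. The function name Reset-ChildAcl and the record it returns are assumptions made for this example; the path in the usage comment is the one used in the thread.

```powershell
# Added example. Reset-ChildAcl is a hypothetical name, not a built-in cmdlet.
function Reset-ChildAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Path    # top folder whose own ACL has already been set
    )

    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $item = $_.FullName
        $acl  = Get-Acl -LiteralPath $item

        # Explicit (non-inherited) entries, and whether inheritance is blocked here.
        $explicit     = @($acl.Access | Where-Object { -not $_.IsInherited })
        $wasProtected = $acl.AreAccessRulesProtected

        # Nothing to change: the object already carries inherited entries only.
        if (-not $wasProtected -and $explicit.Count -eq 0) { return }

        # Turn inheritance back on. The second argument is ignored when the
        # first is $false.
        $acl.SetAccessRuleProtection($false, $false)

        # Purge every identity that holds an explicit entry (same call as the thread).
        $explicit | ForEach-Object { $acl.PurgeAccessRules($_.IdentityReference) }

        # -WhatIf skips the write but still emits the record below.
        if ($PSCmdlet.ShouldProcess($item, "remove $($explicit.Count) explicit ACE(s)")) {
            Set-Acl -LiteralPath $item -AclObject $acl
        }

        # One record per affected object, for review or logging.
        [pscustomobject]@{
            Path            = $item
            ExplicitEntries = $explicit.Count
            WasProtected    = $wasProtected
        }
    }
}

# Preview first, then apply:
# Reset-ChildAcl -Path 'D:\Temp\bar\dir2' -WhatIf
# Reset-ChildAcl -Path 'D:\Temp\bar\dir2'
```

Running it with -WhatIf first lists every object that carries explicit entries or blocks inheritance without changing anything, which is a useful record to keep before the ACLs are rewritten.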

