Set ACL

  • Question

  • Hello

    I have a folder on the server for end-users' archived emails.  Of course each user will only be able to access their own folder.

    The folder names are the same as the SamAccountName (first initial, last name).

    It appears that all permissions that "were" set on these folders have been destroyed (by copy/move as we were fixing another issue).

    So now I need to set the permissions on all these folders (approx. 400).

    The following is needed:

    Admins - full controls

    Domain Admins - Full Control

    Desktop Admins - Full Control

    System - Full control

    User whose folder it is - Modify

    Other domain users - none

    Creator Owner - not needed to be listed.

    Ex: username: bsmith , foldername: bsmith

    Admins - full control, Domain Admins - full control, Desktop Admins - full control, System - full control, bsmith - Modify

    So far this is what I have:

    Import-Module ActiveDirectory   # Get-ADUser
    Import-Module NTFSSecurity      # Add-NTFSAccess (community module, not built in)

    $EmailArchivePath = "\\Domain\Env\EmailArchive"
    # Folder names are the users' SamAccountNames
    $Userlist = Get-ChildItem -Path $EmailArchivePath -Directory | Select-Object -ExpandProperty Name
    foreach ($User in $Userlist) {
        # Confirm the folder name matches an AD account
        $Uname = Get-ADUser $User | Select-Object -ExpandProperty SamAccountName
        $Userfolder = "$EmailArchivePath\$User"
        # Read the folder's current ACL and write it straight back (this changes nothing by itself)
        $ACL1 = Get-Acl -Path $Userfolder
        Set-Acl -Path $Userfolder -AclObject $ACL1
        # Grant the folder's owner Modify
        Add-NTFSAccess -Path $Userfolder -Account $Uname -AccessRights Modify
    }

    I'm not sure how to add all the access for all the accounts to the Set-ACL.

    Any suggestions?

    Thank You

    Terry

    Monday, April 1, 2019 5:40 PM

All replies

  • Ok, I think I have figured it out:

    Import-Module ActiveDirectory   # Get-ADUser
    Import-Module NTFSSecurity      # Add-NTFSAccess

    #$EmailArchivePath = "\\domain\Env\EmailArchive"
    $EmailArchivePath = "E:\Userslist"
    $Admins = "Domain Admins", "Desktop_Admin", "DA_Admin", "System"
    $regUsers = "Users"
    #Get a list of the folders (folder names are the same as the username (SamAccountName))
    $Userlist = Get-ChildItem -Path $EmailArchivePath -Directory | Select-Object -ExpandProperty Name
    #Iterate through the folders
    foreach ($User in $Userlist) {
        #Look up the folder name (username) in AD and pull the SamAccountName
        $Uname = Get-ADUser $User | Select-Object -ExpandProperty SamAccountName
        $Userfolder = $User
        #Get the ACL for the user's folder
        $ACL1 = Get-Acl -Path "$EmailArchivePath\$Userfolder"
        #Write the same ACL back to the folder (no-op on its own)
        Set-Acl -Path "$EmailArchivePath\$Userfolder" -AclObject $ACL1
        #Grant the current user Modify on their own folder
        Add-NTFSAccess -Path "$EmailArchivePath\$User" -Account $Uname -AccessRights Modify
        #Assign NTFS permissions for each of the Admin Groups ($Admins)
        foreach ($Acc in $Admins) {
            Add-NTFSAccess -Path "$EmailArchivePath\$User" -Account $Acc -AccessRights FullControl
        }
    }

    This, I think, works.  It seems to work OK in my test environment.  However, what I would like to do is to remove NTFS permissions for all users and then add only the permissions for the users I want; and I would like to break inheritance from above and apply these permissions to all child objects.

    Thank you

    Terry

    Monday, April 1, 2019 9:25 PM
  • Hi,

    Thanks for your question.

    To disable or enable permission inheritance, you can use the "SetAccessRuleProtection" method. This method has two parameters:

    • The first parameter is responsible for blocking inheritance from the parent folder. It has two states: "$true" and "$false".
    • The second parameter determines whether the current inherited permissions are retained or removed. It has the same two states: "$true" and "$false".

    Here is an example of disabling inheritance for the test1 folder and deleting all inherited permissions as well:

    $acl=Get-Acl C:\temp\test0402\test1
    $acl.SetAccessRuleProtection($true,$false)
    $acl | Set-Acl C:\temp\test0402\test1

    I think you are using the "Set-Acl" cmdlet incorrectly. You don't need to get a folder's ACL and then set it back on the same folder; it will not change the folder's ACL. This is redundant. You can get one folder's ACL and then set it on other folders.

    Please refer to the links below:

    https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-6

    https://blog.netwrix.com/2018/04/18/how-to-manage-file-system-acls-with-powershell-scripts/

    https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions/

    Best regards,

    Lee


    Just do it.


    Tuesday, April 2, 2019 2:47 AM
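    The following is an added example (not code from Terry's posts or from Lee's reply) that puts Lee's SetAccessRuleProtection call together with the full permission set Terry listed in the question and the "remove everything, then add only what I want, and apply to child objects" requirement from his follow-up. It uses only Get-Acl/Set-Acl and the .NET FileSystemAccessRule class, so the NTFSSecurity module is not needed. The path and group names are taken from Terry's scripts; "CONTOSO" is a placeholder for the real NetBIOS domain name, and the function names are my own.

    ```powershell
    # Added example, not from the thread. Rebuilds each archive folder's DACL from scratch:
    # block inheritance, drop every existing ACE, then grant only the admin groups (Full Control),
    # SYSTEM (Full Control) and the folder's owner (Modify), all inheritable by child objects.
    # 'CONTOSO' is a placeholder for the real NetBIOS domain; group names come from Terry's script.
    Import-Module ActiveDirectory

    $EmailArchivePath = "\\Domain\Env\EmailArchive"
    $Domain           = "CONTOSO"   # placeholder
    $FullControlIds   = @("$Domain\Domain Admins", "$Domain\Desktop_Admin", "$Domain\DA_Admin", "NT AUTHORITY\SYSTEM")

    # Every ACE applies to the folder, its subfolders and its files ("apply to all child objects").
    $Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $Propagate = [System.Security.AccessControl.PropagationFlags]::None
    $Allow     = [System.Security.AccessControl.AccessControlType]::Allow

    function New-Ace {
        param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
        New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $Inherit, $Propagate, $Allow
    }

    function Set-ArchiveFolderAcl {
        [CmdletBinding(SupportsShouldProcess = $true)]
        param([Parameter(Mandatory)][string]$Folder)

        $name = Split-Path -Path $Folder -Leaf
        # Only touch folders whose name is an existing AD user; anything else is reported, not guessed at.
        $adUser = Get-ADUser -Filter { SamAccountName -eq $name }
        if (-not $adUser) { Write-Warning "No AD user matches folder '$name'; skipping"; return }

        $acl = Get-Acl -Path $Folder
        # 1. Block inheritance from the parent; $false discards the inherited ACEs instead of copying them.
        $acl.SetAccessRuleProtection($true, $false)
        # 2. Remove whatever explicit ACEs survived, so the DACL starts empty.
        foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
        # 3. Add exactly the entries wanted and nothing else.
        foreach ($id in $FullControlIds) { $acl.AddAccessRule((New-Ace $id 'FullControl')) }
        $acl.AddAccessRule((New-Ace "$Domain\$($adUser.SamAccountName)" 'Modify'))

        if ($PSCmdlet.ShouldProcess($Folder, 'replace DACL')) {
            Set-Acl -Path $Folder -AclObject $acl
        }
    }

    # Drift check: $true only if inheritance is blocked and the DACL names exactly the expected identities.
    function Test-ArchiveFolderAcl {
        param([Parameter(Mandatory)][string]$Folder, [Parameter(Mandatory)][string[]]$ExpectedIdentities)
        $acl    = Get-Acl -Path $Folder
        $actual = @($acl.Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
        $diff   = Compare-Object -ReferenceObject @($ExpectedIdentities | Sort-Object -Unique) -DifferenceObject $actual
        return ($acl.AreAccessRulesProtected -and -not $diff)
    }

    # Dry run first (-WhatIf prints what would change), then apply and verify every folder.
    $folders = Get-ChildItem -Path $EmailArchivePath -Directory
    $folders | ForEach-Object { Set-ArchiveFolderAcl -Folder $_.FullName -WhatIf }
    $folders | ForEach-Object { Set-ArchiveFolderAcl -Folder $_.FullName }
    foreach ($f in $folders) {
        $expected = $FullControlIds + "$Domain\$($f.Name)"
        if (-not (Test-ArchiveFolderAcl -Folder $f.FullName -ExpectedIdentities $expected)) {
            Write-Warning "ACL on $($f.FullName) does not match the expected set"
        }
    }
    ```

    Run it elevated as a member of one of the Full Control groups: Set-Acl writes the whole security descriptor, including the owner, and fails on folders owned by someone else unless the caller has the restore privilege that administrators get. Test-ArchiveFolderAcl is the check worth keeping afterwards; scheduling it is a cheap way to notice when a copy or move has flattened the permissions again, which is how this thread started.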
  • Thank you that is very helpful.

    I have not figured it all out yet, but well on my way.

    Question:  In my list of users/groups on my security tab, I have a group called compname\Users.  How can I get rid of this account?  Nothing seems to work.

    Thank You

    Terry

    Tuesday, April 2, 2019 3:33 PM
  • Hi Terry,

    Thanks for your reply.

    If you use the SetAccessRuleProtection function and delete the current inherited permissions, you will find that no groups or users have permission to access this object.

    Also, you can remove specific group permissions with the “Remove-NTFSAccess” PowerShell cmdlet.

    For example:

    Remove-NTFSAccess D:\Data -Account RAANDREE0\randr_000 -AccessRights Read -PassThru

    Best regards,

    Lee


    Just do it.

    • Proposed as answer by ComputerScott Monday, April 8, 2019 10:35 PM
    Wednesday, April 3, 2019 2:35 AM
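    As an added example (not from the thread, and not the NTFSSecurity module's code), here is the same removal done with the built-in Get-Acl/Set-Acl cmdlets, handling the case Terry ran into: an entry like compname\Users that "nothing seems to work" on is almost always inherited from the parent folder, and RemoveAccessRule only deletes explicit ACEs. The function blocks inheritance while keeping copies of the inherited entries (Lee's second parameter set to $true), commits that so the copies become explicit, and then removes the ones for the named identity. The E:\Userslist\bsmith path is constructed from Terry's scripts; the function name and the -BreakInheritance switch are my own.

    ```powershell
    # Added example, not from the thread. Removes every ACE for one identity from a folder using
    # Get-Acl/Set-Acl (an alternative to Remove-NTFSAccess). Inherited ACEs cannot be removed
    # directly, so they are first converted to explicit copies by blocking inheritance.
    function Remove-IdentityAccess {
        [CmdletBinding(SupportsShouldProcess = $true)]
        param(
            [Parameter(Mandatory)][string]$Path,
            [Parameter(Mandatory)][string]$Identity,   # e.g. 'BUILTIN\Users' or 'CONTOSO\bsmith' (placeholder domain)
            [switch]$BreakInheritance                  # needed when the identity's ACEs are inherited
        )
        $acl     = Get-Acl -Path $Path
        $entries = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })
        if ($entries.Count -eq 0) { Write-Verbose "$Identity has no ACE on $Path"; return $false }

        $inherited = @($entries | Where-Object { $_.IsInherited })
        if ($inherited.Count -gt 0) {
            if (-not $BreakInheritance) {
                Write-Warning ("{0} ACE(s) for {1} on {2} are inherited; re-run with -BreakInheritance" -f $inherited.Count, $Identity, $Path)
                return $false
            }
            if (-not $PSCmdlet.ShouldProcess($Path, 'block inheritance, keeping inherited ACEs as explicit copies')) { return $false }
            # Second argument $true keeps the inherited ACEs as explicit copies; committing makes them editable.
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -Path $Path -AclObject $acl
            $acl = Get-Acl -Path $Path
        }

        # Every matching ACE is explicit now, so RemoveAccessRule can drop it.
        foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })) {
            [void]$acl.RemoveAccessRule($ace)
        }
        if ($PSCmdlet.ShouldProcess($Path, "remove all ACEs for $Identity")) {
            Set-Acl -Path $Path -AclObject $acl
        }
        return $true
    }

    # Inspect first (IsInherited shows why a plain removal does nothing), then remove with a dry run.
    (Get-Acl -Path 'E:\Userslist\bsmith').Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    Remove-IdentityAccess -Path 'E:\Userslist\bsmith' -Identity 'BUILTIN\Users' -BreakInheritance -WhatIf
    ```

    The IsInherited column in the first command is the diagnostic: if the Users entry shows True, no Remove-NTFSAccess or RemoveAccessRule call will touch it until inheritance on that folder is blocked. The function refuses to do that silently; -BreakInheritance has to be passed, because once inheritance is blocked the folder no longer picks up permission changes made at the share root.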
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If not, please reply and tell us the current situation so we can provide further help.

    Best Regards,

    Lee


    Just do it.

    Monday, April 8, 2019 8:46 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If not, please reply and tell us the current situation so we can provide further help.

    Best Regards,

    Lee


    Just do it.

    Wednesday, April 10, 2019 9:03 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If not, please reply and tell us the current situation so we can provide further help.

    Best Regards,

    Lee


    Just do it.

    Monday, April 22, 2019 3:21 AM