File System Rights DeleteSubdirectoriesAndFiles but not parent folder

  • Question

  • I have to solve the following problem.
    On 200 folders (and every new additional folder) the permissions for a group should be set in this way: group members
    can only delete subfolders and files but not the parent folder.
    Folder Properties>Security>Advanced>Permission>Change Permission>"Group1">Edit
    Flag on "Delete" not set.
    Flag on "Delete subfolders and files" set.
    I only have to remove the "Delete" flag.
    The flag "Delete subfolders and files" is set, because group members do have full access to subfolders and files. Only deleting of the parent folder must be prevented.

    How can I do this by Powershell script?

    Thanks for any support.

    Thursday, July 3, 2014 1:16 PM

Answers

  • Try this:

    # Define the path and principal (these don't have to be variables)
    $Path = "C:\powershell\perm_test\1"
    $Principal = "Everyone"
    
    # Create an ACE that allows the principal to delete the object only (notice inheritance
    # and propagation flags)
    $Ace = New-Object System.Security.AccessControl.FileSystemAccessRule (
        $Principal, "Delete", 
        [System.Security.AccessControl.InheritanceFlags]::None, 
        [System.Security.AccessControl.PropagationFlags]::None, 
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    
    # Get SD, then call RemoveAccessRule, which will magically take just the access
    # you have in the ACE away:
    $SD = Get-Acl $Path
    $SD.RemoveAccessRule($Ace)
    
    # Apply (don't use Set-Acl if you're not the owner b/c it will fail)
    (Get-Item $Path).SetAccessControl($SD)
    


    My PowerShellAccessControl module can do this, too. If you do this type of thing interactively from the shell a lot, you should check it out. It can supplement or replace Get-Acl and Set-Acl. If you still want to use them, you could replace the New-Object call above with this line:

    $Ace = New-AccessControlEntry -Principal $Principal -FolderRights Delete -AppliesTo Object

    Everything else in that example would be the same.

    You could also do all of that in the following line of code using the module:

    # Uncomment -Force param to make it silent
    $Path | Remove-AccessControlEntry -Principal $Principal -FolderRights Delete -AppliesTo Object #-Force

    Anyway, try the first example out (no module necessary) and see if it does what you're looking for. Let me know if you have any questions.

    • Proposed as answer by FWN Thursday, July 3, 2014 3:52 PM
    • Marked as answer by ScriptingWifeModerator Tuesday, August 12, 2014 12:04 AM
    Thursday, July 3, 2014 1:44 PM

All replies

  • Hi Rohn

    Your response was incredibly fast.
    Thanks a lot

    I have tried the first example. It works almost correctly.
    As you can imagine, I prefer the solution without module.

    After running the script the folder had two access right entries for my test group.
    The first entry was correct, with the flag set on "Delete subfolders and files" and all other entries, but no flag set on "Delete".
    This is what I want.
    But there was a second access right entry for the same group with only one flag set, on "Delete".
    Therefore the group members would still have delete rights for the parent folder.

    Do you know why this happened?

    Thursday, July 3, 2014 2:15 PM
  • Take a closer look at that second ACE. It should only apply to sub folders and files. The first one should say that it applies to the folder only. You could also check the output of the 'Get-AccessControlEntry' function (in the module), and it would show 'O' under AppliesTo (for object only) for the first ACE and 'CC CO' under AppliesTo (for child containers and child objects) for the second ACE.

    Edited:
    Correction: The delete ACE should show subfolders and files only. The first ACE will apply to the folder, subfolders, and files, but it will be missing the 'Delete' right. 

    Thursday, July 3, 2014 2:19 PM
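    The following script is an added example, not code from the thread or from the PowerShellAccessControl module. It applies the accepted answer's RemoveAccessRule approach to every folder under a root (the original question mentions 200 folders) and then verifies the outcome described in the reply above: the group's original "This folder, subfolders and files" ACE is rewritten as one ACE without Delete for the folder and its children, plus a second ACE carrying Delete for subfolders and files only. The root path and the group name "DOMAIN\Group1" are assumptions for illustration; the function and variable names are mine.

```powershell
# Added example (not from the original thread). Assumed values:
$Root      = 'D:\Shares\Projects'   # assumed root that contains the folders to fix
$Principal = 'DOMAIN\Group1'        # assumed group name as stored in the ACL

# The ACE that describes exactly the right to take away: Delete, applying to
# "This folder only" (InheritanceFlags None / PropagationFlags None).
$DeleteOnThisFolder = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::Delete,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

function Remove-ParentFolderDelete {
    # Removes Delete (folder-only) from the principal's explicit Allow ACE(s) on $Path.
    # Returns $true when a matching ACE was found and rewritten, $false otherwise.
    param([Parameter(Mandatory = $true)][string]$Path)

    $Sd = Get-Acl -LiteralPath $Path
    # RemoveAccessRule only touches explicit (non-inherited) ACEs. When the group's
    # ACE applies to folder, subfolders and files, the DACL is split in two:
    # folder+children without Delete, and subfolders/files only with Delete.
    $changed = $Sd.RemoveAccessRule($DeleteOnThisFolder)
    if ($changed) {
        # SetAccessControl on the item instead of Set-Acl, as the accepted answer notes,
        # so the call does not fail when the current user is not the owner.
        (Get-Item -LiteralPath $Path).SetAccessControl($Sd)
    }
    return $changed
}

function Test-ParentFolderDelete {
    # Returns $true if the principal still holds Delete on the folder itself, i.e. an
    # Allow ACE (explicit or inherited) that applies to the object and includes Delete.
    param([Parameter(Mandatory = $true)][string]$Path)

    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        # An ACE with the InheritOnly propagation flag applies to children only, not to this folder.
        $appliesToObject = ([int]$r.PropagationFlags -band [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0
        $hasDelete       = ([int]$r.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::Delete) -ne 0
        if ($r.IdentityReference.Value -eq $Principal -and
            $r.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            $appliesToObject -and $hasDelete) {
            return $true
        }
    }
    return $false
}

# Apply to every top-level folder under the root, then report the result per folder.
# Re-run the same loop after new folders are created; nothing here is inherited.
Get-ChildItem -LiteralPath $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $changed = Remove-ParentFolderDelete -Path $_.FullName
    [pscustomobject]@{
        Folder         = $_.FullName
        Changed        = $changed
        StillHasDelete = Test-ParentFolderDelete -Path $_.FullName
    }
}
```

    Two checks worth keeping in mind when reading the report. A folder with Changed = $false had no explicit Allow ACE for the group that matched, typically because the group's rights reach it by inheritance from the root; RemoveAccessRule cannot alter inherited ACEs, so such folders need an explicit ACE first. A folder with StillHasDelete = $true after the change still grants Delete through some other ACE, and even when it reports $false, NTFS will still let the group delete the folder if the group holds "Delete subfolders and files" (FILE_DELETE_CHILD) on $Root itself, because that right on a parent permits deleting its children regardless of the child's own DACL.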
  • Hi Rohn

    Sorry, I have to correct my previous statement.

    All works as desired.

    First access right entry with no flag on "Delete" is for "This folder, subfolders and files".
    Second entry with flag on "Delete" is for "Only subfolders and files".

    So all works perfect.

    Thanks a lot for your incredible support. :-)

    Kind regards
    David

    Thursday, July 3, 2014 2:24 PM
  • You're welcome
    Thursday, July 3, 2014 2:29 PM