Powershell ntfs rights to a folder

  • Question

  • Hi,

    I am trying to make a PowerShell script that can set permission of a group to a folder.
    At this moment I have

    New-Item -ItemType directory -Path \\127.0.0.1\Home$\\test

    $acl = Get-Acl \\127.0.0.1\Home$\\test

    $arguments = "REND\GroupA","ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Allow"

    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $arguments

    $acl.SetAccessRule($accessRule)

    $acl | Set-Acl \\127.0.0.1\Home$\\test


    What I want to do is to set the same group 2 times but with different settings.
    If I do this in Windows security I can do it in advanced but with PowerShell it can't.

    1: GroupA --> Write Allow (Not inherited)
    2: GroupA --> Read Allow (Inherited)

    How can I do this in PowerShell?

    Greetings

    Marcel

    Friday, January 24, 2014 2:20 PM

All replies

  • Hi Marcel,

    you can do that by creating two access rules, one that has flags for inheritance, the other that doesn't.

    This function may be of some assistance in that (just paste it at the head of your script, and you can use the New-AccessRule function in your code).

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Friday, January 24, 2014 3:37 PM
  • Hi Fred,

    I tested the script and it only makes an access rule for 1 group/user. When I execute it the first time it is set.
    When I execute it the second time the group is overwritten.

    Is there really no possibility to add 2 groups to the security and set the properties for the folder in the first and the children on the second?

    Greetings

    Marcel

    Monday, January 27, 2014 7:19 AM
  • Hi Marcel,

    here's an example on how to use the function:

    # Get Accessrules
    $acl = Get-Acl "C:\ExampleFolder"
    # Create write permissions for folder itself
    $rule1 = New-AccessRule -Name "TestUser" -Domain "TestDomain" -InheritNone -DontTouchMyFolders
    # Create read permissions for child items
    $rule2 = New-AccessRule -Name "TestUser" -Domain "TestDomain" -ReadOnly -ChildrenOnly
    # Add rules
    $acl.AddAccessRule($rule1)
    $acl.AddAccessRule($rule2)
    # Write permissions
    $acl | Set-Acl "C:\ExampleFolder"

    Rule 1 contains local write permissions without inheriting it to children, rule 2 only affects children. Works like a charm for me when I run it on my local machine or on a Domain joined server for domain users.

    Cheers, and I hope that works for you,
    Fred


    There's no place like 127.0.0.1

    • Marked as answer by MarcelBalk Monday, January 27, 2014 11:16 AM
    Monday, January 27, 2014 9:15 AM
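
Added example, not part of the thread and not Fred's `New-AccessRule` function (which is not reproduced on this page): the same two-rule idea written directly against the .NET `FileSystemAccessRule` constructor, also showing why the `SetAccessRule` call in the question leaves only one entry for the group. The temp folder, the `Get-ExplicitRules` helper and the BUILTIN\Users SID are assumptions standing in for the share path and REND\GroupA.

```powershell
# Added example: temp folder and BUILTIN\Users (S-1-5-32-545) are stand-ins
# for \\127.0.0.1\Home$\test and REND\GroupA from the question.
$path = Join-Path $env:TEMP 'acl-two-rules-demo'
New-Item -ItemType Directory -Path $path -Force | Out-Null
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

# Rule 1: Write on the folder itself only (no inheritance, no propagation).
$thisFolderOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'Write', 'None', 'None', 'Allow')

# Rule 2: ReadAndExecute for subfolders and files only. InheritOnly keeps
# the entry from applying to the folder that carries it.
$childrenOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')

# Hypothetical helper: explicit (non-inherited) rules for our SID only.
function Get-ExplicitRules($acl) {
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value }
}

# SetAccessRule first removes every existing Allow rule for the same identity,
# so the second call discards the rule added by the first.
$acl = Get-Acl $path
$acl.SetAccessRule($thisFolderOnly)
$acl.SetAccessRule($childrenOnly)
'After SetAccessRule twice: {0} explicit rule(s)' -f @(Get-ExplicitRules $acl).Count

# AddAccessRule appends. Rules with different inheritance or propagation
# flags are not merged, so both entries are kept side by side.
$acl = Get-Acl $path
$acl.AddAccessRule($thisFolderOnly)
$acl.AddAccessRule($childrenOnly)
Set-Acl -Path $path -AclObject $acl
'After AddAccessRule twice: {0} explicit rule(s)' -f @(Get-ExplicitRules (Get-Acl $path)).Count

# Review what was actually written before relying on it.
Get-ExplicitRules (Get-Acl $path) |
    Format-Table FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType

Remove-Item $path -Recurse -Force   # clean up the demo folder
```

Reading the explicit rules back after `Set-Acl` is a useful habit in provisioning scripts, because it confirms that the write right stayed on the parent folder and only the read right propagates to children.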
  • Hi Fred,

    TNX! This is a partial to my solution. Microsoft just gave me an update to PowerShell that has fixed the other end of my problem.

    Again, tnx for the help!

    Marcel

    Monday, January 27, 2014 11:16 AM