none
Powershell to set permissions on domain folders in bulk RRS feed

  • Question

  • Hello all,

    I have a lot of folders on a file server that I have to apply permissions to in bulk and wanted to accomplish this with a CSV and powershell. I found this other article: here but it doesn't completely apply and I have different permissions I want to apply on the folder using different groups. Here is what I am envisioning, plus my current script below:

    Import the CSV and it would contain: group to be assigned to the folder,folder name (i can set the working directory in the script),permission (full, modify, read, list), replace or add permission (not sure if this one can be done)

    Then, the script would essentially read the CSV and assign the permissions with a ForEach loop. I am getting tripped up on how to lay this out though with how I am applying the permissions. I want to replace the permissions on the folders with the following:

    Full permission Group1 :DS-FOLDER1-F 

    Modify permission Group1 :DS-FOLDER1-M

    List permission Group1 :DS-FOLDER1-L

    THE ISSUE I AM HAVING: The script works, but sets the permissions on the shared folder AND the target subfolders folders. How can I get it to NOT set the permissions on the share folder itself? 

    Here is my script so far:

    $CSV = import-csv -Path ".\permissions.csv"
    $folder=$_.folder
    $FolderDir = "\\server\share"
    $acl = Get-Acl $FolderDir

    Import-module activedirectory

    #if ($acl.AreAccessRulesProtected) { $acl.Access | % {$acl.purgeaccessrules($_.IdentityReference)} }
    #else {
            $acl.Access | % {$acl.purgeaccessrules($_.IdentityReference)}
    $isProtected = $True
    $preserveInheritance = $False
    $acl.SetAccessRuleProtection($isProtected, $preserveInheritance) 
    # }

    Foreach ($folder in $csv) {
    $account= $_.account #This is the section that applies the permissions for Full Control
    if ($_.Permission -eq "fullcontrol")
    {
    $rights=[System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritance=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
    $propagation=[System.Security.AccessControl.PropagationFlags]::None
    $allowdeny=[System.Security.AccessControl.AccessControlType]::Allow

    $dirACE=New-Object System.Security.AccessControl.FileSystemAccessRule ($account,$rights,$inheritance,$propagation,$allowdeny)
    $ACL.AddAccessRule($dirACE)
    }

    if ($_.Permission -eq "Modify") #This is the section that applies the permissions for Modify 
    {
    $rights=[System.Security.AccessControl.FileSystemRights]::"ExecuteFile,ReadData,ReadAttributes,ReadExtendedAttributes,WriteData,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,Read"
    $inheritance=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
    $propagation=[System.Security.AccessControl.PropagationFlags]::None
    $allowdeny=[System.Security.AccessControl.AccessControlType]::Allow

    $dirACE=New-Object System.Security.AccessControl.FileSystemAccessRule ($account,$rights,$inheritance,$propagation,$allowdeny)
    $ACL.AddAccessRule($dirACE)
    }

    if ($_.Permission -eq "Read") #This is the section that applies the permissions for Read
    {
    $rights=[System.Security.AccessControl.FileSystemRights]::Read
    $inheritance=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
    $propagation=[System.Security.AccessControl.PropagationFlags]::None
    $allowdeny=[System.Security.AccessControl.AccessControlType]::Allow

    $dirACE=New-Object System.Security.AccessControl.FileSystemAccessRule ($account,$rights,$inheritance,$propagation,$allowdeny)
    $ACL.AddAccessRule($dirACE)
    }

    Set-Acl -aclobject $ACL -Path $FolderDir
    Write-Host $FolderDir Permissions added

    }


    Saturday, March 5, 2016 3:25 PM

Answers

  • Thanks for the help! You actually got me started down a path and here is the finished product that works like a charm!!!

    I also references this link as well:

    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/88e6f2a9-bf78-462d-82e7-b3aae5f3e11b/set-existing-directory-with-permissions-via-powershell-with-csv?forum=ITCG

    $ErrorActionPreference="silentlyContinue"
    Stop-Transcript | out-null
    $ErrorActionPreference = "Continue"
    Start-Transcript -Path .\AD-BulkAssignFolderPermissions.txt -append
    $csvfilepath=".\AD-BulkAssignFolderPermissions.csv"
    $records=Import-csv -path $csvfilepath 


    Import-module activedirectory -ErrorAction Stop -ErrorVariable err
    if($err){
        return
    }

    Foreach ($record in $Records) {
    #make sure fields aren't empty
    if ($Record.account.trim()-eq "" -or $Record.path.trim()-eq "" -or $Record.permission.trim()-eq "") {
        continue
    }

    $acl = Get-Acl -path $Record.Path -ErrorAction Stop
    #Make sure directory exists

    if ((test-path -path $Record.Path -pathtype Container) -eq $false){
        Write-Error "Folder '$Record.Path' does not exist." -ErrorAction Stop
    }

    $folder=Get-Item -Path $Record.Path -ErrorAction Stop -ErrorVariable Err
    if ($err) {
        Write-Error -ErrorRecord $err[0]
        Continue
    }

    try {
        $user=Get-ADGroup -Identity $Record.Account -ErrorAction SilentlyContinue
    }catch {
        Write-Error -ErrorRecord $_
        Continue
    }

    if ($user -eq $null) {
        Write-Error "$Record.Account Does Not Exist"
        Continue
    }

    if ($Record.Permission -eq "fullcontrol") #This is the section that applies the permissions for Full 
    {
    $fulldirACE=New-Object System.Security.AccessControl.FileSystemAccessRule ($Record.account,"FullControl","ContainerInherit,ObjectInherit","None","Allow")

    $ACL.AddAccessRule($fulldirACE)
    Set-Acl -aclobject $ACL -Path $Record.Path
    Write-Host $Folder for $Record.Account Full Permissions Added
    }

    if ($Record.Permission -eq "Modify") #This is the section that applies the permissions for Modify 
    {
    $ModDirACE=New-Object System.Security.AccessControl.FileSystemAccessRule ($Record.Account,"ExecuteFile,ReadData,ReadAttributes,ReadExtendedAttributes,WriteData,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,Read","ContainerInherit,ObjectInherit","none","Allow")
    $ACL.AddAccessRule($ModdirACE)
    Set-Acl -aclobject $ACL -Path $Record.Path
    Write-Host $Folder for $Record.Account Modify Permissions Added
    }

    if ($Record.Permission -eq "Read") #This is the section that applies the permissions for Read
    {

    $ReadDirACE=New-Object System.Security.AccessControl.FileSystemAccessRule ($Record.Account,"Read","ContainerInherit,ObjectInherit","None","Allow")
    $ACL.AddAccessRule($ReadDirACE)
    Set-Acl -aclobject $ACL -Path $Record.Path
    Write-Host $Folder for $Record.Account Read Permissions Added
    }

    if ($Record.Permission -eq "List") #This is the section that applies the permissions for List
    {

    $ListDirACE=New-Object System.Security.AccessControl.FileSystemAccessRule ($Record.Account,"Read","ObjectInherit","NoPropagateInherit","Allow")
    $ACL.AddAccessRule($ListDirACE)
    Set-Acl -aclobject $ACL -Path $Record.Path
    Write-Host $Folder for $Record.Account List Permissions Added
    }

    }
    Stop-Transcript

    • Marked as answer by Bigtwenty Friday, March 18, 2016 6:23 PM
    Friday, March 18, 2016 6:22 PM

All replies

  • This is what happens when you copy and paste code that you do not understand. The following is what you say you want to do.  The rest of your code cannot possibly work anywhere.

    import-csv permissions.csv |
    	where{ Test-Path $_.Path }|
    	ForEach-Object{
    		$acl = Get-Acl $_.folder
    		$acl.purgeaccessrules($_.Account)
    		$acl.SetAccessRuleProtection($true, $false)
    		$ace=New-Object System.Security.AccessControl.FileSystemAccessRule ($_.account,$_.Permission,'ContainerInherit,ObjectInherit','None','Allow')
    		$acl.AddAccessRule($dirACE)
    		Set-Acl -aclobject $acl -Path $_.folder
    		Write-Host $_.folder Permissions added
    	}
    
    

    You may not be able to do this if you have already run the bad code and somehow scrambled the DACLs.


    \_(ツ)_/






    • Edited by jrv Saturday, March 5, 2016 4:24 PM
    Saturday, March 5, 2016 4:14 PM
  • Thanks for the help and I will try that code and get back to you. Can you explain the Test-Path part of this, I don't see a condition in there such as "in" or "-eq". Sorry, I am still learning and have a ways to go. 
    Monday, March 7, 2016 7:19 PM
  • Simple:

    help test-path -full


    \_(ツ)_/

    Monday, March 7, 2016 7:20 PM
  • Thanks for the help! You actually got me started down a path and here is the finished product that works like a charm!!!

    I also references this link as well:

    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/88e6f2a9-bf78-462d-82e7-b3aae5f3e11b/set-existing-directory-with-permissions-via-powershell-with-csv?forum=ITCG

    $ErrorActionPreference="silentlyContinue"
    Stop-Transcript | out-null
    $ErrorActionPreference = "Continue"
    Start-Transcript -Path .\AD-BulkAssignFolderPermissions.txt -append
    $csvfilepath=".\AD-BulkAssignFolderPermissions.csv"
    $records=Import-csv -path $csvfilepath 


    Import-module activedirectory -ErrorAction Stop -ErrorVariable err
    if($err){
        return
    }

    Foreach ($record in $Records) {
    #make sure fields aren't empty
    if ($Record.account.trim()-eq "" -or $Record.path.trim()-eq "" -or $Record.permission.trim()-eq "") {
        continue
    }

    $acl = Get-Acl -path $Record.Path -ErrorAction Stop
    #Make sure directory exists

    if ((test-path -path $Record.Path -pathtype Container) -eq $false){
        Write-Error "Folder '$Record.Path' does not exist." -ErrorAction Stop
    }

    $folder=Get-Item -Path $Record.Path -ErrorAction Stop -ErrorVariable Err
    if ($err) {
        Write-Error -ErrorRecord $err[0]
        Continue
    }

    try {
        $user=Get-ADGroup -Identity $Record.Account -ErrorAction SilentlyContinue
    }catch {
        Write-Error -ErrorRecord $_
        Continue
    }

    if ($user -eq $null) {
        Write-Error "$Record.Account Does Not Exist"
        Continue
    }

    if ($Record.Permission -eq "fullcontrol") #This is the section that applies the permissions for Full 
    {
    $fulldirACE=New-Object System.Security.AccessControl.FileSystemAccessRule ($Record.account,"FullControl","ContainerInherit,ObjectInherit","None","Allow")

    $ACL.AddAccessRule($fulldirACE)
    Set-Acl -aclobject $ACL -Path $Record.Path
    Write-Host $Folder for $Record.Account Full Permissions Added
    }

    if ($Record.Permission -eq "Modify") #This is the section that applies the permissions for Modify 
    {
    $ModDirACE=New-Object System.Security.AccessControl.FileSystemAccessRule ($Record.Account,"ExecuteFile,ReadData,ReadAttributes,ReadExtendedAttributes,WriteData,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,Read","ContainerInherit,ObjectInherit","none","Allow")
    $ACL.AddAccessRule($ModdirACE)
    Set-Acl -aclobject $ACL -Path $Record.Path
    Write-Host $Folder for $Record.Account Modify Permissions Added
    }

    if ($Record.Permission -eq "Read") #This is the section that applies the permissions for Read
    {

    $ReadDirACE=New-Object System.Security.AccessControl.FileSystemAccessRule ($Record.Account,"Read","ContainerInherit,ObjectInherit","None","Allow")
    $ACL.AddAccessRule($ReadDirACE)
    Set-Acl -aclobject $ACL -Path $Record.Path
    Write-Host $Folder for $Record.Account Read Permissions Added
    }

    if ($Record.Permission -eq "List") #This is the section that applies the permissions for List
    {

    $ListDirACE=New-Object System.Security.AccessControl.FileSystemAccessRule ($Record.Account,"Read","ObjectInherit","NoPropagateInherit","Allow")
    $ACL.AddAccessRule($ListDirACE)
    Set-Acl -aclobject $ACL -Path $Record.Path
    Write-Host $Folder for $Record.Account List Permissions Added
    }

    }
    Stop-Transcript

    • Marked as answer by Bigtwenty Friday, March 18, 2016 6:23 PM
    Friday, March 18, 2016 6:22 PM