Set Security Permissions on all Folders entitled "Invoices"

Question

  • Is there a way in Windows Server 2016 to recursively search through all folders inside a filesystem directory and change the security permissions on any folder or subfolder that has a specific name?

    For instance, I would like to take the following folders...

    S:\Company\C\Contoso\Invoices

    S:\Company\F\Fabrikam\Invoices

    ... and remove the folder's permission inheritance and give the domain group "Accounts Payable Dept" Read/Write access. At the same time, I do not want to change the permissions for

    S:\Company\C\Contoso\Job Templates

    S:\Company\F\Fabrikam\Contracts

    Any help would be appreciated! Thanks in advance.

    Wednesday, June 13, 2018 4:44 PM

All replies

  • I'll start you out; yes, it is possible.
    Wednesday, June 13, 2018 4:48 PM
  • For setting the ACL, try this (or do your own search for "how to"):

    https://stackoverflow.com/questions/25779423/powershell-to-set-folder-permissions

    To recurse through a directory, use Get-ChildItem with the -Recurse switch.

    If you don't want to change files in those directories, either specify the directory you DO want, or, in the ForEach you'll pipe the output of Get-ChildItem to, examine each item and skip the ones you don't want to modify.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Wednesday, June 13, 2018 6:57 PM
  • I found a TechNet article which gives a script that is very similar to what I'm trying to accomplish.

    So far my minor tweaks have worked but I'm a bit stuck on the inherited permissions part.

    The script disables inheritance but it doesn't remove the old inherited permissions. Any idea how I can update it to do this?

    This is my script so far:

    #ChangeACL.ps1
    $Right="FullControl"

    $StartingDir="H:\Data\tmp"
    $Principal="CONTOSO\CyriousInvoices"

    # Allow ACE that flows to subfolders (ContainerInherit) and files (ObjectInherit)
    $rule=new-object System.Security.AccessControl.FileSystemAccessRule($Principal,$Right,'ContainerInherit,ObjectInherit','None','Allow')

    # Note: -match 'Invoices' selects every item whose full path contains "Invoices",
    # i.e. the Invoices folders and everything inside them
    foreach ($file in $(Get-ChildItem $StartingDir -recurse | Where-Object { $_.FullName -match 'Invoices' })) {
      $acl=get-acl $file.FullName

      # First argument $True stops inheritance; second argument $True keeps copies of the
      # inherited ACEs as explicit ACEs, which is why the old permissions stay behind
      $acl.SetAccessRuleProtection($True, $True)
      #Add this access rule to the ACL
      $acl.SetAccessRule($rule)
      #Write the changes to the object
      set-acl $File.Fullname $acl
    }


    Wednesday, June 20, 2018 2:57 AM
  • #Add this access rule to the ACL
    $acl.SetAccessRuleProtection($True, $True)
    set-acl $File.Fullname $acl  # <<<< ------ must update first.
    $acl.SetAccessRule($rule)
    #Write the changes to the object
    set-acl $File.Fullname $acl


    \_(ツ)_/

    Wednesday, June 20, 2018 3:31 AM
  • Thanks for your reply @jrv!

    I don't think I'm understanding your direction though :S

    I changed my script to this:

      #Add this access rule to the ACL
      $acl.SetAccessRuleProtection($True, $True)
      
      #Write the changes to the object
      set-acl $File.Fullname $acl
      $acl.SetAccessRule($rule)

    Essentially, I swapped order of the "$acl.SetAccessRule ($rule)" and "set-acl $File.Fullname $acl" commands. That's what you were suggesting, right??

    I reran the script now; the script is disabling inheritance, but it isn't removing the old inherited items and it's not adding my new security group.

    Thanks!!

    Wednesday, June 20, 2018 1:03 PM
  • One further thought.

    There may be an easier way to do what I'm asking. The script above works for me. The only problem is that after I run it, I need to remove the group "CONTOSO\Users" from having access to see that folder.

    Is there an easy way to remove this specific group from having permission to the "invoice" folder?


    • Edited by Kaleb Hosie Wednesday, June 20, 2018 1:16 PM
    Wednesday, June 20, 2018 1:15 PM
  • You have to set the protection to $false to remove the rules.

    This will remove the inherited ACEs.

    $acl = Get-Acl d:\testjunk1
    $acl.SetAccessRuleProtection($true,$false)
    $acl | Set-Acl d:\testjunk1


    \_(ツ)_/

    • Marked as answer by Kaleb Hosie Wednesday, June 20, 2018 2:00 PM
    Wednesday, June 20, 2018 1:15 PM
  • One further thought.

    There may be an easier way to do what I'm asking. The script above works for me. The only problem is that after I run it, I need to remove the group "CONTOSO\Users" from having access to see that folder.

    Is there an easy way to explicitly remove this specific group from having permission to the "invoice" folder?

    Add a "Deny" ACE.


    \_(ツ)_/

    Wednesday, June 20, 2018 1:16 PM
  • This module can make these settings much easier to use and understand:

    Install-Module NTFSSecurity


    \_(ツ)_/

    Wednesday, June 20, 2018 1:18 PM
  • Thanks @jrv! Changing the line to $False worked!! Thanks!!

    Doing this made me run into another problem though because once I ran the script on my test directory, it removed Administrator's access to the folders. I guess I could add the administrator username to the "CyriousInvoices" group but I'd rather Administrator have access personally.

    After some problem solving, I came up with a solution. The solution is to remove all inherited permissions and give "Administrator" full control. After the script completes this, run another "foreach" which simply adds the other group I want to have access.

    Here is my script in case anyone else finds this of help:

    #ChangeACL.ps1

    #Variables
    $Right="FullControl"
    $StartingDir="H:\My\File\Directory"
    $Principal="CONTOSO\Administrator"

    #### First We Remove All Inherited Permissions And Give Administrators Group Full Access. ####

    # Allow ACE that flows to subfolders (ContainerInherit) and files (ObjectInherit)
    $rule=new-object System.Security.AccessControl.FileSystemAccessRule($Principal,$Right,'ContainerInherit,ObjectInherit','None','Allow')

    # Note: -match 'Invoices' selects every item whose full path contains "Invoices",
    # i.e. the Invoices folders and everything inside them
    foreach ($file in $(Get-ChildItem $StartingDir -recurse | Where-Object { $_.FullName -match 'Invoices' })) {
      $acl=get-acl $file.FullName

      # $True = stop inheriting; $False = discard the inherited ACEs instead of copying them
      $acl.SetAccessRuleProtection($True, $False)
      #Add this access rule to the ACL before writing, so the object is never left without an ACE
      $acl.SetAccessRule($rule)
      #Write the changes to the object
      set-acl $File.Fullname $acl
    }

    #### Now add the CyriousInvoices group Full Access. ####

    $Principal="CONTOSO\MyADGroup"

    # Three-argument constructor: no inheritance flags, so this ACE applies only to the object it
    # is set on; each matched subfolder and file gets its own explicit copy from the loop below
    $rule=new-object System.Security.AccessControl.FileSystemAccessRule($Principal,$Right,"Allow")

    foreach ($file in $(Get-ChildItem $StartingDir -recurse | Where-Object { $_.FullName -match 'Invoices' })) {
      $acl=get-acl $file.FullName

      #Add this access rule to the ACL
      $acl.SetAccessRule($rule)

      #Write the changes to the object
      set-acl $File.Fullname $acl
    }

    Please note: I realize there must be a more efficient method of doing this without having to run a "foreach" loop twice but at least it accomplishes what I was set out to do.

    Thanks to @jrv for the help!

    Wednesday, June 20, 2018 1:59 PM
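The marked answer ($false to discard inherited ACEs) and the final two-loop script, folded into a single pass, as an added example that is not part of the thread. It assumes PowerShell 5.1 on a Windows Server 2016 file server run as an administrator; the function names, the "Accounts Payable Dept" group and the Modify right are the example's own choices, and BUILTIN\Administrators plus SYSTEM are written in the same Set-Acl call so the admin lock-out described above cannot happen.

```powershell
# Added example (not the thread's own code); assumes PowerShell 5.1, run as an administrator.
function New-Ace {
    param([string]$Identity, [string]$Rights)
    # Allow ACE that flows to subfolders (ContainerInherit) and files (ObjectInherit)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
}

function Set-InvoicesFolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$StartingDir,
        [Parameter(Mandatory)][string]$Group,      # placeholder, e.g. 'CONTOSO\Accounts Payable Dept'
        [string]$FolderName = 'Invoices'
    )
    # Explicit ACEs that replace the inherited ones. Administrators and SYSTEM go in the same
    # write, which avoids the admin lock-out seen in the thread; the group gets Modify
    # (read/write/delete), not FullControl, so members cannot change the permissions again.
    $rules = @(
        (New-Ace 'BUILTIN\Administrators' 'FullControl'),
        (New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'),
        (New-Ace $Group                   'Modify')
    )
    # -Directory plus an exact name test: only folders actually named "Invoices", not
    # "Old Invoices" and not the files inside them (which -match 'Invoices' on FullName hits).
    Get-ChildItem -LiteralPath $StartingDir -Directory -Recurse |
        Where-Object { $_.Name -eq $FolderName } |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName
            # $true = stop inheriting; $false = discard the inherited ACEs rather than copy them.
            # The inherited "Users" ACE disappears with them, so no Deny ACE is needed.
            $acl.SetAccessRuleProtection($true, $false)
            foreach ($r in $rules) { $acl.AddAccessRule($r) }
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Replace inherited ACL')) {
                # One Set-Acl call: the folder is never left with inheritance off and no ACEs.
                Set-Acl -LiteralPath $_.FullName -AclObject $acl
            }
        }
}

# Read-only audit of the result: explicit (non-inherited) ACEs on each Invoices folder.
function Get-InvoicesFolderAcl {
    param([Parameter(Mandatory)][string]$StartingDir, [string]$FolderName = 'Invoices')
    Get-ChildItem -LiteralPath $StartingDir -Directory -Recurse |
        Where-Object { $_.Name -eq $FolderName } | ForEach-Object {
            $path = $_.FullName
            (Get-Acl -LiteralPath $path).Access | Where-Object { -not $_.IsInherited } |
                Select-Object @{ n = 'Folder'; e = { $path } }, IdentityReference, FileSystemRights
        }
}
```

Run `Set-InvoicesFolderAcl -StartingDir 'S:\Company' -Group 'CONTOSO\Accounts Payable Dept' -WhatIf` first to list the folders that would be touched, then without -WhatIf, and check the outcome with `Get-InvoicesFolderAcl -StartingDir 'S:\Company' | Format-Table`.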