Assigning permissions to folders via powershell

  • Question

  • Hi experts,

    I am trying to assign modify permission to folders and files within a folder recursively using PowerShell. However, I am getting a lot of these errors. Please advise.

    Set-Acl : The security identifier is not allowed to be the owner of this object.
    At C:\Folderpermissions.ps1:10 char:1
    + Set-Acl $path $acl
    + ~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (E:\Data\Team Su...rategy Proposal:String) [Set-Acl], InvalidOperationException
        + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.SetAclCommand
     

    You cannot call a method on a null-valued expression.
    At C:\Folderpermissions.ps1:8 char:1
    + $acl = (Get-Item $path).GetAccessControl('Access')
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull
     

    $location = "E:\Data\Path_of_folder"
    $group = "SecurityGroup_RW"
    $rule = New-Object system.security.accesscontrol.filesystemaccessrule($group,"Modify","ContainerInherit,ObjectInherit","None","Allow")
    $folders = Get-Childitem $location -Recurse | Where-Object {$_.PSISContainer}
    Foreach ($folder in $folders) {
        $path = $folder.FullName
        $acl = (Get-Item $path).GetAccessControl('Access')
        $acl.SetAccessRule($rule)
        Set-Acl $path $acl
    }

    Wednesday, August 7, 2019 2:36 AM

Answers

  • This is how to write this and also how to correctly indent and format your code.

    $location = 'E:\Data\Path_of_folder'
    $group = 'SecurityGroup_RW'
    $rule = New-Object system.security.accesscontrol.filesystemaccessrule($group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    
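    # Enumerate every subfolder below $location
    Get-ChildItem $location -Recurse -Directory |
        ForEach-Object {
            Try {
                # Pass the full path explicitly: the folder object itself can
                # convert to just its name, which Get-Acl then fails to find
                $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
                $acl.AddAccessRule($rule)
                Set-Acl -LiteralPath $_.FullName -AclObject $acl -ErrorAction Stop
            }
            Catch {
                # Stop at the first folder that cannot be read or updated
                Throw $_
            }
        }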

    Getting Started with Microsoft PowerShell

    The PowerShell Best Practices and Style Guide



    \_(ツ)_/

    Wednesday, August 7, 2019 3:42 AM

All replies

  • Hi JRV,

    I am getting this error. Please advise. Thanks.

    Get-Childitem : Cannot find path 'Folder1' because it does not exist.
    At C:\Folderpermissions2.ps1:5 char:1
    + Get-Childitem $location -Recurse -Directory|
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (:) [Get-ChildItem], ItemNotFoundException
        + FullyQualifiedErrorId : GetAcl_PathNotFound_Exception,Microsoft.PowerShell.Commands.GetChildItemCommand

    Wednesday, August 7, 2019 9:30 PM
  • Hi all, 

    You may also consider using the NTFSSecurity PowerShell module:

    https://www.powershellgallery.com/packages/NTFSSecurity/4.2.6

    It is really easy to apply NTFS permissions with it and also do auditing. 

    This article describes how it works: 

    https://blogs.technet.microsoft.com/fieldcoding/2014/12/05/ntfssecurity-tutorial-1-getting-adding-and-removing-permissions/

    Best regards, 

    Ivan 

    Friday, August 23, 2019 11:45 AM
  • You should be using inherited permissions. At the "E:\Data\xxxx" level the permissions would be xxxx-owners full control, xxxx-read-write Modify, and xxxx-read-only Read. This inheritance would be applied to all subfolders so that if you need to add another group, you only have to make the change at the "E:\Data\xxxx" folder.

    Inheritance should only be disabled for highly secure folders. For example E:\Data\HumanResources\Secure\Salaries. 

        
    Friday, August 23, 2019 2:08 PM
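
The inheritance approach from the last reply, as an added example that is not code from any poster in this thread: the Modify entry is written once on the top folder with inheritance flags, and subfolders are only audited for disabled inheritance instead of being rewritten one by one. `$location` and `$group` are the placeholder values from the question; the function name `Set-InheritedModify` and the `Status` strings are hypothetical.

```powershell
# Added example. Placeholder values taken from the question in this thread.
$location = 'E:\Data\Path_of_folder'
$group    = 'SecurityGroup_RW'

function Set-InheritedModify {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Identity
    )

    # One entry on the root folder. ContainerInherit,ObjectInherit carries it
    # to every subfolder and file that still has inheritance enabled.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

    $acl = Get-Acl -LiteralPath $Root -ErrorAction Stop
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Root -AclObject $acl -ErrorAction Stop

    # Audit only: list subfolders that will NOT pick up the new entry because
    # inheritance is disabled there, plus any folder whose ACL cannot be read.
    Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_   # keep the folder; inside catch, $_ is the error record
            try {
                $childAcl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
                if ($childAcl.AreAccessRulesProtected) {
                    [pscustomobject]@{
                        Path   = $dir.FullName
                        Status = 'InheritanceDisabled'
                    }
                }
            }
            catch {
                [pscustomobject]@{
                    Path   = $dir.FullName
                    Status = "Unreadable: $($_.Exception.Message)"
                }
            }
        }
}

# An empty result means every readable subfolder inherits from the root.
Set-InheritedModify -Root $location -Identity $group | Format-Table -AutoSize
```

Folders reported as `InheritanceDisabled` are the ones to review by hand, since they are the deliberate exceptions the reply describes or leftovers from earlier per-folder edits.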