none
Script Grant Full Access Permission on Multiple Folders and Sub-Folders RRS feed

  • Question

  • Hi, I'm having a issue trying to run this script. 

    1.)It provides each folder with "Special" Permission over them. (Read, Write, Modify, Full control). Is there a way of making it "Full Control" Permission instead of special permission?

    or

    2.) Is there a way to make the Object Apply to "This Folder,sub folders and files" (when i change it manually this it changes to Full Control Access)?

    What I tried doing in the following script is removing the inheritance of the folder then applying its level of authentication. I do get some errors and I'm pretty sure it's has to do with some files being password protected.

    $domainG = "Domain\Group"
    $dir = "X:\Folder\Folder\*\SameName"
    $subfolder = Join-Path $dir "\*"
    $subsubfolder = Join-Path $subfolder "\*"
    $subsubsubfolder = Join-Path $subsubfolder "\*"
    $subsubsubsubfolder = Join-Path $subsubsubfolder "\*"
    
    $acl = Get-Item $dir |get-acl
    
    #This removes inheritance
    $acl.SetAccessRuleProtection($true,$true)
    $acl |Set-Acl
    
    
    
    # Gives full control
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($domainG,"FullControl","Allow")
    $acl.SetAccessRule($rule)
    $acl |Set-Acl
    
    $acl = Get-Item $subfolder |Get-Acl
    # This adds full control to the subfolder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($domainG,"FullControl","Allow")
    $acl.SetAccessRule($rule)
    $acl |Set-Acl
    
    
    $acl = Get-Item $subsubfolder |Get-Acl
    # This adds full control to the sub sub folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($domainG,"FullControl","Allow")
    $acl.SetAccessRule($rule)
    $acl |Set-Acl
    
    $acl = Get-Item $subsubsubfolder |Get-Acl
    # This adds full control to the sub sub subfolder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($domainG,"FullControl","Allow")
    $acl.SetAccessRule($rule)
    $acl |Set-Acl
    
    $acl = Get-Item $subsubsubsubfolder |Get-Acl
    # This adds full control to the sub sub sub subfolder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($domainG,"FullControl","Allow")
    $acl.SetAccessRule($rule)
    $acl |Set-Acl

    Thursday, May 1, 2014 1:20 PM

Answers

  • The constructor you are using for the FileSystemAccessRule will only apply to the object the ACE belongs to. To have it apply to anything else, you'll have to use the constructor with the following arguments:

    <Principal>, <Rights>, <InheritanceFlags>, <PropagationFlags>, <Type>

    The one you're using doesn't have the flags. Those two flags enumerations control two things that you'll see in the GUI: 'Applies To' and 'Only Applies to this Object'. To have the ACE apply to the folder, subfolders and files (and have it not show as 'Special' in the GUI), you'll want the InheritanceFlags as 'ContainerInherit, ObjectInherit' and the PropagationFlags as 'None'. Try this:

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($domainG,"FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

    On a side note, check this module out. It greatly simplifies access control. If you're interested in it and have any questions, let me know.
    • Marked as answer by KillahHerb Thursday, May 1, 2014 6:39 PM
    Thursday, May 1, 2014 1:58 PM

All replies

  • That is the way it works.  It is getting full control but other permissions are being inherited,  With Full Control this is not really important. 

    THe big question is, "Does it work?"


    ¯\_(ツ)_/¯

    Thursday, May 1, 2014 1:45 PM
  • The constructor you are using for the FileSystemAccessRule will only apply to the object the ACE belongs to. To have it apply to anything else, you'll have to use the constructor with the following arguments:

    <Principal>, <Rights>, <InheritanceFlags>, <PropagationFlags>, <Type>

    The one you're using doesn't have the flags. Those two flags enumerations control two things that you'll see in the GUI: 'Applies To' and 'Only Applies to this Object'. To have the ACE apply to the folder, subfolders and files (and have it not show as 'Special' in the GUI), you'll want the InheritanceFlags as 'ContainerInherit, ObjectInherit' and the PropagationFlags as 'None'. Try this:

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($domainG,"FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

    On a side note, check this module out. It greatly simplifies access control. If you're interested in it and have any questions, let me know.
    • Marked as answer by KillahHerb Thursday, May 1, 2014 6:39 PM
    Thursday, May 1, 2014 1:58 PM
  • Unfortunately this is what the path looks like so the flags are likely to cause conflicts:

    X:\Folder\Folder\*\SameName\*\*\*\*


    ¯\_(ツ)_/¯

    Thursday, May 1, 2014 2:12 PM
  • I see now that the  ContainerInherit, and ObjectInherit are the ones I was missing.

    Thank you Gentlemens you guys are the Gurus.

    Thursday, May 1, 2014 6:42 PM