File and Folder Ownership and Permissions

  • Question

  • I know this has been addressed in another forum post. I got a PowerShell script that works amazing for setting the Owner and adding permissions for a group to a folder and all subfolders. But I need it to do files as well. Any help would be amazing. I will post the script in the comments. It is large so I may have to split it in two parts.

    -Jason

    Tuesday, October 8, 2019 1:56 PM

All replies

  • Part One of the script:

    $RootFolder = 'D:\one'
    $AdminGroup1 = 'PSY-NAS-Admins'
    $AdminGroup2 = 'PSY-NAS-Storage'
    $TotalModified = 0
    $ActiveCount = 0
    #Custom format: yyyy = year, MM = month (mm would be minutes), HH = 24-hour clock
    $TimeStamp = Get-Date -Format yyyy-MM-dd-HHmm
    $LogName = "$TimeStamp.txt"
    
    #Create empty object to hold all working folders
    $ActiveFolders = New-Object System.Collections.ArrayList
    
    #Functions
    #region Functions
    function Set-Folders {
    	[CmdletBinding()]
    	param ([Parameter(Mandatory = $True, ValueFromPipeline = $True)]
    		[string[]]$FolderLocation)
    	begin { }
    	process {
    		$LocatedFolders = (Get-ChildItem -Path $FolderLocation -Directory -Recurse -ErrorAction SilentlyContinue).FullName
    		$LocatedFolders.Count | Out-File -FilePath $LogName -Append
    		foreach ($Folder in $LocatedFolders) {
    			if ($ActiveFolders -notcontains $Folder) { $ActiveFolders.Add($Folder) | Out-Null }
    		}
    	}
    }
    function Set-Permissions {
    	[CmdletBinding()]
    	param ([Parameter(Mandatory = $True, ValueFromPipeline = $True)]
    		[string[]]$BadFolder)
    	begin { }
    	process {
    		&takeown /F $BadFolder | Out-Null
    		$ACL = Get-Acl $BadFolder
    		$ACL_Rule = new-object System.Security.AccessControl.FileSystemAccessRule ($AdminGroup1, "FullControl", "Allow")
    		$ACL.SetAccessRule($ACL_Rule)
    		$ACL_Rule = new-object System.Security.AccessControl.FileSystemAccessRule ($AdminGroup2, "FullControl", "Allow")
    		$ACL.SetAccessRule($ACL_Rule)
    		Set-Acl -Path $BadFolder -AclObject $ACL | Out-Null
    	}
    }
    #endregion Functions

    Tuesday, October 8, 2019 1:58 PM
  • Part Two of the script:

    #Populate first round of folders to array
    Set-Folders -FolderLocation $RootFolder
    
    #Begin the dirty
    for ($i = $ActiveFolders.Count; $i -ge 0; $i--) {
    	$MyFolder = $ActiveFolders | Select-Object -first 1
    	#If current array value is not blank
    	if ($MyFolder -ne $null) {
    		#Append current folder to log
    		$MyFolder | Out-File -FilePath $LogName -Append
    		#Take ownership & set permissions
    		Set-Permissions -BadFolder $MyFolder
    		#Find folders within after updating permissions
    		Set-Folders -FolderLocation $MyFolder
    		#Remove folder from array
    		$ActiveFolders.Remove($MyFolder)
    		#Up count of modified folders
    		$TotalModified++
    		#Update progress bar
    		Write-Progress -Activity "Current Folder Count: $i  Total Modified: $TotalModified" -Status $MyFolder -PercentComplete (100)
    		$i = $ActiveFolders.Count
    	}
    }
    Write-Host "Processed $TotalModified folders.  Operation complete." -ForegroundColor Red -BackgroundColor Green

    Tuesday, October 8, 2019 1:58 PM
  • Do you need to maintain existing permissions? If not, you don't need a script. These commands will reset the inheritance on all files and folders.

    $badfolder="C:\test"
    takeown /d Y /a /r /f $badfolder
    icacls $badfolder /reset /t 
    icacls $badfolder /verify /t 
    

    Tuesday, October 8, 2019 2:21 PM
  • Yes, I do need to maintain the current existing permissions.
    Tuesday, October 8, 2019 2:37 PM
  • The ACL that you are adding is for "This folder only". 

    The simplest solution is to set it to "This folder and files"

    $ACL_Rule = new-object System.Security.AccessControl.FileSystemAccessRule ($AdminGroup1, "FullControl", "ObjectInherit", "None", "Allow")
    		
      

    If someone has uninherited the folder permissions from a specific file, then that would not apply and you would need a "bigger" solution.

    Now this is a matter of personal preference, but if I was writing this script, I would do it differently. (Sorry.) You are running a takeown on every folder even though you may not need to. And you are adding an ACL that is not inherited by subfolders. You are not checking to see if the groups already have access.

    I think that it would be better to recursively navigate the folders and only run takeown on the subfolders that you can't access. And add the ACLs as inherited so that they apply to all subfolders that inherit permissions from the parent. That method should run a lot faster.

    $ACL_Rule = new-object System.Security.AccessControl.FileSystemAccessRule ($account, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")

      


    Tuesday, October 8, 2019 4:48 PM
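
The approach described in the last reply (add the rule as inherited, skip objects where the groups already have access, take ownership only where access fails), written out as an added example that is not part of the thread. It assumes an elevated session, reuses `D:\one` and the two group names from the posted script, and `Add-FullControl` and `Repair-Tree` are hypothetical helper names.

```powershell
# Added example. $RootFolder and the group names are the values from the thread's script.
$RootFolder  = 'D:\one'
$AdminGroups = 'PSY-NAS-Admins', 'PSY-NAS-Storage'

function Add-FullControl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    # Folders hand the rule down to subfolders and files; a file has no children.
    $inherit = if (Test-Path -LiteralPath $Path -PathType Container) {
        'ContainerInherit,ObjectInherit' } else { 'None' }
    $changed = $false
    foreach ($group in $AdminGroups) {
        $sid = ([System.Security.Principal.NTAccount]$group).Translate(
            [System.Security.Principal.SecurityIdentifier])
        # Explicit and inherited entries both count, so children that inherit are skipped.
        $has = $acl.GetAccessRules($true, $true, $sid.GetType()) | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -eq 'FullControl' -and
            $_.PropagationFlags -notlike '*InheritOnly*'
        }
        if (-not $has) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList $sid, 'FullControl', $inherit, 'None', 'Allow'
            $acl.AddAccessRule($rule)   # adds to existing entries, keeps the rest of the ACL
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -LiteralPath $Path -AclObject $acl -ErrorAction Stop }
    return $changed
}

function Repair-Tree {
    param([Parameter(Mandatory)][string]$Path)
    try { $null = Add-FullControl -Path $Path }
    catch {
        # Take ownership only where the ACL could not be read or written.
        & takeown.exe /A /F $Path | Out-Null
        try { $null = Add-FullControl -Path $Path }
        catch { Write-Warning "Skipped ${Path}: $($_.Exception.Message)"; return }
    }
    if (Test-Path -LiteralPath $Path -PathType Container) {
        # Visit files and subfolders; do not follow junctions or symlinks.
        Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
            Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } |
            ForEach-Object { Repair-Tree -Path $_.FullName }
    }
}

Repair-Tree -Path $RootFolder
```

Files and folders that have inheritance disabled get an explicit entry, because the inherited-entry check finds nothing on them; everything else is read but not rewritten.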