  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 764

powershell ftp directory creation

I have a PowerShell script that creates a directory based on input from the user. The beginning of the script uses a Read-Host to assign a directory name to "$AccountName". This is the portion of the code that I am using to assign permissions to the created directory:
#       ---Set Permissions on Folder
 
"Setting Permissions on E:\SecureFtpSite\Support\$AccountName"
 
$colRights = [System.Security.AccessControl.FileSystemRights]"Modify"
$Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$User = New-Object System.Security.Principal.NTAccount("$Computer\$AccountName")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($User, $colRights , $Inherit, $Propagate, $objType)

$objACL = Get-Acl "E:\SecureFtpSite\Support\$AccountName"
$objACL.AddAccessRule($objACE)
 
Set-Acl "E:\SecureFtpSite\Support\$AccountName" $objACL
 
Start-Sleep -Seconds 5
 
"Permissions Successfully Applied!"

Here is my issue. The created account is in the FTP Users group for the site, and every account created has permission to list in every directory created. I would like to restrict created accounts to only be able to view directories that are created for the specific account. Here is the code in its entirety. Everything is working with the exception of the granular level of permissions I require. Any help would be appreciated.

### PowerShell Script
### Create local User Account
 
$AccountName = Read-Host "Please enter user account name (i.e. krisp)"
$FullName = Read-Host "Please enter the full name (i.e. Kris)"
$Description = Read-Host "Please enter the description (i.e. Krisp FTP Login)"
$Password = Read-Host "Please enter a password"
$Computer = "MYFTPSERVER"
 
"Creating user on $Computer"
 
# Access to Container using the COM library
$Container = [ADSI] "WinNT://$Computer"
 
# Create User
$objUser = $Container.Create("user", $Accountname)
$objUser.Put("Fullname", $FullName)
$objUser.Put("Description", $Description)
 
# Set Password
$objUser.SetPassword($Password)
 
# Save Changes
$objUser.SetInfo()
 
# Add User Flags
# The numbers are bitwise - 65536 is Password Never Expires ; 64 is User Cannot Change Password

$objUser.userflags = 65536 -bor 64
$objUser.SetInfo()
 
"User $AccountName created!"
" ------------------------"


 
#       ---Create FTP local directory---
 
"Creating directory E:\SecureFtpSite\Support\$AccountName"
 
New-Item E:\SecureFtpSite\Support\$AccountName -type directory  
Start-Sleep -Seconds 5
"Directory $AccountName created!"
" ------------------------"
 
 
#       ---Set Permissions on Folder
 
"Setting Permissions on E:\SecureFtpSite\Support\$AccountName"
 
$colRights = [System.Security.AccessControl.FileSystemRights]"Modify"
$Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$User = New-Object System.Security.Principal.NTAccount("$Computer\$AccountName")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($User, $colRights , $Inherit, $Propagate, $objType)

$objACL = Get-Acl "E:\SecureFtpSite\Support\$AccountName"
$objACL.AddAccessRule($objACE)
 
Set-Acl "E:\SecureFtpSite\Support\$AccountName" $objACL
 
Start-Sleep -Seconds 5
 
"Permissions Successfully Applied!"
" ------------------------"
 
#       ---Add User to FTP Users Local Group
 
"Adding User to FTP Users Group"
 
$group = [ADSI]"WinNT://$computer/FTP Users"
$group.add("WinNT://$computer/$AccountName")
 
"User Added!"
"-------------------------"


0
TonyElam
Asked:
1 Solution
 
Bryan Butler Commented:
To be clear please confirm:

1. User creates directory with FTP
2. User can view the directory and all other directories
3. You want the user to only be able to view the directories she/he creates

Eh?  Or is there a "specific account" that has the folder access specified, and a given user can access only those folders?  
0
 
TonyElam (Author) Commented:
Yes, we want the user to only be able to view the dir he/she creates.
0
 
Bryan Butler Commented:
Is the "everyone group" in the security settings for the created folders? If so, try removing that.
0
 
TonyElam (Author) Commented:
Since we are assigning permissions by creating a specific user, and then assigning that user modify permission to the folder, I need to remove the FTP Users group from the permission to the folder.
0
 
TonyElam (Author) Commented:
I was able to fix permissions with the following lines of code:

icacls "E:\SecureFtpSite\Support\$AccountName" /inheritance:d


icacls "E:\SecureFtpSite\Support\$AccountName" /remove "FTP Users"
0
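The fix above, written with the same .NET ACL objects the question's script already uses, as an added example that is not part of the original thread. The function name `Restrict-FtpFolder` and its parameter names are hypothetical; the path, computer name and "FTP Users" group are the ones from the question.

```powershell
# Added example, not the poster's code. Restrict-FtpFolder is a hypothetical name.
function Restrict-FtpFolder {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account,      # e.g. "MYFTPSERVER\krisp"
        [string] $SharedGroup = "FTP Users"
    )

    # Same effect as icacls /inheritance:d : stop inheriting from the parent,
    # but keep a copy of the inherited ACEs as explicit entries.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Re-read the ACL: the copied ACEs only become explicit (and removable)
    # after the protected descriptor has been written back.
    $acl = Get-Acl -LiteralPath $Path

    # Same effect as icacls /remove "FTP Users": drop every ACE for the group.
    $group = New-Object System.Security.Principal.NTAccount($SharedGroup)
    $acl.PurgeAccessRules($group)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Verify the result instead of assuming it.
    $final = Get-Acl -LiteralPath $Path
    $leftover = $final.Access |
        Where-Object { $_.IdentityReference.Value -like "*\$SharedGroup" }
    if ($leftover) {
        throw "$SharedGroup still has access to $Path"
    }
    $own = $final.Access |
        Where-Object { $_.IdentityReference.Value -eq $Account }
    if (-not $own) {
        Write-Warning "$Account has no explicit ACE on $Path"
    }

    # Return the remaining entries so the caller can review them.
    $final.Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage inside the question's script, after the Modify ACE has been added:
# Restrict-FtpFolder -Path "E:\SecureFtpSite\Support\$AccountName" `
#                    -Account "$Computer\$AccountName"
```

Because inheritance is disabled with a copy, every other entry inherited from `E:\SecureFtpSite\Support` stays on the folder as an explicit ACE, so review the returned list for any other broad group that still has list or read rights.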
 
Bryan Butler Commented:
BINGO! Good job - the points are yours.
0
 
TonyElam (Author) Commented:
Thank you for your help in this matter. Your responses were constructive and timely :)
0
 
TonyElam (Author) Commented:
The commands to set permissions were discovered by my own research.
0
