• Status: Solved
  • Priority: Medium
  • Security: Public

How do I set two NTFS permission types on a folder for one user with PowerShell

Hi All,
I am working on scripting the creation of folders and permissions and have a little problem with one of the permissions sets.

I want to add the following permissions:
Read on this folder, subfolders, and files
Read & Execute on this folder, and subfolders

This is so users can navigate the folders and read files, but that's it, no execution on files to be allowed as I have a separate group for that.

PowerShell script below:
function SetAcl ([string]$Path, [string]$user, [string]$permission) {

	# Get the current ACL of the folder
	$GetACL = Get-Acl $Path

	# Build the access rule: inherit to subfolders and files, no propagation flags
	$AllInherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
	$AllPropagation = [System.Security.AccessControl.PropagationFlags]"None"
	$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($user, $permission, $AllInherit, $AllPropagation, "Allow")

	# If an entry for this user already exists
	if ($GetACL.Access | Where-Object { $_.IdentityReference -eq $user }) {

		Write-Host "Modifying Permissions For: $user"

		# Value 2 of AccessControlModification is Reset: it removes every existing
		# rule for this user and then adds the new one, so any rule added on an
		# earlier run is dropped here
		$accessModification = [System.Security.AccessControl.AccessControlModification]::Reset
		$Modification = $False
		$GetACL.ModifyAccessRule($accessModification, $accessRule, [ref]$Modification) | Out-Null
	} else {

		Write-Host "Adding Permission: $permission For: $user"

		$GetACL.AddAccessRule($accessRule)
	}

	Set-Acl -AclObject $GetACL -Path $Path

	Write-Host "Permission: $permission Set For: $user"
}



I can create these two permissions on their own, but if I use this script to create the second, it deletes the first one. I think it's because the user is the same, and the code is just setting a new Access rule for this user, but I don't know how to do it (as I'm very new to PowerShell). Ideally I'd like to edit the script so I can add both permissions at the same time.

Can anyone point me in the right direction?
Asked by bankhall
 
bankhallAuthor Commented:
Extra info: to do the two permissions at the moment I'm first adding the Read permission using this script, and then running it again with the ReadAndExecute permission but changing the following line:
$Allinherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
to:
$Allinherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit"

running the modified script is what is overwriting the first one, so I'd ideally like to sort that out, and also put it in one script.
0
 
Chris DentPowerShell DeveloperCommented:
Hey there,

It's because you're using ModifyAccessRule and matching only on the user. If you need two distinct rules you want AddAccessRule, regardless of whether an entry for the user exists or not.

Chris
0
 
bankhallAuthor Commented:
Will update ASAP after I've tried this. Any code snippets would be appreciated as I'm a beginner on all this!
Cheers
0

 
Chris DentPowerShell DeveloperCommented:
I guess it boils down to understanding what you expect to happen.

The first time it runs, does it need to replace an existing right?

Chris
0
 
bankhallAuthor Commented:
No, it won't for the process I'm using it for at the moment; it's purely creating new permissions.
0
 
Chris DentPowerShell DeveloperCommented:
In theory we can make it nice and short then:
Function SetAcl ([string]$Path, [string]$user, [string]$permission) {

  # Get ACL on Folder

  $GetACL = Get-Acl $Path

  # Set up AccessRule

  $AllInherit = "ContainerInherit, ObjectInherit"
  $AllPropagation = "None"

  $AccessRule = New-Object Security.AccessControl.FileSystemAccessRule(
    $User, $Permission, $AllInherit, $AllPropagation, "Allow")
    
  $GetACL.AddAccessRule($AccessRule)

  Set-Acl -AclObject $GetACL -Path $Path

  Write-Host "Permission: $permission Set For: $user"
}


Chris
0
 
bankhallAuthor Commented:
So what would I need to do if I wanted to add another permission for that user on the same folder, and keep the first one? Or could they both be set at the same time? Can I do that if I want to set only ContainerInherit and not ObjectInherit on the second permission?
0
 
bankhallAuthor Commented:
Ahhh wait, I see now, you just do the above twice, adding two separate access rules to the ACL. I was caught up thinking that if you simply add another rule it would wipe out the first, but I've duplicated the code above, changed the permission and the inheritance and successfully created both permissions for the same user in one go.

Many thanks for the assistance!
0
 
Chris DentPowerShell DeveloperCommented:
For this bit:

> Can I do that if I want to set only ContainerInherit and not ObjectInherit on the second permission?

You need a bit more flexibility in the function really. We could set that as a parameter with a default value of both ObjectInherit and ContainerInherit though?

Chris
0
 
bankhallAuthor Commented:
Well at the moment I've just duplicated the code, changing the inheritance and using a new variable for the other permission I want. I guess that's a bit bloated though.... although you still have to create a new inheritance variable, and therefore a new access rule with the new permission set, then add the two access rules before setting the ACL again. My code just repeats a few things unnecessarily... but it works which I'm happy about. :)

Interested in how you'd suggest cleaning it up and making it easier though. might help someone else too.
0
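One way to fold the duplicated code into a single function, along the lines Chris suggested (inheritance becomes part of each rule, with ContainerInherit, ObjectInherit as the default). This is an added example, not code from the thread; the share path and group name in the usage call are made up.

```powershell
# Added example (not from this thread): add several distinct rules for the same
# identity and write the ACL once. AddAccessRule only appends, so the earlier
# rule survives; nothing here uses ModifyAccessRule/Reset.
function Add-FolderAccessRules {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Identity,
        # Each rule: @{ Rights = <FileSystemRights>; Inheritance = <InheritanceFlags> }
        # Inheritance is optional and defaults to "ContainerInherit, ObjectInherit"
        [Parameter(Mandatory)] [hashtable[]]$Rules
    )

    $acl = Get-Acl -Path $Path

    foreach ($rule in $Rules) {
        $inherit = if ($rule.ContainsKey('Inheritance')) { $rule.Inheritance }
                   else { 'ContainerInherit, ObjectInherit' }

        $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $Identity,
            [System.Security.AccessControl.FileSystemRights]$rule.Rights,
            [System.Security.AccessControl.InheritanceFlags]$inherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)

        $acl.AddAccessRule($ace)
        Write-Host "Queued: $($rule.Rights) ($inherit) for $Identity"
    }

    # One write for all rules
    Set-Acl -Path $Path -AclObject $acl

    # Return the explicit (non-inherited) entries for this identity so the
    # caller can check that both rules landed
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited }
}

# Usage with a made-up path and group: Read on folder, subfolders and files;
# ReadAndExecute on the folder and subfolders only (no execute on files)
Add-FolderAccessRules -Path 'D:\Shares\Projects' -Identity 'CONTOSO\Project-Readers' -Rules @(
    @{ Rights = 'Read';           Inheritance = 'ContainerInherit, ObjectInherit' },
    @{ Rights = 'ReadAndExecute'; Inheritance = 'ContainerInherit' }
)
```

The returned entries should show two rows for the identity, one with InheritanceFlags "ContainerInherit, ObjectInherit" and Read, the other with "ContainerInherit" and ReadAndExecute; run the script with an account that is allowed to write the folder's security descriptor, since Set-Acl writes the whole descriptor returned by Get-Acl.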
