Powershell Script request: remove folder security inheritance

Ben Hart
"users" folder on specific server share.  Random number of folders set up incorrectly up to two years ago, searching row by row is too time-consuming for 500+ users, so I'm looking for a script that will stop inheritance and manually change a couple of the security entries.

Namely removing inheritance, adding the folders owner with full control (if they do not already exist), also removing "Authenticated Users" and/or "jak-2k3-mss/users" if they exist.

So folder named "Bsmith" current Security tab:

Administrators - Full
Authenticated Users - Modify
Domain Admins - Full
Backup Exec - Full
System - Full
Users - Modify

Changed to:

Administrator - Full
Domain Admins - Full
Backup Exec - Full
System - Full
Bsmith - Full (bsmith is also the folder name per login script if that helps)

The login script right now checks for the existence of a folder that matches the username, if none it creates one.

The folder creation part of the login script:
Sub CheckForUserFolder(UserName)
    On Error Resume Next
    Dim ObjFSO, newfolder
    Set ObjFSO = CreateObject("Scripting.FileSystemObject")
    ' Create the user's folder on the share only if it does not exist yet
    If Not (ObjFSO.FolderExists("\\jak-2k3-mss\users\" & UserName)) Then
        Set newfolder = ObjFSO.CreateFolder("\\jak-2k3-mss\Users\" & UserName)
    End If
End Sub



I include that in case I've got something wrong or if there's a variable I can add that will add the user with full control during creation time.
Commented:
This is my prototype. It actually does not do its job selectively, because examining the current ACEs and comparing them to the required ones is not very easy, so it just removes all current ACEs and replaces them with the desired ones.
Update your domainname in the first row and try it in a non-production environment.
$domainname = "yourdomain"

dir \\jak-2k3-mss\Users\ | ?{$_.psiscontainer} | %{
    $dir = $_
    $dir | Get-Acl | %{
        $acl = $_
        # Stop inheritance; ($true,$true) keeps copies of the inherited entries as explicit ones
        if(!$acl.areaccessrulesprotected){
            $acl.setaccessruleprotection($true,$true)
            Set-Acl -Path $acl.path -AclObject $acl
        }
        # Build the wanted entries: the fixed ones plus Full Control for the folder's own user
        $user = "$domainname\$($dir.name)"
        $identities = @(
            "BUILTIN\Administrators",
            "$domainname\Domain Admins",
            "$domainname\Backup Exec",
            "NT AUTHORITY\SYSTEM",
            $user
        )
        $entry = @()
        foreach($identity in $identities){
            $entry += New-Object System.Security.AccessControl.FileSystemAccessRule(
                $identity,
                "FullControl",
                "ContainerInherit,ObjectInherit",
                "None",
                "Allow"
            )
        }
        # Remove every current entry (the collection is enumerated before any removal, so this is safe),
        # then add the wanted ones
        $acl.access | %{$acl.RemoveAccessRuleSpecific($_)}
        $entry | %{$acl.AddAccessRule($_)}
    }
    set-acl -Path $acl.path -AclObject $acl
}


Chris Dent, PowerShell Developer
Top Expert 2010

Commented:
I forgot to post earlier. But I suggest you set up a template ACL and apply that. Then you only have to add the individual's right.

Chris
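As an added illustration of the template approach Chris describes (example code written for this page, not posted in the thread): the DACL of one hand-configured reference folder is read once and copied to every user folder, then the single per-user entry is added. It assumes a reference folder \\jak-2k3-mss\Users\_template that already has inheritance stopped and only the fixed entries (Administrators, Domain Admins, Backup Exec, SYSTEM) on it, and "yourdomain" is a placeholder as in soostibi's script.

```powershell
# Template-ACL approach, added example. Assumed: reference folder "_template" set up by hand.
param(
    [string]$ShareRoot = '\\jak-2k3-mss\Users',
    [string]$Reference = '\\jak-2k3-mss\Users\_template',
    [string]$Domain    = 'yourdomain',
    [switch]$Apply                       # without -Apply nothing is written (dry run)
)

# Read the template DACL once. The SDDL carries the "protected" flag (D:P...),
# so applying it also stops inheritance on each target folder.
$templateAcl = Get-Acl -Path $Reference
if (-not $templateAcl.AreAccessRulesProtected) {
    throw "Reference folder $Reference still inherits; fix it first, or its inherited entries would be copied."
}
$templateSddl = $templateAcl.GetSecurityDescriptorSddlForm('Access')

Get-ChildItem -Path $ShareRoot | Where-Object { $_.PSIsContainer -and $_.FullName -ne $Reference } | ForEach-Object {
    $folder  = $_
    $account = New-Object System.Security.Principal.NTAccount("$Domain\$($folder.Name)")
    # Resolve the account first: a folder with no matching user (left over after a departure,
    # or a typo) is reported instead of silently being given a template-only ACL.
    try   { $null = $account.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { Write-Warning "$($folder.FullName): no account $account, skipped"; return }

    $acl    = Get-Acl -Path $folder.FullName
    $before = $acl.GetSecurityDescriptorSddlForm('Access')
    # Replace only the DACL section with the template (owner and SACL are left alone),
    # then add the one per-user entry.
    $acl.SetSecurityDescriptorSddlForm($templateSddl, 'Access')
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))

    if ($before -eq $acl.GetSecurityDescriptorSddlForm('Access')) {
        Write-Host "$($folder.FullName): DACL unchanged, skipped"
    } elseif ($Apply) {
        Set-Acl -Path $folder.FullName -AclObject $acl
        Write-Host "$($folder.FullName): updated"
    } else {
        Write-Host "$($folder.FullName): would change to"
        $acl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    }
}
```

Run it once without -Apply to review the listing per folder, then with -Apply; because the template is applied as a whole, any stray "Authenticated Users" or "Users" entry disappears without having to be matched individually.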

Author

Commented:
Thanks a lot Chris and soostibi.
Chris; You kinda lost me on a template ACL.  I remember those from the Win2k days but they were system security templates.  Not sure how to go about creating and using one with regards to shared folders.
Soostibi, thanks, I'm about to set up some testing folders and give your script a whirl.
