Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Powershell script - set folder permissions

Posted on 2011-09-02
4
Medium Priority
?
1,817 Views
Last Modified: 2012-05-12
I have a Windows 2008 file server. I have the following share
D:\Folder1 > this folder is shared to domain users with "list folder contents only"
Reason: Directory structure inside Folder1 is company standard.

Inside D:\Folder1

\UserFolder1
\UserFolder2
\UserFolder3
.
.
.
\UserFolder200

Permissions to be set on each subfolder: disallow inheritable permissions from parent. Then set the modidy permission for each folder.


So i found this powershell script to do this. However i cant seem to understand what could be inside c:\folders.txt. i am thinking it could be some kind of permission statement

Also can you explain the foreach loop?

I am learning powershell now and i have had to refresh my mind scripting which i havent done in a long time.

Script:
===============================

for ($i=1;$i-le200;$i++)
{
New-Item ('c:\Folder1\UserFolder' + $i) -type directory
}

$Users = Get-Content 'C:\Folders.txt'

# grabs the ACL from the model folder created to duplicate acl to folders 1-200
$acl = Get-Acl ('C:\Folder1\Model')

ForEach ($user in $users)
{
      $newPath = Join-Path "C:\Folder1\" -childpath $user
      $acl | Set-Acl $newPath
}
0
Comment
Question by:lurezero
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 8

Expert Comment

by:brittonv
ID: 36473527
for each item in folders.txt it will store it as $user and use it in each pass

so if folders.txt contained:
apples
oranges

the first time in the foreach loop
$users will be apples
second time $users will be oranges
...
0
 

Author Comment

by:lurezero
ID: 36473717
so i am guessing the folders.txt contains a list of users? or group?

what would be the syntax?
0
 
LVL 16

Expert Comment

by:Bryan Butler
ID: 36474176
Yes.  List of users login IDs.  Just one per line:

User1ID
User2ID
etc...
0
 
LVL 16

Accepted Solution

by:
Dale Harris earned 2000 total points
ID: 36474267
The script you pulled up is to create a special list of folders based on users, so the place where it says "Home Directory" in AD, is where their home folder would be.

Example:

John.smith has a user account.

In the shared drive, it creates a folder for him called john.smith and applies permissions for him.

That's not what you're looking for.

You're going to want a "model" folder set up the way you want and pull the ACL from there and apply it to the subsequent folders.

Example:

I have a folder in my C:\ called Test.  Here's the gci -recurse of that folder:

PS C:\test> gci -recurse


    Directory: C:\test


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----          9/2/2011   9:51 AM            ExampleFolder
d----          9/2/2011   9:50 AM            model


    Directory: C:\test\ExampleFolder


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----          9/2/2011   9:51 AM            ExampleFolder1
d----          9/2/2011   9:51 AM            NewExample
d----          9/2/2011   9:51 AM            _2


    Directory: C:\test\ExampleFolder\_2


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----          9/2/2011   9:51 AM            ExampleFolder1
d----          9/2/2011   9:51 AM            _2NewExample

You can see there are multiple folders within folders (no files).

We are going to do our first command against the "model" folder, or the folder that I've set to not receive inheritable permissions.  You can also set up permissions on that model folder for people like "domain admin" "users" "company 1 users" "company 2 users", etc so that it will make a mirror on all the folders in a given directory.  If you want to make sure you do only folders, we can do that too.

The other folders I've confirmed already have inheritable permissions set as true.

$ACL = get-acl "c:\test\model"

#Now we are going to set this ACL example we have on all the subsequent files and folders

gci -recurse c:\Test\ExampleFolder | %{set-acl -aclobject $ACL $_.fullname}
#If you want to apply only to folders, do this instead
gci -recurse c:\Test\ExampleFolder | ?{$_.psiscontainer} |%{set-acl -aclobject $ACL $_.fullname}

Now when I go to each folder, the permissions have changed only slightly.  Now they are not inheriting permissions and anything on the "model" folder has been overwritten to the permissions of the folder.

Warning: tested on a Windows 7 box, not on a Windows Server 2008 environment.  Please test this out first on a test environment, don't mess with production.

HTH,

Dale Harris
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
My attempt to use PowerShell and other great resources found online to simplify the deployment of Office 365 ProPlus client components to any workstation that needs it, regardless of existing Office components that may be needing attention.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question