Solved

Powershell Add Group deny

Posted on 2011-09-28
9
720 Views
Last Modified: 2012-05-12
Can anyone point me to a powershell script that I can use to add a domain group to the ACL of a network folder. The goal is to add a write deny to this group to any network folder?



Thanks,
Delmiro
0
Comment
Question by:Delmiroc
  • 4
  • 4
9 Comments
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 36813733
You are right, Powershell is a really cool and useful "tool". But sometimes things can be done more easily maybe. Have a look at this:

http://helgeklein.com/

And enjoy!

Hope this helps.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 36813740
Hey,

It goes something like this.
$Acl = Get-Acl "The Path"

$AccessRule = New-Object Security.AccessControl.FileSystemAccessRule(
  "YOUR_DOMAIN\A_GROUP",
  "Write", 
  "ObjectInherit, ContainerInherit",
  "None", 
  "Deny")
$Acl.AddAccessRule($AccessRule)

Set-Acl "The Path" -AclObject $Acl

Open in new window

Chris
0
 
LVL 1

Author Comment

by:Delmiroc
ID: 36814113
Thanks, I will give the tool a try.


On the powershell script, what if I have a large tree of folders and I don't want to change any of the already existing ntfs permissions on these folders. I just want to add a new group the deny write permissions across multiple folders without overiding anything.

0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 36814119
The snippet above only adds, it doesn't modify or remove entries from the ACL.

I set the value above so it was inherited by files and folders beneath the directory, that behaviour can be changed as required.

Chris
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 1

Author Comment

by:Delmiroc
ID: 36814159
one more question, what if a directory underneath the main path is set not to inherite permissions from the folders above. I don't want to miss those. What can we add?  
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 36814166
That's more complex, you'd have to plough through the directory tree, checking for those.

How deep does it go? If there's one thing PS is bad at, it's dealing with paths longer than 256 characters. Are we likely to bump into those?

Chris
0
 
LVL 1

Author Comment

by:Delmiroc
ID: 36814176
Probably not. what do you suggest?
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 36814452
I would go with something like this. It should work, but should be tested against something small first :)

Chris
Function Add-DenyRule {
  [CmdLetBinding()]
  Param(
    [Parameter(Mandatory = $True)]
    [String]$Group,
    [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
    [String]$FullName
  )

  Process {
    $Acl = Get-Acl $FullName

    $AccessRule = New-Object Security.AccessControl.FileSystemAccessRule(
      $Group,
      "Write", 
      "ObjectInherit, ContainerInherit",
      "None", 
      "Deny")

    $Acl.AddAccessRule($AccessRule)

    Set-Acl $FullName -AclObject $Acl
  }
}

# This must be set
$Group = "YOUR_DOMAIN\GROUP"

# Loop through all of the directories within YourBaseDirectory
Get-ChildItem YourBaseDirectory | Where-Object { $_.PsIsContainer } | ForEach-Object {

  # Add the deny rule here
  $_ | Add-DenyRule -Group $Group

  # Find any folders within the tree that don't inherit, and apply the rule there as well
  Get-ChildItem $_.FullName -Recurse | 
    Where-Object { $_.PsIsContainer -And (Get-Acl $_.FullName).AreAccessRulesProtected } |
    Add-DenyRule -Group $Group
}

Open in new window

0
 
LVL 1

Author Closing Comment

by:Delmiroc
ID: 36814488
Thanks
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
PowerShell - Exporting AD User Group Membership 6 44
Powershell Microsoft Licensing Audit 6 21
exchange, outlook 2 26
Nano server Question 2 17
Set OWA language and time zone in Exchange for individuals, all users or per database.
A brief introduction to what I consider to be the best editor for PowerShell.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now