asked on

Powershell Add Group deny

Can anyone point me to a powershell script that I can use to add a domain group to the ACL of a network folder. The goal is to add a write deny to this group to any network folder?

Thanks,
Delmiro

Member_2_3654191

You are right, Powershell is a really cool and useful "tool". But sometimes things can be done more easily maybe. Have a look at this:

http://helgeklein.com/

And enjoy!

Hope this helps.

Chris Dent

Hey,

It goes something like this.

$Acl = Get-Acl "The Path"

$AccessRule = New-Object Security.AccessControl.FileSystemAccessRule(
  "YOUR_DOMAIN\A_GROUP",
  "Write", 
  "ObjectInherit, ContainerInherit",
  "None", 
  "Deny")
$Acl.AddAccessRule($AccessRule)

Set-Acl "The Path" -AclObject $Acl

Open in new window

Chris

Delmiroc

ASKER

Thanks, I will give the tool a try.

On the powershell script, what if I have a large tree of folders and I don't want to change any of the already existing ntfs permissions on these folders. I just want to add a new group the deny write permissions across multiple folders without overiding anything.

Chris Dent

The snippet above only adds, it doesn't modify or remove entries from the ACL.

I set the value above so it was inherited by files and folders beneath the directory, that behaviour can be changed as required.

Chris

Delmiroc

ASKER

one more question, what if a directory underneath the main path is set not to inherite permissions from the folders above. I don't want to miss those. What can we add?

Chris Dent

That's more complex, you'd have to plough through the directory tree, checking for those.

How deep does it go? If there's one thing PS is bad at, it's dealing with paths longer than 256 characters. Are we likely to bump into those?

Chris

Delmiroc

ASKER

Probably not. what do you suggest?

ASKER CERTIFIED SOLUTION

Chris Dent

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Delmiroc

ASKER

Thanks