[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Powershell Add Group deny

Posted on 2011-09-28
9
Medium Priority
?
751 Views
Last Modified: 2012-05-12
Can anyone point me to a powershell script that I can use to add a domain group to the ACL of a network folder. The goal is to add a write deny to this group to any network folder?



Thanks,
Delmiro
0
Comment
Question by:Delmiroc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 36813733
You are right, Powershell is a really cool and useful "tool". But sometimes things can be done more easily maybe. Have a look at this:

http://helgeklein.com/

And enjoy!

Hope this helps.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 36813740
Hey,

It goes something like this.
$Acl = Get-Acl "The Path"

$AccessRule = New-Object Security.AccessControl.FileSystemAccessRule(
  "YOUR_DOMAIN\A_GROUP",
  "Write", 
  "ObjectInherit, ContainerInherit",
  "None", 
  "Deny")
$Acl.AddAccessRule($AccessRule)

Set-Acl "The Path" -AclObject $Acl

Open in new window

Chris
0
 
LVL 1

Author Comment

by:Delmiroc
ID: 36814113
Thanks, I will give the tool a try.


On the powershell script, what if I have a large tree of folders and I don't want to change any of the already existing ntfs permissions on these folders. I just want to add a new group the deny write permissions across multiple folders without overiding anything.

0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 71

Expert Comment

by:Chris Dent
ID: 36814119
The snippet above only adds, it doesn't modify or remove entries from the ACL.

I set the value above so it was inherited by files and folders beneath the directory, that behaviour can be changed as required.

Chris
0
 
LVL 1

Author Comment

by:Delmiroc
ID: 36814159
one more question, what if a directory underneath the main path is set not to inherite permissions from the folders above. I don't want to miss those. What can we add?  
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 36814166
That's more complex, you'd have to plough through the directory tree, checking for those.

How deep does it go? If there's one thing PS is bad at, it's dealing with paths longer than 256 characters. Are we likely to bump into those?

Chris
0
 
LVL 1

Author Comment

by:Delmiroc
ID: 36814176
Probably not. what do you suggest?
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 36814452
I would go with something like this. It should work, but should be tested against something small first :)

Chris
Function Add-DenyRule {
  [CmdLetBinding()]
  Param(
    [Parameter(Mandatory = $True)]
    [String]$Group,
    [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
    [String]$FullName
  )

  Process {
    $Acl = Get-Acl $FullName

    $AccessRule = New-Object Security.AccessControl.FileSystemAccessRule(
      $Group,
      "Write", 
      "ObjectInherit, ContainerInherit",
      "None", 
      "Deny")

    $Acl.AddAccessRule($AccessRule)

    Set-Acl $FullName -AclObject $Acl
  }
}

# This must be set
$Group = "YOUR_DOMAIN\GROUP"

# Loop through all of the directories within YourBaseDirectory
Get-ChildItem YourBaseDirectory | Where-Object { $_.PsIsContainer } | ForEach-Object {

  # Add the deny rule here
  $_ | Add-DenyRule -Group $Group

  # Find any folders within the tree that don't inherit, and apply the rule there as well
  Get-ChildItem $_.FullName -Recurse | 
    Where-Object { $_.PsIsContainer -And (Get-Acl $_.FullName).AreAccessRulesProtected } |
    Add-DenyRule -Group $Group
}

Open in new window

0
 
LVL 1

Author Closing Comment

by:Delmiroc
ID: 36814488
Thanks
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
Previously, on our Nano Server Deployment series, we've created a new nano server image and deployed it on a physical server in part 2. Now we will go through configuration.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question