Solved

Powershell Add Group deny

Posted on 2011-09-28
9
715 Views
Last Modified: 2012-05-12
Can anyone point me to a powershell script that I can use to add a domain group to the ACL of a network folder. The goal is to add a write deny to this group to any network folder?



Thanks,
Delmiro
0
Comment
Question by:Delmiroc
  • 4
  • 4
9 Comments
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 36813733
You are right, Powershell is a really cool and useful "tool". But sometimes things can be done more easily maybe. Have a look at this:

http://helgeklein.com/

And enjoy!

Hope this helps.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 36813740
Hey,

It goes something like this.
$Acl = Get-Acl "The Path"

$AccessRule = New-Object Security.AccessControl.FileSystemAccessRule(
  "YOUR_DOMAIN\A_GROUP",
  "Write", 
  "ObjectInherit, ContainerInherit",
  "None", 
  "Deny")
$Acl.AddAccessRule($AccessRule)

Set-Acl "The Path" -AclObject $Acl

Open in new window

Chris
0
 
LVL 1

Author Comment

by:Delmiroc
ID: 36814113
Thanks, I will give the tool a try.


On the powershell script, what if I have a large tree of folders and I don't want to change any of the already existing ntfs permissions on these folders. I just want to add a new group the deny write permissions across multiple folders without overiding anything.

0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 36814119
The snippet above only adds, it doesn't modify or remove entries from the ACL.

I set the value above so it was inherited by files and folders beneath the directory, that behaviour can be changed as required.

Chris
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 1

Author Comment

by:Delmiroc
ID: 36814159
one more question, what if a directory underneath the main path is set not to inherite permissions from the folders above. I don't want to miss those. What can we add?  
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 36814166
That's more complex, you'd have to plough through the directory tree, checking for those.

How deep does it go? If there's one thing PS is bad at, it's dealing with paths longer than 256 characters. Are we likely to bump into those?

Chris
0
 
LVL 1

Author Comment

by:Delmiroc
ID: 36814176
Probably not. what do you suggest?
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 36814452
I would go with something like this. It should work, but should be tested against something small first :)

Chris
Function Add-DenyRule {
  [CmdLetBinding()]
  Param(
    [Parameter(Mandatory = $True)]
    [String]$Group,
    [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
    [String]$FullName
  )

  Process {
    $Acl = Get-Acl $FullName

    $AccessRule = New-Object Security.AccessControl.FileSystemAccessRule(
      $Group,
      "Write", 
      "ObjectInherit, ContainerInherit",
      "None", 
      "Deny")

    $Acl.AddAccessRule($AccessRule)

    Set-Acl $FullName -AclObject $Acl
  }
}

# This must be set
$Group = "YOUR_DOMAIN\GROUP"

# Loop through all of the directories within YourBaseDirectory
Get-ChildItem YourBaseDirectory | Where-Object { $_.PsIsContainer } | ForEach-Object {

  # Add the deny rule here
  $_ | Add-DenyRule -Group $Group

  # Find any folders within the tree that don't inherit, and apply the rule there as well
  Get-ChildItem $_.FullName -Recurse | 
    Where-Object { $_.PsIsContainer -And (Get-Acl $_.FullName).AreAccessRulesProtected } |
    Add-DenyRule -Group $Group
}

Open in new window

0
 
LVL 1

Author Closing Comment

by:Delmiroc
ID: 36814488
Thanks
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Utilizing an array to gracefully append to a list of EmailAddresses
Active Directory replication delay is the cause to many problems.  Here is a super easy script to force Active Directory replication to all sites with by using an elevated PowerShell command prompt, and a tool to verify your changes.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now