Solved

Powershell Add Group deny

Posted on 2011-09-28
9
728 Views
Last Modified: 2012-05-12
Can anyone point me to a powershell script that I can use to add a domain group to the ACL of a network folder. The goal is to add a write deny to this group to any network folder?



Thanks,
Delmiro
0
Comment
Question by:Delmiroc
  • 4
  • 4
9 Comments
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 36813733
You are right, Powershell is a really cool and useful "tool". But sometimes things can be done more easily maybe. Have a look at this:

http://helgeklein.com/

And enjoy!

Hope this helps.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 36813740
Hey,

It goes something like this.
$Acl = Get-Acl "The Path"

$AccessRule = New-Object Security.AccessControl.FileSystemAccessRule(
  "YOUR_DOMAIN\A_GROUP",
  "Write", 
  "ObjectInherit, ContainerInherit",
  "None", 
  "Deny")
$Acl.AddAccessRule($AccessRule)

Set-Acl "The Path" -AclObject $Acl

Open in new window

Chris
0
 
LVL 1

Author Comment

by:Delmiroc
ID: 36814113
Thanks, I will give the tool a try.


On the powershell script, what if I have a large tree of folders and I don't want to change any of the already existing ntfs permissions on these folders. I just want to add a new group the deny write permissions across multiple folders without overiding anything.

0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 70

Expert Comment

by:Chris Dent
ID: 36814119
The snippet above only adds, it doesn't modify or remove entries from the ACL.

I set the value above so it was inherited by files and folders beneath the directory, that behaviour can be changed as required.

Chris
0
 
LVL 1

Author Comment

by:Delmiroc
ID: 36814159
one more question, what if a directory underneath the main path is set not to inherite permissions from the folders above. I don't want to miss those. What can we add?  
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 36814166
That's more complex, you'd have to plough through the directory tree, checking for those.

How deep does it go? If there's one thing PS is bad at, it's dealing with paths longer than 256 characters. Are we likely to bump into those?

Chris
0
 
LVL 1

Author Comment

by:Delmiroc
ID: 36814176
Probably not. what do you suggest?
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 36814452
I would go with something like this. It should work, but should be tested against something small first :)

Chris
Function Add-DenyRule {
  [CmdLetBinding()]
  Param(
    [Parameter(Mandatory = $True)]
    [String]$Group,
    [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
    [String]$FullName
  )

  Process {
    $Acl = Get-Acl $FullName

    $AccessRule = New-Object Security.AccessControl.FileSystemAccessRule(
      $Group,
      "Write", 
      "ObjectInherit, ContainerInherit",
      "None", 
      "Deny")

    $Acl.AddAccessRule($AccessRule)

    Set-Acl $FullName -AclObject $Acl
  }
}

# This must be set
$Group = "YOUR_DOMAIN\GROUP"

# Loop through all of the directories within YourBaseDirectory
Get-ChildItem YourBaseDirectory | Where-Object { $_.PsIsContainer } | ForEach-Object {

  # Add the deny rule here
  $_ | Add-DenyRule -Group $Group

  # Find any folders within the tree that don't inherit, and apply the rule there as well
  Get-ChildItem $_.FullName -Recurse | 
    Where-Object { $_.PsIsContainer -And (Get-Acl $_.FullName).AreAccessRulesProtected } |
    Add-DenyRule -Group $Group
}

Open in new window

0
 
LVL 1

Author Closing Comment

by:Delmiroc
ID: 36814488
Thanks
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
Synchronize a new Active Directory domain with an existing Office 365 tenant
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question