?
Solved

Powershell Add Group deny

Posted on 2011-09-28
9
Medium Priority
?
744 Views
Last Modified: 2012-05-12
Can anyone point me to a powershell script that I can use to add a domain group to the ACL of a network folder. The goal is to add a write deny to this group to any network folder?



Thanks,
Delmiro
0
Comment
Question by:Delmiroc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 36813733
You are right, Powershell is a really cool and useful "tool". But sometimes things can be done more easily maybe. Have a look at this:

http://helgeklein.com/

And enjoy!

Hope this helps.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 36813740
Hey,

It goes something like this.
$Acl = Get-Acl "The Path"

$AccessRule = New-Object Security.AccessControl.FileSystemAccessRule(
  "YOUR_DOMAIN\A_GROUP",
  "Write", 
  "ObjectInherit, ContainerInherit",
  "None", 
  "Deny")
$Acl.AddAccessRule($AccessRule)

Set-Acl "The Path" -AclObject $Acl

Open in new window

Chris
0
 
LVL 1

Author Comment

by:Delmiroc
ID: 36814113
Thanks, I will give the tool a try.


On the powershell script, what if I have a large tree of folders and I don't want to change any of the already existing ntfs permissions on these folders. I just want to add a new group the deny write permissions across multiple folders without overiding anything.

0
Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

 
LVL 71

Expert Comment

by:Chris Dent
ID: 36814119
The snippet above only adds, it doesn't modify or remove entries from the ACL.

I set the value above so it was inherited by files and folders beneath the directory, that behaviour can be changed as required.

Chris
0
 
LVL 1

Author Comment

by:Delmiroc
ID: 36814159
one more question, what if a directory underneath the main path is set not to inherite permissions from the folders above. I don't want to miss those. What can we add?  
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 36814166
That's more complex, you'd have to plough through the directory tree, checking for those.

How deep does it go? If there's one thing PS is bad at, it's dealing with paths longer than 256 characters. Are we likely to bump into those?

Chris
0
 
LVL 1

Author Comment

by:Delmiroc
ID: 36814176
Probably not. what do you suggest?
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 36814452
I would go with something like this. It should work, but should be tested against something small first :)

Chris
Function Add-DenyRule {
  [CmdLetBinding()]
  Param(
    [Parameter(Mandatory = $True)]
    [String]$Group,
    [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
    [String]$FullName
  )

  Process {
    $Acl = Get-Acl $FullName

    $AccessRule = New-Object Security.AccessControl.FileSystemAccessRule(
      $Group,
      "Write", 
      "ObjectInherit, ContainerInherit",
      "None", 
      "Deny")

    $Acl.AddAccessRule($AccessRule)

    Set-Acl $FullName -AclObject $Acl
  }
}

# This must be set
$Group = "YOUR_DOMAIN\GROUP"

# Loop through all of the directories within YourBaseDirectory
Get-ChildItem YourBaseDirectory | Where-Object { $_.PsIsContainer } | ForEach-Object {

  # Add the deny rule here
  $_ | Add-DenyRule -Group $Group

  # Find any folders within the tree that don't inherit, and apply the rule there as well
  Get-ChildItem $_.FullName -Recurse | 
    Where-Object { $_.PsIsContainer -And (Get-Acl $_.FullName).AreAccessRulesProtected } |
    Add-DenyRule -Group $Group
}

Open in new window

0
 
LVL 1

Author Closing Comment

by:Delmiroc
ID: 36814488
Thanks
0

Featured Post

WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help you understand what HashTables are and how to use them in PowerShell.
In previous parts of this Nano Server deployment series, we learned how to create, deploy and configure Nano Server as a Hyper-V host. In this part, we will look for a clustering option. We will create a Hyper-V cluster of 3 Nano Server host nodes w…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question