?
Solved

modify powershell script to not inherit ntfs permission from parent

Posted on 2016-08-24
11
Medium Priority
?
133 Views
Last Modified: 2016-09-06
hello,

have this script to create folder and applicate ntfs permission.
i need to modify this script to take the new folder not inherit from parent folder the ntfs permission.

thanks for help

#$path = "\\localhost\Share\"
$csvFile = "C:\Users\Administrator\Desktop\create.csv"

$create = Import-CSV $csvFile

function DoPermissions
{
    param( $permissionGroup, $folder, $level)
    $toAdd = $permissionGroup -split ";"
    Write-Host $folder
    foreach ($item in $toAdd)
    {
        $acl = (Get-Item $folder).GetAccessControl('Access')
        $ar = New-Object System.Security.AccessControl.FileSystemAccessRule($item, $level, 'ContainerInherit,ObjectInherit','None','Allow')
        $acl.SetAccessRule($ar)
        Set-ACL -path $folder -AclObject $acl
    }
}

foreach ($folder in $create)
{
    $fullPath = $folder.folder #$path + $folder.folder
    if (!(Test-Path $fullPath)) {New-Item -ItemType Directory -Path $fullPath}

    if ($folder.full_control) {DoPermissions $folder.full_control $fullPath "FullControl"}
    if ($folder.modify) {DoPermissions $folder.modify $fullPath "Modify"}
    if ($folder.read_execute) {DoPermissions $folder.read_execute $fullPath "ExecuteFile"}
    if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "ListDirectory"}
    if ($folder.read) {DoPermissions $folder.read $fullPath "ReadData"}
    if ($folder.write) {DoPermissions $folder.write $fullPath "Write"}

}

Open in new window

0
Comment
Question by:cawasaki
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
11 Comments
 

Author Comment

by:cawasaki
ID: 41769900
i have missed the csv file i use to create the folder and permission:

folder,full_control,modify,read_execute,List_folder_content,read,write
\\localhost\Share\folder1,group1;group2...........................
\\localhost\Share\folder1\test,group1;group2...........................
\\localhost\Share\folder2,group1;group2...........................
\\localhost\Share\folder2\test,group1;group2...........................
0
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41770446
This will create the folders with inheritance turned off.

#$path = "\\localhost\Share\"
$csvFile = "C:\Users\Administrator\Desktop\create.csv"

$create = Import-CSV $csvFile

function DoPermissions
{
    param( $permissionGroup, $folder, $level)
    $toAdd = $permissionGroup -split ";"
    Write-Host $folder
    foreach ($item in $toAdd)
    {
        $acl = (Get-Item $folder).GetAccessControl('Access')
        $ar = New-Object System.Security.AccessControl.FileSystemAccessRule($item, $level, 'None','None','Allow')
        $acl.SetAccessRule($ar)
        Set-ACL -path $folder -AclObject $acl
    }
}

foreach ($folder in $create)
{
    $fullPath = $folder.folder #$path + $folder.folder
    if (!(Test-Path $fullPath)) {
    New-Item -ItemType Directory -Path $fullPath
    $fAcl = Get-Acl -Path $fullPath
    $fAcl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $fullPath -AclObject $fAcl
    }

    if ($folder.full_control) {DoPermissions $folder.full_control $fullPath "FullControl"}
    if ($folder.modify) {DoPermissions $folder.modify $fullPath "Modify"}
    if ($folder.read_execute) {DoPermissions $folder.read_execute $fullPath "ExecuteFile"}
    if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "ListDirectory"}
    if ($folder.read) {DoPermissions $folder.read $fullPath "ReadData"}
    if ($folder.write) {DoPermissions $folder.write $fullPath "Write"}

}

Open in new window

0
 

Author Comment

by:cawasaki
ID: 41771479
hello Dustin,

it seems to work very good :).

i have a question, why for exemple when the script apply a total control right for a group or user, we cannot see on security part the control total right, but we need to go to advanced (special permissions is checked)

look the picture

experts.png
0
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41772020
That's just cosmetic.  Setting it without inheritance flags corresponds to those checkboxes in the GUI.

Use this script instead though, I misread your original post and the one above will disable subobjects from inheriting which I think was not the intent:
#$path = "\\localhost\Share\"
$csvFile = "C:\Users\Administrator\Desktop\create.csv"

$create = Import-CSV $csvFile

function DoPermissions
{
    param( $permissionGroup, $folder, $level)
    $toAdd = $permissionGroup -split ";"
    Write-Host $folder
    foreach ($item in $toAdd)
    {
        $acl = (Get-Item $folder).GetAccessControl('Access')
        $ar = New-Object System.Security.AccessControl.FileSystemAccessRule($item, $level, 'ObjectInherit','None','Allow')
        $acl.SetAccessRule($ar)
        Set-ACL -path $folder -AclObject $acl
    }
}

foreach ($folder in $create)
{
    $fullPath = $folder.folder #$path + $folder.folder
    if (!(Test-Path $fullPath)) {
    New-Item -ItemType Directory -Path $fullPath
    $fAcl = Get-Acl -Path $fullPath
    $fAcl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $fullPath -AclObject $fAcl
    }

    if ($folder.full_control) {DoPermissions $folder.full_control $fullPath "FullControl"}
    if ($folder.modify) {DoPermissions $folder.modify $fullPath "Modify"}
    if ($folder.read_execute) {DoPermissions $folder.read_execute $fullPath "ExecuteFile"}
    if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "ListDirectory"}
    if ($folder.read) {DoPermissions $folder.read $fullPath "ReadData"}
    if ($folder.write) {DoPermissions $folder.write $fullPath "Write"}

}

Open in new window

0
 

Author Comment

by:cawasaki
ID: 41772102
Hello

Hum ok

What are this new version of script? The other one work well when it create the folder it not inherit from parent??

Do you mean for subfilder i will create on the future manually ???
0
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41772116
It was set to not share inheritance, so objects in the folder wouldn't get the permissions.  I believe you just wanted the root level folders you create to be un-inherited- but new items inside get the permissions you set, which the second script does.
0
 

Author Comment

by:cawasaki
ID: 41774400
hello,

i just see other problem:

the permission created by script is only applicated on "this folder" and i need it for this folder, sub folder and files".

some permission is good and other is only applicated on this folder only, do you now why?

this is what i need finally:
all permission need to be applicated by default  for folder, sub folder and files, but i need the possibility to set the permission to only this folder for some user or groups, possible?
0
 

Author Comment

by:cawasaki
ID: 41776056
hello Dustin

are you here :) ?
0
 

Author Comment

by:cawasaki
ID: 41778326
hello Dustin

can you help ?

thank you
0
 
LVL 13

Accepted Solution

by:
Dustin Saunders earned 2000 total points
ID: 41778822
Sometimes I may be traveling for work and not able to write code, but give this a try.

function DoPermissions
{
    param( $permissionGroup, $folder, $level)
    $toAdd = $permissionGroup -split ";"
    Write-Host $folder
    foreach ($item in $toAdd)
    {
        $acl = (Get-Item $folder).GetAccessControl('Access')
        $ar = New-Object System.Security.AccessControl.FileSystemAccessRule($item, $level, 'ContainerInherit,ObjectInherit','None','Allow')
        $acl.SetAccessRule($ar)
        Set-ACL -path $folder -AclObject $acl
    }
}

foreach ($folder in $create)
{
    $fullPath = $folder.folder #$path + $folder.folder
    if (!(Test-Path $fullPath)) {
    New-Item -ItemType Directory -Path $fullPath
    $fAcl = Get-Acl -Path $fullPath
    $fAcl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $fullPath -AclObject $fAcl
    }

    if ($folder.full_control) {DoPermissions $folder.full_control $fullPath "FullControl"}
    if ($folder.modify) {DoPermissions $folder.modify $fullPath "Modify"}
    if ($folder.read_execute) {DoPermissions $folder.read_execute $fullPath "ExecuteFile"}
    if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "ListDirectory"}
    if ($folder.read) {DoPermissions $folder.read $fullPath "ReadData"}
    if ($folder.write) {DoPermissions $folder.write $fullPath "Write"}

}

Open in new window

0
 

Author Comment

by:cawasaki
ID: 41779850
hello,

thank you Dustin, il will test this but normally i need to do a change in csv file???

folder,full_control,modify,read_execute,List_folder_content,read,write
\\localhost\Share\folder1,group1;group2...........................
\\localhost\Share\folder1\test,group1;group2...........................
......
 and just remember my need:

this is what i need finally:
all permission need to be applicated by default  for folder, sub folder and files, but i need the possibility to set the permission to only this folder for some user or groups, possible?

thnak you
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you see single cell contains number and text, and you have to get any date out of it seems like cracking our heads.
A recent project that involved parsing Tableau Desktop and Server log files to extract reusable user queries for use in other systems. I chose to use PowerShell to gather the data, and SharePoint to present it...
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question