Modify PowerShell script I use to create folder and apply ACL for user or group

Hello,

I have this script to create a folder and apply security ACLs for some Active Directory groups.

I need to modify the script to apply this right for the group or user listed in List_folder_content, like in this CSV file:

folder,full_control,modify,read_execute,List_folder_content,read,write
\\server\folder1\folder2,DEF_Controle_Total;DEF_Service_Desk,DEF_Modification,,Domain Users,DEF_Lecture,
So for Domain Users, the script must apply this right:

[image: acl]
It needs to be applied to this folder only, like in the picture.

This is my script, and thanks for the help.

$csvFile = "D:\file.csv"

$create = Import-CSV $csvFile

function DoPermissions
{
    param( $permissionGroup, $folder, $level)
    $toAdd = $permissionGroup -split ";"
    Write-Host $folder
    foreach ($item in $toAdd)
    {
        $acl = (Get-Item $folder).GetAccessControl('Access')
        $ar = New-Object System.Security.AccessControl.FileSystemAccessRule($item, $level, 'ContainerInherit,ObjectInherit','None','Allow')
        $acl.SetAccessRule($ar)
        Set-ACL -path $folder -AclObject $acl
    }
}

foreach ($folder in $create)
{
    $fullPath = $folder.folder #$path + $folder.folder
    if (!(Test-Path $fullPath)) {
        New-Item -ItemType Directory -Path $fullPath
        $fAcl = Get-Acl -Path $fullPath
        $fAcl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $fullPath -AclObject $fAcl
    }

    if ($folder.full_control) {DoPermissions $folder.full_control $fullPath "FullControl"}
    if ($folder.modify) {DoPermissions $folder.modify $fullPath "Modify"}
    if ($folder.read_execute) {DoPermissions $folder.read_execute $fullPath "ExecuteFile"}
    if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "ListDirectory"}
    if ($folder.read) {DoPermissions $folder.read $fullPath "Read"}
    if ($folder.write) {DoPermissions $folder.write $fullPath "Write"}

}


cawasaki Asked:

Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Inheritance for (and propagation to) child objects is controlled by the 5th (and 7th) argument of System.Security.AccessControl.FileSystemAccessRule. All you have to do is make sure 'ContainerInherit,ObjectInherit' is replaced by 'None' (which invalidates the 7th parameter, so we can leave that unchanged). To be able to provide that added option, you'll have to change the input parameters of the DoPermissions function.
$csvFile = "D:\file.csv"

$create = Import-CSV $csvFile

function DoPermissions
{
    param( $permissionGroup, $folder, $level, [switch] $NoInheritance)
    $toAdd = $permissionGroup -split ";"
    $InheritFlags = if ($NoInheritance) { 'None' } else { 'ContainerInherit,ObjectInherit' }
    Write-Host $folder
    foreach ($item in $toAdd)
    {
        $acl = (Get-Item $folder).GetAccessControl('Access')
        $ar = New-Object System.Security.AccessControl.FileSystemAccessRule($item, $level, $InheritFlags,'None','Allow')
        $acl.SetAccessRule($ar)
        Set-ACL -path $folder -AclObject $acl
    }
}

foreach ($folder in $create)
{
    $fullPath = $folder.folder #$path + $folder.folder
    if (!(Test-Path $fullPath)) {
      New-Item -ItemType Directory -Path $fullPath
      $fAcl = Get-Acl -Path $fullPath
      $fAcl.SetAccessRuleProtection($true, $true)
      Set-Acl -Path $fullPath -AclObject $fAcl
    }

    if ($folder.full_control) {DoPermissions $folder.full_control $fullPath "FullControl"}
    if ($folder.modify) {DoPermissions $folder.modify $fullPath "Modify"}
    if ($folder.read_execute) {DoPermissions $folder.read_execute $fullPath "ExecuteFile"}
    if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "ListDirectory" -NoInheritance}
    if ($folder.read) {DoPermissions $folder.read $fullPath "Read"}
    if ($folder.write) {DoPermissions $folder.write $fullPath "Write"}

}


0

cawasaki Author Commented:
Hello Qlemo,

First, thanks for the help.

The inheritance is OK, thank you.

But I cannot get the correct rights to obtain what the picture shows: https://filedb.experts-exchange.com/incoming/2017/03_w11/1151330/acl.png
0
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
The picture shows exactly the same as your first one - what's wrong with that exactly?
0
cawasaki Author Commented:
I don't know how I can obtain all these rights.

I have tested: to obtain rights like in the picture, it needs these rights:
read
ExecuteFile
How can I apply the 2 rights to line 33?

line 33:

    if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "read" -NoInheritance}


0
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
IIRC "ExecuteFile" is sufficient, as that implies reading the file. Otherwise, I think you can use a single string with combined privileges like "Read, ExecuteFile", but I'm not certain.
0
cawasaki Author Commented:
I absolutely need the 2 rights, or a solution to add them, maybe by using 2 lines of code:

if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "read" -NoInheritance}
if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "Executefile" -NoInheritance}

When I use this, I think the second command erases the first permission.
0
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Yes, the second overwrites the first, because you use SetAccessRule, which replaces the ACL entry for the specific user if it exists already.
I've now tried my suggestion, and it works. You can use a set of privileges as a single string, "Read, ExecuteFile", when you call the function:
    if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "Read, ExecuteFile" -NoInheritance}


0
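The SetAccessRule overwrite discussed above, as an added example that is not part of the original thread or either poster's code. It builds three in-memory DirectorySecurity objects on Windows and compares two SetAccessRule calls, one call with the combined "Read, ExecuteFile" string, and two AddAccessRule calls. The helper names New-ThisFolderRule and Get-ExplicitRights are hypothetical, and the well-known BUILTIN\Users SID is an assumed stand-in for the CSV's group names.

```powershell
# Added example, in-memory only: no folder or share is modified.
# BUILTIN\Users (well-known SID S-1-5-32-545) stands in for the CSV's group names.
$id = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')

# Hypothetical helper: Allow rule with 'None','None' flags = "this folder only".
function New-ThisFolderRule {
    param([System.Security.AccessControl.FileSystemRights] $Rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule($id, $Rights, 'None', 'None', 'Allow')
}

# Hypothetical helper: list the rights carried by each explicit ACE in the ACL.
function Get-ExplicitRights {
    param([System.Security.AccessControl.DirectorySecurity] $Acl)
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object { $_.FileSystemRights.ToString() }
}

# 1) Two SetAccessRule calls: the second removes the first rule for the same identity.
$twoSets = New-Object System.Security.AccessControl.DirectorySecurity
$twoSets.SetAccessRule((New-ThisFolderRule 'Read'))
$twoSets.SetAccessRule((New-ThisFolderRule 'ExecuteFile'))

# 2) One SetAccessRule call with the combined rights string from the answer.
$combined = New-Object System.Security.AccessControl.DirectorySecurity
$combined.SetAccessRule((New-ThisFolderRule 'Read, ExecuteFile'))

# 3) Two AddAccessRule calls: rights accumulate instead of being replaced.
$twoAdds = New-Object System.Security.AccessControl.DirectorySecurity
$twoAdds.AddAccessRule((New-ThisFolderRule 'Read'))
$twoAdds.AddAccessRule((New-ThisFolderRule 'ExecuteFile'))

# Show the resulting rights side by side for review.
[pscustomobject]@{
    'Set twice'    = (Get-ExplicitRights $twoSets) -join ' | '
    'Set combined' = (Get-ExplicitRights $combined) -join ' | '
    'Add twice'    = (Get-ExplicitRights $twoAdds) -join ' | '
} | Format-List
```

Inspecting the rule set this way before calling Set-Acl confirms that a group ends up with exactly the rights intended for the folder and nothing broader.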
cawasaki Author Commented:
Yes, it works.
Thank you Qlemo, you are the best :)
0
cawasaki Author Commented:
thanks
0