Modify PowerShell script I use to create folder and apply ACL for user or group

cawasaki
Hello,

I have this script to create folders and apply security ACLs for some Active Directory groups.

I need to modify the script to apply this right for the group or user listed under List_folder_content, as in this CSV file:

folder,full_control,modify,read_execute,List_folder_content,read,write
\\server\folder1\folder2,DEF_Controle_Total;DEF_Service_Desk,DEF_Modification,,Domain Users,DEF_Lecture,

So for Domain Users, the script must apply this right:

[picture: acl]
It needs to be applied to this folder only, like in the picture.

This is my script, and thanks for the help.

$csvFile = "D:\file.csv"

$create = Import-CSV $csvFile

function DoPermissions
{
    param( $permissionGroup, $folder, $level)
    $toAdd = $permissionGroup -split ";"
    Write-Host $folder
    foreach ($item in $toAdd)
    {
        $acl = (Get-Item $folder).GetAccessControl('Access')
        $ar = New-Object System.Security.AccessControl.FileSystemAccessRule($item, $level, 'ContainerInherit,ObjectInherit','None','Allow')
        $acl.SetAccessRule($ar)
        Set-ACL -path $folder -AclObject $acl
    }
}

foreach ($folder in $create)
{
    $fullPath = $folder.folder #$path + $folder.folder
    if (!(Test-Path $fullPath)) {
        New-Item -ItemType Directory -Path $fullPath
        $fAcl = Get-Acl -Path $fullPath
        $fAcl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $fullPath -AclObject $fAcl
    }

    if ($folder.full_control) {DoPermissions $folder.full_control $fullPath "FullControl"}
    if ($folder.modify) {DoPermissions $folder.modify $fullPath "Modify"}
    if ($folder.read_execute) {DoPermissions $folder.read_execute $fullPath "ExecuteFile"}
    if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "ListDirectory"}
    if ($folder.read) {DoPermissions $folder.read $fullPath "Read"}
    if ($folder.write) {DoPermissions $folder.write $fullPath "Write"}

}

"Batchelor", Developer and EE Topic Advisor
Top Expert 2015
Commented:
Inheritance for (and propagation to) child objects is controlled by the 5th (and 7th) argument of System.Security.AccessControl.FileSystemAccessRule. All you have to do is to make sure 'ContainerInherit,ObjectInherit' is replaced by 'None' (which invalidates the 7th parameter, so we can leave that unchanged). To be able to provide that added option you'll have to change the input parameters of the DoPermissions function.

$csvFile = "D:\file.csv"

$create = Import-CSV $csvFile

function DoPermissions
{
    param( $permissionGroup, $folder, $level, [switch] $NoInheritance)
    $toAdd = $permissionGroup -split ";"
    $InheritFlags = if ($NoInheritance) { 'None' } else { 'ContainerInherit,ObjectInherit' }
    Write-Host $folder
    foreach ($item in $toAdd)
    {
        $acl = (Get-Item $folder).GetAccessControl('Access')
        $ar = New-Object System.Security.AccessControl.FileSystemAccessRule($item, $level, $InheritFlags,'None','Allow')
        $acl.SetAccessRule($ar)
        Set-ACL -path $folder -AclObject $acl
    }
}

foreach ($folder in $create)
{
    $fullPath = $folder.folder #$path + $folder.folder
    if (!(Test-Path $fullPath)) {
      New-Item -ItemType Directory -Path $fullPath
      $fAcl = Get-Acl -Path $fullPath
      $fAcl.SetAccessRuleProtection($true, $true)
      Set-Acl -Path $fullPath -AclObject $fAcl
    }

    if ($folder.full_control) {DoPermissions $folder.full_control $fullPath "FullControl"}
    if ($folder.modify) {DoPermissions $folder.modify $fullPath "Modify"}
    if ($folder.read_execute) {DoPermissions $folder.read_execute $fullPath "ExecuteFile"}
    if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "ListDirectory" -NoInheritance}
    if ($folder.read) {DoPermissions $folder.read $fullPath "Read"}
    if ($folder.write) {DoPermissions $folder.write $fullPath "Write"}

}


Author

Commented:
Hello Qlemo,

First, thanks for the help.

The inheritance is OK, thank you.

But I cannot get the correct rights, like in the picture: https://filedb.experts-exchange.com/incoming/2017/03_w11/1151330/acl.png
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
The picture shows exactly the same as your first one - what's wrong with that exactly?

Author

Commented:
I don't know how I can obtain all these rights.

I have tested; to obtain rights like in the picture, it needs these rights:
Read
ExecuteFile
How can I apply the 2 rights on line 33?

Line 33:

    if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "read" -NoInheritance}


Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
IIRC "ExecuteFile" is sufficient, as that implies to read the file. Otherwise, I think you can use a single string with combined privileges like "Read, ExecuteFile", but I'm not certain.

Author

Commented:
I absolutely need the 2 rights, or a solution to add them, maybe by using 2 lines of code:

    if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "read" -NoInheritance}
    if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "Executefile" -NoInheritance}

When I use this, I think the second command erases the first permission.
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015
Commented:
Yes, the second overwrites the first, because you use SetAccessRule, which replaces the ACL entry for the specific user if it exists already.
I've now tried my suggestion, and it works. You can use a set of privileges as a single string, "Read, ExecuteFile", when you call the function:
    if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "Read, ExecuteFile" -NoInheritance}
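
The overwrite behaviour of SetAccessRule and the combined-rights string from the answer above, as an added example that is not part of the original thread. It builds DirectorySecurity objects in memory (no folder is modified), uses BUILTIN\Users (SID S-1-5-32-545) as a stand-in for the CSV's groups, and its helper function names are hypothetical.

```powershell
# Added example: operates on in-memory DirectorySecurity objects; no folder is modified.
$FsRights = [System.Security.AccessControl.FileSystemRights]
# Assumption: BUILTIN\Users (well-known SID) stands in for the groups named in the CSV.
$sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')

function New-ThisFolderOnlyRule {   # hypothetical helper
    param([System.Security.AccessControl.FileSystemRights] $Level)
    # Inheritance 'None' and propagation 'None' give "This folder only",
    # the rule DoPermissions builds when -NoInheritance is passed.
    New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $Level, 'None', 'None', 'Allow')
}

function Get-ExplicitAllowMask {    # hypothetical helper
    param([System.Security.AccessControl.DirectorySecurity] $Acl)
    # OR together every explicit (non-inherited) Allow rule held by $sid.
    $mask = 0
    foreach ($r in $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if ($r.IdentityReference.Value -eq $sid.Value -and $r.AccessControlType -eq 'Allow') {
            $mask = $mask -bor [int] $r.FileSystemRights
        }
    }
    $mask
}

function Invoke-Sequence {          # hypothetical helper
    param([string] $Method, [string[]] $Levels)
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    # Apply one rule per level, in order, with SetAccessRule or AddAccessRule.
    foreach ($level in $Levels) { $acl.$Method((New-ThisFolderOnlyRule $level)) }
    $mask = Get-ExplicitAllowMask $acl
    $read = [int] $FsRights::Read
    $exec = [int] $FsRights::ExecuteFile
    [pscustomobject]@{
        Method     = $Method
        Levels     = $Levels -join ' then '
        HasRead    = ($mask -band $read) -eq $read
        HasExecute = ($mask -band $exec) -eq $exec
    }
}

# "Read, ExecuteFile" is the same bit mask as the named value ReadAndExecute.
$combined = [int] $FsRights::Read -bor [int] $FsRights::ExecuteFile
"Read + ExecuteFile equals ReadAndExecute: $($combined -eq [int] $FsRights::ReadAndExecute)"

@(
    Invoke-Sequence 'SetAccessRule' 'Read', 'ExecuteFile'   # second call replaces the first
    Invoke-Sequence 'AddAccessRule' 'Read', 'ExecuteFile'   # rights accumulate
    Invoke-Sequence 'SetAccessRule' 'Read, ExecuteFile'     # one rule carrying both rights
) | Format-Table -AutoSize
```

Running the same comparison before a bulk ACL change shows whether a loop of SetAccessRule calls will silently drop rights granted earlier in the same run.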


Author

Commented:
Yes, it works.
Thank you Qlemo, you are the best :)

Author

Commented:
thanks
