SAM IT
asked on
Import CSV with All modify groups
Hello all,
I have CSV to import Parentfolder with permissions.
Issue is Script importing one AD security group permission level only on each column
Lets say I want to add multiple AD security group with modify permission It wont. script consider only one modify AD security group .
csv format attached. Thanks
parentfolder.jpg
I have CSV to import Parentfolder with permissions.
Issue is Script importing one AD security group permission level only on each column
Lets say I want to add multiple AD security group with modify permission It wont. script consider only one modify AD security group .
csv format attached. Thanks
parentfolder.jpg
Grant Brunton
What does your script look like so far?
ASKER
Below is the script I am using for Parent and subfolders creation.
Set-Location "C:\Users\a.narasimha.s\Desktop\testshare"
$csvFile = "C:\Users\a.narasimha.s\Desktop\importfolders.csv"
$create = Import-CSV $csvFile
function DoPermissions
{
param( $permissionGroup, $folder, $level)
$toAdd = $permissionGroup -split ";"
Write-Host $folder
foreach ($item in $toAdd)
{
$acl = (Get-Item $folder).GetAccessControl('Access')
$ar = New-Object System.Security.AccessControl.FileSystemAccessRule($item, $level, 'ContainerInherit,ObjectInherit','None','Allow')
$acl.SetAccessRule($ar)
Set-ACL -path $folder -AclObject $acl
}
}
foreach ($folder in $create)
{
$fullPath = $folder.folder #$path + $folder.folder
if (!(Test-Path $fullPath)) {New-Item -ItemType Directory -Path $fullPath}
if ($folder.full_control) {DoPermissions $folder.full_control $fullPath "FullControl"}
if ($folder.modify) {DoPermissions $folder.modify $fullPath "Modify"}
if ($folder.read_execute) {DoPermissions $folder.read_execute $fullPath "ExecuteFile"}
if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "ListDirectory"}
if ($folder.read) {DoPermissions $folder.read $fullPath "ReadData"}
if ($folder.write) {DoPermissions $folder.write $fullPath "Write"}
}
# define the subfolder names
$subfolders = "Subfolder1","01 Project Management","02 Engineering","03 Quality Assurance","04 Technical Data","05 Project Close Out"
for ($i = 1;$i -lt 7;$i++)
{ # create the sub folder
$subpath = "$fullPath\$($subfolders[$i])"
if (!(test-path $subpath -PathType Container)) {New-Item $subpath -type directory} }
# set the sub folder permissions
#no action needed
# define the Customized subfolder names
$subfolders = "subfolder2","06 Outlook Mail","Drafting","Document Control"
for ($i = 1;$i -lt 4;$i++)
{ # create the sub folder
$csubpath = "$fullPath\$($subfolders[$i])"
if (!(test-path $csubpath -PathType Container)) {New-Item $csubpath -type directory}
# set the sub folder permissions
$acl = Get-Acl "$csubpath"
$acl.SetAccessRuleProtection($true, $true)
$acl.Access | Where-Object { $_.IdentityReference.Value.ToString() -like 'domain\DL-WGK-US-Houston-Projects-XXXXXX-RW-TEST' } | ForEach-Object {
$_
$acl.RemoveAccessRule($_)
}
Set-Acl "$csubpath" -AclObject $acl
#Get-Acl "$csubpath" |
#Select-Object -ExpandProperty Access
}
Please post an example of you csv file , as the doPermissions function allows multiple AD groups separated by ";" eg.
Administrators;Domain Users;MyadminAccount
Administrators;Domain Users;MyadminAccount
ASKER
I have already posted CSV format screen shot in the first update
What he is saying is that you don't need to put multiple lines in your CSV for the different group permissions to add to a folder.
Instead add them all seperated by ";" in a single cell so there is only one row per folder.
Alternatively, the permissions appear to be cumulative so on the additional rows in your CSV with multiple permission groups just copy the folder name down to each row.
If that is still not possible then when you iterate through the objects in $create you should define the folder name as a variable outside the loop and then check if the folder name is empty to use the previous value.
Instead add them all seperated by ";" in a single cell so there is only one row per folder.
Alternatively, the permissions appear to be cumulative so on the additional rows in your CSV with multiple permission groups just copy the folder name down to each row.
If that is still not possible then when you iterate through the objects in $create you should define the folder name as a variable outside the loop and then check if the folder name is empty to use the previous value.
ASKER
it already sorted out after adding ";" with out space
So the intention is:
1 Create root level folders
2 Assign permissions to those folders
3 Create sets of sub folders under those root level folders
4 Remove specific users/groups out of those new sub folders
Is that correct?
1 Create root level folders
2 Assign permissions to those folders
3 Create sets of sub folders under those root level folders
4 Remove specific users/groups out of those new sub folders
Is that correct?
ASKER
correct.
Well, here's something you can try that's a little more modular. Tested and working on my system.
First there is the $csvFile which is where you define the folders you want to create and the permissions you want to apply separated by a semicolon (that code looks familiar, did I write that top block?)
Then there is an array of subfolders you can create. You could add logic to this later down the road or paramaterize it to be able to set up specific subfolders for users depending on criteria.
In each CSV you can specify a set of subfolders to be created, and the permissions you want to remove from the folder. Again, you could add more logic into the 'CreateSubFolders' or in building the list of subfolder CSVs to get more specific folder creation based on criteria.
Anyways, after creating the subfolders it will remove specified permissions- also separated by a semi colon.
Attached are the sample files i used on my local system, you'd need to edit them to match your domain (etc).
subfolders2.csv
subfolders1.csv
First there is the $csvFile which is where you define the folders you want to create and the permissions you want to apply separated by a semicolon (that code looks familiar, did I write that top block?)
Then there is an array of subfolders you can create. You could add logic to this later down the road or paramaterize it to be able to set up specific subfolders for users depending on criteria.
In each CSV you can specify a set of subfolders to be created, and the permissions you want to remove from the folder. Again, you could add more logic into the 'CreateSubFolders' or in building the list of subfolder CSVs to get more specific folder creation based on criteria.
Anyways, after creating the subfolders it will remove specified permissions- also separated by a semi colon.
Attached are the sample files i used on my local system, you'd need to edit them to match your domain (etc).
Set-Location "C:\Users\dsaunders\Desktop\testshare"
$csvFile = "C:\Users\dsaunders\Desktop\importfolders.csv"
$subfolders = @()
$subCsvFiles = "C:\Users\dsaunders\Desktop\subfolders1.csv","C:\Users\dsaunders\Desktop\subfolders2.csv"
$subCsvFiles | %{$subfolders += $_}
$debug = $false
$create = Import-CSV $csvFile
function DoPermissions
{
param( $permissionGroup, $folder, $level)
$toAdd = $permissionGroup -split ";"
if ($debug) {Write-Host $folder}
foreach ($item in $toAdd)
{
$acl = (Get-Item $folder).GetAccessControl('Access')
$ar = New-Object System.Security.AccessControl.FileSystemAccessRule($item, $level, 'ContainerInherit,ObjectInherit','None','Allow')
$acl.SetAccessRule($ar)
Set-ACL -path $folder -AclObject $acl
}
}
function TakePermissions
{
param( $permissionGroup, $folder)
$toRemove = $permissionGroup -split ";"
if ($debug) {Write-Host $folder}
foreach ($item in $toRemove)
{
if ($debug) {Write-Host $item -ForegroundColor Red}
$acl = Get-Acl $folder
$acl.SetAccessRuleProtection($true,$true)
Set-Acl $folder -AclObject $acl
$acl = Get-Acl $folder
$ar = New-Object System.Security.AccessControl.FileSystemAccessRule($item,"FullControl",,,"Allow")
$acl.RemoveAccessRule($ar)
$ar = New-Object System.Security.AccessControl.FileSystemAccessRule($item,"FullControl",'ContainerInherit,ObjectInherit','None',"Allow")
$acl.RemoveAccessRule($ar)
Set-Acl $folder -AclObject $acl
}
}
function CreateSubFolders
{
param($fullpath, $subList)
foreach ($subfolder in $subList)
{
$items = Import-Csv $subfolder | %{
$spath = $fullPath + "\" + $_.folder
if (!(Test-Path $spath)) {New-Item -ItemType Directory -Path $spath}
if ($_.remove) {TakePermissions $_.remove $spath}
}
}
}
foreach ($folder in $create)
{
$fullPath = $folder.folder #$path + $folder.folder
if (!(Test-Path $fullPath)) {New-Item -ItemType Directory -Path $fullPath}
if ($folder.full_control) {DoPermissions $folder.full_control $fullPath "FullControl"}
if ($folder.modify) {DoPermissions $folder.modify $fullPath "Modify"}
if ($folder.read_execute) {DoPermissions $folder.read_execute $fullPath "ExecuteFile"}
if ($folder.list_folder_content) {DoPermissions $folder.list_folder_content $fullPath "ListDirectory"}
if ($folder.read) {DoPermissions $folder.read $fullPath "ReadData"}
if ($folder.write) {DoPermissions $folder.write $fullPath "Write"}
$subfolders | %{CreateSubFolders $fullPath $_}
}subfolders2.csv
subfolders1.csv
ASKER
Hi Dustin,
Script given by you perfectly working.
In the script can we add below command to import the AD security group with permissions for folders which are in subfolders2.csv and AD security group will be imported from CSV only to assign the permissions which are in subfolders2.csv
If this is done i will achieve my requirement
Script given by you perfectly working.
In the script can we add below command to import the AD security group with permissions for folders which are in subfolders2.csv and AD security group will be imported from CSV only to assign the permissions which are in subfolders2.csv
If this is done i will achieve my requirement
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule('domain\DL-WGK-US-Houston-Projects-XXXXXX-RW-TESTnew', 'ReadAndExecute,Synchronize', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($ace)
Set-Acl $csubpath -AclObject $acl
Get-Acl "$csubpath" |
Select-Object -ExpandProperty Access
}ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I should also note, that with the way the code is written you can use the same subfolder to apply different permission levels to different people (since Test-Path will not try and create the folder twice, specifying the same folder multiple times will allow differing permissions.) For example, in the CSV attached Subfolder2 gets 2 permissions - JArens and COrman with 'ReadAndExecute'
If I wanted to give COrman 'ReadAndExecute' but JArens 'FullControl' to Subfolder2 I would use this CSV.
folder,remove,grant,level
Subfolder2,,HQ1\Corman;HQ1\Jarens,"ReadAndExecute,Synchronize"
06 Outlook Mail,,HQ1\Corman,"ReadAndExecute,Synchronize"
Drafting,,HQ1\Corman,"ReadAndExecute,Synchronize"
Document Control,,,If I wanted to give COrman 'ReadAndExecute' but JArens 'FullControl' to Subfolder2 I would use this CSV.
folder,remove,grant,level
Subfolder2,,HQ1\Corman,"ReadAndExecute,Synchronize"
Subfolder2,,HQ1\Jarens,"FullControl,Synchronize"
06 Outlook Mail,,HQ1\Corman,"ReadAndExecute,Synchronize"
Drafting,,HQ1\Corman,"ReadAndExecute,Synchronize"
Document Control,,,ASKER
let me check and let you know the status
ASKER
thanks a lot for your support.
Script which you have given worked find with out any errors.
Slight changes i have done in the script I.E In the given script for permission Read_execute changed to ReadAndExecute. Because if it is Read_exucure permission will be special one not readand execute .
if ($folder.ReadAndExecute) {DoPermissions $folder.ReadAndExecute $fullPath "ReadAndExecute"}
Once again thanks for your precious support
Script which you have given worked find with out any errors.
Slight changes i have done in the script I.E In the given script for permission Read_execute changed to ReadAndExecute. Because if it is Read_exucure permission will be special one not readand execute .
if ($folder.ReadAndExecute) {DoPermissions $folder.ReadAndExecute $fullPath "ReadAndExecute"}
Once again thanks for your precious support
ASKER
thanks a lot for your support.
Script which you have given worked find with out any errors.
Slight changes i have done in the script I.E In the given script for permission Read_execute changed to ReadAndExecute. Because if it is Read_exucure permission will be special one not readand execute .
if ($folder.ReadAndExecute) {DoPermissions $folder.ReadAndExecute $fullPath "ReadAndExecute"}
Once again thanks for your precious support
Script which you have given worked find with out any errors.
Slight changes i have done in the script I.E In the given script for permission Read_execute changed to ReadAndExecute. Because if it is Read_exucure permission will be special one not readand execute .
if ($folder.ReadAndExecute) {DoPermissions $folder.ReadAndExecute $fullPath "ReadAndExecute"}
Once again thanks for your precious support
ASKER
Can we able to remove AD security group permission for Parent folders which are in the excel importfolders.csv. same concept how you did it for subfolders.csv
https://www.experts-exchange.com/questions/29018970/Can-we-able-to-remove-AD-security-group-permission-for-Parent-folders-which-are-in-the-excel-importfolders-csv-same-concept-how-you-did-it-for-subfolders-csv.html
https://www.experts-exchange.com/questions/29018970/Can-we-able-to-remove-AD-security-group-permission-for-Parent-folders-which-are-in-the-excel-importfolders-csv-same-concept-how-you-did-it-for-subfolders-csv.html