0
votes

I have thousands of folders where I need to change users with FullControl access to Modify access. The following is a list of what I have:

  1. A script that changes NTFS perms:

    $acl = Get-Acl "G:\Folder"
    $acl | Format-List
    $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    # SetAccessRuleProtection(isProtected, preserveInheritance): the first $True blocks inheritance from the parent,
    # the second $True keeps the previously inherited rules as explicit copies ($False discards them)
    $acl.SetAccessRuleProtection($True, $True)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("My-ServerTeam","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl "G:\Folder" $acl
    Get-Acl "G:\Folder" | Format-List

  2. A text file with the directories and users that need to be changed from fullcontrol to modify.

I can always create a variable for the path and/or username and create a ForEach loop, but I'm not sure how to change the users that exist in the ACL for each folder to Modify, but keep the Admin accounts as full control. Any help would be appreciated.


1 Answers

0
votes

Went another route and got what I needed. I'm not surprised no one tried to help me on this one... it was tough. I'll post the scripts for the next person who has this issue. There are two scripts. The first I obtained from the internet and altered a bit. The second script launches the first with the parameters required to automate.

First Script Named SetFolderPermission.ps1:

param ([string]$Path, [string]$Access, [string]$Permission = ("Modify"), [switch]$help)
function GetHelp() {
$HelpText = @"

DESCRIPTION:
NAME: SetFolderPermission.ps1
Sets FolderPermissions for User on a Folder.
Creates folder if not exist.

PARAMETERS: 
-Path           Folder to Create or Modify (Required)
-Access         User who should have access (Required)
-Permission     Specify Permission for User, Default set to Modify (Optional)
-help           Prints the HelpFile (Optional)

SYNTAX:
./SetFolderPermission.ps1 -Path C:\Folder\NewFolder -Access Domain\UserName -Permission FullControl

Creates the folder C:\Folder\NewFolder if it doesn't exist.
Sets Full Control for Domain\UserName

./SetFolderPermission.ps1 -Path C:\Folder\NewFolder -Access Domain\UserName

Creates the folder C:\Folder\NewFolder if it doesn't exist.
Sets Modify (Default Value) for Domain\UserName

./SetFolderPermission.ps1 -help

Displays the help topic for the script

Below Are Available Values for -Permission

"@
$HelpText

[system.enum]::getnames([System.Security.AccessControl.FileSystemRights])

}

<#
function CreateFolder ([string]$Path) {

    # Check if the folder Exists

    if (Test-Path $Path) {
        Write-Host "Folder: $Path Already Exists" -ForeGroundColor Yellow
    } else {
        Write-Host "Creating $Path" -Foregroundcolor Green
        New-Item -Path $Path -type directory | Out-Null
    }
}
#>

function SetAcl ([string]$Path, [string]$Access, [string]$Permission) {

    # Get ACL on Folder

    $GetACL = Get-Acl $Path

    # Set up AccessRule

    $Allinherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $Allpropagation = [system.security.accesscontrol.PropagationFlags]"None"
    $AccessRule = New-Object system.security.AccessControl.FileSystemAccessRule($Access, $Permission, $AllInherit, $Allpropagation, "Allow")

    # Check if Access Already Exists

    if ($GetACL.Access | Where {$_.IdentityReference -eq $Access}) {

        Write-Host "Modifying Permissions For: $Access on directory: $Path" -ForeGroundColor Yellow

        # Reset (enum value 2) removes every existing rule for this identity, Allow or Deny, then adds the new rule
        $AccessModification = [System.Security.AccessControl.AccessControlModification]::Reset
        $Modification = $False
        $GetACL.ModifyAccessRule($AccessModification, $AccessRule, [ref]$Modification) | Out-Null
    } else {

        Write-Host "Adding Permission: $Permission For: $Access"

        $GetACL.AddAccessRule($AccessRule)
    }

    Set-Acl -aclobject $GetACL -Path $Path

    Write-Host "Permission: $Permission Set For: $Access on directory: $Path" -ForeGroundColor Green
}

if ($help) { GetHelp }

if ($Access -AND $Permission) { 
    SetAcl $Path $Access $Permission
}

The next script calls the first script and adds the needed parameters. It reads a CSV containing 2 columns with the folders and usernames with full control.

$path = "C:\Scripts\scandata\TwoColumnCSVwithPathandUserwithFullControl.csv"
$scriptPath = "C:\Scripts\SetFolderPermission.ps1"
$Perm = "Modify"
$csv = Import-Csv -Path $path
foreach ($line in $csv) {
    # CSV columns: Path (folder) and IdentityReference (account that currently has FullControl)
    $dir = $line.Path
    $DomUser = $line.IdentityReference
    # Call the script with the call operator and named parameters, so paths containing
    # spaces arrive intact and CSV values are passed as data, never parsed as code
    & $scriptPath -Path $dir -Access $DomUser -Permission $Perm
}
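
The change the question asks for, done directly against each folder's ACL, as an added example that is not part of either post: it downgrades explicit Allow FullControl entries to Modify and leaves a keep-list at FullControl. The function name and the `$Keep` account names are assumptions.

```powershell
# Added example, not the poster's scripts. Function name and $Keep defaults are assumptions.
function Convert-FullControlToModify {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Accounts that must stay at FullControl (assumed names; adjust to your domain)
        [string[]]$Keep = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $modify  = [System.Security.AccessControl.FileSystemRights]::Modify
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $acl     = Get-Acl -LiteralPath $Path
    $changed = $false

    # Iterate over a snapshot, because the ACL is edited inside the loop
    foreach ($rule in @($acl.Access)) {
        # Inherited entries cannot be changed here; fix them on the parent folder
        if ($rule.IsInherited) { continue }
        if ($rule.AccessControlType -ne $allow) { continue }
        if (($rule.FileSystemRights -band $full) -ne $full) { continue }
        if ($Keep -contains $rule.IdentityReference.Value) { continue }

        # Same identity and inheritance/propagation flags, rights reduced to Modify
        $ctorArgs = $rule.IdentityReference, $modify, $rule.InheritanceFlags, $rule.PropagationFlags, $allow
        $new = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs

        if ($PSCmdlet.ShouldProcess($Path, "FullControl -> Modify for $($rule.IdentityReference)")) {
            $acl.RemoveAccessRuleSpecific($rule)   # removes only this exact entry
            $acl.AddAccessRule($new)
            $changed = $true
        }
    }

    # Write back once per folder, and only if something changed
    if ($changed) { Set-Acl -LiteralPath $Path -AclObject $acl }
}

# Dry run against the folder from the question; remove -WhatIf to apply
Convert-FullControlToModify -Path 'G:\Folder' -WhatIf
```

With `-WhatIf` the function only reports which entries it would change, which gives a reviewable list before any ACL is written.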