0
votes

I have this script which sets folder permissions:

Get-Acl $IGXYSimFiles
$acl = Get-Acl $IGXYSimFiles
# Leave inheritance from the parent folder enabled
$acl.SetAccessRuleProtection($false,$true)
# CreateFiles for the Users group
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("RISK\DL-GPA-UKI-Users","CreateFiles", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
# Modify for the Power-Users group
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("RISK\DL-GPA-UKI-Igloo-IGXY-Power-Users","Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
# Write the modified ACL back to the folder
Set-Acl $IGXYSimFiles $acl

I need to add special permissions for the DL-GPA-UKI-Users group so that they can create subfolders in the $IGXYSimFiles folder but not files. They need to be able to create files in the subfolders which they've been allowed to create, but not any further subfolders.

I have achieved this by setting special permissions "Create Folder / Append Data" for "This Folder Only" and "Create Files / Write Data" for "Subfolders and Files Only". This is working great, but now comes the time where I need to edit my script to do this.

So I thought I would run Get-Acl on the folder where I have manually set these permissions, but this isn't returning the desired result:

AccessToString :
RISK\DL-GPA-UKI-Igloo-IGXY-Power-Users Allow Modify,Synchronize
RISK\DL-GPA-UKI-Users Allow AppendData, Synchronize
RISK\DL-GPA-UKI-Users Allow CreateFiles, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
RISK\Domain Admins Allow FullControl
RISK\DL-GPA-UKI-Readonly Allow ReadAndExecute, Synchronize
RISK\svcGIECSSPrd_EA Allow FullControl
RISK\DL-GPA-UKI-Users Allow ReadAndExecute, Synchronize
RISK\DL-GPA-AIMSSOPS Allow FullControl

As you can see, it's not displaying the "This Folder Only" or "Subfolders and Files Only" setting...

Is this possible with PowerShell?

Many thanks in advance

Chris


1 Answer

0
votes

Absolutely. The default output for Get-Acl doesn't include the inheritance information, but it's there. Try this to get a friendlier output:

Get-ACL $IGXYSimFiles | % { $_.Access }

As for setting the ACL as desired, your script should do it, though you have one error in your rule. For "Create Files / Write Data" to be applied to "Subfolders and Files Only", you'll want to set the PropagationFlags to InheritOnly rather than None.

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("RISK\DL-GPA-UKI-Users","CreateFiles", "ContainerInherit, ObjectInherit", "InheritOnly", "Allow")

And this will set "Create Folder / Append Data" on this folder only:

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("RISK\DL-GPA-UKI-Users","AppendData", "None", "None", "Allow")
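
The two rules from the answer applied together and read back with their inheritance and propagation flags, as an added example that is not code from the question or the answer. It assumes a constructed scratch folder under the temp directory and the well-known SID S-1-5-32-545 (BUILTIN\Users) in place of $IGXYSimFiles and RISK\DL-GPA-UKI-Users, so it runs on a machine outside the asker's domain.

```powershell
# Assumption: scratch folder and BUILTIN\Users stand in for the asker's
# $IGXYSimFiles folder and RISK\DL-GPA-UKI-Users group.
$folder = Join-Path ([System.IO.Path]::GetTempPath()) ("acl-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $folder | Out-Null

$users = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')

$rights  = [System.Security.AccessControl.FileSystemRights]
$inherit = [System.Security.AccessControl.InheritanceFlags]
$prop    = [System.Security.AccessControl.PropagationFlags]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path $folder

# "Create Folders / Append Data", this folder only:
# no inheritance flags, so the ACE is never copied to children.
$thisFolderOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, $rights::AppendData, $inherit::None, $prop::None, $allow)

# "Create Files / Write Data", subfolders and files only:
# inherited by containers and objects, and InheritOnly keeps it
# from applying to the folder that carries the ACE.
$childrenOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, $rights::CreateFiles,
    ($inherit::ContainerInherit -bor $inherit::ObjectInherit),
    $prop::InheritOnly, $allow)

$acl.AddAccessRule($thisFolderOnly)
$acl.AddAccessRule($childrenOnly)
Set-Acl -Path $folder -AclObject $acl

# Read back only the explicit (non-inherited) ACEs, with the columns
# that AccessToString leaves out.
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights,
                 InheritanceFlags, PropagationFlags -AutoSize

# Show what a new subfolder actually receives through inheritance.
$child = New-Item -ItemType Directory -Path (Join-Path $folder 'sub')
(Get-Acl -Path $child.FullName).Access |
    Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' } |
    Format-Table FileSystemRights, IsInherited, InheritanceFlags, PropagationFlags -AutoSize

Remove-Item -Path $folder -Recurse -Force   # clean up the scratch folder
```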