0
votes

I am trying to write a script which links a folder's security permissions to an existing AD group. I've yet to find any script or cmdlet (Set-Acl can't link to groups, only explicit permissions) which allows me to script this.

As an example, I have a folder called "FOLDER A" and an AD security group called "FOLDER A". Is there any way to add the AD group to the folder's security?

AD group within folder permissions example:


EDIT: I may have found a solution on serverfault. I can use the Get-ADGroup cmdlet to find the SID of each group and then pass the IdentityReference for the Set-Acl. Will test this out and see if I can get it to work.

2
Hey, it's good that you found an answer to your question. When you have tested it, feel free to write an answer to your question where you explain what you did. Take a look here first ;) : stackoverflow.com/help/how-to-answer - Paxz

2 Answers

0
votes

I always use the NTFSSecurity module when dealing with filesystem permissions. The commands in this module are much easier to understand than Set-Acl as they act in the same way the GUI does.

To add permissions to a folder it's just one command:

Add-NTFSAccess -Path 'C:\Folder A' -Account 'Domain\Folder A' -AccessRights Read

It's worth reading the documentation links as the module can do way more than just adding permissions!

Note: You do need to install the module. If you're using a modern version of PowerShell, this is easy as you can just use Install-Module -Name NTFSSecurity. If it's an older version, you will need to download and install the module manually.

0
votes

I've finally found a solution to my problem. Thank you to James C. - whilst I couldn't figure it out using your method, I believe it did point me in the right direction.

I essentially used the FileSystemAccessRule constructor. The moment of clarity I had was the realisation that I could actually reference AD groups. I'm very new to PowerShell so this wasn't immediately obvious to me. Here's the implementation:

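# Read the folder's current ACL
$acl = Get-Acl '<PATH OF FOLDER>'

# Build an access rule for the AD group: identity, rights, Allow or Deny
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule('<NAME OF GROUP>', '<PERMISSIONS>', '<Allow/Deny>')

# Put the rule into the in-memory ACL
$acl.SetAccessRule($AccessRule)

# Write the modified ACL back to the folder
$acl | Set-Acl '<PATH OF FOLDER>'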

The full documentation of the constructor can be found here. I then used a Python script to format all the data in a csv and loop through it to create the groups.

Thanks everyone!
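A more defensive variant of the approach in the answer above, as an added example that is not code from the original posts. The three-argument constructor leaves the inheritance flags at None, so the entry covers the folder only; this version sets them explicitly, resolves the group to a SID before touching the ACL, and uses AddAccessRule instead of SetAccessRule. The function name Grant-GroupFolderAccess is hypothetical, and the path and group name are the ones used in the first answer.

```powershell
function Grant-GroupFolderAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Group,   # 'DOMAIN\GroupName'
        [System.Security.AccessControl.FileSystemRights] $Rights = 'ReadAndExecute'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    # Resolve the name to a SID first. A typo or a missing group throws here
    # (IdentityNotMappedException) before the ACL is touched.
    $sid = [System.Security.Principal.NTAccount]::new($Group).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # ContainerInherit + ObjectInherit: this folder, its subfolders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $sid, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -LiteralPath $Path

    # Idempotency: skip the write if an explicit rule already grants these rights.
    $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            $_.InheritanceFlags -eq $inherit -and
            ($_.FileSystemRights -band $Rights) -eq $Rights
        }
    if ($existing) { return $existing }

    # AddAccessRule merges with the group's existing entries; SetAccessRule
    # would replace the group's existing Allow entries with this one.
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Grant $Rights to $Group")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    $rule
}

# Path and group name as used in the first answer; -WhatIf previews without writing.
Grant-GroupFolderAccess -Path 'C:\Folder A' -Group 'Domain\Folder A' -Rights Modify -WhatIf
```

Running `(Get-Acl -LiteralPath 'C:\Folder A').Access` afterwards lists the resulting entries, including whether each one is inherited.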