Give access to folder, its subfolders and all files to a user/group in Windows

Hi,

I need to give read/execute and modify permissions to a user or group on a folder like:

F:\Data\MSSQL\MSSQL11.MyInst

and include all of its subfolders and files.

I need to do it using Powershell script.

Any ideas?

Thanks.

Below script block will give you an idea. Replace the necessary values and also if your subfolders are set to inherit the permission, you don't need to set the same to subfolders.
[pre]
$folder = 'F:\Data\MSSQL\MSSQL11.MyInst'
$ACL = Get-Acl $folder
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","Fullcontrol","Allow")
$ACL.SetAccessRule($AccessRule)
Set-Acl $folder $AccessRule
[/pre]

Did not work:

[pre]PS D:\MyFolder> $folder = 'E:\Folder1'
PS D:\MyFolder> $ACL = Get-Acl $folder
PS D:\MyFolder> $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","Fullcontrol","Allow")
PS D:\MyFolder> $ACL.SetAccessRule($AccessRule)
PS D:\MyFolder> Set-Acl $folder $AccessRule
Set-Acl : AclObject
At line:1 char:1
+ Set-Acl $folder $AccessRule
    + CategoryInfo          : InvalidArgument: (System.Security...ystemAccessRule:FileSystemAccessRule) [Set-Acl], ArgumentException
    + FullyQualifiedErrorId : SetAcl_AclObject,Microsoft.PowerShell.Commands.SetAclCommand[/pre]

I’ve used something similar to this in my functions.

[pre]$FolderPath = "E:\Folder1"
$Group = "users"

$Acl = Get-Acl $FolderPath
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Group,"Modify","ContainerInherit,ObjectInherit","None","Allow")
$Acl.SetAccessRule($AccessRule)
Set-Acl -Path $FolderPath -AclObject $Acl -Confirm:$false -PassThru[/pre]

New Access rule looks like this:
[pre]FileSystemRights : Modify, Synchronize
AccessControlType : Allow
IdentityReference : users
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None[/pre]
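An added example, not taken from any post in this thread, that carries the approach in the answer above through for the folder in the question. It resolves the identity to a SID before building the rule (so a mistyped name fails immediately rather than at Set-Acl time), grants Modify with container and object inheritance, verifies the explicit ACE on the top folder, and then lists every subfolder whose DACL has inheritance disabled, because those folders will silently not receive the new ACE. The folder path is the one from the question; the group name CONTOSO\SQL-Data-Modify is a placeholder you must replace.

```powershell
# Added example: grant Modify (with inheritance) to a group on a folder tree,
# verify the ACE, and report subfolders that block inheritance.
# Placeholders: $FolderPath (from the question) and $Identity (assumed group).
$FolderPath = 'F:\Data\MSSQL\MSSQL11.MyInst'
$Identity   = 'CONTOSO\SQL-Data-Modify'   # use a group, not an individual user

# Resolve the account to a SID up front. An unknown name throws
# IdentityNotMappedException here, before any ACL has been touched.
$sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Modify = read/execute + write + delete; Synchronize is added automatically.
$rights      = [System.Security.AccessControl.FileSystemRights]::Modify
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$type        = [System.Security.AccessControl.AccessControlType]::Allow

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $sid, $rights, $inheritance, $propagation, $type)

$acl = Get-Acl -LiteralPath $FolderPath
# SetAccessRule replaces any existing explicit Allow ACE for this identity with
# this one (AddAccessRule would merge with it). Set-Acl must receive the ACL
# object, not the rule; passing the rule is the "Set-Acl : AclObject" error
# shown earlier in the thread.
$acl.SetAccessRule($rule)
Set-Acl -LiteralPath $FolderPath -AclObject $acl

# Check 1: the explicit (non-inherited) ACE is present on the top folder.
$explicit = Get-Acl -LiteralPath $FolderPath |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited }
if (-not $explicit) { throw "Explicit ACE for $Identity not found on $FolderPath" }
$explicit | Format-List FileSystemRights, InheritanceFlags, PropagationFlags

# Check 2: children only get the ACE through inheritance. Any subfolder whose
# DACL is protected (inheritance disabled) is skipped without any error, so
# list those; each needs its own decision (explicit grant or re-enable
# inheritance with $childAcl.SetAccessRuleProtection($false, $true)).
Get-ChildItem -LiteralPath $FolderPath -Recurse -Directory -Force |
    ForEach-Object {
        $childAcl = Get-Acl -LiteralPath $_.FullName
        if ($childAcl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $_.FullName; InheritanceDisabled = $true }
        }
    }
```

Run it from an elevated session as an account that holds WRITE_DAC (or ownership) on the tree; the second check is the one people forget, since Set-Acl reports success even when half the subtree has inheritance turned off.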

Here’s a function I wrote a lifetime ago, it should do what you’re after:

[pre]Function Change-ACL
{
<#
.SYNOPSIS
This function will add or remove an ACE to the ACL for a directory.

.DESCRIPTION
This function will add or remove an ACE to the ACL for a directory.

.PARAMETER Directory
This is the directory you will add/remove an ACE for.

.PARAMETER UserNames
These are the UserNames of the user(s) you want to change permissions for.

.PARAMETER AccessLevel
This is the level of access you want to grant for the user(s). If you are removing permissions, all inherited levels are removed

.PARAMETER Add
This switch specifies whether to add the permissions specified in the AccessLevel Parameter

.PARAMETER Remove
This switch specifies whether to remove the user's permissions

.INPUTS
None

.OUTPUTS
None

.NOTES
Version: 1.2
Author: Lars Panzerbjrn
Creation Date: 2017.11.01
Purpose/Change: Initial script development
Changed 2019.02.25 LP: Changed function to also Remove permissions; implemented Parameter Sets

.EXAMPLE
Change-ACL -Directory "\\lonfs1\InfServices\Sec\SecOps" -UserNames Panzerbjrn_L_a -AccessLevel Write -Add

This will give the user Panzerbjrn_L_a access to write to the directory.

.EXAMPLE
Change-ACL -Directory "\\lonfs1\InfServices\Sec\SecOps" -UserNames Panzerbjrn_L_a -Remove

This will remove the user Panzerbjrn_L_a from the ACL for the directory.
#>
[CmdletBinding(PositionalBinding=$false)]
Param(
    # String array, so several users can be passed; the ForEach below iterates over them.
    [Parameter(Mandatory=$True,ParameterSetName="Add")]
    [Parameter(Mandatory=$True,ParameterSetName="Remove")]
    [string[]]$UserNames,

    [Parameter(Mandatory=$True,ParameterSetName="Add")]
    [Parameter(Mandatory=$True,ParameterSetName="Remove")]
    [string]$Directory,

    [Parameter(Mandatory=$True,ParameterSetName="Add")]
    [ValidateSet("ListDirectory","ReadData","WriteData","CreateFiles","CreateDirectories","AppendData","ReadExtendedAttributes","WriteExtendedAttributes","Traverse","ExecuteFile","DeleteSubdirectoriesAndFiles","ReadAttributes","WriteAttributes","Write","Delete","ReadPermissions","Read","ReadAndExecute","Modify","ChangePermissions","TakeOwnership","Synchronize","FullControl")]
    [String]$AccessLevel,

    [Parameter(Mandatory=$False,ParameterSetName="Add")]
    [switch]$Add,

    [Parameter(Mandatory=$False,ParameterSetName="Remove")]
    [switch]$Remove
)
$Path = $Directory
# 'return' rather than 'break', so a missing directory leaves the function instead of aborting a caller's loop.
IF(-not (Test-Path $Path)) {Write-Verbose "$($Path) Doesn't exist; thank you please come again";return}
# GetAccessControl('Access') reads only the DACL; Get-Acl -Path $Path is the portable equivalent.
$ACL = (Get-Item $Path).GetAccessControl('Access')

ForEach ($UserName in $UserNames)
{
    $USR = Get-ADUser -Filter {SamAccountName -like $UserName} -Properties *
    # "BDS" is the author's domain NetBIOS name; the ACE identity must be DOMAIN\SamAccountName.
    $Usrname = "BDS\" + $USR.SamAccountName
    $Inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $Propagation = [system.security.accesscontrol.PropagationFlags]"None"
    # RemoveAccessRuleAll ignores the rights in the rule and strips every Allow ACE for the identity,
    # but the FileSystemAccessRule constructor rejects empty rights, so a placeholder is used when removing.
    $Rights = $(IF($Remove) {"FullControl"} ELSE {$AccessLevel})
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Usrname, $Rights, $Inherit, $Propagation, "Allow")
    IF($Add){$ACL.AddAccessRule($AccessRule)}
    IF($Remove){$null = $ACL.RemoveAccessRuleAll($AccessRule)}
}
IF(($Add) -OR ($Remove)) {Set-Acl -Path $Path -AclObject $ACL}
ELSE {Write-Verbose "No Add or Remove action was specified"}
}[/pre]

BUT, do yourself a huge favour, and use groups to delegate access, not direct access by adding users to the ACL for folders/files/drives…