Modifying existing NTFS permissions using PS

by lamotta79 at 2012-09-12 04:22:07

Hi - I’m afraid I have very little PowerShell experience and so am after a bit of help in setting up a script which will hopefully save me a weekend of work.



Basically I need to alter multiple security groups on around 2000 folders. The groups all need to have the same permissions, which are ‘Traverse, List Folder, Read Attributes, Read extended attributes and Read permissions’. The permissions also need to be set only to the folder on which they are applied, so in the GUI I would set Apply To: This folder only. Whilst all groups are named differently, they all have a constant, which is that they end with ‘-T’.

So for example on a directory f:\Projects, I would need to identify all subfolders containing groups ending with ‘-T’ and modify the permissions on these groups as stated above.

Do you think this is possible? Or am I being overly optimistic? Any help would be greatly appreciated as it would potentially save me many hours.



Thanks Shayne
by coderaven at 2012-09-12 05:12:21
In the list of permissions you are trying to set it sounds like "ReadAndExecute"

This should get you close, it is ad-hoc so please test!
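    # Collect every directory under the root (Mode starts with "d" for directories)
    $Folders = (Get-ChildItem -Path F:\Projects -Recurse | Where-Object {$_.Mode -like "d*"})
    Foreach ($Folder in $Folders)
    {
        $acl = Get-Acl -Path $Folder.FullName
        foreach ($Access in $acl.Access)
        {
            # Only touch entries whose group name ends with -T
            if ($Access.IdentityReference -like "*-T")
            {
                # RemoveAccessRule returns a Boolean; discard it to keep the output clean
                $acl.RemoveAccessRule($Access) | Out-Null
                # "None", "None" = no inheritance or propagation, i.e. This folder only
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Access.IdentityReference,"ReadAndExecute", "None", "None", "Allow")
                $acl.AddAccessRule($rule)
            }
        }
        Set-Acl -Path $Folder.FullName -AclObject $acl
    }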


If you are doing 2000 folders I suggest you add in a Write-Progress in the Foreach Folder loop to see how you are doing.
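
Added example, not part of the original thread and not coderaven's script: an audit-first variant of the loop above that reports every explicit ‘-T’ entry and only rewrites ACLs when run with a switch, so a 2000-folder change can be reviewed before it is made. The `-Root` and `-Apply` parameter names are hypothetical, ignoring the Synchronize bit when comparing rights is an assumption of this sketch, and `[pscustomobject]` needs PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Without -Apply nothing is written.
param(
    [string]$Root = 'F:\Projects',   # root folder named in the thread
    [switch]$Apply                   # hypothetical switch: actually change ACLs
)

$fsr     = [System.Security.AccessControl.FileSystemRights]
$wanted  = [int]$fsr::ReadAndExecute
$noSync  = -bnot [int]$fsr::Synchronize   # .NET adds Synchronize to Allow rules
$folders = @(Get-ChildItem -Path $Root -Recurse | Where-Object { $_.PSIsContainer })
$i = 0

$report = foreach ($folder in $folders) {
    $i++
    Write-Progress -Activity 'Checking -T groups' -Status $folder.FullName `
        -PercentComplete ([int](100 * $i / $folders.Count))

    $acl     = Get-Acl -Path $folder.FullName
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        if ($ace.IdentityReference.Value -notlike '*-T') { continue }
        # Inherited entries cannot be edited here; they must be fixed on the parent.
        if ($ace.IsInherited) { continue }

        $compliant = ($ace.AccessControlType -eq 'Allow') -and
                     ($ace.InheritanceFlags -eq 'None') -and
                     ((([int]$ace.FileSystemRights) -band $noSync) -eq $wanted)

        [pscustomobject]@{
            Folder    = $folder.FullName
            Group     = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            AppliesTo = $ace.InheritanceFlags
            Compliant = $compliant
        }

        if ($Apply -and -not $compliant) {
            # Remove exactly this entry, then add the "This folder only" rule.
            [void]$acl.RemoveAccessRuleSpecific($ace)
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ace.IdentityReference, $fsr::ReadAndExecute, 'None', 'None', 'Allow')
            $acl.AddAccessRule($rule)
            $changed = $true
        }
    }
    # Write back only folders that actually changed.
    if ($changed) { Set-Acl -Path $folder.FullName -AclObject $acl }
}
$report | Sort-Object Compliant, Folder | Format-Table -AutoSize
```

Run it once without `-Apply` and keep the output as the record of the previous permissions before making the change.
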
by lamotta79 at 2012-09-13 04:51:04
Hi thanks for this, it really is very much appreciated.

Just trying to run the script on a test folder but I am receiving the following error even though I have ownership and full control over the folder.

Set-Acl : Attempted to perform an unauthorized operation.
At C:\pstest.ps1:13 char:8
+ Set-Acl <<<< -Path $Folder.FullName -AclObject $acl
+ CategoryInfo : PermissionDenied: (C:\PSTEST\Roche:String) [Set-Acl], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand


Any Ideas?

Many Thanks

Shayne
by coderaven at 2012-09-13 09:50:42
It looks like this is a reported bug. Does it happen for all folders or just certain ones?
by DonJ at 2012-09-13 10:34:15
Note that there’s also a WMI-based workaround posted on that bug report page.