Hello, and thanks in advance.
We have the script below, which seems to do what we want, except that it does not apply the permission to subfolders and files. We need to:
- take ownership of a home folder
- give a user (SVC_Account) read-only permission to that folder and its subfolders and files
- give ownership back to the original user.
Could you assist please?
ps1 script below:
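#v1.0
#run as administrator and as Domain Admin
#Script requires Active Directory and NTFSSecurity powershell modules
#todo
#acl change for directories we need to take ownership of
#
#Script-level settings read by the functions and the main loop below:
#  $userList, $server, $root, $serviceAccount and the four log file paths.
Clear-Host
#$ErrorActionPreference = "silentlycontinue"
#every path below is relative to this folder, so stop early if it is missing rather than
#silently writing logs (or reading the user list) from wherever the shell happened to be
Set-Location c:\Scripts\HomedirACL -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module NTFSSecurity -ErrorAction Stop
$userList = "exeit5.txt" #plaintext list of user accounts in scope, one per line
$server = "MCRFS02" #set this to the CIFS server the homedirs are on - MCRFS02?
#map the root of the homedir share to Z:\ (\\mcrfs02\isadhomes01$ etc).
#NOTE(review): the trailing backslash matters if the home path is built by string concatenation
#($root + <user>); it is harmless when Join-Path is used
$root = "z:\home\"
$serviceAccount = "ISAD\svc_account" #service account to add to ACL
$timeStamp = Get-Date -Format "yyyyMMddHHmmss" #timestamp to use on logfiles
#the log files live under .\logs; create it so the first Out-File does not fail on a fresh checkout
New-Item -ItemType Directory -Path "logs" -Force | Out-Null
$outputLog = "logs\output_$timeStamp.log" #general output log file
$orphanedprofilesLog = "logs\orphanedprofiles_$timeStamp.log" #profiles that do not have a corresponding AD account
$errorLog = "logs\error_$timeStamp.log" #error logfile
$successLog = "logs\success_$timeStamp.log" #success logfile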
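function Check-ConnectedUser($profile) {
    #check if the user has an active SMB session on $server, return true or false
    #Globals:   $server (read)
    #Arguments: $profile - user name to look for in the session list
    #Outputs:   the share listing and the unique session users go to the host (diagnostics only);
    #           the ONLY value placed on the pipeline is the boolean, so callers get a single value
    #           instead of an array with the share objects in front of it
    $activeUsers = @()
    $shares = [ADSI]"WinNT://$server/lanmanserver" #get shares in SMB server
    #share listing is for the operator's eyes only: Out-Host keeps it off the function's return value
    $shares.psbase.children |
        Select-Object @{n="ShareName";e={$_.properties.name}}, @{n="LocalPath";e={$_.properties.path}} |
        Out-Host
    $shares.Invoke("Resources") | ForEach-Object {
        $activeUsers += $_.GetType().InvokeMember("User", 'GetProperty', $null, $_, $null) #get active sessions
    }
    $activeUsers = $activeUsers | Select-Object -Unique #reduce list down to unique entries as accounts can be listed more than once
    Write-Host $activeUsers
    #escape the name so a user name containing regex metacharacters can neither throw nor widen the match.
    #substring semantics are kept on purpose: a session name that merely contains $profile still counts
    #as connected, which errs towards skipping rather than taking ownership of a live home folder
    if ($activeUsers -match [regex]::Escape($profile)) {
        Write-Host $true
        return $true
    }
    else {
        Write-Host $false
        return $false
    }
}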
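function Test-ACL($profilePath, $account = $serviceAccount) {
    #test if $account (default: the script-level $serviceAccount) appears in the ACL of the users U: drive,
    #return true or false
    #Arguments: $profilePath - home directory to inspect
    #           $account     - account name to look for; defaults to $serviceAccount so existing callers are unchanged
    #Returns:   $true when an ACE for $account exists on $profilePath itself, otherwise $false
    #NOTE(review): only the top-level folder is inspected. An ACE that is present here but not inheritable
    #(or subfolders with inheritance disabled) still passes, so this does not prove subfolders/files are covered.
    $testAcl = Get-NTFSAccess $profilePath
    if ($null -eq $testAcl) {
        #nothing could be read (missing path or access denied): the account is certainly not on the ACL
        return $false
    }
    return ($testAcl.account -contains $account)
}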
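#Main loop
#Loop through profiles in $userList and cross reference against AD. If the AD account exists, perform actions.
#Reads (script scope): $userList, $root, $serviceAccount, $outputLog, $orphanedprofilesLog, $errorLog, $successLog
#Calls: Check-ConnectedUser and Test-ACL (defined above), Enable-/Disable-Privileges and Add-NTFSAccess (NTFSSecurity)

function Write-Log {
    #echo a message to the console and append it to each given log file (paths relative to the script folder)
    param([string]$Message, [string[]]$LogFiles)
    Write-Host $Message
    foreach ($log in $LogFiles) {
        $Message | Out-File -FilePath ".\$log" -Append
    }
}

function Test-HomeDirAccess {
    #return $true when the running account can enumerate the home directory, $false on access denied
    #or any other read error. An empty directory enumerates without error and therefore counts as accessible.
    param([string]$Path)
    try {
        Get-ChildItem -LiteralPath $Path -Force -ErrorAction Stop | Out-Null
        return $true
    }
    catch {
        return $false
    }
}

Enable-Privileges #backup/restore/take-ownership privileges stay on until the finally block below
try {
    #drop blank or whitespace-only lines so a trailing empty line is not treated as a user;
    #@() keeps .Count valid when the file holds a single entry
    $profiles = @(Get-Content $userList | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $totalProfiles = $profiles.Count
    Write-Host "$totalProfiles profiles in total"

    #$userName rather than $profile: $PROFILE is a PowerShell automatic variable and should not be reassigned
    foreach ($userName in $profiles) {
        #test if user exists in AD and skip if they don't
        try {
            $User = Get-ADUser -Identity $userName -ErrorAction Stop
        }
        catch {
            $User = $null
        }
        if ($null -eq $User) {
            Write-Log "$userName does not exist in AD. Skipping`n" @($orphanedprofilesLog)
            continue
        }

        $profilePath = Join-Path $root $userName #build homedir path (works with or without a trailing \ on $root)
        #test if user exists in the currently mapped ISADHomes share and skip if they don't
        if (Test-Path -LiteralPath $profilePath) {
            #test if we can access their home directory. if we can then add the service account,
            #if we cannot then take ownership and reapply the ACL
            if (Test-HomeDirAccess $profilePath) {
                Write-Log "$userName found in AD, $profilePath access successful. Adding $serviceAccount to ACL" @($outputLog)
                #-AppliesTo makes the ACE inheritable, so subfolders and files that inherit from the home folder
                #receive it as well (existing and future). Subfolders with inheritance disabled are not changed
                #by this and would need a separate pass
                Add-NTFSAccess -Path $profilePath -Account $serviceAccount -AccessRights ReadAndExecute -AppliesTo ThisFolderSubfoldersAndFiles
                if (Test-ACL $profilePath) {
                    Write-Log "$userName permission change completed`n" @($outputLog, $successLog)
                }
                else {
                    Write-Log "$userName permission change failed`n" @($outputLog, $errorLog)
                }
            }
            else {
                Write-Log "$userName found in AD, $profilePath access Failed" @($outputLog)
                #test if user has an active SMB session on $server and skip if they do.
                #-contains copes with Check-ConnectedUser emitting more than one value on the pipeline
                $isUserConnected = Check-ConnectedUser $userName
                if (@($isUserConnected) -contains $true) {
                    Write-Log "$userName is connected to their U: drive. Skipping`n" @($outputLog, $errorLog)
                }
                else {
                    #no active session so take ownership and reapply ACL
                    Write-Log "$userName is not connected to their U: drive. Taking ownership of $profilePath (This part of the script is commented out as its untested)" @($outputLog)
                    # Set-NTFSOwner $profilePath -Account 'ISAD\Domain Admins' -whatif
                    Write-Log "re-adding ACL to $profilePath" @($outputLog)
                    #Add-NTFSAccess -Path $profilePath -Account 'ISAD\Domain Admins' -AccessRights FullControl -AppliesTo ThisFolderSubfoldersAndFiles
                    #Add-NTFSAccess -Path $profilePath -Account $userName -AccessRights FullControl -AppliesTo ThisFolderSubfoldersAndFiles
                    #Add-NTFSAccess -Path $profilePath -Account $serviceAccount -AccessRights ReadAndExecute -AppliesTo ThisFolderSubfoldersAndFiles
                    #TODO: hand ownership back to the user once the ACL is reapplied, e.g.
                    #Set-NTFSOwner $profilePath -Account $userName
                    if (Test-ACL $profilePath) {
                        Write-Log "$userName permission change completed (or it will be when uncommented and tested...)`n" @($outputLog, $successLog)
                    }
                    else {
                        Write-Log "$userName permission change failed`n" @($outputLog, $errorLog)
                    }
                    Write-Log "$userName complete `n" @($outputLog)
                }
                #add section to check if user is connected, take ownership and blat correct acl
            }
        }
        else {
            Write-Log "$userName does not exist in $root. Skipping`n" @($errorLog)
        }
        Read-Host 'Press Enter to continue...' | Out-Null
    }
}
finally {
    #always drop the elevated privileges, even when the loop throws part-way through
    Disable-Privileges
}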
Thanks