Overwrite Permissions

Hi All,

I have about 10,000 files for which I need to overwrite permissions. Meaning to say, there are 'n' number of people having access to those files. I am not sure who all have access. I would like to remove them all and have only myself access those files. I would also want to hide those files within the same path.

I tried the Set-Acl and Get-Acl cmdlets, but they are not working to my expectation. Could anyone help me with a PowerShell script?

Much appreciated…!

Thank You

What kind of help would you expect? Did you try to search for it? There are literally thousands of examples regarding manipulating access rights out there. Even here in this forum. What have you tried so far? This is not a script request service here.

I have been using an excellent module named NTFSSecurity for a while now.

It is available on the PowerShell Gallery and it drastically reduces the size of your scripts when you want to work with permissions.

You should give it a try!

To be really honest, I did search for it online. But I wasn't able to find a match that meets my criteria. Possibly I was searching with an incorrect search word.

Where did you search? This is a common task.
Are you saying you followed the instructions found here…

PowerShell – Editing permissions on a file or folder https://blogs.msdn.microsoft.com/johan/2008/10/01/powershell-editing-permissions-on-a-file-or-folder

Weekend Scripter: Use PowerShell to Get, Add, and Remove NTFS Permissions
https://blogs.technet.microsoft.com/heyscriptingguy/2014/11/22/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions

Change permissions on multiple folders using PowerShell
https://www.sconstantinou.com/change-permissions-multiple-folders-using-powershell/

… and that it did not work?

icacls is still there for you to use as well.

https://ss64.com/nt/icacls.html

I tried the below. The first part works fine: it removes the permission for everyone on that particular file, but I am not able to grant anyone.

icacls C:\Scripts1\Test1\test2\Test3\Test4\Test.txt /inheritance:r | icacls C:\Scripts1\Test1\test2\Test3\Test4\Test.txt /grant "userid@domain.com :/F

[quote quote=140293]Where did you search? This is a common task.

Are you saying, you followed the instructions found here…

PowerShell – Editing permissions on a file or folder
https://blogs.msdn.microsoft.com/johan/2008/10/01/powershell-editing-permissions-on-a-file-or-folder

Weekend Scripter: Use PowerShell to Get, Add, and Remove NTFS Permissions

https://blogs.technet.microsoft.com/heyscriptingguy/2014/11/22/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions

Change permissions on multiple folders using PowerShell

https://www.sconstantinou.com/change-permissions-multiple-folders-using-powershell/


… and that it did not work?

icacls is still there for you to use as well.

https://ss64.com/nt/icacls.html
[/quote]

Hi

Please try this…

icacls.exe "C:\Scripts1\Test1\test2\Test3\Test4\Test.txt" /inheritance:r /grant:r "Domain\UserName:F"

These …

icacls C:\Scripts1\Test1\test2\Test3\Test4\Test.txt /inheritance:r | icacls C:\Scripts1\Test1\test2\Test3\Test4\Test.txt /grant "userid@domain.com :/F

… are two separate commands.

You cannot use the default PS pipe '|' for external commands like this.

So, using the above, they should be on separate lines.

icacls C:\Scripts1\Test1\test2\Test3\Test4\Test.txt /inheritance:r

icacls C:\Scripts1\Test1\test2\Test3\Test4\Test.txt /grant "userid@domain.com:F"

Hi,
Thanks for the suggestion. It looks even better now…! If I have to grant permission to a couple more users, how would I do that?

Hello,

If there is a separate user group that contains the other users, then you can mention the group name with the parameter /grant:r "<GroupName>:F"; otherwise, if there are only a handful of users, write the same line of code for each of the other users as well.

icacls.exe "C:\Scripts1\Test1\test2\Test3\Test4\Test.txt" /inheritance:r /grant:r "Domain\UserName1:F"
icacls.exe "C:\Scripts1\Test1\test2\Test3\Test4\Test.txt" /inheritance:r /grant:r "Domain\UserName2:F"
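The icacls replies above work on one file and one account at a time. The script below is an added example written for this page (it is not code from the thread): it runs the same /inheritance:r and /grant:r switches over every file under a folder, passes several grantees in a single call, takes a backup with /save so the change can be undone with /restore, hides each file, and then reads the DACLs back to report any account outside the intended set that still holds an entry. $Root, the second account name and the backup location are placeholders.

```powershell
# Added example (not from the thread). Applies the icacls approach above to every file under a
# folder, grants several principals in one call, keeps a backup for rollback and verifies the result.
# Placeholders/assumptions: $Root, the second account name, and the backup location.
$Root       = 'C:\Scripts1\Test1'
$BackupFile = Join-Path $env:TEMP ("acl-backup-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
$Grantees   = @("$env:USERDOMAIN\$env:USERNAME", 'DOMAIN\UserName2')   # principals that keep access

# 1. Back up every ACL under $Root first. /save stores paths relative to $Root, so the rollback is:
#      icacls.exe $Root /restore $BackupFile
#    /T recurses, /C continues past per-file errors, /Q suppresses success messages.
icacls.exe $Root /save $BackupFile /T /C /Q
if ($LASTEXITCODE -ne 0) { throw "icacls /save failed with exit code $LASTEXITCODE" }

# 2. One "account:F" token per principal. An array passed to a native command is expanded into
#    separate arguments, so a single /grant:r can carry all of them. With :r, the explicit rights
#    previously granted to *that* account are replaced rather than merged.
$GrantArgs = foreach ($g in $Grantees) { "$($g):F" }

# 3. Per file: remove inherited entries, grant the kept principals, set the Hidden attribute.
#    -Force makes Get-ChildItem return files that are already hidden on a rerun.
$Failed = @()
foreach ($file in Get-ChildItem -Path $Root -File -Recurse -Force) {
    icacls.exe $file.FullName /inheritance:r /grant:r $GrantArgs /Q
    if ($LASTEXITCODE -ne 0) { $Failed += $file.FullName; continue }
    $file.Attributes = $file.Attributes -bor [System.IO.FileAttributes]::Hidden
}

# 4. Verify. /inheritance:r only strips *inherited* entries and /grant:r only touches the named
#    accounts, so an explicit entry given to someone else earlier survives both switches.
#    Read each DACL back and report any account outside $Grantees that still holds an entry.
function Get-UnexpectedPrincipal {
    param([string]$Path, [string[]]$Allowed)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $Allowed -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}
$Leftovers = foreach ($file in Get-ChildItem -Path $Root -File -Recurse -Force) {
    $extra = @(Get-UnexpectedPrincipal -Path $file.FullName -Allowed $Grantees)
    if ($extra.Count -gt 0) {
        [pscustomobject]@{ Path = $file.FullName; ExtraPrincipals = ($extra -join ', ') }
    }
}
# A leftover is removed explicitly, e.g.: icacls.exe $path /remove "DOMAIN\SomeoneElse"
$Leftovers | Format-Table -AutoSize
if ($Failed.Count -gt 0) { Write-Warning "$($Failed.Count) file(s) could not be changed: $($Failed -join '; ')" }
```

Two things to keep in mind before running it against 10,000 files: /inheritance:r also drops the inherited SYSTEM and BUILTIN\Administrators entries, so backup agents and other administrators lose access unless you add them to $Grantees; and icacls can only rewrite a DACL when the caller owns the file or holds change-permissions rights, so files owned by someone else end up in $Failed until an administrator takes ownership (icacls /setowner or takeown).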

I've always found Get-Acl and Set-Acl to be quite powerful. It really depends on what you want to achieve. For example:

  • if you want to adjust inheritance
  • if some folders/files have or need explicit permissions only (not inherited)
  • if you want to add/remove single user permissions or replace an entire set of permissions
I think it offers a little more granular control than icacls (I'm open to correction on that; it's been a while since I tried icacls). Here are a couple of useful snippets:

Note: I’d recommend logging any permission changes before AND after so that you can reverse any changes that might go awry along the way.

# Define a few bits
$dir2change = 'C:\kk\ps.org\test\'
$user1 = 'DOMAIN\user1'
$user2 = 'DOMAIN\user2'
$user3 = 'DOMAIN\user3'

# For later: the rules flow down to subfolders and files (ContainerInherit, ObjectInherit).
# These flags are only valid on a folder; a rule applied to a file must use "None".
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"

# Logs - use whatever naming convention works
$time = Get-Date -Format "yyyy_MM_dd-HH-mm"
$acl_log1 = "C:\kk\ps.org\perm-before-$time.log"
New-Item $acl_log1 -ItemType File -Force | Out-Null
$acl_log2 = "C:\kk\ps.org\perm-after-$time.log"
New-Item $acl_log2 -ItemType File -Force | Out-Null

# Get ACL of target folder
$acl1 = Get-Acl -Path $dir2change

# Log before
$acl1 | Format-List | Out-File $acl_log1 -Append

# Define new rules (identity, rights, inheritance, propagation, allow/deny)
$rule1 = New-Object System.Security.AccessControl.FileSystemAccessRule($user1, "FullControl", $inherit, $propagation, "Allow")
$rule2 = New-Object System.Security.AccessControl.FileSystemAccessRule($user2, "Modify", $inherit, $propagation, "Allow")
$rule3 = New-Object System.Security.AccessControl.FileSystemAccessRule($user3, "Traverse,ExecuteFile,Read,ListDirectory,ReadAttributes,ReadExtendedAttributes,ReadPermissions", $inherit, $propagation, "Allow")

# Add new rules to the in-memory ACL (nothing is written to disk yet)
try {
    Write-Host "Adding new rules to ACL..." -ForegroundColor Cyan
    $acl1.AddAccessRule($rule1)
    $acl1.AddAccessRule($rule2)
    $acl1.AddAccessRule($rule3)
    Write-Host "OK" -ForegroundColor Green
}
catch { Write-Host "NOT OK: $_" -ForegroundColor Red }

# Apply the updated ACL (-ErrorAction Stop so a failure actually reaches the catch block)
try {
    Write-Host "Setting ACL on '$dir2change'...`n" -ForegroundColor Cyan
    Set-Acl -Path $dir2change -AclObject $acl1 -Verbose -ErrorAction Stop
    Write-Host "OK" -ForegroundColor Green
}
catch { Write-Host "NOT OK: $_" -ForegroundColor Red }

# Log after
$acl2 = Get-Acl -Path $dir2change
$acl2 | Format-List | Out-File $acl_log2 -Append

This is what the ACL logs look like after that:

Before:

Path   : Microsoft.PowerShell.Core\FileSystem::C:\kk\ps.org\test\
Owner  : DOMAIN\kieran
Group  : DOMAIN\Domain Users
Access : NT AUTHORITY\SYSTEM Allow FullControl
         BUILTIN\Administrators Allow FullControl
         DOMAIN\kieran Allow FullControl
         CREATOR OWNER Allow 268435456

After:

Path   : Microsoft.PowerShell.Core\FileSystem::C:\kk\ps.org\test\
Owner  : DOMAIN\kieran
Group  : DOMAIN\Domain Users
Access : DOMAIN\user1 Allow FullControl
         DOMAIN\user2 Allow Modify, Synchronize
         DOMAIN\user3 Allow ReadAndExecute, Synchronize
         NT AUTHORITY\SYSTEM Allow FullControl
         BUILTIN\Administrators Allow FullControl
         DOMAIN\kieran Allow FullControl
         CREATOR OWNER Allow 268435456

Similarly, you can remove the same permissions added above by replacing the AddAccessRule lines with:

$acl1 | foreach { $_.RemoveAccessRuleAll($rule1)}
$acl1 | foreach { $_.RemoveAccessRuleAll($rule2)}
$acl1 | foreach { $_.RemoveAccessRuleAll($rule3)}
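The post above lists "replace an entire set of permissions" as one of the cases Get-Acl and Set-Acl handle, but only shows adding and removing individual rules on a folder. The script below is an added example written for this page (not the poster's code) that does the full replacement on files with the same API: it protects each file's ACL from inheritance without copying the inherited entries, removes every explicit entry that remains, adds one Full Control entry for the current user, sets the Hidden attribute, and logs the previous owner/group/DACL as SDDL so the DACL can be put back per file. $Root and the log location are placeholders.

```powershell
# Added example (not the poster's code): replace each file's whole DACL with a single owner-only entry.
# Placeholders/assumptions: $Root and the log location; the current user is the one who keeps access.
$Root    = 'C:\Scripts1\Test1'
$LogFile = Join-Path $env:TEMP ("dacl-before-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
$Me      = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\$env:USERNAME"

# Turns the current FileSecurity into the desired one: protected from inheritance, every existing
# explicit entry removed, one Allow/FullControl entry for $Account. Returns the same object, modified.
function Set-OwnerOnlyAcl {
    param(
        [System.Security.AccessControl.FileSecurity]$Acl,
        [System.Security.Principal.NTAccount]$Account
    )
    # ($true, $false): protect the DACL from inheritance and do NOT copy the inherited entries
    # into explicit ones, so SYSTEM/Administrators inherited from the folder disappear as well.
    $Acl.SetAccessRuleProtection($true, $false)
    # What is left in .Access are the explicit entries; drop them all. Snapshot first, because
    # .Access is rebuilt on every read and we are removing while iterating.
    foreach ($ace in @($Acl.Access)) { $Acl.RemoveAccessRuleAll($ace) }
    # Files take no inheritance flags, so the (identity, rights, type) constructor is the right one.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, [System.Security.AccessControl.FileSystemRights]::FullControl, 'Allow')
    $Acl.AddAccessRule($rule)
    return $Acl
}

$Results = foreach ($file in Get-ChildItem -Path $Root -File -Recurse -Force) {
    $before = Get-Acl -LiteralPath $file.FullName
    # Keep owner, group and DACL as SDDL so the change can be undone per file.
    $sddl   = $before.GetSecurityDescriptorSddlForm('Owner,Group,Access')
    $status = 'Changed'
    try {
        # Rewriting the DACL needs WRITE_DAC or ownership; anyone else gets Access Denied here.
        $new = Set-OwnerOnlyAcl -Acl $before -Account $Me
        Set-Acl -LiteralPath $file.FullName -AclObject $new -ErrorAction Stop
        $file.Attributes = $file.Attributes -bor [System.IO.FileAttributes]::Hidden
    }
    catch { $status = "Failed: $($_.Exception.Message)" }
    [pscustomobject]@{ Path = $file.FullName; SddlBefore = $sddl; Status = $status }
}
$Results | Export-Csv -LiteralPath $LogFile -NoTypeInformation
$Results | Where-Object Status -ne 'Changed' | Format-Table -AutoSize

# Rollback: put the logged DACL back. Only the Access section is restored; rewriting the owner
# would need SeRestorePrivilege and is normally not what went wrong.
function Restore-DaclFromLog {
    param([string]$LogPath)
    foreach ($row in Import-Csv -LiteralPath $LogPath) {
        $acl = Get-Acl -LiteralPath $row.Path
        $acl.SetSecurityDescriptorSddlForm($row.SddlBefore, 'Access')
        Set-Acl -LiteralPath $row.Path -AclObject $acl
    }
}
```

The order inside Set-OwnerOnlyAcl matters: SetAccessRuleProtection($true, $false) has to run before the purge loop, because inherited entries cannot be removed with RemoveAccessRuleAll and would otherwise be written back as part of the DACL. Files that fail show up with their error text in $Results (typically "Access to the path is denied" when the caller is neither owner nor holder of change-permissions rights), and the CSV keeps the pre-change SDDL of every file regardless of outcome, so Restore-DaclFromLog can be run against it if the result is not what was intended.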