Hi! I am new to PowerShell and hope to learn from all you experienced scripters out there.
We have shared folders hosted across many file servers for users. Users have more than read permissions, so they disabled the inheritance from the root shared folders, created many subfolders and files, and assigned other users and permissions on their own. So now there are layers of subfolders with all sorts of different users and either Modify or Full Control permissions. My goal is to stop all USERS from creating/saving new files to these shared folders.
Here is my question → How can I lock these shared folders down by allowing all users/groups “Read” only permissions and still keep the users/groups intact where they are, so that they can only read whatever is shared with them?
(If there is a PS script that can do even 1 shared folder at a time, I am happy.)
The way you describe your situation sounds like you may want to change your general approach of managing permissions on file shares.
I’d highly recommend considering simplifying the permissions you grant. In my experience a very commonly used approach is to only grant permissions to groups - never to users. This way you don’t have to touch the files and folders anymore at all. You can add or remove user accounts to or from groups. You could even delegate this task to some managers or group leaders.
The next recommendation would be not to grant (special/different) permissions (to groups) deeper than the second level.
Of course you have to involve “the business” in this change - you cannot do this only by yourself, but it would make your life way easier in the future and would help maintain a stable service over time.
Deny permissions win versus allow. You could simply do a Deny Write to everyone; then people can read it via their usual permissions and no one can write to it. You could also use a group to apply to all but a few admins.
Your recommended approach is spot on and I am with you on that. I recently joined the team and was assigned to tackle this out-of-control dilemma. The only way I can think of to handle this is to stop all the users/groups across the aisles from having any permissions except for “Read” only, and to do this via a PS script. Please let me know if you can assist with getting a script started.
Great idea. I was reading online and someone suggested the same. Unfortunately, I still haven’t found any sample scripts out there that can help with my case.
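
The Deny Write suggestion above, sketched in PowerShell as an added example that is not part of the original thread or any participant's post. It stamps a Deny ACE on the share root and on every subfolder or file where inheritance was disabled, since an inherited ACE will not reach those. The parameter names, the placeholder paths and group, and the choice to also deny delete and permission changes are assumptions.

```powershell
# Added example (not from the thread). Run elevated, and first with -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$RootPath,    # share root, e.g. 'D:\Shares\Finance' (placeholder)
    [Parameter(Mandatory)][string]$DenyGroup,   # e.g. 'CONTOSO\Share-Lockdown' (placeholder); keep admins out of it
    [string]$BackupCsv = '.\acl-backup.csv',    # DACL (SDDL) of each item before it is changed, for rollback
    # Assumption: besides Write, also deny delete and DACL/owner changes so the ACE is harder to undo.
    [System.Security.AccessControl.FileSystemRights]$DenyRights =
        'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
)

# A folder ACE flows down to children that still inherit; a file ACE cannot carry inheritance flags.
$folderRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $DenyGroup, $DenyRights, 'ContainerInherit, ObjectInherit', 'None', 'Deny')
$fileRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $DenyGroup, $DenyRights, 'None', 'None', 'Deny')

$items = @(Get-Item -LiteralPath $RootPath -Force) +
         @(Get-ChildItem -LiteralPath $RootPath -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL on $($item.FullName): $_"; continue }

    # Only the root and items with inheritance disabled need their own Deny ACE;
    # everything else receives it from the nearest stamped parent.
    $isRoot = $item.FullName -eq $items[0].FullName
    if (-not $isRoot -and -not $acl.AreAccessRulesProtected) { continue }

    if ($PSCmdlet.ShouldProcess($item.FullName, "Add Deny [$DenyRights] for $DenyGroup")) {
        # Record the existing DACL before touching it.
        [pscustomobject]@{
            Path = $item.FullName
            Sddl = $acl.GetSecurityDescriptorSddlForm('Access')
        } | Export-Csv -LiteralPath $BackupCsv -Append -NoTypeInformation

        if ($item.PSIsContainer) { $acl.AddAccessRule($folderRule) }
        else                     { $acl.AddAccessRule($fileRule) }
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}
```

The owner of a file or folder can still edit its DACL regardless of a Deny ACE, so users who own what they created can remove this entry unless ownership is also changed.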