I am a relative novice at PowerShell, but I feel I have to share this with the world.
I had a relatively simple problem: essentially, remove all write permissions from our company file server without giving everybody read permissions to everything.
It sounds simple enough, but I had to search for hours just to find out how to remove only the write permission without having to copy an ACL.
Anyway, here is my script:
```powershell
# Run this from the root of the share (the original script relied on the
# current directory, because Get-ChildItem -Name returns bare folder names).
$Root = (Get-Location).Path

# The rule we subtract is the same for every identity, so build its parts once.
$colRights       = [System.Security.AccessControl.FileSystemRights]"Write"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType         = [System.Security.AccessControl.AccessControlType]::Allow

# One entry per subfolder of the share, e.g. each user's home folder.
$ChildItems = Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer }

foreach ($ChildItem in $ChildItems) {
    $objACL = Get-Acl -Path $ChildItem.FullName

    # Every identity that currently has an ACE on this folder.
    $GetAcls = @($objACL.Access | Select-Object -ExpandProperty IdentityReference)

    foreach ($GetAcl in $GetAcls) {
        # $GetAcl is already an IdentityReference, which FileSystemAccessRule
        # accepts directly; wrapping it in NTAccount again is unnecessary and
        # fails for entries whose SID no longer resolves to a name.
        $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($GetAcl, $colRights, $InheritanceFlag, $PropagationFlag, $objType)

        # RemoveAccessRule subtracts only the Write bits from matching Allow
        # rules (Modify/FullControl entries keep their other rights). It has no
        # effect on ACEs inherited from a parent folder.
        [void]$objACL.RemoveAccessRule($objACE)
    }

    # Get-Acl/Set-Acl are called once per folder rather than once per identity.
    Set-Acl -Path $ChildItem.FullName -AclObject $objACL
}
```
As you can see, it is a foreach inside a foreach: one to grab all of the subfolders in a directory (say, each user's folder in a file server share), and the second to grab the names of the users that currently have permissions on each individual folder.
I started with a small amount of code that can be found in this TechNet article:
https://technet.microsoft.com/en-us/library/ff730951.aspx
I worked my way from the inside out by adding the ACL foreach, which was easy enough, and then adding the childitem foreach, which I wasted a ton of time on, not realizing that Get-Acl and Set-Acl do not accept pipeline input. I was overcomplicating it with $_ since I still have hardly any experience with PowerShell, if any.
If you can tidy this up and share it, then be my guest, as I feel it is pretty handy.
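One check worth running after the script above, added here as an example and not part of the original post: a read-only audit that lists every Allow ACE on each subfolder that still carries a write-class right, and flags the inherited ones, which RemoveAccessRule cannot strip (those have to be changed on the parent folder or have inheritance broken). The $Root parameter and the Get-WriteCapableAce function name are my own; nothing here modifies an ACL.

```powershell
# Audit which identities can still write into each top-level folder under $Root.
param([string]$Root = (Get-Location).Path)

# "Write" is the composite the removal script subtracts; the other members are
# rights that an ACE granting Modify or FullControl also carries and that still
# let a principal alter or delete content.
$WriteMask = [System.Security.AccessControl.FileSystemRights]"Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership"

function Get-WriteCapableAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Bitwise test: keep only rules that still hold at least one write-class bit.
        $remaining = $ace.FileSystemRights -band $WriteMask
        if ($remaining -eq 0) { continue }
        [pscustomobject]@{
            Folder      = $Path
            Identity    = $ace.IdentityReference.Value
            WriteRights = [System.Security.AccessControl.FileSystemRights]$remaining
            Inherited   = $ace.IsInherited   # True: fix on the parent, not on this folder
        }
    }
}

Get-ChildItem -Path $Root |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Get-WriteCapableAce -Path $_.FullName } |
    Sort-Object Inherited, Folder, Identity |
    Format-Table -AutoSize
```

Run it once before and once after the removal script; any row that survives with Inherited = False means the removal did not apply to that folder, and rows with Inherited = True are the ones the removal script was never able to touch.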