I am a relative novice at PowerShell but I feel like I have to share this with the world.
I had a relatively simple problem, essentially remove all write permissions from our company file server without giving everybody read permissions to everything.
It sounds simple enough but I had to search for hours just to find out how to remove only the write permission without having to copy an ACL.
Anyway, here is my script:
# Collect the names of every item in the current folder (e.g. each user's folder in the share).
$ChildItems = Get-ChildItem -Name
foreach ($ChildItem in $ChildItems) {
    # Every identity that currently has an ACE on this folder.
    $GetAcls = @((Get-Acl $ChildItem).Access |
        Select-Object -ExpandProperty IdentityReference)
    foreach ($GetAcl in $GetAcls) {
        # Build an Allow rule for "Write" so RemoveAccessRule can strip just those rights
        # from the matching ACE and leave the rest of its rights (e.g. Read) in place.
        $colRights = [System.Security.AccessControl.FileSystemRights]"Write"
        $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
        $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
        $objType = [System.Security.AccessControl.AccessControlType]::Allow
        $objUser = New-Object System.Security.Principal.NTAccount($GetAcl)
        $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
        $objACL = Get-Acl $ChildItem
        # RemoveAccessRule returns a boolean; discard it so it is not written to the pipeline.
        $null = $objACL.RemoveAccessRule($objACE)
        Set-Acl $ChildItem $objACL
    }
}
As you can see it is a foreach inside of a foreach: the outer one grabs all of the subfolders in a directory (say each user's folder in a file server share), and the inner one grabs the names of the users that currently have permissions on each individual folder.
I started with a small amount of code that can be found at this technet article:
https://technet.microsoft.com/en-us/library/ff730951.aspx
I worked my way from the inside out by adding the ACL foreach, which was easy enough, and then adding the childitem foreach, which I wasted a ton of time on, not realizing that Get-ACL and Set-ACL do not accept pipeline input. I was overcomplicating it with $_ since I still have hardly any experience with PowerShell, if any.
If you can tidy this up and share it, as I feel it is pretty handy, then be my guest.
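One way to tidy the script up along the lines the post invites, added here as an example rather than the author's code: it takes the share root as a parameter, supports -WhatIf so the change can be previewed per folder before anything is written, leaves Deny rules alone, reports inherited Write grants that RemoveAccessRule cannot remove, and matches each explicit ACE's own inheritance flags. The $ShareRoot parameter name is an assumption, and the script assumes PowerShell 3.0 or later for Get-ChildItem -Directory.

```powershell
# Added example (not the original post's script): strip the Write right from the explicit
# Allow ACEs on each subfolder of a share root. -ShareRoot is an assumed parameter name.
# Run with -WhatIf first to see what would change without touching any ACL.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$ShareRoot
)

$write = [System.Security.AccessControl.FileSystemRights]::Write

foreach ($folder in Get-ChildItem -LiteralPath $ShareRoot -Directory) {
    $acl     = Get-Acl -LiteralPath $folder.FullName
    $changed = $false

    foreach ($rule in @($acl.Access)) {
        $grantsWrite = ($rule.FileSystemRights -band $write) -ne 0

        # RemoveAccessRule cannot touch inherited ACEs; they have to be fixed on the parent,
        # so report them rather than silently leaving Write in place.
        if ($rule.IsInherited) {
            if ($grantsWrite) {
                Write-Warning "$($folder.FullName): inherited Write for $($rule.IdentityReference); fix it on the parent"
            }
            continue
        }
        # Deny rules are left alone: removing Write from a Deny would loosen access, not tighten it.
        if ($rule.AccessControlType -ne 'Allow' -or -not $grantsWrite) { continue }

        # Mirror the ACE's own inheritance/propagation flags so the removal matches that rule;
        # Remove strips only the Write bits and keeps the ACE's other rights (e.g. Read).
        $toRemove = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $rule.IdentityReference, $write, $rule.InheritanceFlags,
            $rule.PropagationFlags, $rule.AccessControlType)

        if ($PSCmdlet.ShouldProcess($folder.FullName, "Remove Write for $($rule.IdentityReference)")) {
            $null = $acl.RemoveAccessRule($toRemove)
            $changed = $true
        }
    }

    # Write the ACL back once per folder, and only if something was actually removed.
    if ($changed) {
        Set-Acl -LiteralPath $folder.FullName -AclObject $acl
    }
}
```

Save it as a .ps1 and run it first with `-ShareRoot D:\Shares\Users -WhatIf` to list the ACEs it would change, then without -WhatIf to apply them.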