Here is a set of simple functions for basic management of directory permissions or Access Control Lists. <\/p>\n\n\n\n
when setting up file shares I tend to it in very few unique steps. Break inheritance while keeping ACLs, Add\/Remove\/Modify users or groups. So I have 4 powershell functions to simply complete these tasks.<\/p>\n\n\n
\nfunction acl-Disableinheritance\n{\n [CmdletBinding()]\n param\n (\n [Parameter(Mandatory = $true)] [ValidateScript({test-path $_})][string]$PathName\n\n )\n\n # get ACLs\n $FolderACL = Get-Acl $PathName\n\n # protect the acls from inheritace (break inheritace) , allow ACLs to inherit down.\n $FolderACL.SetAccessRuleProtection($true,$true)\n\n # write new ACL object back to directory\n Set-Acl $PathName -AclObject $FolderACL\n if ($?)\n {\n return $true\n }else{\n return $false\n }\n}\n\n\nfunction acl-RemoveItem\n{\n [CmdletBinding()]\n param\n (\n [Parameter(Mandatory = $true)] [ValidateScript({test-path $_})][string]$PathName,\n [Parameter(Mandatory = $true)] [string]$UserOrGroup\n\n )\n\n # get ACLs\n $FolderACL = Get-Acl $PathName\n\n # loop through each User (or Group) called access rules and make $AccessRuleToDelete the the rule to delate.\n foreach ($AccessRule in $FolderACL.access)\n {\n if ($AccessRule.IdentityReference -eq $UserOrGroup)\n {\n $AccessRuleToDelete = $AccessRule\n }\n }\n\n # check the rule to delete exists\n if ($AccessRuleToDelete)\n {\n # remove the access rule from the directory ACL object\n $FolderACL.RemoveAccessRule($AccessRuleToDelete)\n\n # write new ACL object back to directory\n Set-Acl $PathName -AclObject $FolderACL\n return $true\n }else{\n write-host "$UserOrGroup not found" -ForegroundColor Red\n return $false\n }\n}\n\nfunction acl-AddItem\n{\n [CmdletBinding()]\n param\n (\n [Parameter(Mandatory = $true)] [ValidateScript({test-path $_})][string]$PathName,\n [Parameter(Mandatory = $true)] [string]$UserOrGroup,\n [Parameter(Mandatory = $true)] [ValidateSet("FullControl","Modify","ReadAndExecute")][string]$Permission\n\n )\n\n # get ACLs\n $FolderACL = Get-Acl $PathName\n\n # create new access rule object\n $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($UserOrGroup,$Permission,'ContainerInherit,ObjectInherit','None','Allow')\n\n # add new access rule object to the directory ACL object\n $FolderACL.SetAccessRule($AccessRule)\n if ($?)\n {\n # write new ACL object back to directory\n Set-Acl $PathName -AclObject $FolderACL\n if ($?){return $true}\n\n }else{\n Write-Host "User or Group $UserOrGroup not found!" -ForegroundColor Red\n return $false\n }\n}\n\nfunction acl-getItem\n{\n [CmdletBinding()]\n param\n (\n [Parameter(Mandatory = $true)] [ValidateScript({test-path $_})][string]$PathName,\n [switch]$ShowSync\n )\n\n # get ACLs\n $FolderACL = Get-Acl $PathName\n\n $Result = @()\n\n # loop though each access rule and make a nice simple array\n foreach ($AccessRule in $FolderACL.access)\n {\n $tmpObj = '' | select UserOrGroup , Permission , IsInherited\n $tmpObj.UserOrGroup = $AccessRule.IdentityReference\n if ($ShowSync)\n {\n $tmpObj.Permission = $AccessRule.FileSystemRights\n }else{\n # remove the Synchronize ACL from the list as its normaly hidden.\n [string]$RawPerm = $AccessRule.FileSystemRights\n $PermArray = $RawPerm.Split(',')\n $NewPermArray = $PermArray | where {$_ -notmatch "Synchronize"}\n $tmpObj.Permission = $NewPermArray\n }\n\n $tmpObj.IsInherited = $AccessRule.IsInherited\n $Result += $tmpObj\n }\n if ($Result)\n {\n return $Result\n }else{\n return $null\n }\n}\n\n<\/pre><\/div>\n\n\nPut those functions at the start of your program and you will have the following functions<\/p>\n\n\n\n
To keep these functions simple, there is no ownership function or any way to set granular permissions or set denys.<\/p>\n\n\n\n
The functions will return $true if successful (with the exception of acl-getItem that will return an array) and $false if the function fails.<\/p>\n\n\n\n
To quickly permission up a simple shared file store with the following directory structure.<\/p>\n\n\n\n
\\nas01\\cifs
\\nas01\\cifs\\sales
\\nas01\\cifs\\marketing
\\nas01\\cifs\\IT<\/p>\n\n\n\n
I would call the functions as follows.<\/p>\n\n\n
\nacl-RemoveItem -PathName "\\\\nas01\\cifs" -UserOrGroup "Everyone"\n\nacl-Disableinheritance -PathName "\\\\nas01\\cifs\\sales"\nacl-AddItem -PathName "\\\\nas01\\cifs\\sales" -UserOrGroup "domain\\ACL-Sales-R" -Permission ReadAndExecute\nacl-AddItem -PathName "\\\\nas01\\cifs\\sales" -UserOrGroup "domain\\ACL-Sales-RW" -Permission Modify\n\nacl-Disableinheritance -PathName "\\\\nas01\\cifs\\marketing"\nacl-AddItem -PathName "\\\\nas01\\cifs\\marketing" -UserOrGroup "domain\\ACL-marketing-R" -Permission ReadAndExecute\nacl-AddItem -PathName "\\\\nas01\\cifs\\marketing" -UserOrGroup "domain\\ACL-marketing-RW" -Permission Modify\n\n\nacl-Disableinheritance -PathName "\\\\nas01\\cifs\\IT"\nacl-AddItem -PathName "\\\\nas01\\cifs\\IT" -UserOrGroup "domain\\ACL-IT-R" -Permission ReadAndExecute\nacl-AddItem -PathName "\\\\nas01\\cifs\\IT" -UserOrGroup "domain\\ACL-IT-RW" -Permission Modify\nacl-AddItem -PathName "\\\\nas01\\cifs\\IT" -UserOrGroup "domain\\ACL-IT-Admin" -Permission FullControl\n<\/pre><\/div>\n\n\nThere you go, a quick and easy way to apply ACLs. <\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Here is a set of simple functions for basic management of directory permissions or Access Control Lists. when setting up file shares I tend to it in very few unique steps. Break inheritance while keeping ACLs, Add\/Remove\/Modify users or groups. So I have 4 powershell functions to simply complete these tasks. Put those functions at…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[4],"tags":[39,42,41,17,40],"class_list":["post-264","post","type-post","status-publish","format-standard","hentry","category-powershell","tag-acl","tag-directory","tag-folder","tag-function","tag-permissions"],"_links":{"self":[{"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=\/wp\/v2\/posts\/264","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=264"}],"version-history":[{"count":6,"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=\/wp\/v2\/posts\/264\/revisions"}],"predecessor-version":[{"id":270,"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=\/wp\/v2\/posts\/264\/revisions\/270"}],"wp:attachment":[{"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=264"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=264"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}