Adding ACE to large directory structure

This topic contains 2 replies, has 2 voices, and was last updated by  John Steele 3 months ago.

  • #75068

    Joshua
    Participant

    Can someone point me in the right direction?

    I'm trying to create a script that will look at a directory (D:\Public for example), then Get-NTFSAccess (NTFSSecurity module available on TechNet) on each sub-directory so I can sort out which ones are and are not inheriting permissions from their parent folders. Then I need to Add-NTFSAccess to the sub-directories which returned False for IsInherited. The idea behind this is to run the command "Add-NTFSAccess $folder -account $account -accessrights fullcontrol -appliesto thisfoldersubfoldersandfiles" on the root, which will grant the permission to the root and everything inherited down the tree. Then run this script to apply the permissions to the directories that did not originally get the permission via the inheritance. It needs to be separated like this; otherwise, if you try to apply the permission to all directories and files, there will end up being multiple ACEs due to inherited and not inherited settings. This is all theory, but I think that is what will happen. Once the second script works, the whole thing can likely be combined into one script. Below is where I left off because I was confusing myself and don't have much experience with arrays yet. I think arrays need to be used due to having multiple values that contain various properties that are needed. I think the variables in some areas likely need to be renamed and/or I'm trying to do the tasks in the wrong order. Any help is appreciated.

    # Collect every directory below the root (requires the NTFSSecurity module)
    $subfolders = Get-ChildItem2 -Path 'C:\temp2\testacl2' -Recurse | Where-Object {$_.Attributes -match 'Directory'}
    $permissionpath = @()
    
    foreach ($subfolder in $subfolders) 
    { 
    	$subfolderpath = $subfolder.FullName
    
    	$subfolderpathperm = @{
    	}
    
    	$permissionpath += New-Object psobject -Property $subfolderpathperm
    }
    
    # Keep the ACEs in a variable so the loop below has something to iterate over
    $subfolderperms = $subfolders | Get-NTFSAccess
    
    foreach ($subfolderperm in $subfolderperms)
    {
    	# IsInherited is a Boolean, so test it directly rather than against the string "False"
    	if (-not $subfolderperm.IsInherited)
    	{
    		# Add-NTFSAccess -Path $subfolderperm.FullName -Account 'DOMAIN\File-Local-SERVERNAME-ALL-F' -AccessRights FullControl -AppliesTo ThisFolderSubfoldersAndFiles
    		Write-Host "FullControl permission has been granted to 'DOMAIN\File-Local-SERVERNAME-ALL-F' on subfolder $($subfolderperm.FullName)"
    	}
    }
    
  • #75169

    John Steele
    Participant

    If I understand your problem correctly you are trying to enable inheritance for every child directory.

    Give this a try.

    $path = 'c:\your\path'
    
    Get-ChildItem2 -Path $path -Recurse -Directory | Enable-NTFSAccessInheritance -RemoveExplicitAccessRules
    

    RemoveExplicitAccessRules removes any ACE that is not inherited.

    Also, just like Get-ChildItem, Get-ChildItem2 supports the Directory switch so there is no need for that Where-Object in your first line.
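
The approach from the original question, as an added example (not code from either poster or from the NTFSSecurity project): grant the ACE only on folders where access inheritance is disabled, skip folders that already have an explicit ACE for the account, and support `-WhatIf` so the affected folders can be reviewed before anything changes. The function name is hypothetical, and `Get-NTFSInheritance` with its `AccessInheritanceEnabled` property, as well as the string form of the `Account` property, are assumptions about the module that the thread does not show.

```powershell
# Added example: not from the thread. Requires the NTFSSecurity module.
Import-Module NTFSSecurity

function Add-AceWhereInheritanceBroken {   # hypothetical name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Account
    )

    # -Directory returns folders only, so no Where-Object filter is needed.
    foreach ($dir in Get-ChildItem2 -Path $Root -Recurse -Directory) {

        # Assumption: Get-NTFSInheritance exposes AccessInheritanceEnabled.
        $inheritance = Get-NTFSInheritance -Path $dir.FullName
        if ($inheritance.AccessInheritanceEnabled) {
            continue   # the ACE granted on $Root already flows down to this folder
        }

        # Any explicit ACE for the account counts as present, so re-running
        # the script does not stack duplicate entries on the same folder.
        # Assumption: the Account property renders as DOMAIN\name.
        $existing = Get-NTFSAccess -Path $dir.FullName |
            Where-Object { -not $_.IsInherited -and "$($_.Account)" -eq $Account }

        $result = 'AlreadyPresent'
        if (-not $existing) {
            $result = 'NotApplied'   # stays this way under -WhatIf or a declined prompt
            if ($PSCmdlet.ShouldProcess($dir.FullName, "Grant FullControl to $Account")) {
                Add-NTFSAccess -Path $dir.FullName -Account $Account `
                    -AccessRights FullControl -AppliesTo ThisFolderSubfoldersAndFiles
                $result = 'Added'
            }
        }

        # One record per folder with inheritance disabled, for review or export.
        [pscustomobject]@{ Path = $dir.FullName; Account = $Account; Result = $result }
    }
}

# Dry run first: lists every folder that would be changed without touching it.
Add-AceWhereInheritanceBroken -Root 'D:\Public' -Account 'DOMAIN\File-Local-SERVERNAME-ALL-F' -WhatIf
```

Unlike `Enable-NTFSAccessInheritance -RemoveExplicitAccessRules`, this leaves each folder's existing explicit ACEs and its inheritance setting as they are.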
