Give access to folder, its subfolders and all files to a user/group in Windows

    • #193907
      Participant
      Topics: 8
      Replies: 16
      Points: 16
      Rank: Member

      Hi,

      I need to give read/execute and modify permissions to a user or group on a folder like:

      F:\Data\MSSQL\MSSQL11.MyInst

      and include all of its subfolders and files.

      I need to do it using a PowerShell script.

      Any ideas?

      Thanks.

    • #193922
      Participant
      Topics: 0
      Replies: 28
      Points: 142
      Helping Hand
      Rank: Participant

      The script block below will give you an idea. Replace the necessary values; also, if your subfolders are set to inherit the permission, you don't need to set the same on the subfolders.

      $folder = 'F:\Data\MSSQL\MSSQL11.MyInst'
      $ACL = Get-Acl $folder
      $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","Fullcontrol","Allow")
      $ACL.SetAccessRule($AccessRule)
      Set-Acl $folder $AccessRule
      
    • #193931
      Participant
      Topics: 8
      Replies: 16
      Points: 16
      Rank: Member

      Did not work:

      PS D:\MyFolder>
      PS D:\MyFolder> $folder = 'E:\Folder1'
      PS D:\MyFolder> $ACL = Get-Acl $folder
      >>
      PS D:\MyFolder> $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators
      ","Fullcontrol","Allow")
      >>
      PS D:\MyFolder> $ACL.SetAccessRule($AccessRule)
      >>
      PS D:\MyFolder> Set-Acl $folder $AccessRule
      >>
      Set-Acl : AclObject
      At line:1 char:1
      + Set-Acl $folder $AccessRule
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : InvalidArgument: (System.Security...ystemAccessRule:FileSystemAccessRule) [Set-Acl], Arg
      umentException
      + FullyQualifiedErrorId : SetAcl_AclObject,Microsoft.PowerShell.Commands.SetAclCommand

    • #193949
      Participant
      Topics: 4
      Replies: 105
      Points: 249
      Helping Hand
      Rank: Participant

      I've used something similar to this in my functions.

      $FolderPath = "E:\Folder1"
      $Group = "users"
      
      $Acl = Get-Acl $FolderPath
      $AccessRule = New-Object system.security.accesscontrol.filesystemaccessrule($Group,"Modify","ContainerInherit,ObjectInherit","None","Allow")
      $Acl.SetAccessRule($AccessRule)
      Set-Acl -Path $FolderPath -AclObject $Acl -confirm:$false -Passthru

      New Access rule looks like this:

      FileSystemRights : Modify, Synchronize
      AccessControlType : Allow
      IdentityReference : users
      IsInherited : False
      InheritanceFlags : ContainerInherit, ObjectInherit
      PropagationFlags : None

       

       

    • #194000
      Participant
      Topics: 9
      Replies: 25
      Points: 152
      Helping Hand
      Rank: Participant

      Here's a function I wrote a lifetime ago, it should do what you're after:

      Function Change-ACL
      {
      <#
      .SYNOPSIS
      This function will add or remove an ACE to the ACL for a directory.

      .DESCRIPTION
      This function will add or remove an ACE to the ACL for a directory.

      .PARAMETER Directory
      This is the directory you will add/remove an ACE for.

      .PARAMETER UserNames
      These are the UserNames of the user(s) you want to change permissions for.

      .PARAMETER AccessLevel
      This is the level of access you want to grant for the user(s). If you are removing permissions, all inherited levels are removed

      .PARAMETER Add
      This switch specifies whether to add the permissions specified in the AccessLevel Parameter

      .PARAMETER Remove
      This switch specifies whether to remove the user's permissions

      .INPUTS
      None

      .OUTPUTS
      None

      .NOTES
      Version: 1.2
      Author: Lars Panzerbjrn
      Creation Date: 2017.11.01
      Purpose/Change: Initial script development
      Changed 2019.02.25 LP: Changed function to also Remove permissions; implemented Parameter Sets

      .EXAMPLE
      Change-ACL -Directory "\\lonfs1\InfServices\Sec\SecOps" -UserNames Panzerbjrn_L_a -AccessLevel Write -Add

      This will give the user Panzerbjrn_L_a access to write to the directory.

      .EXAMPLE
      Change-ACL -Directory "\\lonfs1\InfServices\Sec\SecOps" -UserNames Panzerbjrn_L_a -Remove

      This will remove the user Panzerbjrn_L_a from the ACL for the directory.
      #>
      [CmdletBinding(PositionalBinding=$false)]
      Param(
      [Parameter(Mandatory=$True,ParameterSetName="Add")]
      [Parameter(Mandatory=$True,ParameterSetName="Remove")]
      [string[]]$UserNames,

      [Parameter(Mandatory=$True,ParameterSetName="Add")]
      [Parameter(Mandatory=$True,ParameterSetName="Remove")]
      [string]$Directory,

      [Parameter(Mandatory=$True,ParameterSetName="Add")]
      [ValidateSet("ListDirectory","ReadData","WriteData","CreateFiles","CreateDirectories","AppendData","ReadExtendedAttributes","WriteExtendedAttributes","Traverse","ExecuteFile","DeleteSubdirectoriesAndFiles","ReadAttributes","WriteAttributes","Write","Delete","ReadPermissions","Read","ReadAndExecute","Modify","ChangePermissions","TakeOwnership","Synchronize","FullControl")]
      [String[]]$AccessLevel,

      [Parameter(Mandatory=$False,ParameterSetName="Add")]
      [switch]$Add,

      [Parameter(Mandatory=$False,ParameterSetName="Remove")]
      [switch]$Remove
      )
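      $Path = $Directory
      $TestedPath = Test-Path $Path
      # return (not break) leaves the function without also ending a caller's loop
      IF($TestedPath -eq $False) {Write-Verbose "$($Path) Doesn't exist; thank you please come again";return}
      $ACL = (Get-Item $Path).GetAccessControl('Access')

      ForEach ($UserName in $UserNames)
      {
      # Get-ADUser requires the ActiveDirectory module
      $USR = Get-ADUser -Filter {SamAccountName -like $UserName} -Properties *
      # "BDS" is the domain prefix used in the original function; replace it with your own domain
      $Usrname = "BDS\"+$USR.SamaccountName
      $Inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
      $Propagation = [system.security.accesscontrol.PropagationFlags]"None"
      # RemoveAccessRuleAll matches on identity and Allow/Deny only, but the rule constructor
      # rejects empty rights, so a placeholder right is used when -Remove is given without -AccessLevel
      $Rights = IF($Remove){"Read"} ELSE {$AccessLevel}
      $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Usrname, $Rights, $Inherit, $Propagation, "Allow")
      IF($Add){$ACL.AddAccessRule($AccessRule)}
      IF($Remove){$ACL.RemoveAccessRuleAll($AccessRule)}
      }
      # Write the modified ACL back only when an action was requested
      IF(($Add) -OR ($Remove)) {Set-Acl -path $Path -AclObject $Acl}
      ELSE {Write-Verbose "No Add or Remove action was specified"}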
      }

      BUT, do yourself a huge favour, and use groups to delegate access, *not* direct access by adding users to the ACL for folders/files/drives...
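
Added example, not part of any post in this thread: one way to combine the points above, granting a group Modify with inheritance to subfolders and files, then listing the children that have inheritance disabled and so will not pick up the grant. The function names and the group `CONTOSO\SqlDataModify` are placeholders chosen for illustration.

```powershell
# Added example. Grant-FolderModify and Find-ProtectedChild are hypothetical helper names.
function Grant-FolderModify {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity   # group name, e.g. 'CONTOSO\SqlDataModify' (placeholder)
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }
    # Resolve the name to a SID up front so a mistyped group fails here, before any ACL is touched.
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $null = $account.Translate([System.Security.Principal.SecurityIdentifier])

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Modify', $inherit, 'None', 'Allow')

    $acl = Get-Acl -LiteralPath $Path
    # AddAccessRule merges with what is there; SetAccessRule replaces the identity's existing Allow entries.
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Grant Modify to $Identity")) {
        # -AclObject takes the whole security descriptor, not the single rule.
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

function Find-ProtectedChild {
    # Lists files and subfolders whose ACL has inheritance disabled; the inherited grant never reaches these.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected } |
        Select-Object -ExpandProperty FullName
}

# Usage (group is a placeholder; -WhatIf previews without writing):
#   Grant-FolderModify -Path 'F:\Data\MSSQL\MSSQL11.MyInst' -Identity 'CONTOSO\SqlDataModify' -WhatIf
#   Find-ProtectedChild -Path 'F:\Data\MSSQL\MSSQL11.MyInst'
```

Anything `Find-ProtectedChild` returns needs its own decision: either re-enable inheritance on it or grant access there explicitly.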
