Remove Write Permissions Without Giving Everybody Read Permissions to Everything

This topic contains 1 reply, has 1 voice, and was last updated by Jonathan W. Sutherland 4 months, 2 weeks ago.

  • #48612

    I am a relative novice at PowerShell but I feel like I have to share this with the world.

    I had a relatively simple problem, essentially: remove all write permissions from our company file server without giving everybody read permissions to everything.

    It sounds simple enough but I had to search for hours just to find out how to remove only the write permission without having to copy an ACL.

    Anyway, here is my script:

    # Names of the entries (folders and files) under the current location
    $ChildItems = Get-ChildItem -Name

    foreach ($ChildItem in $ChildItems) {

        # Every identity that currently has an ACE on this item
        $GetAcls = @((Get-Acl -LiteralPath $ChildItem).Access |
                         Select-Object -ExpandProperty IdentityReference)

        foreach ($GetAcl in $GetAcls) {

            $colRights = [System.Security.AccessControl.FileSystemRights]"Write"

            $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
            $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None

            $objType = [System.Security.AccessControl.AccessControlType]::Allow

            # IdentityReference stringifies to DOMAIN\name, which is what NTAccount expects
            $objUser = New-Object System.Security.Principal.NTAccount($GetAcl)

            $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)

            # RemoveAccessRule strips only the Write bits from this identity's Allow ACEs;
            # inherited ACEs are left untouched (they have to be changed on the parent)
            $objACL = Get-Acl -LiteralPath $ChildItem
            [void]$objACL.RemoveAccessRule($objACE)

            Set-Acl -LiteralPath $ChildItem -AclObject $objACL
        }
    }


    As you can see, it is a foreach inside of a foreach: one to grab all of the subfolders in a directory (say, each user's folder in a file server share), and the second to grab the names of the users that currently have permissions to each individual folder.

    I started with a small amount of code that can be found in this TechNet article:
    https://technet.microsoft.com/en-us/library/ff730951.aspx

    I worked my way from the inside out: first adding the ACL foreach, which was easy enough, and then adding the ChildItem foreach, which I wasted a ton of time on, not realizing that Get-Acl and Set-Acl do not accept pipeline input. I was overcomplicating it with $_ since I still have hardly any experience with PowerShell, if any.

    If you can tidy this up and share it, as I feel it is pretty handy, then be my guest.

  • #48640

    I managed to simplify it significantly and add the container inherit flag alongside the object inherit. Without it, it would give a separate permission for subfolders allowing the user to write. I also threw in removing Delete, because that was the only thing causing it to be a special permission.

    Here is the new version:

    # Names of the entries (folders and files) under the current location
    $ChildItems = Get-ChildItem -Name

    foreach ($ChildItem in $ChildItems) {

        # Every identity that currently has an ACE on this item
        $GetAcls = @((Get-Acl -LiteralPath $ChildItem).Access |
                         Select-Object -ExpandProperty IdentityReference)

        foreach ($GetAcl in $GetAcls) {

            # ContainerInherit + ObjectInherit matches the ACE as it is set on a folder;
            # the strings are converted to the matching enum values by PowerShell
            $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($GetAcl, "Write, Delete", "ContainerInherit, ObjectInherit", "None", "Allow")

            # Only the Write and Delete bits are removed; other rights on the ACE stay,
            # and inherited ACEs are not touched (change those on the parent)
            $objACL = Get-Acl -LiteralPath $ChildItem
            [void]$objACL.RemoveAccessRule($objACE)

            Set-Acl -LiteralPath $ChildItem -AclObject $objACL
        }
    }
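    The same approach wrapped in a function, as an added example that is not from the thread above: it takes the share path as a parameter, only touches Allow ACEs that actually carry any of the target bits (so Modify and FullControl are caught as well), warns about inherited ACEs that RemoveAccessRule would silently skip, supports -WhatIf for a dry run, and emits one audit record per change. It assumes PowerShell 3 or later (for Get-ChildItem -Directory) and an account allowed to change the ACLs; the share path in the usage comment is a placeholder.

```powershell
function Remove-WriteAccess {
    # Strip $Rights from every non-inherited Allow ACE on each subfolder of $Path.
    # Assumed environment: PowerShell 3+, run by an account that may modify these ACLs.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Write, Delete'
    )

    foreach ($dir in Get-ChildItem -LiteralPath $Path -Directory) {
        $acl     = Get-Acl -LiteralPath $dir.FullName
        $changed = $false

        foreach ($ace in @($acl.Access)) {
            # Skip Deny ACEs and ACEs that carry none of the target bits
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ((([int]$ace.FileSystemRights) -band ([int]$Rights)) -eq 0) { continue }

            if ($ace.IsInherited) {
                # RemoveAccessRule ignores inherited ACEs; report them instead of pretending
                Write-Warning ("{0}: '{1}' inherits {2}; fix it on the parent or break inheritance" -f
                    $dir.FullName, $ace.IdentityReference, $ace.FileSystemRights)
                continue
            }

            # Use the ACE's own inheritance flags so the matching ACE is the one edited
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
                $ace.IdentityReference, $Rights, $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow'

            if ($PSCmdlet.ShouldProcess($dir.FullName, "remove $Rights for $($ace.IdentityReference)")) {
                [void] $acl.RemoveAccessRule($rule)
                $changed = $true
                # Audit record: what the identity had before and which bits were removed
                [pscustomobject]@{
                    Folder   = $dir.FullName
                    Identity = $ace.IdentityReference.Value
                    Before   = $ace.FileSystemRights
                    Removed  = $Rights
                }
            }
        }

        if ($changed) { Set-Acl -LiteralPath $dir.FullName -AclObject $acl }
    }
}

# Dry run first, then apply and keep the audit trail (placeholder share path):
# Remove-WriteAccess -Path '\\FILESERVER\users' -WhatIf
# Remove-WriteAccess -Path '\\FILESERVER\users' | Export-Csv removed-rights.csv -NoTypeInformation
```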
