Author Posts

July 28, 2016 at 7:42 pm

I am a relative novice at PowerShell but I feel like I have to share this with the world.

I had a relatively simple problem, essentially remove all write permissions from our company file server without giving everybody read permissions to everything.

It sounds simple enough but I had to search for hours just to find out how to remove only the write permission without having to copy an ACL.

Anyway, here is my script:

$ChildItems = Get-ChildItem -name

foreach ($ChildItem in $ChildItems) {

$GetAcls = @((get-acl $ChildItem).Access | 
                 Select-Object -ExpandProperty IdentityReference)

foreach ($GetAcl in $GetAcls) {

$colRights = [System.Security.AccessControl.FileSystemRights]"Write" 

$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None

$objType =[System.Security.AccessControl.AccessControlType]::Allow 

$objUser = New-Object System.Security.Principal.NTAccount($GetAcl) 

$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType) 

$objACL = Get-ACL $ChildItem 
$objACL.RemoveAccessRule($objACE) 

Set-ACL $ChildItem $objACL

}

}

As you can see it is a foreach inside of a foreach, one to grab all of the subfolders in a directory or say each user's folder in a file server share, and the second is to grab the names of the users that currently have permissions to each individual folder.

I started with a small amount of code that can be found at this technet article:
https://technet.microsoft.com/en-us/library/ff730951.aspx

I worked my way from inside-out by adding the ACL foreach which was easy enough and then adding the childitem foreach which I wasted a ton of time on not realizing that get and set ACL do not accept pipeline input. I was over complicating it with $_ since I still have hardly any experience with PowerShell if any.

If you can tidy this up and share it, as I feel it is pretty handy, then be my guest.

July 28, 2016 at 9:50 pm

I managed to simplify it significantly and add the container inherit tag alongside the object inherit. Without it it would give a separate permission for subfolders allowing the user to write. I also threw in removing the delete so because that was the only thing causing it to be a special permission.

Here is the new version:

$ChildItems = Get-ChildItem -name

foreach ($ChildItem in $ChildItems) {

$GetAcls = @((get-acl $ChildItem).Access | 
                 Select-Object -ExpandProperty IdentityReference)

foreach ($GetAcl in $GetAcls) {

$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($GetAcl, "Write, Delete", "ContainerInherit, ObjectInherit", "None", "Allow") 

$objACL = Get-ACL $ChildItem 
$objACL.RemoveAccessRule($objACE) 

Set-ACL $ChildItem $objACL

}

}