Modifying Permission of folders and sub folders

Welcome Forums General PowerShell Q&A Modifying Permission of folders and sub folders

Viewing 2 reply threads
  • Author
    Posts
    • #243347
      Participant
      Topics: 5
      Replies: 6
      Points: 55
      Rank: Member

      Hello, and thanks in advance.

       

      We have the below script that seems to be doing what we want it to do, however not applying permission to subfolders and files, we need to :

      1. take ownership of a home folder
      2. add a user (SVC_Account) read only permission to that folder and subfolders
      3. give ownership back to the original user.

      so far point 1 and 3 are sucessful however we only seem to be able to access to the folder we have changed permission on, and not files or child folder wiithin there?

       

      Could you assist please?

      ps1 script below:

      *****************************************************************

      #v1.0
      #run as administrator and as Domain Admin
      #Script requires Active Directory and NTFSSecurity powershell modules
      #todo
      #acl change for directories we need to take ownership of

      clear
      #$ErrorActionPreference = "silentlycontinue"

      cd c:\Scripts\HomedirACL
      ipmo activedirectory
      ipmo NTFSSecurity

      $userList="exeit5.txt" #plaintext list of user account in scope
      $server = "MCRFS02" #set this to the CIFS server the homedirs are on - MCRFS02?
      $root="z:\home\" #map the root of the homedir share to Z:\ (\\mcrfs02\isadhomes01$ etc)
      $serviceAccount="ISAD\svc_account" #service account to add to ACL
      $timeStamp = get-date -Format "yyyyMMddHHmmss" #timestape to use on logfiles
      $outputLog = "logs\output_$timeStamp.log" #general output log file
      $orphanedprofilesLog = "logs\orphanedprofiles_$timeStamp.log" #profiles that do not have a corresponding AD account
      $errorLog = "logs\error_$timeStamp.log" #error logfile
      $successLog = "logs\success_$timeStamp.log" #success logfile

      function Check-ConnectedUser($profile) {
      #check if users have an active SMB session on $server, return true of false

      $activeUsers = @()

      $shares = [ADSI]"WinNT://$server/lanmanserver" #get shares in SMB server
      $shares.psbase.children | select @{n="ShareName";e={$_.properties.name}},@{n="LocalPath";e={$_.properties.path}}

      $shares.Invoke("Resources") | foreach {
      $activeUsers+= $_.GetType().InvokeMember("User", 'GetProperty', $null, $_, $null) #get active sessions
      }

      $activeUsers = $activeUsers | select -Unique #reduce list down to unique entries as accounts can be listed more than once
      write-host $activeUsers

      if ($activeUsers -match $profile) {
      Write-Host $true
      return $true
      }
      else {
      Write-Host $false
      return $false
      }
      }

      function Test-ACL($profilePath) {
      #test if $serviceAccount is on the users U: drive, return true of false
      $testAcl = Get-NTFSAccess $profilePath

      if ($testAcl.account -contains $serviceAccount) {
      #Write-Host $true
      return $true
      }
      else {
      #Write-Host $false
      return $false
      }

      }

      #Main loop
      #Loop through profiles in $userList and cross reference against AD. if the AD account exists, perform actions
      enable-Privileges
      $profiles = Get-content $userList
      $totalProfiles = $profiles.Count
      $output = "$totalProfiles profiles in total"
      write-host $output

      foreach ($profile in $profiles) {
      #test if user exists in AD and skip if they don't
      $User = $null
      $User = Get-ADUser -Identity $profile -ErrorAction SilentlyContinue
      If ($User -eq $Null) {
      $output = "$profile does not exist in AD. Skipping`n"&lt;/code&gt;<br />&lt;code&gt;write-host $output&lt;/code&gt;<br />&lt;code&gt;$output |out-file -FilePath .\$orphanedprofilesLog -append&lt;/code&gt;</p><p>&lt;code&gt;}&lt;/code&gt;</p><p>&lt;code&gt;Else {&lt;/code&gt;</p><p>&lt;code&gt;$profilePath = $root + $profile #build homedir path&lt;/code&gt;<br />&lt;code&gt;$profilePathTest = $root + $profile + '\*' #build homedir path for ACL test&lt;/code&gt;<br />&lt;code&gt;#test if user exists in the currently mapped ISADHomes share and skip if they don't&lt;/code&gt;<br />&lt;code&gt;if (Test-Path $profilePath){&lt;/code&gt;<br />&lt;code&gt;#test if we can access their home directory, if we can then add the service account. if we cannot then take ownership and reapply the ACL&lt;/code&gt;</p><p>&lt;code&gt;If (Test-Path $profilePathTest) {&lt;/code&gt;</p><p>&lt;code&gt;$output = "$profile found in AD, $profilePath access successful. Adding $serviceAccount to ACL"&lt;/code&gt;<br />&lt;code&gt;write-host $output&lt;/code&gt;<br />&lt;code&gt;$output |out-file -FilePath .\$outputLog -append&lt;/code&gt;</p><p>&lt;code&gt;Add-NTFSAccess -path $profilePath -Account $serviceAccount -AccessRights ReadAndExecute&lt;/code&gt;</p><p>&lt;code&gt;If (Test-ACL $profilePath) {&lt;/code&gt;<br />&lt;code&gt;$output = "$profile permission change completed `n"
      Write-Host $output
      $output |out-file -FilePath .\$outputLog -append
      $output |out-file -FilePath .\$successLog -append
      }
      else {
      $output = "$profile permission change failed `n"&lt;/code&gt;<br />&lt;code&gt;Write-Host $output&lt;/code&gt;<br />&lt;code&gt;$output |out-file -FilePath .\$outputLog -append&lt;/code&gt;<br />&lt;code&gt;$output |out-file -FilePath .\$errorLog -append&lt;/code&gt;</p><p>&lt;code&gt;}&lt;/code&gt;<br />&lt;code&gt;}&lt;/code&gt;</p><p>&lt;code&gt;else {&lt;/code&gt;<br />&lt;code&gt;$output = "$profile found in AD, $profilePath access Failed"&lt;/code&gt;</p><p>&lt;code&gt;write-host $output&lt;/code&gt;<br />&lt;code&gt;$output |out-file -FilePath .\$outputLog -append&lt;/code&gt;</p><p>&lt;code&gt;$isUserConnected = Check-ConnectedUser($profile)&lt;/code&gt;<br />&lt;code&gt;#test if user has an active SMB session on $server and skip if they do&lt;/code&gt;<br />&lt;code&gt;if ($isUserConnected -eq $true) {&lt;/code&gt;</p><p>&lt;code&gt;$output = "$profile is connected to their U: drive. Skipping`n"
      Write-Host $output
      $output |out-file -FilePath .\$outputLog -append
      $output |out-file -FilePath .\$errorLog -append

      }
      else {
      #no active session so take ownership and reapply ACL
      $output = "$profile is not connected to their U: drive. Taking ownership of $profilePath (This part of the script is commented out as its untested)"
      Write-Host $output
      $output |out-file -FilePath .\$outputLog -append
      # Set-NTFSOwner $profile -Account 'ISAD\Domain Admins' -whatif

      $output = "re-adding ACL to $profilePath"
      write-Host $output
      $output |out-file -FilePath .\$outputLog -append

      #Add-NTFSAccess -path $profilePath -Account 'ISAD\Domain Admins' -AccessRights FullControl
      #Add-NTFSAccess -path $profilePath -Account $profile -AccessRights FullControl
      #Add-NTFSAccess -path $profilePath -Account $serviceAccount -AccessRights ReadAndExecute

      If (Test-ACL $profilePath) {
      $output = "$profile permission change completed (or it will be when uncommented and tested...)`n"&lt;/code&gt;<br />&lt;code&gt;Write-Host $output&lt;/code&gt;<br />&lt;code&gt;$output |out-file -FilePath .\$outputLog -append&lt;/code&gt;<br />&lt;code&gt;$output |out-file -FilePath .\$successLog -append&lt;/code&gt;<br />&lt;code&gt;}&lt;/code&gt;<br />&lt;code&gt;else {&lt;/code&gt;<br />&lt;code&gt;$output = "$profile permission change failed `n"
      Write-Host $output
      $output |out-file -FilePath .\$outputLog -append
      $output |out-file -FilePath .\$errorLog -append

      }

      $output = "$profile complete `n"&lt;/code&gt;<br />&lt;code&gt;Write-Host $output&lt;/code&gt;<br />&lt;code&gt;$output |out-file -FilePath .\$outputLog -append&lt;/code&gt;</p><p>&lt;code&gt;}&lt;/code&gt;<br />&lt;code&gt;#add section to check if user is connected, take ownership and blat correct acl&lt;/code&gt;<br />&lt;code&gt;}&lt;/code&gt;</p><p>&lt;code&gt;}&lt;/code&gt;<br />&lt;code&gt;else {&lt;/code&gt;<br />&lt;code&gt;$output = "$profile does not exist in $root. Skipping`n"
      write-host $output
      $output |out-file -FilePath .\$errorLog -append
      }
      }
      Read-Host 'Press Enter to continue…' | Out-Null
      }

      disable-Privileges

      **************************************************************************************

      Thanks

       

       

       

    • #243362
      Participant
      Topics: 7
      Replies: 2458
      Points: 6,439
      Helping Hand
      Rank: Community MVP

      James

      When you post code, error messages, sample data or console output format it as code, please.
      In the “Text” view you can use the code tags “CODE“, in the “Visual” view you can use the format template “Preformatted“. You can go back edit your post and fix the formatting – you don’t have to create a new one.
      Thanks in advance.

    • #246267
      Participant
      Topics: 5
      Replies: 6
      Points: 55
      Rank: Member

      so I have ammended this and tried this script below, however this only seems to go five child folder down from root, I would like it to continue recurisvly throughout the whole of the child folders ammending the permissions

       

      code:

      $folders = "\\server\home\test"
      $serviceAccount = "isad\svc_test"
      $childfolders = Get-ChildItem -Path $folders -Force
      $grandchildfolders = Get-ChildItem -Path $childfolders -Force
      $greatgrandchildfolders = Get-ChildItem -Path $grandchildfolders -Force
      $2greatgrandchildfolders = Get-ChildItem -Path $greatgrandchildfolders -Force

      Add-NTFSAccess -Account $serviceAccount -path $folders -AccessRights FullControl -AppliesTo ThisFolderSubfoldersAndFiles

      $childfolders | Add-NTFSAccess -Account $serviceAccount -AccessRights FullControl -AppliesTo ThisFolderSubfoldersAndFiles

      $grandchildfolders | Add-NTFSAccess -Account $serviceAccount -AccessRights FullControl -AppliesTo ThisFolderSubfoldersAndFiles

      $greatgrandchildfolders | Add-NTFSAccess -Account $serviceAccount -AccessRights FullControl -AppliesTo ThisFolderSubfoldersAndFiles

      $2greatgrandchildfolders | Add-NTFSAccess -Account $serviceAccount -AccessRights FullControl -AppliesTo ThisFolderSubfoldersAndFiles

       

      could you please assist in finding a way for this to ammend permissions on all child folders and files

       

Viewing 2 reply threads
  • You must be logged in to reply to this topic.