Search for folders and change ACL

This topic contains 2 replies, has 2 voices, and was last updated by Nigel cadzow 1 year, 11 months ago.

  • #24238
    Nigel cadzow
    Participant

    Hi,
    What I am trying to do is start from a folder down in the directory structure, "\\server101\e$\data\groups\property\folder1\aa subfolder\".
    From this point I need to recursively search subfolders until I match folder names, like "1.subfolder, 2.subfolder", the names are fixed and known, there will be multiple instances of each. When I find a match, I need to add an AD group into the ACL, with read, write, modify access.
    So if I do
    Set-Location "\\server01\e$\data\groups\property\storedev\aa brands\it test folder"
    get-childitem -Recurse -filter "1.subfolder" | get-acl
    I can get the ACL, and I can do something like this, which mostly works, to add a group to a known directory

    $folder = "C:\temp"
    #$myGroup = "domain\ADgroup"
    $acl = Get-Acl $folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("justgroup\leaseleg", "ReadData", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("justgroup\leaseleg", "CreateFiles", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("justgroup\leaseleg", "AppendData", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl $folder $acl

    But I don't know how to run the second operation on the results of the first. Should I use the first operation to populate an array, then do a "for-each" ? Can I export the acl of a folder that has the correct groups and apply that to the subsequent folders?
    Any ideas?
    Thanks!

  • #24245
    David DeHerrera
    Participant

    Something like this might work.

    $Location = "\\server01\e$\data\groups\property\storedev\aa brands\it test folder"
    If($FolderPath = Get-ChildItem -Path $Location -Recurse -filter "1.subfolder" -ErrorAction SilentlyContinue)
    {
        $Folder = $FolderPath.FullName
        #$myGroup = "domain\ADgroup"
        $acl = Get-Acl $folder
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("justgroup\leaseleg", "ReadData", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("justgroup\leaseleg", "CreateFiles", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("justgroup\leaseleg", "AppendData", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
        Set-Acl $folder $acl
    }
    ElseIf($FolderPath = Get-ChildItem -Path $Location -Recurse -filter "2.subfolder" -ErrorAction SilentlyContinue)
    {
        $Folder = $FolderPath.FullName
        #$myGroup = "domain\ADgroup"
        $acl = Get-Acl $folder
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("justgroup\leaseleg", "ReadData", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("justgroup\leaseleg", "CreateFiles", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("justgroup\leaseleg", "AppendData", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
        Set-Acl $folder $acl
    }
    
  • #24314
    Nigel cadzow
    Participant

    Hi David, Thanks, unfortunately I am still getting this error:

    Set-Acl : AclObject
    At line:14 char:5
    + Set-Acl $folder $acl
    + ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (System.Object[]:Object[]) [Set-Acl], ArgumentException
    + FullyQualifiedErrorId : SetAcl_AclObject,Microsoft.PowerShell.Commands.SetAclCommand

    That doesn't happen when I run it on a local folder, like c:\temp.
    I am running this script in an ISE session that is running under domain admin credentials, so it shouldn't be a permission issue, as far as I can see.
    Do you think I should be invoking the script to run as a local session on the remote server?
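
The error quoted above names a System.Object[] as the AclObject, which is what Set-Acl receives when the filter matches more than one folder and the whole result set is passed in one call. The following is an added example, not code from any post in this thread, that handles each match on its own and previews the change before writing it; the path, folder names and group are the ones quoted in the thread, and `$TargetNames`, `$DryRun` and the result columns are assumptions introduced for illustration.

```powershell
# Added example. Path, folder names and group are the ones quoted in the thread.
$Location    = '\\server01\e$\data\groups\property\storedev\aa brands\it test folder'
$TargetNames = '1.subfolder', '2.subfolder'
$Group       = 'justgroup\leaseleg'
$DryRun      = $true   # assumption: preview first, set to $false to write the ACLs

# One rule carrying the three rights the thread's code adds one call at a time.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, CreateFiles, AppendData'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, $rights, $inherit, 'None', 'Allow')

$results = Get-ChildItem -Path $Location -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and ($TargetNames -contains $_.Name) } |
    ForEach-Object {
        $path = $_.FullName
        try {
            # Get-Acl and Set-Acl each see exactly one folder here, never an array.
            $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $path -AclObject $acl -WhatIf:$DryRun -ErrorAction Stop
            $status = if ($DryRun) { 'Previewed' } else { 'Updated' }
        }
        catch {
            # Record the failure and carry on with the remaining folders.
            $status = "Failed: $($_.Exception.Message)"
        }
        # One record per folder, so the change can be reviewed afterwards.
        New-Object PSObject -Property @{ Path = $path; Group = $Group; Status = $status }
    }

$results | Format-Table Path, Group, Status -AutoSize
```

Piping `$results` to `Export-Csv` instead of `Format-Table` keeps a record of which folders had the group added.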
