Set permissions to domain\user folder

This topic contains 6 replies, has 3 voices, and was last updated by thequicken 2 months, 2 weeks ago.

  • #66187
    thequicken
    Participant

    I needed to create a script that runs from a batch file prompt. The script needs to do the following:
    1) Prompt for a domain user's name to be entered in a text box.
    2) Copy a template XML file from a template dir to the directory where all the users' XML files are accessed.
    3) Rename the XML file to the username and set specific variables within the XML to that username as well.
    4) Create a folder for the user in a separate dir that holds all the user folders, quite similar to a home dir for user folders/profiles.

    I have accomplished steps 1 through 4 with my attached script. I need help with step 5:

    5) Set full control of this newly created folder to only the domain\username (and SYSTEM and domain admins, of course).
    Basically, give the user full rights to their own folder and prevent other users from accessing it.

    # copy xml template file to Users config folder
    Copy-Item \\path\to\Templates\dir\Templates\TEMPLATE.xml \\path\to\users\xml\dir\Users\
    
    
    # prompt for the username; it is used for the folder name and for the xml replacement below
    $folderName = Read-Host -Prompt 'Input folder name' 
    # create a new folder named after the user in the user folder dir
    New-Item "\\path\to\user\folder\dir\$folderName" -Type Directory 
    
    # text replacement on xml file: every END_USER placeholder becomes the entered username
    $con = Get-Content \\path\to\users\xml\dir\TEMPLATE.xml
    $con | % { $_.Replace("END_USER", "$folderName") } | Set-Content \\path\to\users\xml\dir\TEMPLATE.xml-$folderName.xml
    
    # step 5 (not done yet): set full control of the new folder to domain\username
    # \\path\to\user\folder\dir\$folderName
    
    
  • #66190
    Sam Boutros
    Participant

    You can use the native Get-Acl and Set-Acl cmdlets, but I prefer Rohn Edwards' PowerShellAccessControl module. For example:

    Import-Module PowerShellAccessControl # the module must be installed and loaded, or the cmdlets below are not found
    $PacOptions = @{ DontAbbreviateAppliesTo = $true }
    $FolderPath = "\\path\to\user\folder\dir\$folderName"
    
    Get-Item $FolderPath | Disable-AclInheritance -Force # Removes inherited permissions
    Get-Item $FolderPath | Remove-AccessControlEntry -RemoveAllAccessEntries -Apply -Force # Removes explicitly assigned permissions
    @('Administrators','System',"$env:USERDOMAIN\$folderName") | % { # Add ACE for each of the 3 listed Principals
        Get-Item $FolderPath | Add-AccessControlEntry -Principal $_ -FolderRights FullControl -Force
    }
    Get-Item $FolderPath | Get-AccessControlEntry # View folder permissions
    
    • #66294
      thequicken
      Participant

      I attempted to apply your suggestion but received the following errors:

      Disable-AclInheritance : The term 'Disable-AclInheritance' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
      At line:16 char:24
      + Get-Item $FolderPath | Disable-AclInheritance -Force # Removes inherited permiss ...
      +                        ~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (Disable-AclInheritance:String) [], CommandNotFoundException
          + FullyQualifiedErrorId : CommandNotFoundException
       
      Remove-AccessControlEntry : The term 'Remove-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
      At line:17 char:24
      + Get-Item $FolderPath | Remove-AccessControlEntry -RemoveAllAccessEntries -Apply  ...
      +                        ~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (Remove-AccessControlEntry:String) [], CommandNotFoundException
          + FullyQualifiedErrorId : CommandNotFoundException
       
      Add-AccessControlEntry : The term 'Add-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
      At line:19 char:28
      +     Get-Item $FolderPath | Add-AccessControlEntry -Principal $_ -FolderRights Fu ...
      +                            ~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (Add-AccessControlEntry:String) [], CommandNotFoundException
          + FullyQualifiedErrorId : CommandNotFoundException
       
      Add-AccessControlEntry : The term 'Add-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
      At line:19 char:28
      +     Get-Item $FolderPath | Add-AccessControlEntry -Principal $_ -FolderRights Fu ...
      +                            ~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (Add-AccessControlEntry:String) [], CommandNotFoundException
          + FullyQualifiedErrorId : CommandNotFoundException
       
      Add-AccessControlEntry : The term 'Add-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
      At line:19 char:28
      +     Get-Item $FolderPath | Add-AccessControlEntry -Principal $_ -FolderRights Fu ...
      +                            ~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (Add-AccessControlEntry:String) [], CommandNotFoundException
          + FullyQualifiedErrorId : CommandNotFoundException
       
      Get-AccessControlEntry : The term 'Get-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
      At line:21 char:24
      + Get-Item $FolderPath | Get-AccessControlEntry # View folder permissions
      +                        ~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (Get-AccessControlEntry:String) [], CommandNotFoundException
          + FullyQualifiedErrorId : CommandNotFoundException
      
  • #66297
    thequicken
    Participant

    I tried your suggestion and received the following errors:

    Disable-AclInheritance : The term 'Disable-AclInheritance' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:16 char:24
    + Get-Item $FolderPath | Disable-AclInheritance -Force # Removes inherited permiss ...
    +                        ~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (Disable-AclInheritance:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
     
    Remove-AccessControlEntry : The term 'Remove-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:17 char:24
    + Get-Item $FolderPath | Remove-AccessControlEntry -RemoveAllAccessEntries -Apply  ...
    +                        ~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (Remove-AccessControlEntry:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
     
    Add-AccessControlEntry : The term 'Add-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:19 char:28
    +     Get-Item $FolderPath | Add-AccessControlEntry -Principal $_ -FolderRights Fu ...
    +                            ~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (Add-AccessControlEntry:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
     
    Add-AccessControlEntry : The term 'Add-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:19 char:28
    +     Get-Item $FolderPath | Add-AccessControlEntry -Principal $_ -FolderRights Fu ...
    +                            ~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (Add-AccessControlEntry:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
     
    Add-AccessControlEntry : The term 'Add-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:19 char:28
    +     Get-Item $FolderPath | Add-AccessControlEntry -Principal $_ -FolderRights Fu ...
    +                            ~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (Add-AccessControlEntry:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
     
    Get-AccessControlEntry : The term 'Get-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:21 char:24
    + Get-Item $FolderPath | Get-AccessControlEntry # View folder permissions
    +                        ~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (Get-AccessControlEntry:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
    
  • #66327
    thequicken
    Participant

    So obviously I needed to download the modules from the link you posted; however, I prefer to do this with the existing tools.

    So I did; however, the permissions reflected in PowerShell with:

    Get-Acl 'path\to\user\folder' | select AccessToString | fl
    

    show what I wanted, full control for that user.

    But if I show the security properties on the folder, the user has been added but with no permissions...?

    Code I used:

    # Read,Write only: this is why the GUI shows the user as "Special" rather than Full control
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ("mydomain\$foldername", "Read,Write", "Allow")
    $acl = Get-Acl \\path\to\folder\Users\$foldername
    $acl.SetAccessRule($rule)
    Set-Acl -Path \\path\to\folder\Users\$folderName -AclObject $acl
    
  • #66399
    Missy Januszko
    Participant

    If you're using the GUI to verify, Read and Write show up as "Special" in the GUI – which is visible if you scroll down in the list. This is easily missed on the main screen but is visible in the advanced button view.

    An alternative way to check with PowerShell is (Get-Acl -Path \\path\to\folder\Users\$foldername).Access | Where-Object {$_.IdentityReference -eq "Mydomain\$Foldername"}

  • #66403
    thequicken
    Participant

    Yes, I noticed that... finally.

    I ended up settling on the following code:

    # gives the user full control of their folder, inherited by subfolders and files
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ("domain\$foldername", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl = Get-Acl \\path\to\Users\$foldername
    $acl.SetAccessRule($rule)
    Set-Acl -Path \\path\to\Users\$folderName -AclObject $acl
    

    The "domainname\domain users" group is corrected by setting this group to "list"-only rights at the root level.
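    As an added example (not code from any post in this thread), here is step 5 done with the built-in Get-Acl/Set-Acl cmdlets: it does what Sam's module snippet does (cut inheritance, clear the existing entries, grant FullControl to SYSTEM, Administrators and the user) and then re-reads the ACL to confirm no other principal kept access, which is the check the GUI discussion above was about. The share path \\path\to\Users is the thread's placeholder, and $env:USERDOMAIN is assumed to be the user's domain.

```powershell
function Set-PrivateUserFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserAccount   # e.g. "$env:USERDOMAIN\$folderName"
    )
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $UserAccount)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and discard the inherited entries
    # ($true = protect the DACL, $false = do not keep inherited rules as explicit ones).
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit entries already present on the new folder.
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
    }
    # Grant FullControl to the three principals, inherited by subfolders and files.
    foreach ($principal in $allowed) {
        $ruleArgs = @($principal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
        $acl.SetAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    $allowed
}

function Test-PrivateUserFolderAcl {
    # Re-read the ACL and return every entry whose principal is outside the allowed set;
    # an empty result means only the user, SYSTEM and Administrators have access.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Allowed
    )
    $acl = Get-Acl -Path $Path
    if (-not $acl.AreAccessRulesProtected) {
        Write-Warning "$Path still inherits permissions from its parent"
    }
    $acl.Access | Where-Object { $Allowed -notcontains $_.IdentityReference.Value }
}

# Usage with the thread's variables; the share path is a placeholder, not a real one.
$folderName = Read-Host -Prompt 'Input folder name'
$folder  = "\\path\to\Users\$folderName"
$allowed = Set-PrivateUserFolderAcl -Path $folder -UserAccount "$env:USERDOMAIN\$folderName"
$extra   = Test-PrivateUserFolderAcl -Path $folder -Allowed $allowed
if ($extra) { $extra | Format-Table IdentityReference, FileSystemRights, AccessControlType }
else        { Write-Host "Only $($allowed -join ', ') have access to $folder" }
```

    Run it from an account that is allowed to change permissions on the share; once inheritance is cut, the "list"-only rights granted to Domain Users at the root no longer flow into the user's folder.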
