
March 12, 2017 at 12:58 pm

I needed to create a script that runs from a batch file prompt. The script needs to do the following:
1) Prompt for a domain user's name to be entered in a text box.
2) Copy a template XML file from a template dir to a directory where all the users' XML files are accessed.
3) Rename the XML file to the username and set specific variables within the XML to that username as well.
4) Create a folder for the user in a separate dir that holds all the user folders, quite similar to a home dir for user folders/profiles.

I have accomplished steps 1 through 4 with my attached script. I need help with step 5:

5) Set full control of this newly created folder to only the domain\username (and SYSTEM and Domain Admins, of course).
Basically, give the user full rights to their own folder and prevent other users from accessing it.

#copy xml template file to Users config folder
Copy-Item \\path\to\Templates\dir\Templates\TEMPLATE.xml \\path\to\users\xml\dir\Users\

#prompts for username and replaces all variables with the inputted name
$folderName = Read-Host -Prompt 'Input folder name'
#creates a new folder with the username in the user folder dir
New-Item "\\path\to\user\folder\dir\$folderName" -ItemType Directory

#text replacement on xml file
$con = Get-Content \\path\to\users\xml\dir\TEMPLATE.xml
$con | % { $_.Replace("END_USER", "$folderName") } | Set-Content \\path\to\users\xml\dir\TEMPLATE.xml-$folderName.xml

#set full control of new folder to domain\username (step 5, not yet implemented)
# \\path\to\user\folder\dir\$folderName

March 12, 2017 at 4:25 pm

You can use the native Get-Acl and Set-Acl cmdlets, but I prefer Rohn Edwards' PowerShellAccessControl module. For example:

Import-Module PowerShellAccessControl # The module must be installed and imported before its cmdlets are available
$PacOptions = @{ DontAbbreviateAppliesTo = $true }
$FolderPath = "\\path\to\user\folder\dir\$folderName"

Get-Item $FolderPath | Disable-AclInheritance -Force # Removes inherited permissions
Get-Item $FolderPath | Remove-AccessControlEntry -RemoveAllAccessEntries -Apply -Force # Removes explicitly assigned permissions
@('Administrators','System',"$env:USERDOMAIN\$folderName") | % { # Add ACE for each of the 3 listed Principals
    Get-Item $FolderPath | Add-AccessControlEntry -Principal $_ -FolderRights FullControl -Force
}
Get-Item $FolderPath | Get-AccessControlEntry # View folder permissions

March 13, 2017 at 5:56 pm

I attempted to apply your suggestion but received the following errors:

Disable-AclInheritance : The term 'Disable-AclInheritance' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:16 char:24
+ Get-Item $FolderPath | Disable-AclInheritance -Force # Removes inherited permiss ...
+                        ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Disable-AclInheritance:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 
Remove-AccessControlEntry : The term 'Remove-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:17 char:24
+ Get-Item $FolderPath | Remove-AccessControlEntry -RemoveAllAccessEntries -Apply  ...
+                        ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Remove-AccessControlEntry:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 
Add-AccessControlEntry : The term 'Add-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:19 char:28
+     Get-Item $FolderPath | Add-AccessControlEntry -Principal $_ -FolderRights Fu ...
+                            ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Add-AccessControlEntry:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 
Add-AccessControlEntry : The term 'Add-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:19 char:28
+     Get-Item $FolderPath | Add-AccessControlEntry -Principal $_ -FolderRights Fu ...
+                            ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Add-AccessControlEntry:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 
Add-AccessControlEntry : The term 'Add-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:19 char:28
+     Get-Item $FolderPath | Add-AccessControlEntry -Principal $_ -FolderRights Fu ...
+                            ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Add-AccessControlEntry:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 
Get-AccessControlEntry : The term 'Get-AccessControlEntry' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:21 char:24
+ Get-Item $FolderPath | Get-AccessControlEntry # View folder permissions
+                        ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-AccessControlEntry:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

March 13, 2017 at 11:58 pm

So obviously I needed to download the modules from the link you posted — however, I prefer to do this with the existing tools.

So I did; however, the permissions reflected in PowerShell with:

Get-Acl 'path\to\user\folder' | select AccessToString | fl

show what I wanted, full control for that user.

But if I show the security properties on the folder, the user has been added but with no permissions...?

Code I used:

$rule=new-object System.Security.AccessControl.FileSystemAccessRule ("mydomain\$foldername","Read,Write","Allow")
$acl = Get-ACL \\path\to\folder\Users\$foldername
$acl.SetAccessRule($rule)
Set-ACL -Path \\path\to\folder\Users\$folderName -AclObject $acl

March 14, 2017 at 7:55 pm

If you're using the GUI to verify, Read and Write shows up as "Special" in the GUI – which is visible if you scroll down in the list. This is easily missed on the main screen but is visible in the advanced button view.

An alternative way to check with PowerShell is (Get-Acl -Path \\path\to\folder\Users\$foldername).Access | Where-Object {$_.IdentityReference -eq "Mydomain\$Foldername"}

March 14, 2017 at 10:40 pm

Yes, I noticed that... finally.

I ended up settling on the following code –

#gives user full control of their folder
$rule=new-object System.Security.AccessControl.FileSystemAccessRule ("domain\$foldername","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl = Get-ACL \\path\to\Users\$foldername
$acl.SetAccessRule($rule)
Set-ACL -Path \\path\to\Users\$folderName -AclObject $acl

The "domainname\domain users" group is corrected by setting this group to "list"-only rights at the root level.
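Pulling the thread's pieces together (the FullControl rule with inheritance flags from the final post, plus the "remove inherited permissions first" step from the module-based answer) into one native-cmdlet function, as an added example that is not code from any poster. The path, domain and user name are placeholders; the admin principals default to SYSTEM, BUILTIN\Administrators and the current domain's Domain Admins, and the caller must itself be allowed to change the folder's DACL.

```powershell
function Set-PrivateUserFolderAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,        # e.g. "\\path\to\Users\$folderName"
        [Parameter(Mandatory)][string]$Principal,   # e.g. "MYDOMAIN\jdoe"
        [string[]]$AdminPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                       "$env:USERDOMAIN\Domain Admins")
    )
    # The user name comes from Read-Host: require a plain DOMAIN\sAMAccountName so that
    # neither a malformed ACE nor a traversal-style folder name ("..\something") gets through.
    if ($Principal -notmatch '^[^\\\s]+\\[A-Za-z0-9._-]+$') {
        throw "Unexpected principal format: '$Principal'"
    }

    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent (the folder otherwise keeps whatever "Domain Users"
    # or "Everyone" entries the root grants) and do not copy the inherited ACEs down.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit ACEs already on the folder so only the entries added below remain.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }

    # Same flags as the final post: the rule applies to this folder, subfolders and files.
    $rights  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($id in (@($Principal) + $AdminPrincipals)) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                           -ArgumentList $id, $rights, $inherit, $prop, $allow
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Re-read from disk and return the explicit entries, so the caller can confirm that
    # exactly the intended principals are listed (the GUI view can be misleading, as noted above).
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
}

# Usage with the thread's variables (paths are placeholders):
# $folderName = Read-Host -Prompt 'Input folder name'
# $folder = New-Item "\\path\to\Users\$folderName" -ItemType Directory
# Set-PrivateUserFolderAcl -Path $folder.FullName -Principal "$env:USERDOMAIN\$folderName"
```

Because the function returns the ACEs it just applied, the calling script can fail loudly if any identity other than the user and the admin principals shows up in that list.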