Setting ACL's on Top Three Level Folders

This topic contains 2 replies, has 2 voices, and was last updated by Jason 1 day, 22 hours ago.

  • #58747
    Jason
    Participant

    Hello,

    I am new to the forum and PowerShell as well. Longtime Windows admin but slowly getting deeper into doing more with PowerShell and hoping to get some pointers on how to accomplish more with PowerShell.

    Currently I am trying to create a script that will set the ACL permissions on the top three levels of a project directory every time we create a new project. I was able to figure out how to select the top three directories in a project by using the Get-ChildItem -Recurse -Depth 3 command. I also think I have the correct routine for applying multiple ACLs to a folder but I am looking to figure out how to bring them together.

    Here is what I have written so far:

    Get-ChildItem -Path C:\Data\Projects\PRJ01 -Recurse -Depth 3
    ?
    ?
    $ProjectFolders = ?
    foreach ($ProjectFolder in $ProjectFolders) {
        $acl = Get-Acl $ProjectFolder
        $acl.SetAccessRuleProtection($True, $False)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Executive", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Staff", "Read", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
        Set-Acl F:Folder $acl
    }

    The -Depth parameter in PS5 is really useful here. Any comments or criticisms are welcome!

  • #58777
    Daan Weda
    Participant

    It depends on whether you want the script to be authoritative or whether cloning one of your already configured folders is good enough.
    Then you could just clone the ACL from there to your new folders like this:

    $ProjectFolders = Get-ChildItem -Path C:\Data\Projects\PRJ01 -Recurse -Depth 3 -Directory
    Get-Acl -Path 'path to ACL Source Folder' | Set-Acl $ProjectFolders.FullName

    I added the -Directory parameter so you only get folders and not files. As always, please test the code first.
    If you want more information on what your options are, then I recommend this video: https://www.youtube.com/watch?v=B6AsgImJ4xk
    If the script needs to be authoritative, I think you have to adjust the script because I don't think your code is working now.
    Maybe for your scenario DSC is something you should look into as well.

  • #59052
    Jason
    Participant

    Hello Daan,

    Thanks so much for your suggestion on this. I really like the idea of keeping a template that we can adjust and then apply those settings to the project folders. I set up a test using the code you suggested and it was successful in setting the ACLs on the top three folders, but it applied the same ACL to all the folders underneath the top 3 as well. In the Template folder I am giving STAFF read and execute permissions and EXECUTIVE read and write permissions; at the 4th level both STAFF and EXECUTIVE should have read and write. In the test, the 4th level folder of the folder getting the ACLs was set using the same ACL as the above folders and not what was set in the Template.

    Is there a way I can have the destination folders mimic exactly the permissions we set in the Template folder?

    Thanks again!

    Jason
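
One way to make each project folder take the ACL of the folder at the same relative path in a template tree, which is what the last post asks for. This is an added example, not code from the thread; the template path, the function name Copy-ExplicitAcl and the depth value are assumptions. It copies only the explicit ACEs and the inheritance-protection flag of each template folder, so a deeper folder ends up with what its own template counterpart defines rather than one source ACL stamped on every folder.

```powershell
# Added example (not from the thread). Paths and names below are assumptions.
$TemplateRoot = 'C:\Data\Projects\_Template'   # hypothetical template tree
$ProjectRoot  = 'C:\Data\Projects\PRJ01'
$Depth        = 2   # -Depth 0 returns only immediate children, so 2 reaches three levels down

function Copy-ExplicitAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    # Work with SIDs so accounts that no longer resolve to a name do not throw.
    $sid = [System.Security.Principal.SecurityIdentifier]
    $src = Get-Acl -LiteralPath $Source
    $dst = Get-Acl -LiteralPath $Destination

    # Match the template folder's inheritance state. When the template is
    # protected, $false discards ACEs the destination inherited from its parent.
    $dst.SetAccessRuleProtection($src.AreAccessRulesProtected, $false)

    # Drop the destination's own explicit ACEs, then add the template's.
    foreach ($rule in $dst.GetAccessRules($true, $false, $sid)) {
        $dst.RemoveAccessRuleSpecific($rule)
    }
    foreach ($rule in $src.GetAccessRules($true, $false, $sid)) {
        $dst.AddAccessRule($rule)
    }
    if ($PSCmdlet.ShouldProcess($Destination, "Apply ACL from $Source")) {
        Set-Acl -LiteralPath $Destination -AclObject $dst
    }
}

$templateBase = (Get-Item -LiteralPath $TemplateRoot).FullName.TrimEnd('\')
Get-ChildItem -LiteralPath $templateBase -Directory -Recurse -Depth $Depth |
    ForEach-Object {
        # Same relative path under the project, so each level gets its own ACL.
        $relative = $_.FullName.Substring($templateBase.Length).TrimStart('\')
        $target   = Join-Path -Path $ProjectRoot -ChildPath $relative
        if (Test-Path -LiteralPath $target -PathType Container) {
            Copy-ExplicitAcl -Source $_.FullName -Destination $target
        } else {
            Write-Warning "No matching project folder for template path: $relative"
        }
    }
```

Adding -WhatIf to the Copy-ExplicitAcl call lists the folders that would change without writing any ACL. A level that should differ from its parents needs its own explicit ACEs in the template and a $Depth large enough to reach it; otherwise that level only receives what it inherits from above.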
