
July 2, 2015 at 2:52 pm

Hi, I was given a task yesterday to create a bunch of folders according to the organizational structure of my company (the name of each folder is the same as the OU, inside the root folder d:\agreements) and give NTFS permissions on these folders only to some people in these OUs. I retrieved all unique departments from AD and created all these folders. Now I want to automate setting NTFS permissions as much as possible. Creating security groups in AD (containing particular users from a particular OU) which are mapped to these OUs is the most obvious way to solve this – put these two columns (OU and AD Group) into a .csv file and loop through it, giving NTFS perms to the AD group.

My question is: how would I solve this if I have to give perms to multiple users per folder, not a group? I know a .csv file is a flat file, so I assume I could not have a .csv file as the input file (looping through multiple values in one column is not possible, or is it?). An XML file might be the answer, but making it is not user friendly at all.

In short: the input for processing has to contain folder names and a list of users (array) who have access to these folders.

folder1 user1,user2,user3
folder2 user4,user5,user6
.......... ...........................

July 2, 2015 at 11:58 pm

You can import the CSV and manually split the second column into individual users. The code will look like this:

# [...] is the path to the CSV file; Apply-Permissions stands for your own permission-setting function
Import-Csv [...] | ForEach-Object {
    $folder = $_.Folder
    # Split the comma-separated Users column into an array of user names
    $users = $_.Users -split ','
    Apply-Permissions -Folder $folder -Users $users
}

And you can google for last winter's Scripting Games. There was a task exactly like what you need (the only exception is group permissions, not individual users).

The scriptinggames.org login seems broken to me, maybe it is only my problem 🙁

July 3, 2015 at 12:08 am

^^ What I was about to say, but he beat me to it 🙂

July 3, 2015 at 12:50 am

I did the job with .xml file. It is not too complicated, the most boring part is to populate all elements and attributes.

July 15, 2015 at 7:36 am

Hi,

How would I go about assigning permissions to each user per their folder? I have the following, which pulls user IDs from a text file and then goes through a foreach loop creating a folder with that user's ID.

===============
$Users = Get-Content "path of the text file"

foreach ($User in $Users)
{
    $newPath = Join-Path "path of where the folder should be created" -ChildPath $User
    New-Item $newPath -Type Directory
}
================

If I add the following to also give the user permission to that folder:

================
{
    $newPath = Join-Path "path of where the folder should be created" -ChildPath $User
    New-Item $newPath -Type Directory

    $acl = Get-Acl $newPath
    $permission = "domain\$user","FullControl","Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl $newPath
}
====================

It assigns the user to a folder but then assigns them full permission as "special" which I don't want. I want to click on the security tab and see the following selected:

modify, read & execute, list folder contents, read, write and that is it. I also want it to inherit those permissions into any subfolders that are created.

I tried removing the following: $permission = "domain\$user","FullControl","Allow" and swapping it out with modify, read, write but that just fails.

Any thoughts?

Thank you,
-Luke

July 15, 2015 at 10:23 pm

If you want to have inheritance, you should use another AccessRule constructor, with inheritance and propagation flags.
https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemaccessrule(v=vs.110).aspx

You get special permissions because of the lack of inheritance.
$permission = "domain\$user",'FullControl','ObjectInherit,ContainerInherit','None','Allow'

July 20, 2015 at 1:10 pm

Thank you Max. I will look into it.

July 22, 2015 at 7:21 am

If anyone is trying to solve the same issue, here is the script.

========================
$Users = Get-Content "location of text file to import data from"

foreach ($User in $Users)
{
    # Create one folder per user ID
    $newPath = Join-Path "location where to create folders" -ChildPath $User
    New-Item $newPath -Type Directory

    # Grant Modify, inherited by subfolders (ContainerInherit) and files (ObjectInherit)
    $acl = Get-Acl $newPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("domain\$User", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    $acl | Set-Acl $newPath

    # Set-NTFSOwner comes from the NTFSSecurity module, which must be installed
    Set-NTFSOwner -Account alxn\$User -Path $newPath
}
========================

What the above does is grab the user IDs from a text file and then go into a foreach loop creating folders with those user IDs. It gives the user of the folder modify permissions and makes them the owner.
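
Added example, not part of any post in this thread: one way to combine the CSV split suggested in the first reply with the inheritance-aware Modify rule from the final script, so that several users per folder can be granted access from one flat file. The `Folder`/`Users` column names, the `access.csv` file name and the `CONTOSO` domain are assumptions; the `Users` cell has to be quoted in the CSV because it contains commas, and rows that resolve outside the root or name an account that cannot be resolved are skipped.

```powershell
# Added example. Assumed names: D:\agreements root (from the first post),
# access.csv with Folder,Users columns, CONTOSO as a placeholder domain.
# Constructed sample row:  folder1,"user1,user2,user3"
param(
    [string]$Root    = 'D:\agreements',
    [string]$CsvPath = '.\access.csv',
    [string]$Domain  = 'CONTOSO'
)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$rootFull  = [System.IO.Path]::GetFullPath($Root).TrimEnd('\') + '\'

Import-Csv -Path $CsvPath | ForEach-Object {
    # Resolve the target and refuse rows that would land outside the root (e.g. "..\x").
    $target = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($Root, $_.Folder))
    if (-not $target.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "Skipping '$($_.Folder)': outside $Root"
        return   # inside ForEach-Object this moves on to the next row
    }
    if (-not (Test-Path -LiteralPath $target)) {
        New-Item -Path $target -ItemType Directory | Out-Null
    }

    $acl = Get-Acl -LiteralPath $target
    $names = $_.Users -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($name in $names) {
        $account = New-Object System.Security.Principal.NTAccount($Domain, $name)
        try {
            # Fails for a mistyped or deleted account, so no unresolved entry is written.
            $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "Skipping '$Domain\$name' on ${target}: account not found"
            continue
        }
        # Modify rather than FullControl: the user cannot change permissions or ownership.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account, 'Modify', $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $target -AclObject $acl

    # Print the explicit (non-inherited) entries so the result can be reviewed.
    (Get-Acl -LiteralPath $target).Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags
}
```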