Setting NTFS permissions from file input

This topic contains 7 replies, has 4 voices, and was last updated by Lukasz Piotrowicz 1 year, 10 months ago.

  • #27081
    Bojan Zivkovic
    Participant

    Hi, I was given a task yesterday to create a bunch of folders according to the organizational structure of my company (the name of each folder is the same as the OU, inside root folder d:\agreements) and give NTFS permissions on these folders only to some people in these OUs. I retrieved all unique departments from AD and created all these folders. Now I want to automate setting NTFS permissions as much as possible. Creating security groups in AD (containing particular users from a particular OU) which are mapped to these OUs is the most obvious way to solve this – put these two columns (OU and AD Group) into a .csv file and loop through it, giving NTFS perms to the AD group.

    My question is: how would I solve this if I have to give perms to multiple users per folder, not a group? I know a .csv file is a flat file, so I assume I could not have a .csv file as the input file (looping through multiple values in one column is not possible, or is it?). An XML file might be the answer, but making it is not user friendly at all.

    In short: the input for processing has to contain folder names and a list of users (array) who have access to these folders.

    folder1 user1,user2,user3
    folder2 user4,user5,user6
    .......... ...........................

  • #27088
    Max Kozlov
    Participant

    You can import the CSV and manually split the second column into individual users. The code will look like:

    Import-Csv [...] | ForEach-Object {
        $folder = $_.Folder
        # Split the multi-valued Users column into an array of individual users
        $users = $_.Users -split ','
        Apply-Permissions -folder $folder -Users $users
    }

    And you can google to take a look at last winter's Scripting Games. There was a task exactly like what you need (the only exception is group permissions, not individual users).

    scriptinggames.org seems to have a broken login for me, maybe it is only my problem 🙁
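
One way to flesh out the loop above, as an added example (not code from the thread): `Grant-FolderModify` is a hypothetical stand-in for `Apply-Permissions`, and the CSV rows, the `CONTOSO` domain and the choice of Modify rights are assumptions. The multi-user column is quoted so its commas survive CSV parsing, and every account is resolved to a SID before the ACL is touched, so a typo in the file stops the run instead of leaving a half-applied ACL.

```powershell
# Added example. Constructed sample input: the Users field is quoted, so the
# commas inside it are data rather than column separators.
$csvText = @'
Folder,Users
Sales,"alice,bob"
Finance,"carol, dave"
'@

$root   = 'D:\agreements'   # root folder named in the question
$domain = 'CONTOSO'         # assumed domain name

function Grant-FolderModify {   # hypothetical helper, stands in for Apply-Permissions
    param([string]$Folder, [string[]]$Users)

    # Resolve every account first; Translate() throws if the name cannot be mapped to a SID.
    $accounts = foreach ($u in $Users) {
        $nt = New-Object System.Security.Principal.NTAccount($domain, $u)
        try   { $null = $nt.Translate([System.Security.Principal.SecurityIdentifier]); $nt }
        catch { throw "Cannot resolve '$domain\$u' for '$Folder': $($_.Exception.Message)" }
    }

    $acl = Get-Acl -LiteralPath $Folder
    foreach ($nt in $accounts) {
        # Inheritable Modify rule: applies to this folder, subfolders and files.
        $ruleArgs = $nt, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Folder -AclObject $acl   # written once, after all rules are built
}

$csvText | ConvertFrom-Csv | ForEach-Object {
    $folder = Join-Path $root $_.Folder
    # Split the multi-valued column, trim stray whitespace, drop empty entries.
    $users  = $_.Users -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    Grant-FolderModify -Folder $folder -Users $users
}
```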

  • #27089
    Auke Daane
    Member

    ^^ What I was about to say, but he beat me to it 🙂

  • #27093
    Bojan Zivkovic
    Participant

    I did the job with .xml file. It is not too complicated, the most boring part is to populate all elements and attributes.

  • #27528
    Lukasz Piotrowicz
    Participant

    Hi,

    How would I go about assigning permissions to each user per their folder? I have the following, which pulls user IDs from a text file and then goes through a foreach loop creating a folder with that user's ID.

    ===============
    $Users = Get-Content "path of the text file"

    foreach ($User in $Users)
    {
        $newPath = Join-Path "path of where the folder should be created" -childpath $User
        New-Item $newPath -type directory
    }
    ================

    If I add the following to also give the user permission to that folder:

    ================
    {
        $newPath = Join-Path "path of where the folder should be created" -childpath $User
        New-Item $newPath -type directory

        $acl = Get-Acl $newpath
        $permission = "domain\$user","FullControl","Allow"
        $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
        $acl.SetAccessRule($accessRule)
        $acl | Set-Acl $newpath
    }
    ====================

    It assigns the user to a folder but then assigns them full permission as "special" which I don't want. I want to click on the security tab and see the following selected:

    modify, read & execute, list of folders contents, read, write and that is it. I also want it to inherit those permissions into any sub folders that are created.

    I tried removing the following: $permission = "domain\$user","FullControl","Allow" and swapping it out with modify, read, write but that just fails.

    Any thoughts?

    Thank you,
    -Luke

  • #27550
    Max Kozlov
    Participant

    If you want to have inheritance, you should use another AccessRule constructor, with inheritance and propagation flags.
    https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemaccessrule(v=vs.110).aspx

    You get special permissions because of the lack of inheritance:
    $permission = "domain\$user",'FullControl','ObjectInherit,ContainerInherit','None','Allow'
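
A check for the two problems raised in this exchange, as an added example (not code from the thread): `Get-AclFinding` is a hypothetical function name, and `D:\agreements` is the root folder from the opening post. It reports explicit Allow entries that apply to the folder only (the ones the Security tab lists as Special and that subfolders never receive) and entries that grant FullControl rather than Modify.

```powershell
# Added example: audit the first-level folders under a root for explicit ACEs
# that are not inheritable or that grant FullControl.
function Get-AclFinding {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Root)

    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
        $folder = $_.FullName
        # Inherited entries come from the parent; only explicit ones were set on this folder.
        (Get-Acl -LiteralPath $folder).Access |
            Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
            ForEach-Object {
                $issues = @()
                if ($_.InheritanceFlags -eq 'None') {
                    $issues += 'this folder only (not inherited by subfolders or files)'
                }
                if (($_.FileSystemRights -band $full) -eq $full) {
                    $issues += 'FullControl (includes change permissions and take ownership)'
                }
                if ($issues) {
                    [pscustomobject]@{
                        Folder   = $folder
                        Identity = $_.IdentityReference.Value
                        Rights   = $_.FileSystemRights
                        Issues   = $issues -join '; '
                    }
                }
            }
    }
}

# Entries for administrators or SYSTEM may be intentional; review the rest.
Get-AclFinding -Root 'D:\agreements' | Format-Table -AutoSize -Wrap
```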

  • #27690
    Lukasz Piotrowicz
    Participant

    Thank you Max. I will look into it.

  • #27766
    Lukasz Piotrowicz
    Participant

    If anyone is trying to solve the same issue, here is the script.

    ========================
    $Users = Get-Content "location of text file to import data from"

    foreach ($User in $Users)
    {
        # Create one folder per user ID
        $newPath = Join-Path "location where to create folders" -childpath $User
        New-Item $newPath -type directory

        # Add an inheritable Modify rule for the user
        $acl = Get-Acl $newpath
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("domain\$User","Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
        $acl | Set-Acl $newpath

        # Set-NTFSOwner is provided by the NTFSSecurity module
        Set-NTFSOwner -Account alxn\$User -Path $newpath
    }
    ========================

    What the above does is grab the user IDs from a text file and then go into a foreach loop creating folders with those user IDs. It gives the user of the folder Modify permissions and makes them the owner.
