NTFS Permissions


Not Ranked
Posts 2
Möhnle, Christian Posted: 10-20-2010 6:00 AM

How can I set filesystem-permissions (NTFS) ?

Top 25 Contributor
Posts 287
Top Contributor

Hi,

Just try:

$folder = "C:\temp"
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$acl = Get-Acl $folder
$accessrule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users", "FullControl", $inherit, $propagation, "Allow")
$acl.AddAccessRule($accessrule)
Set-Acl -AclObject $acl $folder

Just change it for your requirements.
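As an added example (not Felipe's code), the same Get-Acl/Set-Acl approach wrapped in a function, followed by a check that re-reads the ACL from disk and confirms the explicit rule is really there. The path C:\temp and the identity name are constructed values, the session is assumed to be elevated, and the rule grants Modify rather than FullControl so the principal cannot change the folder's permissions or ownership.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session;
# C:\temp and the identity 'Users' are constructed sample values.
function Add-FolderAccessRule {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    # ContainerInherit + ObjectInherit: the rule flows down to subfolders and files.
    $inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagation = [System.Security.AccessControl.PropagationFlags]::None

    $args = $Identity, $Rights, $inherit, $propagation, $Type
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $args

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-FolderAccessRule {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    # Re-read the ACL from disk instead of trusting the object we just wrote, and
    # look only at explicit rules so an inherited grant is not mistaken for ours.
    $acl = Get-Acl -Path $Path
    $match = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*$Identity" -and
        (($_.FileSystemRights -band $Rights) -eq $Rights)
    }
    return [bool]$match
}

$folder = 'C:\temp'
if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# Modify lets members create, edit and delete content but not rewrite the DACL.
Add-FolderAccessRule -Path $folder -Identity 'Users' -Rights Modify
if (Test-FolderAccessRule -Path $folder -Identity 'Users' -Rights Modify) {
    "Explicit Modify rule for Users is present on $folder"
} else {
    "Rule NOT found on $folder; check elevation and the identity name"
}
```

The read-back matters because Set-Acl can succeed on the in-memory object while the on-disk result differs from what you expect (for example when the identity resolves to a different account than intended), and because anything that audits permissions later will read the ACL the same way Test-FolderAccessRule does.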

Top 10 Contributor
Posts 628
Microsoft MVP
Top Contributor

You can manage permissions using built-in PowerShell cmdlets like Get/Set-ACL and .NET Framework, and that may be useful as indicated by Felipe. However, this is a low-level approach and may be slow and error-prone.

Remember that PowerShell doesn't care whether you use a cmdlet or an external cmd or whatever else is executable inside PowerShell. So another way to manage NTFS permissions is to use standard tools like icacls.exe (introduced in Vista/Server 2003) or cacls.exe. The only thing to remember here is that when you use external apps inside PowerShell, you need to take care to specify the command line arguments in a way that does not cause parsing problems (avoid special characters or escape them or quote them), and you need to know about the special error handling that tells you whether the external cmd succeeded.

I wrote a little PS function called New-UserProfileFolder that will do the following:

- it will create the folder for the user as a subfolder in c:\profiles if it does not yet exist
- it will remove all existing and inherited permissions from that folder
- it will add standard Administrator full permission that is inherited inside the new folder to subfolders and files
- it will add change permissions for the user specified, again fully inheritable. You can instead grant different permissions for the user by specifying the permissions with the optional parameter -permissions


function New-UserProfileFolder {
    param(
        [Parameter(Mandatory=$true)]
        [string]$username,
        [string]$permissions = 'M'   # icacls simple right: M = modify (change)
    )

    $folderpath = "c:\profiles\$username"

    # Create Folder:
    if (-not (Test-Path $folderpath)) {
        md $folderpath | Out-Null
    }

    # Add NTFS permissions using icacls.exe.
    # Pass each token as a separate argument: a single pre-formatted string containing
    # spaces would be re-quoted by PowerShell and reach icacls as one argument.
    # 2>&1 merges icacls' error output into $result so it can be reported.
    $result = icacls.exe $folderpath /inheritance:r /grant:r ('{0}:(OI)(CI){1}' -f $username, $permissions) 'Administrator:(OI)(CI)F' 2>&1

    # Check status and report errors: the return value is $true/$false derived from the
    # native exit code, with the text output and the raw exit code attached as note properties.
    $exitcode = ($LASTEXITCODE -eq 0)
    $exitcode = $exitcode | Add-Member NoteProperty StatusMessage $result -PassThru
    $exitcode | Add-Member NoteProperty ExitCode $LASTEXITCODE -PassThru
}

$rv = New-UserProfileFolder Tobias
if ($rv) {
    # Success
    $rv.StatusMessage
} else {
    # Failure
    'Error Code {0}' -f $rv.ExitCode
    $rv.StatusMessage
}

You can download this sample here: http://powershell.com/cs/media/p/7920.aspx

Note how the function determines the success: it receives the textual response in $result and uses 2>&1 at the end of the native command to also redirect error streams. It then reads the error level found in $LASTEXITCODE which is the numeric exit code of a console application. It is 0 when all went fine and else a numeric constant indicating the error.

The return value of this function is either $true or $false, based on the exit code. For you to determine the true reason of a failure, the function adds two note properties to the boolean return value. StatusMessage contains the textual response which gives you a clear text description of success or failure, and ExitCode stores the numeric exit code.

Cheerio

Tobias

P.S.

BTW if you live in Europe and want a comprehensive PowerShell training, public or inhouse, mail me: tobias.weltner (AT) scriptinternals.de
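An added example, not Tobias's sample, that picks up two points from his post: building the icacls command line from an argument array so that PowerShell passes every token separately (no manual quoting or escaping), and reading $LASTEXITCODE after the native call. It also saves the folder's current ACL with icacls /save before /inheritance:r replaces it, so the change can be rolled back with icacls /restore. The C:\profiles root, the user name and the choice of the Administrators group (rather than the Administrator account used in the thread) are assumptions; the function names Invoke-Icacls and New-ProfileFolderWithBackup are hypothetical.

```powershell
# Added example, not from the thread. Assumes an elevated session;
# C:\profiles, the user name and the Administrators group are constructed choices.
function Invoke-Icacls {
    param([Parameter(Mandatory=$true)][string[]]$Arguments)
    # Splatting the array passes each element as its own argument, so a path with
    # spaces is quoted by PowerShell and nothing else is. 2>&1 merges error text into
    # $output; $LASTEXITCODE is the native process exit code (0 = success).
    $output = & icacls.exe @Arguments 2>&1
    New-Object PSObject -Property @{
        Succeeded = ($LASTEXITCODE -eq 0)
        ExitCode  = $LASTEXITCODE
        Output    = ($output | Out-String).Trim()
    }
}

function New-ProfileFolderWithBackup {
    param(
        [Parameter(Mandatory=$true)][string]$UserName,
        [string]$Permissions = 'M',          # icacls simple right: M = modify
        [string]$Root = 'C:\profiles'
    )
    $folder = Join-Path $Root $UserName
    if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

    # Save the DACLs of the folder tree before replacing them; /T recurses, /C continues on errors.
    $backup = Join-Path $env:TEMP ('acl-{0}-{1:yyyyMMddHHmmss}.txt' -f $UserName, (Get-Date))
    $save = Invoke-Icacls -Arguments @($folder, '/save', $backup, '/T', '/C')
    if (-not $save.Succeeded) { return $save }

    # /inheritance:r drops inherited ACEs; /grant:r replaces any existing explicit grant
    # for the same principal instead of adding to it.
    $grant = Invoke-Icacls -Arguments @(
        $folder,
        '/inheritance:r',
        '/grant:r', ('{0}:(OI)(CI){1}' -f $UserName, $Permissions),
        'Administrators:(OI)(CI)F'
    )
    $grant | Add-Member NoteProperty AclBackup $backup -PassThru
}

$rv = New-ProfileFolderWithBackup -UserName 'Tobias'
if ($rv.Succeeded) {
    'OK; previous ACL saved to {0}' -f $rv.AclBackup
    $rv.Output
} else {
    'icacls failed with exit code {0}: {1}' -f $rv.ExitCode, $rv.Output
}
```

If the new permissions turn out to be wrong, icacls &lt;directory&gt; /restore &lt;file&gt; reapplies the saved DACLs; keeping that file next to the change log gives an incident responder a known-good ACL to compare against.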


Not Ranked
Posts 2

Hi Felipe,

thanks a lot. I'll try it as soon as I'm back at the company.

Kind regards from Stuttgart/Germany

CMoehnle

Not Ranked
Posts 1

Hi Felipe,

The script is good. How can I do it for multiple users?

Top 25 Contributor
Posts 287
Top Contributor

Hi,

Just add an array with the users/groups you want. Then with some iteration you can do it once for each.

$folder = "C:\temp"
$users = "Users", "Everyone"
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$acl = Get-Acl $folder

# Use a named loop variable rather than $_, which PowerShell reserves for the pipeline;
# add every rule to the in-memory ACL first and write it to the folder once.
foreach ($user in $users) {
    $accessrule = New-Object System.Security.AccessControl.FileSystemAccessRule($user, "FullControl", $inherit, $propagation, "Allow")
    $acl.AddAccessRule($accessrule)
}
Set-Acl -AclObject $acl $folder
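An added example (not from the reply above) that goes one step further than looping over an array with the same rights for everyone: a hashtable maps each principal to its own rights, the ACL is committed with a single Set-Acl, inheritance from the parent can optionally be cut, and the explicit ACEs now on disk are returned for review. The path, the principal names and the function name Set-FolderAccess are constructed; an elevated session is assumed.

```powershell
# Added example, not from the thread. Assumes an elevated session; C:\temp and
# the principal names are constructed sample values.
function Set-FolderAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        # identity -> FileSystemRights, e.g. @{ 'Users' = 'ReadAndExecute' }
        [Parameter(Mandatory=$true)][hashtable]$Grants,
        [switch]$ProtectFromInheritance
    )
    $inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagation = [System.Security.AccessControl.PropagationFlags]::None

    $acl = Get-Acl -Path $Path
    if ($ProtectFromInheritance) {
        # Stop inheriting from the parent. The second argument $false discards the
        # inherited ACEs instead of copying them as explicit ones, so only what is in
        # $Grants remains; make sure an admin group is among the grants.
        $acl.SetAccessRuleProtection($true, $false)
    }

    foreach ($identity in $Grants.Keys) {
        $rights = [System.Security.AccessControl.FileSystemRights]$Grants[$identity]
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $identity, $rights, $inherit, $propagation, 'Allow'
        $acl.AddAccessRule($rule)
    }

    # One write for the whole rule set, rather than one Set-Acl per principal.
    Set-Acl -Path $Path -AclObject $acl

    # Return the explicit ACEs as stored on disk, for a log entry or a change ticket.
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

Set-FolderAccess -Path 'C:\temp' -Grants @{
    'Users'          = 'ReadAndExecute'   # broad group gets read-only
    'Administrators' = 'FullControl'
}
```

Giving each principal only the rights it needs (read for the broad group, full control for administrators) is the main reason to prefer a per-identity mapping over granting the same FullControl to every entry in a list.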
