
I have a folder with lots of subfolders

  • D:\Data\Subfolder1
  • D:\Data\Subfolder2
  • D:\Data\Subfolder3
  • D:\Data\Subfolder4
  • D:\Data\Subfolder5
  • ...

I need to create three Active Directory groups for each subfolder, like this:

  • FS_Data-Subfolder1_Read
  • FS_Data-Subfolder1_Change
  • FS_Data-Subfolder1_Full

and after this is done I have to map folder, Active Directory group, and permission.

Setting the permission is the hard part. This is how far I got. I don't know how to bind the group to the permission and then apply it to the folder.

```powershell
$SharePath   = "\\fs\data\"
$FSGroupPath = "OU=GROUPS,OU=Data,DC=DOMAIN,DC=LOCAL"

Get-ChildItem $SharePath | ForEach-Object {
    $GroupNameRead   = "FS_Data-" + $_.Name + "_Read"
    $GroupNameChange = "FS_Data-" + $_.Name + "_Change"
    $GroupNameFull   = "FS_Data-" + $_.Name + "_Full"

    New-ADGroup -Name $GroupNameRead   -DisplayName $GroupNameRead   -GroupScope DomainLocal -GroupCategory Security -Path $FSGroupPath -Description "Grants Read rights to path: FS\Data\$($_.Name)"
    New-ADGroup -Name $GroupNameChange -DisplayName $GroupNameChange -GroupScope DomainLocal -GroupCategory Security -Path $FSGroupPath -Description "Grants Change rights to path: FS\Data\$($_.Name)"
    New-ADGroup -Name $GroupNameFull   -DisplayName $GroupNameFull   -GroupScope DomainLocal -GroupCategory Security -Path $FSGroupPath -Description "Grants Full rights to path: FS\Data\$($_.Name)"

    # Build one access rule and apply it to the subfolder
    $set_Group  = $GroupNameFull
    $set_rights = "Modify"
    $acl        = Get-Acl $_.FullName
    $permission = $set_Group, $set_rights, "Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl $_.FullName
}
```

2 Answers

See if this example from Don Jones helps you: you basically take the existing ACL object from the folder, add a new rule to it (SetAccessRule), and the rule contains the principal (user or group), the right, and whether it's an allow or a deny. The updated ACL object is then applied to the file/folder using Set-Acl.

```powershell
#ChangeACL.ps1
$Right = "FullControl"
#The possible values for Rights are
# ListDirectory, ReadData, WriteData
# CreateFiles, CreateDirectories, AppendData
# ReadExtendedAttributes, WriteExtendedAttributes, Traverse
# ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes
# WriteAttributes, Write, Delete
# ReadPermissions, Read, ReadAndExecute
# Modify, ChangePermissions, TakeOwnership
# Synchronize, FullControl

$StartingDir = Read-Host "What directory do you want to start at?"
$Principal = Read-Host ("What security principal do you want to grant " +
    "$Right to? `n Use format domain\username or domain\group")

#define a new access rule: principal, right, allow/deny
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, $Right, "Allow")

foreach ($file in $(Get-ChildItem $StartingDir -Recurse)) {
    $acl = Get-Acl $file.FullName
    #Add this access rule to the ACL
    $acl.SetAccessRule($rule)
    #Write the changes to the object
    Set-Acl $file.FullName $acl
}
```

When you specify the -PassThru parameter on the New-ADGroup cmdlet, it returns the new group. The ADGroup object you get back contains a SID property, which you can use as the IdentityReference for the access rule:

```powershell
$readGroup = New-ADGroup -Name $GroupNameRead -DisplayName $GroupNameRead `
    -GroupScope DomainLocal -GroupCategory Security -Path $FSGroupPath `
    -Description "Grants Read rights to path: FS\Data\$_" -PassThru

if (-not $readGroup) {
    # Make sure it got created; if not, handle the error here
}
else {
    # The group's SID is a SecurityIdentifier, which is an IdentityReference
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($readGroup.SID, "Read", "Allow")
}
```
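The following is an added, end-to-end example that is not part of the question or either answer. It ties together the procedure from the question (three groups per subfolder, then group-to-permission-to-folder mapping), the Get-Acl/SetAccessRule/Set-Acl pattern from the first answer, and the -PassThru/SID binding from the second. It assumes the ActiveDirectory module (RSAT) is installed, that `\\fs\data` and the `OU=GROUPS,OU=Data,DC=DOMAIN,DC=LOCAL` OU exist, and that "Change" should map to the NTFS Modify right; `Get-OrCreateFSGroup` and `$RightsMap` are names chosen for this example. Two practitioner details the answers leave out: without InheritanceFlags the ACE applies to the folder itself only, not to the files and subfolders under it, and `SetAccessRule` replaces an existing Allow ACE for the same identity while `AddAccessRule` would append a second one.

```powershell
# Added example; not code from the original question or answers.
# Assumes RSAT ActiveDirectory module, share \\fs\data and the OU below exist.
Import-Module ActiveDirectory

$SharePath   = "\\fs\data"
$FSGroupPath = "OU=GROUPS,OU=Data,DC=DOMAIN,DC=LOCAL"

# Suffix -> NTFS right. "Change" is the NTFS Modify right; Read uses
# ReadAndExecute so members can traverse the folder and open files.
$RightsMap = [ordered]@{
    Read   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    Change = [System.Security.AccessControl.FileSystemRights]::Modify
    Full   = [System.Security.AccessControl.FileSystemRights]::FullControl
}

# Apply the ACE to the folder, its subfolders and its files (CI + OI).
$Inherit   = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$Propagate = [System.Security.AccessControl.PropagationFlags]::None

function Get-OrCreateFSGroup {
    # Hypothetical helper: returns the existing group or creates it (idempotent re-runs).
    param([string]$Name, [string]$Description)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if (-not $g) {
        $g = New-ADGroup -Name $Name -SamAccountName $Name -DisplayName $Name `
            -GroupScope DomainLocal -GroupCategory Security -Path $FSGroupPath `
            -Description $Description -PassThru
    }
    return $g
}

Get-ChildItem -Path $SharePath -Directory | ForEach-Object {
    $folder = $_
    $acl = Get-Acl -Path $folder.FullName

    foreach ($suffix in $RightsMap.Keys) {
        $groupName = "FS_Data-$($folder.Name)_$suffix"
        $group = Get-OrCreateFSGroup -Name $groupName `
            -Description "Grants $suffix rights to path: FS\Data\$($folder.Name)"
        if (-not $group) {
            Write-Error "Could not create or find group $groupName; skipping"
            continue
        }

        # Bind the group by SID rather than by name: the ACE is written as a SID
        # anyway, and this avoids a name lookup that can fail on the file server
        # before the freshly created group has replicated to the DC it uses.
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $group.SID, $RightsMap[$suffix], $Inherit, $Propagate, "Allow"

        # SetAccessRule replaces any existing Allow ACE for this identity;
        # AddAccessRule would append instead.
        $acl.SetAccessRule($rule)
    }

    # One Set-Acl per folder with all three ACEs staged in the ACL object.
    Set-Acl -Path $folder.FullName -AclObject $acl
    Write-Verbose "Applied Read/Change/Full ACEs to $($folder.FullName)" -Verbose
}
```

Run it from an account that is both allowed to create groups in the target OU and holds Full Control (or at least Change Permissions) on the subfolders; Set-Acl on a UNC path writes the DACL on the file server, so the share permissions still need to allow that.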
