Forum Discussion
Modifying NTFS Permissions Using the NTFSSecurity Module
- Dec 04, 2020
Take a look at this post.
https://stackoverflow.com/questions/37013298/powershell-acls-apply-to-this-folder-only
They have an example of how you can add an ACL entry and set it to apply only to this folder.
I did not work with the NTFSSecurity module, and I usually like to do things without any module.
So maybe the thing you are asking for is not implemented; did you check the documentation to see if it's an existing feature?
- MoZZa, Dec 02, 2020, Iron Contributor
Hi farismalaeb,
Thank you for your reply. I can set the folders to the various options, but what I am really trying to achieve is to read the current ACL rules, reading them directly from a variable/array or CSV:
Account              | Access Rights       | Applies to                   | Type  | IsInherited | InheritedFrom
Contoso\TestAccount1 | FullControl         | ThisFolderSubfoldersAndFiles | Allow | False       |
Contoso\TestAccount2 | Modify, Synchronize | ThisFolderOnly               | Allow | False       |
Contoso\TestAccount3 | Traverse            | ThisFolderAndFiles           | Allow | False       |
Modify any access rights that have the ability to create or modify existing files/folders and set them to ReadAndExecute, Delete, BUT do not change the Applies To values: read them straight from the existing variable/array or CSV and reapply them exactly as they were prior to changing the access rights.
e.g.
Account              | Access Rights         | Applies to                   | Type  | IsInherited | InheritedFrom
Contoso\TestAccount1 | ReadAndExecute,Delete | ThisFolderSubfoldersAndFiles | Allow | False       |
Contoso\TestAccount2 | ReadAndExecute,Delete | ThisFolderOnly               | Allow | False       |
Contoso\TestAccount3 | Traverse              | ThisFolderAndFiles           | Allow | False       |
Hope that makes it a little clearer; I basically want to feed back into the ACL rule exactly what is there, but only modify the level of access rights.
Kind Regards
MoZZa
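The two tables above are exactly the transformation a script has to perform: keep every column except Access Rights, and touch only the entries whose rights can create or modify content. The script below is an added example, not code from this thread or from the NTFSSecurity module. It maps the "Applies to" names used in the tables to the InheritanceFlags/PropagationFlags pair NTFS actually stores on an ACE, decides "can write" by testing the rights bits rather than by string matching (so "Modify, Synchronize" is caught as well as "FullControl", while "Traverse" is left alone), and rebuilds the rules from a CSV. The function names, the folder path 'C:\MyTestFolder' and the CSV sample are assumptions constructed for the example.

```powershell
using namespace System.Security.AccessControl

# "Applies to" names as shown in the Advanced Security dialog (and in the table
# above) mapped to the InheritanceFlags/PropagationFlags pair NTFS stores on the ACE.
$AppliesToMap = [ordered]@{
    ThisFolderOnly               = @([InheritanceFlags]::None,                             [PropagationFlags]::None)
    ThisFolderSubfoldersAndFiles = @([InheritanceFlags]'ContainerInherit, ObjectInherit', [PropagationFlags]::None)
    ThisFolderAndSubfolders      = @([InheritanceFlags]::ContainerInherit,                 [PropagationFlags]::None)
    ThisFolderAndFiles           = @([InheritanceFlags]::ObjectInherit,                    [PropagationFlags]::None)
    SubfoldersAndFilesOnly       = @([InheritanceFlags]'ContainerInherit, ObjectInherit', [PropagationFlags]::InheritOnly)
    SubfoldersOnly               = @([InheritanceFlags]::ContainerInherit,                 [PropagationFlags]::InheritOnly)
    FilesOnly                    = @([InheritanceFlags]::ObjectInherit,                    [PropagationFlags]::InheritOnly)
}

# Rights bits that let a principal add or change content. FullControl, Modify and
# Write each contain at least one of them; Traverse and ReadAndExecute contain none.
$WriteMask = [FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'

function ConvertFrom-AppliesTo {
    param([Parameter(Mandatory)][string]$AppliesTo)
    if (-not $AppliesToMap.Contains($AppliesTo)) { throw "Unknown 'Applies to' value: $AppliesTo" }
    return $AppliesToMap[$AppliesTo]     # @(InheritanceFlags, PropagationFlags)
}

function ConvertTo-AppliesTo {
    param([InheritanceFlags]$Inheritance, [PropagationFlags]$Propagation)
    foreach ($name in $AppliesToMap.Keys) {
        $pair = $AppliesToMap[$name]
        if ($pair[0] -eq $Inheritance -and $pair[1] -eq $Propagation) { return $name }
    }
    return "Custom ($Inheritance / $Propagation)"   # e.g. entries carrying NoPropagateInherit
}

function Update-EntryRights {
    # Takes rows shaped like the table (Account, AccessRights, AppliesTo, Type) and
    # returns the same rows with write-capable rights replaced by $NewRights and every
    # other column, including Applies to, carried over unchanged.
    param(
        [Parameter(Mandatory)][object[]]$Entries,
        [FileSystemRights]$NewRights = 'ReadAndExecute, Delete'
    )
    foreach ($e in $Entries) {
        $current  = [FileSystemRights]$e.AccessRights
        $canWrite = ([int]($current -band $WriteMask)) -ne 0
        $rights   = if ($canWrite) { $NewRights } else { $current }
        $inh, $prop = ConvertFrom-AppliesTo $e.AppliesTo
        [PSCustomObject]@{
            Account      = $e.Account
            AccessRights = $rights
            AppliesTo    = ConvertTo-AppliesTo $inh $prop
            Type         = $e.Type
            Rule         = [FileSystemAccessRule]::new($e.Account, $rights, $inh, $prop, [AccessControlType]$e.Type)
        }
    }
}

function Set-FolderRules {
    # Writes the rebuilt rules to a folder. SetAccessRule replaces every existing
    # Allow (or Deny) entry of the same identity, so compare the output of
    # Update-EntryRights with the "before" listing first; -WhatIf shows the target only.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][object[]]$Updated)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($u in $Updated) { $acl.SetAccessRule($u.Rule) }
    if ($PSCmdlet.ShouldProcess($Path, "apply $($Updated.Count) rebuilt access rules")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Constructed sample input reproducing the "before" table above.
$csvText = @'
Account,AccessRights,AppliesTo,Type
Contoso\TestAccount1,FullControl,ThisFolderSubfoldersAndFiles,Allow
Contoso\TestAccount2,"Modify, Synchronize",ThisFolderOnly,Allow
Contoso\TestAccount3,Traverse,ThisFolderAndFiles,Allow
'@
$before = $csvText | ConvertFrom-Csv

$after = Update-EntryRights -Entries $before
$after | Format-Table Account, AccessRights, AppliesTo, Type -AutoSize
# Set-FolderRules -Path 'C:\MyTestFolder' -Updated $after -WhatIf   # assumed path
```

The bit test is the important part: an entry is rewritten only if its current rights overlap the write mask, so the decision does not depend on how the enum happens to be spelled in the CSV (e.g. "Modify, Synchronize" versus "Synchronize, Modify"). Because SetAccessRule collapses all Allow entries of one identity into the new rule, an account that had two explicit entries with different scopes would end up with one; the Format-Table output exists so that can be checked before Set-FolderRules is run without -WhatIf.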
- farismalaeb, Dec 04, 2020, Steel Contributor
Hi MoZZa,
I tried the NTFSSecurity module, but it seems that there are still some missing features in it, such as Set-NTFSAccess, or maybe I did not see it.
Anyway.
I wrote a script that will do the following:
it will read the permissions from the folder into a variable, change the value in the variable (it is hardcoded), and then apply these settings back to the folder. This will not change the Applies To scope; the only thing that should change is the permission and nothing else.
Anyway,
I did the test in my lab and it is a small scope, so try it from your side and let me know.
Below are some pictures of the result. Oh, did I forget to tell you that I did not use the NTFSSecurity module?
Before the Script
After the Script
$acl = Get-Acl -Path C:\MyTestFolder

# Only explicit (non-inherited) entries that currently grant FullControl are rewritten.
foreach ($singleACL in ($acl.Access | Where-Object { ($_.FileSystemRights -like "*FullControl*") -and ($_.IsInherited -eq $false) })) {
    $FileSystemRights  = [System.Security.AccessControl.FileSystemRights]"ReadData, Delete, Synchronize"
    $AccessControlType = $singleACL.AccessControlType
    $IdentityReference = $singleACL.IdentityReference
    $InheritanceFlags  = $singleACL.InheritanceFlags   # both flags are copied from the entry as found,
    $PropagationFlags  = $singleACL.PropagationFlags   # so the "Applies to" scope is preserved
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($IdentityReference, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType)
    $acl.SetAccessRule($rule)   # replaces this identity's existing entry of the same type with the new rights
}
Set-Acl -Path C:\MyTestFolder -AclObject $acl
Try the script and let me know,
and I hope I understood the requirement correctly (sometimes my bad English fails me).
----------------
If this answer helped, please click on best Response and give like 🙂
- MoZZa, Dec 11, 2020, Iron Contributor
Hi farismalaeb,
I have tested your script and, with a few modifications to suit our environment, IT WORKS!!!
Thank you so much, just 4 or 5 lines added to my script and it works.
Here is a sample of the script that just does the top layer where it is a root inheritance parent folder.

Import-Module ActiveDirectory

$ExcludedPaths = @()
$ForUser = "MoZZa"
$AnalysePath = "\\Contoso\X$\Shared\Some\Data\Here"
$ExcludedPaths = @('\\Contoso\X$\Shared\Some\Data\Here\Dont\Change\This\Path','\\Contoso\X$\Shared\Some\Data\Here\Dont\Change\This\Path\Either') # Place excluded paths here in '\\path1','\\path2' format

$MasterACL = Get-Acl -Path $AnalysePath
ForEach ($Master in $MasterACL.Access) {
    if ($Master.IdentityReference -notlike "BUILTIN\Administrators" -and
        $Master.IdentityReference -notlike "Contoso\Domain Admins" -and
        $Master.IdentityReference -notlike "Contoso\Domain Users" -and
        $Master.IdentityReference -notlike "CREATOR OWNER" -and
        $Master.IdentityReference -notlike "NT AUTHORITY\SYSTEM" -and
        $Master.IdentityReference -notlike "BUILTIN\Users" -and
        $Master.IdentityReference -notlike "Contoso\Backup Users" -and
        $Master.IdentityReference -notlike "Contoso\SCCM Blah Blah" -and
        $Master.IdentityReference -notlike "S-1-5-21-*" -and
        $Master.FileSystemRights -notlike "Delete, ReadAndExecute, Synchronize" -and
        $Master.FileSystemRights -notlike "ReadData, ExecuteFile, Synchronize" -and
        $Master.FileSystemRights -notlike "ListDirectory, Traverse, Synchronize" -and
        $Master.FileSystemRights -notlike "Delete, Read, Synchronize" -and
        $Master.FileSystemRights -notlike "ReadAndExecute, Synchronize" -and
        $Master.FileSystemRights -notlike "ListDirectory, Delete, Synchronize" -and   # was $Master.AccessRights, a property an access rule does not have (always $null, so the test never excluded anything)
        $Master.FileSystemRights -notlike "ListDirectory, ReadExtendedAttributes, Traverse, ReadAttributes, Synchronize" -and
        $Master.IsInherited -eq $False -and
        $AnalysePath -notin $ExcludedPaths) {   # an access rule has no FullName; the folder being processed is $AnalysePath
        $FileSystemRights  = [System.Security.AccessControl.FileSystemRights]"Delete, ReadAndExecute, Synchronize"
        $AccessControlType = $Master.AccessControlType
        $IdentityReference = $Master.IdentityReference
        $InheritanceFlags  = $Master.InheritanceFlags   # copied as found, so the "Applies to" scope is kept
        $PropagationFlags  = $Master.PropagationFlags
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($IdentityReference, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType)
        $MasterACL.SetAccessRule($rule)
    }
}
Set-Acl -Path $AnalysePath -AclObject $MasterACL

I have also created a GUI version.
I will upload those tomorrow.
They make it easier for the 1st support team to run the analysis script without having any PS knowledge.
Many thanks again!!!!!
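The top-layer script above works one folder at a time and relies on a long list of string comparisons. The following is an added example (not MoZZa's script and not part of the thread) of what the recursive version of the same idea looks like when written for a first-line support team to run safely: it walks the tree, honours an excluded-path list by prefix, skips inherited and Deny entries, decides "can create or modify" from the rights bits, keeps every entry's inheritance and propagation flags so "Applies to" is untouched, supports -WhatIf, and saves each folder's descriptor as SDDL before changing it so the operation can be reversed. The function names, the backup file location and the example paths are assumptions.

```powershell
using namespace System.Security.AccessControl

function Update-ExplicitWriteAccess {
    # Walks $Path and every subfolder (skipping anything at or below an excluded path)
    # and on each folder rewrites the explicit Allow entries that can create or modify
    # content to $NewRights. InheritanceFlags/PropagationFlags are copied from the entry
    # as found, so "Applies to" never changes. Before a folder is written, its current
    # descriptor is appended to $BackupFile as SDDL so the change can be reversed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$ExcludedPaths = @(),
        [string[]]$ExcludedIdentities = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'),
        [FileSystemRights]$NewRights = 'Delete, ReadAndExecute, Synchronize',
        [string]$BackupFile = (Join-Path $env:TEMP 'acl-backup.csv')   # assumed location
    )
    $writeMask    = [int][FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'
    $genericWrite = 0x50000000      # GENERIC_ALL | GENERIC_WRITE, as seen on some inherit-only entries
    $excluded     = @($ExcludedPaths | ForEach-Object { $_.TrimEnd('\') })

    $folders = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $full = $folder.FullName.TrimEnd('\')
        $skip = $excluded | Where-Object { $full -eq $_ -or $full.StartsWith("$_\", [StringComparison]::OrdinalIgnoreCase) }
        if ($skip) { continue }

        $acl = Get-Acl -LiteralPath $full
        $changed = $false
        foreach ($ace in @($acl.Access)) {
            if ($ace.IsInherited) { continue }                                     # explicit entries only
            if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue } # never rewrite a Deny
            $id = $ace.IdentityReference.Value
            if ($id -in $ExcludedIdentities -or $id -like 'S-1-5-21-*') { continue }
            $mask = [int]$ace.FileSystemRights
            if (($mask -band $writeMask) -eq 0 -and ($mask -band $genericWrite) -eq 0) { continue } # already read-only

            $rule = [FileSystemAccessRule]::new($ace.IdentityReference, $NewRights,
                        $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
            $acl.SetAccessRule($rule)
            $changed = $true
            [PSCustomObject]@{
                Path = $full; Identity = $id; OldRights = $ace.FileSystemRights; NewRights = $NewRights
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
        if ($changed -and $PSCmdlet.ShouldProcess($full, 'rewrite explicit Allow entries')) {
            [PSCustomObject]@{ Path = $full; Sddl = (Get-Acl -LiteralPath $full).Sddl } |
                Export-Csv -LiteralPath $BackupFile -Append -NoTypeInformation
            Set-Acl -LiteralPath $full -AclObject $acl
        }
    }
}

function Restore-AclBackup {
    # Reverses Update-ExplicitWriteAccess from the SDDL rows it saved. Only the DACL
    # section is restored, so no ownership change (and no extra privilege) is needed.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$BackupFile = (Join-Path $env:TEMP 'acl-backup.csv'))
    foreach ($row in Import-Csv -LiteralPath $BackupFile) {
        $acl = Get-Acl -LiteralPath $row.Path
        $acl.SetSecurityDescriptorSddlForm($row.Sddl, [AccessControlSections]::Access)
        if ($PSCmdlet.ShouldProcess($row.Path, 'restore saved DACL')) {
            Set-Acl -LiteralPath $row.Path -AclObject $acl
        }
    }
}

# Example call with assumed paths. Run with -WhatIf first: it lists every entry that
# would change (path, identity, old and new rights, scope) without writing anything.
# Update-ExplicitWriteAccess -Path '\\Contoso\X$\Shared\Some\Data\Here' `
#     -ExcludedPaths '\\Contoso\X$\Shared\Some\Data\Here\Dont\Change\This\Path' -WhatIf
```

Two design points matter for a script that will be handed to people without PowerShell knowledge. First, the exclusion is tested against the folder path being processed, not against a property of the access rule; a rule object has no path, so a comparison on it silently passes. Second, the -WhatIf run produces the same per-entry report as the real run, so the "before" and "after" can be reviewed and kept with the SDDL backup, which is what makes a broad permission change on a shared tree reversible.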