SOLVED

Special Get-Acl and Set-Acl rules on directories


Hello Everyone, 

 

I'm managing to create a script for a company I am working with, and unfortunately, I'm stuck. 

 

The company wants some people to access only a few directories, using this path model: 

C:\Users\Admin\Software\Clients\(Name of the clients)\DSS. 

Each directory (Name of the clients) contains the same directories (DSS, OSS, Direct, Flux, Opex). 

 

One group can only access the DSS, Direct and Flux directories in read-only mode, and can't access the OSS and Opex directories. 

 

I got stuck here because of the (Name of the clients) directories... I tried to put it like so: 

C:\Users\Admin\Software\Clients\*\DSS

But it only reaches the first directory and doesn't apply to the other directories of Clients.

 

Can somebody please help me? 

13 Replies
Could you share the part of your script in which you set the permissions? Are you missing the inheritance flags?
$NativeFolder=Get-ChildItem C:\Users\Administrateur\Software\Clients -Directory -Recurse
$Data1=Get-ChildItem C:\Users\Administrateur\Software\Clients\*\Direct -Directory -Recurse
$Data2=Get-ChildItem C:\Users\Administrateur\Software\Clients\*\DSS -Directory -Recurse
$Data3=Get-ChildItem C:\Users\Administrateur\Software\Clients\*\Flux -Directory -Recurse

foreach ($Data1 in $NativeFolder)
{

$acl=Get-Acl $Data1
$AccessRule=New-Object System.Security.AccessControl.FileSystemAccessRule("Aélys\LIST","ReadPermissions","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $Data1
}

Foreach ($Data2 in $NativeFolder)
{

$acl=Get-Acl $Data2
$AccessRule=New-Object System.Security.AccessControl.FileSystemAccessRule("Aélys\LIST","ReadPermissions","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $Data2
}

Foreach ($Data3 in $NativeFolder)
{

$acl=Get-Acl $Data3
$AccessRule=New-Object System.Security.AccessControl.FileSystemAccessRule("Aélys\LIST","ReadPermissions","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $Data3
}


Here is the script. I already overwrote the inheritance of the folders up to C:\Users\Administrator\Software\Clients so I don't get stuck there.
The real problem is that it needs to go inside the "Clients" folder, reach all the folders inside it (Name of the clients) and set access on the folders given by $Data1, $Data2 and $Data3.

But when I do That, it lacks every folder of the (Name of the clients) one.
I just did a quick scan: Aélys? It has a special character in it. What if you try the DNS name instead of the NetBIOS name?

I tried without the "é" and it didn't work either (modified in the Active Directory). It could have been that, but I think it can't reach each folder of the "Clients" folder.

Perhaps you should take Ownership first?

$ACL = Get-ACL .\smithb
$Group = New-Object System.Security.Principal.NTAccount("Builtin", "Administrators")
$ACL.SetOwner($Group)
Set-Acl -Path .\smithb\profile.v2 -AclObject $ACL

https://learn-powershell.net/2014/06/24/changing-ownership-of-file-or-folder-using-powershell/
Yes I already am the owner of all the folders and files
best response confirmed by Frenchy81100 (Occasional Contributor)
Solution

$Data1=Get-ChildItem C:\Users\Administrateur\Software\Clients -Directory -Recurse | where-object Name -eq Direct

Does that work? I don't think the * works... Nope, it doesn't :) 

 


 

I checked with that line: 

Get-ChildItem C:\Users\Administrateur\Software\Clients\ -Recurse | Where-Object -Property Name -Contains 'Direct'

 

It looks like it works and showed me the Folder in the different "Clients" Folders. I need to manage it for the rest of the Script. 

 

Thank you a lot for your good help!

No problem, glad to help... Please mark my answer as solution to mark this as solved :)
Last Question over this topic, I rearranged my script and now it works fine, but I can't use the propagation flags after the System.Security.AccessControl.FileSystemRule("User","InheritOnly","Read","Allow").
I tried Changing the order and don't get any better results. I always get an error:
New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "4".

I don't understand why I can't put 4 arguments when normally you can enter the user/group, ACL, Propagation and Inheritance Flags and also Access Type... Could someone give me some help with it?

Here is The Script:
$Data1=Get-ChildItem C:\Users\Administrateur\Software\Clients\ -Recurse | Where-Object -Property Name -Contains 'Direct' | Get-Acl
$Data2=Get-ChildItem C:\Users\Administrateur\Software\Clients\ -Recurse | Where-Object -Property Name -Contains 'DSS' | Get-Acl
$Data3=Get-ChildItem C:\Users\Administrateur\Software\Clients\ -Recurse | Where-Object -Property Name -Contains 'Flux' | Get-Acl

# Disables permission inheritance on the folder:

$NewAcl=$Data1
$NewAcl.SetAccessRuleProtection($true,$true)
$NewAcl | Set-Acl

# Grants the permissions to the group:

$Acl=$Data1
$rule=New-Object System.Security.AccessControl.FileSystemAccessRule("Accès Fichiers","InheritOnly","Read","Allow")
$Acl.addAccessrule($rule)
$Acl | Set-Acl

# Copy the permissions to the other folders:

$NewAcl=$Data2
$NewAcl.SetAccessRuleProtection($true,$true)
$NewAcl | Set-Acl

# Grants the permissions to the group:

$Acl=$Data2
$rule=New-Object System.Security.AccessControl.FileSystemAccessRule("Accès Fichiers","InheritOnly","Read","Allow")
$Acl.addAccessrule($rule)

$Acl | Set-Acl

$NewAcl=$Data3
$NewAcl.SetAccessRuleProtection($true,$true)
$NewAcl | Set-Acl

# Grants the permissions to the group:

$Acl=$Data3
$rule=New-Object System.Security.AccessControl.FileSystemAccessRule("Accès Fichiers","InheritOnly","Read","Allow")
$Acl.addAccessrule($rule)
$Acl | Set-Acl

And The Error: (In French)
New-Object : Surcharge introuvable pour « FileSystemAccessRule » et le nombre d'arguments « 4 ».
Au caractère C:\Users\Administrateur\Documents\Bon Script.ps1:14 : 7
+ $rule=New-Object System.Security.AccessControl.FileSystemAccessRule(" ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation : (:) [New-Object], MethodException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

New-Object : Surcharge introuvable pour « FileSystemAccessRule » et le nombre d'arguments « 4 ».
Au caractère C:\Users\Administrateur\Documents\Bon Script.ps1:27 : 7
+ $rule=New-Object System.Security.AccessControl.FileSystemAccessRule(" ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation : (:) [New-Object], MethodException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

New-Object : Surcharge introuvable pour « FileSystemAccessRule » et le nombre d'arguments « 4 ».
Au caractère C:\Users\Administrateur\Documents\Bon Script.ps1:39 : 7
+ $rule=New-Object System.Security.AccessControl.FileSystemAccessRule(" ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation : (:) [New-Object], MethodException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

All good! I finally got the answer....
Here is the script:

$Data1=Get-ChildItem C:\Users\Administrateur\Software\Clients\ -Recurse | Where-Object -Property Name -Contains 'Direct' | Get-Acl
$Data2=Get-ChildItem C:\Users\Administrateur\Software\Clients\ -Recurse | Where-Object -Property Name -Contains 'DSS' | Get-Acl
$Data3=Get-ChildItem C:\Users\Administrateur\Software\Clients\ -Recurse | Where-Object -Property Name -Contains 'Flux' | Get-Acl

$Usergroup="Accès Fichiers"
$fileSystemRights="Read"
$InheritanceFlag="ContainerInherit,ObjectInherit"
$PropagationFlag="None"
$AccessControlType="Allow"

# Disables permission inheritance on the folder:

$NewAcl=$Data1
$NewAcl.SetAccessRuleProtection($true,$true)
$NewAcl | Set-Acl

# Grants the permissions to the group:

$Acl=$Data1
$rule=New-Object System.Security.AccessControl.FileSystemAccessRule($Usergroup, $fileSystemRights, $InheritanceFlag, $PropagationFlag, $AccessControlType)
$Acl.addAccessrule($rule)
$Acl | Set-Acl

# Copy the permissions to the other folders:

$NewAcl=$Data2
$NewAcl.SetAccessRuleProtection($true,$true)
$NewAcl | Set-Acl

# Grants the permissions to the group:

$Acl=$Data2
$rule=New-Object System.Security.AccessControl.FileSystemAccessRule($Usergroup, $fileSystemRights, $InheritanceFlag, $PropagationFlag, $AccessControlType)
$Acl.addAccessrule($rule)
$Acl | Set-Acl

$NewAcl=$Data3
$NewAcl.SetAccessRuleProtection($true,$true)
$NewAcl | Set-Acl

# Grants the permissions to the group:

$Acl=$Data3
$rule=New-Object System.Security.AccessControl.FileSystemAccessRule($Usergroup, $fileSystemRights, $InheritanceFlag, $PropagationFlag, $AccessControlType)
$Acl.addAccessrule($rule)
$Acl | Set-Acl

Everything all Set and works fine!
Harm_Veenstra

Thanks a lot For Everything, the script doesn't look clean but still is nice and fully working.
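
A consolidated version of what the thread arrives at, as an added example that is not code from any of the posters: it walks each client folder explicitly instead of relying on `*` in the path, builds the rule with the five-argument constructor (FileSystemAccessRule has only three- and five-argument constructors, which is why four arguments fail), and reports any entry for the group left on OSS or Opex. It assumes the layout Clients\(client)\(subfolder) and the group name from the thread; the variable names are illustrative.

```powershell
# Added example. Path and group name come from the thread; variable names are illustrative.
$Root      = 'C:\Users\Administrateur\Software\Clients'
$Group     = 'Accès Fichiers'
$Allowed   = 'DSS', 'Direct', 'Flux'   # group gets read-only access here
$Forbidden = 'OSS', 'Opex'             # group must not appear in these ACLs

# Five arguments: identity, rights, inheritance flags, propagation flags, access type.
# ContainerInherit + ObjectInherit passes the entry down to subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $Group, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow'

# First level: one folder per client. Second level: the fixed set of subfolders.
foreach ($client in Get-ChildItem -LiteralPath $Root -Directory) {
    foreach ($dir in Get-ChildItem -LiteralPath $client.FullName -Directory) {
        $acl = Get-Acl -LiteralPath $dir.FullName

        if ($Allowed -contains $dir.Name) {
            # Stop inheriting from the parent; $true,$true keeps the entries that
            # were inherited so far by copying them as explicit entries.
            $acl.SetAccessRuleProtection($true, $true)
            # SetAccessRule replaces an existing Allow entry for the same identity,
            # so re-running the script does not stack duplicates.
            $acl.SetAccessRule($rule)
            Set-Acl -LiteralPath $dir.FullName -AclObject $acl
            Write-Output ("Read granted : {0}" -f $dir.FullName)
        }
        elseif ($Forbidden -contains $dir.Name) {
            # Check only: list any entry that still names the group.
            $hits = $acl.Access |
                Where-Object { $_.IdentityReference.Value -like "*$Group" }
            foreach ($ace in $hits) {
                Write-Warning ("{0}: {1} {2} (inherited: {3})" -f $dir.FullName,
                    $ace.AccessControlType, $ace.FileSystemRights, $ace.IsInherited)
            }
        }
    }
}
```

The warning only covers entries that name the group itself; members can still reach OSS or Opex through another group that has an entry there, so review the full `(Get-Acl <folder>).Access` output for those folders as well.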