Discussion:
How can I set folder permission with powershell
Jacob Sampson
2009-09-03 17:56:02 UTC
I have been trying to write a script that will allow me to set specific
folder permissions on my profiles folders in my domain. I cannot guarantee
that I am the owner of the folder so the Set-Acl cmdlet will not work as far
as I understand. I would be open to any option at this point of how to set
permission on many folders with a PowerShell script.

I have also tried to use cacls, xcacls, and icacls to no avail. They seem
to work fine if I manually specify the usernames. If I reference a variable
that holds the username then it craps out on me. I am still open to the
cacls route if someone has had better experience.

At this point I will entertain any solution.

Thanks
Jacob Sampson
Vadims Podans [MVP]
2009-09-03 18:28:03 UTC
Have you read this link: http://support.microsoft.com/kb/274443 - this is
the right way.

The wrong way is to use WMI:

$path = "C:\Test"
$user = "Administrator"
$path = $path.replace("\", "\\")
$SD = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
$ace = ([WMIClass] "Win32_ace").CreateInstance()
$Trustee = ([WMIClass] "Win32_Trustee").CreateInstance()
$SID = (new-object security.principal.ntaccount $user).translate([security.principal.securityidentifier])
[byte[]] $SIDArray = ,0 * $SID.BinaryLength
$SID.GetBinaryForm($SIDArray,0)
$Trustee.Name = $user
$Trustee.SID = $SIDArray
$ace.AccessMask = [System.Security.AccessControl.FileSystemRights]"FullControl"
$ace.AceFlags = "0x3"
$ace.AceType = 0
$ace.Trustee = $trustee
# get current ACL from DACL
$oldDACL = (gwmi Win32_LogicalFileSecuritySetting -filter "path='$path'").GetSecurityDescriptor().Descriptor.DACL
# add current DACL to new DACL object
$SD.DACL = $oldDACL
# and add new ACE to DACL
$SD.DACL += @($ace.psobject.baseobject)
# set SE_DACL_PRESENT flag
$SD.ControlFlags = "0x4"
$folder = gwmi Win32_LogicalFileSecuritySetting -filter "path='$path'"
# write new DACL to object ACL
$folder.setsecuritydescriptor($SD)

Perhaps xcacls/icacls will be a simpler solution.
--
WBR, Vadims Podans
MVP: PowerShell
PowerShell blog - www.sysadmins.lv
Jacob Sampson
2009-09-03 18:41:01 UTC
I like that solution; the problem is that I want more than the admins and user
to have rights to the profiles. I have a helpdesk group that I want to have
modify rights as well.
Vadims Podans [MVP]
2009-09-03 20:16:10 UTC
Why can't you add your helpdesk group to the profiles root folder ACL?
--
WBR, Vadims Podans
MVP: PowerShell
PowerShell blog - www.sysadmins.lv
Jacob Sampson
2009-09-03 21:02:01 UTC
There is a long explanation as to why that won't work for us, but it seems
strange that it is so difficult to manage folder permissions. Here is what I
have so far:

$ProfilesFolder = Get-ChildItem "c:\fix" | where {$_.PsIsContainer} | select Name
foreach ($Profile in $ProfilesFolder)
{
[string]$ProfileName = $Profile.Name
[string]$Username = "jsampson"
[string]$upn = "@stormontvail.org"
[string]$user = $Username.Trim() + $upn.Trim()
Write-Host $user
$Path = "C:\Fix\$ProfileName"
Write-Host c:\xcacls.exe "$Path" /g "$user":F
c:\xcacls.exe "$Path" /g "$user":F
}

Even though I use the Trim() method I still get an error on the xcacls line
and in the Write-Host line the $user variable still shows an empty space.
How can I delete the empty space in that variable if the Trim() method
doesn't seem to work?
Bob Landau
2009-09-04 02:37:01 UTC
I don't understand why you need to "roll" your "own" folder management;
nevertheless I don't see the behavior you're describing.

Here is username which obviously has spaces

$username = " jsampson "

Here is upn which has an assortment of space characters.

$upn = "`t`t`r`n @stormontvail.org `t`n`r "

This is username

$user = $username.Trim() + $upn.Trim()

And the above shows no spaces. Trim does work.

$user


Here is upn the raw output from $upn which has a combination of space
characters; tabs are 9, spaces 32, carriage returns 13 and linefeeds 10 in
decimal.

[int[]][char[]] $upn

A similar step could be done for $username and $user. Trim eliminates the space
characters.


bob
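
Added example, not part of any post in this thread: one way to do the per-folder grant with icacls from PowerShell, resolving each trustee to a SID first and building the /grant value as a single string, which is where the stray space in the Write-Host output above comes from. `C:\Fix` and the UPN suffix are taken from the earlier post; `EXAMPLE\Helpdesk` is a hypothetical group name, and the mapping of folder name to logon name is an assumption.

```powershell
# Added example; not code from the thread.
function Resolve-TrusteeSid {
    param([Parameter(Mandatory = $true)][string]$Account)
    # Translate() throws when the name does not resolve, so a mistyped
    # account stops here instead of reaching icacls.
    $nt = New-Object System.Security.Principal.NTAccount($Account.Trim())
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-IcaclsGrant {
    param(
        [Parameter(Mandatory = $true)][string]$Sid,
        [ValidateSet('F', 'M', 'RX')][string]$Right = 'M'
    )
    # Build the whole value inside ONE double-quoted string:
    #   "$Sid":M  is passed as two arguments, "S-1-..." and ":M"
    #   "$Sid:M"  is read as variable M qualified by a scope or drive named Sid
    # ${Sid} delimits the variable name. icacls takes a numeric SID when it
    # is prefixed with '*'; (OI)(CI) lets files and subfolders inherit.
    "*${Sid}:(OI)(CI)$Right"
}

$root        = 'C:\Fix'               # from the post above
$upnSuffix   = '@stormontvail.org'    # from the post above
$helpdeskSid = Resolve-TrusteeSid 'EXAMPLE\Helpdesk'   # hypothetical group
if (-not $helpdeskSid) { throw 'Helpdesk group did not resolve; nothing changed.' }

Get-ChildItem $root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder = $_.FullName
    try {
        # Assumption: each profile folder is named after its owner's logon name.
        $userSid = Resolve-TrusteeSid ($_.Name + $upnSuffix)
    } catch {
        Write-Warning "Skipping ${folder}: folder name does not resolve to an account"
        return   # next folder
    }
    $grants = @(
        (New-IcaclsGrant -Sid $userSid -Right F),
        (New-IcaclsGrant -Sid $helpdeskSid -Right M)
    )
    foreach ($grant in $grants) {
        # /grant without :r adds to the explicit ACEs already on the folder.
        & icacls.exe $folder /grant $grant
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "icacls failed for $folder ($grant), exit code $LASTEXITCODE"
        }
    }
}
```

The (OI)(CI) inheritance flags correspond to the AceFlags value 0x3 used in the WMI code earlier in the thread.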