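# http://stackoverflow.com/a/13519264
# http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights%28v=vs.110%29.aspx
function Remove-PermissionsForGroup
{
    <#
    .SYNOPSIS
    Removes the explicit Allow access rules held by an identity on the directory specified.
    .DESCRIPTION
    Reads the directory's DACL, builds a FileSystemAccessRule for the identity and calls
    RemoveAccessRuleAll, which strips every explicit Allow rule for that identity regardless
    of the rights the rule carries. Deny rules and inherited rules are left in place.
    The modified ACL is then written back with Set-Acl.
    .EXAMPLE
    Remove-PermissionsForGroup -Group 'domain\testuser' -Path 'c:\temp'
    .EXAMPLE
    Remove-PermissionsForGroup -Group 'testuser' -Path 'c:\temp2'
    .INPUTS
    Group - user or group whose explicit Allow rules are removed.
    Path - directory from which the permissions are removed.
    .OUTPUTS
    Nothing is returned. A failure in any step is reported through Write-Error.
    .NOTES
    Rewriting a DACL requires WRITE_DAC (or ownership) on the path; run from an elevated session.
    #>
    param
    (
        [string][Parameter(Mandatory = $true)]$Group,
        [string][Parameter(Mandatory = $true)]$Path
    )
    try
    {
        # -LiteralPath: a directory name containing '[' or ']' must not be expanded as a wildcard.
        $acl = (Get-Item -LiteralPath $Path).GetAccessControl('Access')
        # RemoveAccessRuleAll matches on identity and AccessControlType only, so the rights
        # ('Read') and the inheritance/propagation flags ('None') given here do not narrow what
        # is removed: every explicit Allow rule for $Group goes.
        $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, 'Read', 'None', 'None', 'Allow')
        $acl.RemoveAccessRuleAll($accessRule)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    catch
    {
        # Report the underlying exception; the DACL is left as it was before the call.
        Write-Error "Remove-PermissionsForGroup: could not remove NTFS permissions for $Group from $Path : $_"
    }
}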
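# http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights%28v=vs.110%29.aspx
function Add-NTFSPermissions
{
    <#
    .SYNOPSIS
    Adds an NTFS access rule for a user or group on the directory specified.
    .DESCRIPTION
    First removes the identity's existing explicit Allow rules on the directory (via
    Remove-PermissionsForGroup) so the new rule replaces rather than accumulates with what was
    set before. It then builds a FileSystemAccessRule from the rights, inheritance and
    access-control type given and writes the DACL back with Set-Acl.
    The removal step runs for a Deny rule too, so the identity's explicit Allow rules on the
    directory are gone afterwards; existing explicit Deny rules are not removed.
    .EXAMPLE
    Add-NTFSPermissions -ADObject 'deny' -FSObject 'c:\logs' -perms 'FullControl' -AccessControl 'Deny'
    Denies FullControl to user deny on c:\logs (subfolders and files only, since -propFlag is omitted).
    .EXAMPLE
    Add-NTFSPermissions -ADObject 'NETWORK SERVICE' -FSObject $folder -perms 'ListDirectory, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions' -AccessControl 'Allow' -propFlag 'parentChild'
    Grants read-only rights to NETWORK SERVICE on $folder, its subfolders and its files.
    .INPUTS
    ADObject - user or group that receives the rule (resolved as an NTAccount).
    FSObject - directory whose DACL is changed, for example c:\temp.
    Perms - comma-separated FileSystemRights names. Valid names:
            AppendData, ChangePermissions, CreateDirectories, CreateFiles, Delete,
            DeleteSubdirectoriesAndFiles, ExecuteFile, ListDirectory, FullControl, Modify, Read,
            ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions,
            Synchronize, TakeOwnership, Traverse, Write, WriteAttributes, WriteData,
            WriteExtendedAttributes
    AccessControl - 'Allow' or 'Deny'.
    PropFlag - how the rule is inherited:
            parentOnly  - this folder and its files (ObjectInherit, no propagation flags)
            parentChild - this folder, its subfolders and files (ContainerInherit, ObjectInherit)
            Allow / omitted - subfolders and files only (InheritOnly); logged as 'FilesSubfolders'
    .OUTPUTS
    Nothing is returned. Progress is written with write-log; failures are reported through Write-Error.
    .NOTES
    Depends on write-log and $logfilename from the logging module; neither is defined in this file,
    so the function fails before touching the DACL when that module is not loaded.
    #>
    param
    (
        [string]
        $ADObject,
        [string]
        $FSObject,
        [string]
        $perms,
        [string]
        [validateset('Allow', 'Deny')]
        $AccessControl,
        [string]
        [validateset('parentOnly','parentChild','Allow')]
        $propFlag
    )
    $func = 'func -- Add-NTFSPermissions :'

    write-log -fileName $logfilename -message "$func removing permissions for $ADObject directory $FSObject"
    # Remove the identity's explicit Allow rules first so a re-run sets exactly the rights asked for.
    Remove-PermissionsForGroup -Group $ADObject -Path $FSObject

    # Map the friendly propagation name onto the InheritanceFlags / PropagationFlags pair.
    # switch compares strings case-insensitively, like -eq.
    switch ($propFlag)
    {
        'parentOnly'
        {
            # this folder and its files
            $Inheritance = 'ObjectInherit'
            $Propagation = 'None'
        }
        'parentChild'
        {
            # this folder, its subfolders and its files
            $Inheritance = 'ContainerInherit, ObjectInherit'
            $Propagation = 'None'
        }
        default
        {
            # subfolders and files only; the folder itself does not receive the rule
            $Inheritance = 'ContainerInherit, ObjectInherit'
            $Propagation = 'InheritOnly'
            $propFlag = 'FilesSubfolders'
        }
    }

    try
    {
        # Enum conversions sit inside the try so a mistyped rights or flag name is reported the
        # same way as a Set-Acl failure instead of escaping as an unhandled exception.
        $colRights = [System.Security.AccessControl.FileSystemRights]$perms
        $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]$Inheritance
        $propagationFlag = [System.Security.AccessControl.PropagationFlags]$Propagation
        $objType = [System.Security.AccessControl.AccessControlType]$AccessControl
        # The account name is resolved to a SID when the ACL is written; an unknown account fails in Set-Acl.
        $objUser = New-Object System.Security.Principal.NTAccount($ADObject)
        $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $inheritanceFlag, $propagationFlag, $objType)
        # -LiteralPath: '[' or ']' in the directory name must not be expanded as a wildcard.
        $objACL = (Get-Item -LiteralPath $FSObject).GetAccessControl('Access')
        $objACL.AddAccessRule($objACE)
        Set-Acl -LiteralPath $FSObject -AclObject $objACL
        write-log -fileName $logfilename -message "$func $FSObject Group $ADObject granted permissions."
    }
    catch
    {
        # Report the underlying exception; the DACL is left as it was after the removal step.
        Write-Error "Add-NTFSPermissions: $FSObject $ADObject can not be granted permissions: $_"
    }
}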
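function ConvertTo-NTFSRightsText
{
    # Internal helper for Get-NTFSPermissions: decodes a raw access mask into a comma-joined list of
    # the names of its individual bits, followed by any well-known combination (FullControl, Modify,
    # ...) it contains. Combinations are tested widest first and their bits cleared from the mask
    # before the next one is tested, so a subset of an already-matched combination is not repeated.
    param(
        [int64]$Mask,
        [System.Collections.Specialized.OrderedDictionary]$BitNames,
        [System.Collections.Specialized.OrderedDictionary]$ComboNames
    )
    $names = @()
    foreach ($bit in $BitNames.Keys)
    {
        if (($Mask -band [int64]$bit) -ne 0) { $names += $BitNames[$bit] }
    }
    $remaining = $Mask
    foreach ($combo in $ComboNames.Keys)
    {
        $comboBits = [int64]$combo
        if (($remaining -band $comboBits) -eq $comboBits)
        {
            $names += $ComboNames[$combo]
            # -bnot (bitwise), not -not (boolean): the boolean form zeroes the whole mask after the
            # first match, so a second combination such as Write after ReadAndExecute was never reported.
            $remaining = $remaining -band (-bnot $comboBits)
        }
    }
    return ($names -join ',')
}

function Get-NTFSPermissions
{
    <#
    .SYNOPSIS
    Lists the access rules on the directories under a path, with the rights decoded to names.
    .DESCRIPTION
    Enumerates the directories below -Directory with Get-ChildItem (the root itself is not
    reported), reads each DACL with Get-Acl and emits one object per access rule. The
    FileSystemRights value is decoded from its raw access mask into the names of the individual
    bits followed by any well-known combination (FullControl, Modify, ...) it contains, so generic
    rights and combinations the FileSystemRights enum cannot name are still printed readably.
    .EXAMPLE
    Get-NTFSPermissions -Directory 'c:\inetpub' -recurse | Where-Object { -not $_.IsInherited }
    Shows only explicitly set rules, the ones to review for over-broad grants.
    .INPUTS
    Directory - root directory whose subdirectories are inspected.
    recurse - when set, every level of subdirectory is inspected, not just the first.
    .OUTPUTS
    One PSCustomObject per access rule with the properties DirectoryPath, Identity, SystemRights,
    SystemRightsType, IsInherited, InheritanceFlags and RulesProtected.
    .NOTES
    Directories that cannot be listed are skipped silently (-ErrorAction SilentlyContinue on
    Get-ChildItem). A DACL that cannot be read produces a non-terminating Get-Acl error and that
    directory is skipped, so an incomplete listing is possible without the run failing.
    References:
      http://stackoverflow.com/questions/27529174/how-can-i-compare-against-filesystemrights-using-powershell
      http://latkin.org/blog/2012/07/08/using-enums-in-powershell/
      https://rohnspowershellblog.wordpress.com/tag/powershell/
      http://poshcode.org/5006
      http://stackoverflow.com/questions/28029872/retrieving-security-descriptor-and-getting-number-for-filesystemrights
      (the last one is the source of the mask-decoding approach)
    #>
    param(
        [string]
        $Directory,
        [switch]
        $recurse
    )
    # One entry per access-mask bit: key is the bit value, value its name.
    $accessMask = [ordered]@{
        [uint32]'0x80000000' = 'GenericRead'
        [uint32]'0x40000000' = 'GenericWrite'
        [uint32]'0x20000000' = 'GenericExecute'
        [uint32]'0x10000000' = 'GenericAll'
        [uint32]'0x02000000' = 'MaximumAllowed'
        [uint32]'0x01000000' = 'AccessSystemSecurity'
        [uint32]'0x00100000' = 'Synchronize'
        [uint32]'0x00080000' = 'WriteOwner'
        [uint32]'0x00040000' = 'WriteDAC'
        [uint32]'0x00020000' = 'ReadControl'
        [uint32]'0x00010000' = 'Delete'
        [uint32]'0x00000100' = 'WriteAttributes'
        [uint32]'0x00000080' = 'ReadAttributes'
        [uint32]'0x00000040' = 'DeleteChild'
        [uint32]'0x00000020' = 'Execute/Traverse'
        [uint32]'0x00000010' = 'WriteExtendedAttributes'
        [uint32]'0x00000008' = 'ReadExtendedAttributes'
        [uint32]'0x00000004' = 'AppendData/AddSubdirectory'
        [uint32]'0x00000002' = 'WriteData/AddFile'
        [uint32]'0x00000001' = 'ReadData/ListDirectory'
    }
    # Well-known rights combinations, widest first so FullControl is matched before its subsets.
    $simplePermissions = [ordered]@{
        [uint32]'0x1f01ff' = 'FullControl'
        [uint32]'0x0301bf' = 'Modify'
        [uint32]'0x0200a9' = 'ReadAndExecute'
        [uint32]'0x02019f' = 'ReadAndWrite'
        [uint32]'0x020089' = 'Read'
        [uint32]'0x000116' = 'Write'
    }

    Get-ChildItem -Recurse:$recurse -Path $Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $objPath = $_.FullName
            # -LiteralPath: FullName is a literal name, never a wildcard pattern.
            $objACL = Get-Acl -LiteralPath $objPath
            if ($null -eq $objACL) { return }   # Get-Acl reported an error for this directory; skip it
            foreach ($accessRight in $objACL.Access)
            {
                # value__ is the enum's Int32 payload. Widen it to an unsigned 32-bit mask held in an
                # int64 so the generic-rights bits (0x80000000 ...) compare as set bits rather than as
                # a negative number. 4294967295 is 0xFFFFFFFF written in decimal; the hex literal would
                # parse as the Int32 -1.
                $mask = [int64]$accessRight.FileSystemRights.value__ -band 4294967295
                [PSCustomObject]@{
                    DirectoryPath    = $objPath
                    Identity         = $accessRight.IdentityReference
                    SystemRights     = ConvertTo-NTFSRightsText -Mask $mask -BitNames $accessMask -ComboNames $simplePermissions
                    SystemRightsType = $accessRight.AccessControlType
                    IsInherited      = $accessRight.IsInherited
                    InheritanceFlags = $accessRight.InheritanceFlags
                    RulesProtected   = $objACL.AreAccessRulesProtected
                }
            }
        }
}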
# Public surface of the module; functions not listed here stay private to the module scope.
Export-ModuleMember -Function @(
    'Add-NTFSPermissions',
    'Remove-PermissionsForGroup',
    'Get-NTFSPermissions'
)
# Usage examples (not executed):
#   get-acl -Path $FolderPath | Select-Object Owner, Access
#   add-NTFSPermissions $user $FolderPath $perms
This module calls write-log, which means it depends on the log module I wrote.
NTFS permissions module