Function for adding access control entries to an ACL object. These entries deny modification of the directory itself but give liberal access to its contents. Good for Windows file shares.
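<#
.SYNOPSIS
    Adds "modify the contents, but not the container" access control entries for one principal to an ACL.

.DESCRIPTION
    Takes a file-system ACL and a principal and adds three access rules for that principal:
      1. Deny,  this folder only:            Delete, TakeOwnership, ChangePermissions, WriteAttributes, WriteExtendedAttributes
      2. Allow, this folder only:            Traverse, Read, CreateFiles, CreateDirectories
      3. Allow, subfolders and files only:   a Modify-style set of rights (inherit-only, so it never applies to the folder itself)
    The ACL object passed in is modified in place and is also written to the pipeline so it can be handed to Set-Acl.

.PARAMETER ACL
    The System.Security.AccessControl.FileSystemSecurity (for example from Get-Acl) to add the entries to.
    Accepts pipeline input; every ACL piped in is processed.

.PARAMETER SID
    The principal the rules apply to. Any System.Security.Principal.IdentityReference works
    (SecurityIdentifier or NTAccount), despite the parameter name.

.OUTPUTS
    System.Security.AccessControl.FileSystemSecurity - the same ACL object with the three rules added.

.NOTES
    The rights and flags are built once in the begin block; the ACEs themselves are built per item because
    $SID may be bound from the pipeline by property name and is therefore not available before process.
#>
function Add-ModAce {
    param (
        [Parameter(Position=0, Mandatory=$true, ValueFromPipeline=$true, ValueFromPipelinebyPropertyName=$true)]
        [System.Security.AccessControl.FileSystemSecurity]$ACL,
        [Parameter(Position=1, Mandatory=$true, ValueFromPipeline=$false, ValueFromPipelinebyPropertyName=$true)]
        [System.Security.Principal.IdentityReference]$SID
    )
    begin {
        # Rule 1 - Deny on the container itself, no inheritance: the principal cannot delete, take ownership,
        # re-ACL or change attributes of the folder that carries this ACL.
        $denyRootRights = [System.Security.AccessControl.FileSystemRights]"Delete, TakeOwnership, ChangePermissions, WriteAttributes, WriteExtendedAttributes"
        $denyRootInherit = [System.Security.AccessControl.InheritanceFlags]::None
        $denyRootPropagate = [System.Security.AccessControl.PropagationFlags]::None
        $denyType = [System.Security.AccessControl.AccessControlType]::Deny

        # Rule 2 - Allow on the container itself, no inheritance: enough to enter, list and create in the folder.
        # DeleteSubdirectoriesAndFiles is deliberately not granted here; deleting children is governed by rule 3.
        $allowRootRights = [System.Security.AccessControl.FileSystemRights]"Traverse, Read, CreateFiles, CreateDirectories"
        $allowRootInherit = [System.Security.AccessControl.InheritanceFlags]::None
        $allowRootPropagate = [System.Security.AccessControl.PropagationFlags]::None
        $allowType = [System.Security.AccessControl.AccessControlType]::Allow

        # Rule 3 - Allow on child objects only: inherited by subfolders and files, InheritOnly keeps it off the folder itself.
        $allowChildRights = [System.Security.AccessControl.FileSystemRights]"Traverse, ExecuteFile, ListDirectory, ReadData, ReadAttributes, ReadExtendedAttributes, CreateFiles, WriteData, CreateDirectories, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ReadPermissions"
        $allowChildInherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
        $allowChildPropagate = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    }
    process {
        $denyRootAce = New-Object System.Security.AccessControl.FileSystemAccessRule `
            ($SID, $denyRootRights, $denyRootInherit, $denyRootPropagate, $denyType)
        $allowRootAce = New-Object System.Security.AccessControl.FileSystemAccessRule `
            ($SID, $allowRootRights, $allowRootInherit, $allowRootPropagate, $allowType)
        $allowChildAce = New-Object System.Security.AccessControl.FileSystemAccessRule `
            ($SID, $allowChildRights, $allowChildInherit, $allowChildPropagate, $allowType)

        # AddAccessRule keeps the DACL in canonical order, so the Deny entry is placed ahead of the Allow entries
        # regardless of the order they are added in here.
        $ACL.AddAccessRule($denyRootAce)
        $ACL.AddAccessRule($allowRootAce)
        $ACL.AddAccessRule($allowChildAce)
        return $ACL
    }
}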