powershellpermissionsntfs
PowerShell Setting advanced NTFS permissions
I'm trying to apply NTFS permissions that are defined in the 'Advanced' tab of the Windows security settings. One ACL $Rule is for This folder only and another one is for the Subfolders and files only.
The permissions are heavily modified as you can see below:
(Get-Acl 'L:\Test\Beez\RAPJOUR\Appels List\Correct').Access
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None
FileSystemRights : CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : Domain\Dirk
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : DeleteSubdirectoriesAndFiles, Modify, Synchronize
AccessControlType : Allow
IdentityReference : Domain\Dirk
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
- Everything is on except for : Full control, Write attributes, Write extended attributes, Delete, Change permissions and Take ownership.
- Everything is on except for : Full control, Change permissions and Take ownership.
This is a piece of the code I use to apply permissions. In this case it has to be defined in the part Change:
$f = 'L:\Test\Beez\RAPJOUR\Appels List\Wrong'
$ADobject = 'Domain\User'
$acl = Get-Acl $f
$Grant = 'Change'
# Remove user/group first
$rule = New-Object system.security.AccessControl.FileSystemAccessRule("$ADobject","Read",,,"Allow")
$acl.RemoveAccessRuleAll($rule)
# Add read permissions
if ($Grant -eq 'ReadAndExecute') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Allow")
}
if ($Grant -eq 'Change') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "Modify", "ContainerInherit, ObjectInherit", "Synchronize", "Allow DeleteSubdirectoriesAndFiles")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "AppendData", "ContainerInherit, ObjectInherit", "ReadAndExecute","Synchronize", "Allow CreateFiles","DeleteSubdirectoriesAndFiles")
}
if ($Grant -eq 'Modify') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
}
if ($Grant -eq 'FullControl') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
}
if ($Grant -eq 'ListFolderContents') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "ReadAndExecute", "ContainerInherit", "None", "Allow")
}
$acl.AddAccessRule($rule)
Set-Acl $f $acl
I can't seem to get the syntax right.. Thank you for your help.
Thanks to this post I've already found the part for:
- 'Subfolders and files only':
"ContainerInherit, ObjectInherit", "InheritOnly" - 'This folder only':
"None", "InheritOnly"
Solution
Object access permissions in Windows are controlled via Access Control Lists (ACL), which basically consist of a list of Access Control Entries (ACE). Each ACE is a set of attributes that controls whether access is granted or denied, who the ACE applies to, if the ACE was inherited from a parent object, and whether it should be inherited by child objects.
If you take a look at the documentation of the FileSystemAccessRule class, you'll see that the "full" constructor takes 5 parameters:
IdentityReference/String: An object or string that identifies the trustee (user, group, computer, ...) to whom the ACE applies.FileSystemRights: The actual permissions to be granted or denied.InheritanceFlags: Flags to control which object types inherit permissions from this object (containers, leaf objects, or none).PropagationFlags: Flags to control propagation of permissions. The flagInheritOnlyexempts the current object from receiving the ACE. The flagNoPropagateInheritrestricts inheritance to immediate child objects.AccessControlType: The type of the ACE (allow or deny).
Now, if you want to assign multiple access rights to a given trustee, you can either do that with individual ACEs:
$acl = Get-Acl $path
$ace1 = New-Object Security.AccessControl.FileSystemAccessRule 'DOMAIN\user',
'ListDirectory', 'ContainerInherit, ObjectInherit', 'InheritOnly',
'Allow'
$acl.AddAccessRule($ace1)
$ace2 = New-Object Security.AccessControl.FileSystemAccessRule 'DOMAIN\user',
'ReadAttributes', 'ContainerInherit, ObjectInherit', 'InheritOnly',
'Allow'
$acl.AddAccessRule($ace2)
...Or by providing the permissions as a comma-separated string:
$acl = Get-Acl $path
$ace = New-Object Security.AccessControl.FileSystemAccessRule 'DOMAIN\user',
'ListDirectory, ReadAttributes, ...', 'ContainerInherit, ObjectInherit',
'InheritOnly', 'Allow'
$acl.AddAccessRule($ace)Note, however, that you cannot grant and deny permissions with the same ACE. If you want to deny specific access rights you need to do it with a separate ACE:
$acl = Get-Acl $path
$ace1 = New-Object Security.AccessControl.FileSystemAccessRule 'DOMAIN\user',
'Modify', 'ContainerInherit, ObjectInherit', 'InheritOnly',
'Allow'
$acl.AddAccessRule($ace1)
$ace2 = New-Object Security.AccessControl.FileSystemAccessRule 'DOMAIN\user',
'CreateDirectories', 'ContainerInherit, ObjectInherit', 'InheritOnly',
'Deny'
$acl.AddAccessRule($ace2)
...Note also, that explicit permissions take precedence over inherited permissions, and Deny takes precedence over Allow.
- Redirections changes "get-alias" command return code in powershell
- Where is the PowerShell documentation for the `excel.application`?
- Powershell SDK accessing values of Powershell objects?
- Does the PowerShell call operator `&` wait for a command to finish?
- Using PowerShell, set the AD home directory for a user, given the display name
- Export app registrations with expiring secrets and certificates and send alert in teams
- How do I find the 10 largest files in a directory structure
- Enumerate file properties in PowerShell
- Is there a dynamic way to get variables from Variable Group? Even secret ones? and insert in Azure Key Vault
- Powershell Folder Inheritence problem
- How to quickly change shell folder to match the currently open file
- Powershell script to see currently logged in users (domain and machine) + status (active, idle, away)
- How to Set Microphone Volume to 100% in PowerShell or Command Line?
- Format Select-String output (path:linenumber:line)
- Get the Installed / Not Applicable Percentage in WSUS using Powershell
- Powershell ConvertFrom-JSON to csv file(s)
- Script has two variables when done, but when I pipe to SELECT-object only first one returns data to console
- Sign a Powershellscript with C# / .NetCore
- File Explorer flag not working in Powershell at all
- How to run Get Kusto query using Rest API
- Read individual key presses in PowerShell
- run powershell as administrator from python
- How to embed Windows symbols (Win+;) into the code, to be printed on file and on screen?
- Powershell 2 copy-item which creates a folder if doesn't exist
- Run Powershell script files step by step in WPF (C#)
- Can I return an exit code %errorlevel% from WSL Bash to Powershell or Command Prompt?
- Get Azure Active Directory password expiry date in PowerShell
- Powershell get-childitem works different with long-path prefix (\\?\)
- Handling Nested JSON returned from Invoke-RestMethod
- Unexpected variable type returned by Receive-Job