
PowerShell v3 Managing Share/NTFS Permissions


Background:

I've been trying to write a PowerShell script to add/remove permissions for a folder. This script is the 5th script in a sequence of scripts that kick off after another. The scripts have shared variables, etc.

Scripts are as follows:

  1. Create AD Group Object
  2. Create AD User Object (or two, three, four, etc.)
  3. Create User Folder on Application Server and Create Data Folder (to be shared by all associated users) on the File Server
  4. This script, which will change the permissions to be what they are supposed to be

I'm trying to do the following (NTFS):

  1. User Folder - SYSTEM (Full), Administrator (Full), Domain Admin (Full), AD Group (Modify), USERS (Modify)
  2. Data Folder - SYSTEM (Full), Administrator (Full), Domain Admin (Full), AD Group (Modify), NETWORK SERVICE (FULL), USERS (READ)

I'm trying to do the following (Share):

  1. Data Folder - SYSTEM (Full), Administrator (Full), Domain Admin (Full), AD Group (Modify)

Here is what I've been trying to work with:

If I use this method locally, it works great. It shares a folder such as "C:\Test" without issue. But I can't get this to run against the servers (not sure if it's because I'm using variables or what). In this case, just the data folder is what I'm trying to change permissions on.

# Configures the folders to have necessary permissions

# Set the folder path

# gname, sharedcomputername, and clientname all come from values in previous script

$Server = $ShareComputerName
$Share = "\d$\Tran\"+$ClientName 
$FullSharePath = "$Server"+"$Share"

# Assign the permissions

net share $gname=$FullSharePath '/Grant:Administrators,FULL' '/Grant:Domain\Account,CHANGE'

Server OS is 2008 R2 and PowerShell v3. The DC/AD is 2012 though.


EDIT 4/2/15 - This is not a duplicate question (I guess someone marked it as such)...see my response to the user below.


Solution


  • EDIT 4/6/15 - How I accomplished what I was looking to do...

    Here is what I ended up doing, thanks to the pointer (to other threads/sources) from Rich Chiavaroli.

    To handle the NTFS Permissions, I did the following:

    # Setting NTFS directory permissions
    
    $acl = Get-Acl "\\$servername\folderpath"
    
    # FileSystemAccessRule(identity, rights, inheritanceFlags, propagationFlags, type)
    # "ContainerInherit, ObjectInherit" makes the rule flow down to subfolders and files
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("domain\user or usergroup", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    
    # Write the modified ACL back to the folder
    Set-Acl "\\$servername\folderpath" $acl
    

    To handle the Share Permissions, I did the following:

    # Configures the folders to have necessary permissions
    
    # Set the folder path
    
    $Server = "test"      # Enter your server name here (ex: test); Get-WmiObject -ComputerName takes the NetBIOS name or FQDN
    $Share  = "C:\Test"   # Enter the local path to the folder on that server here (ex: C:\Test)
    
    # Assign the Share Permissions
    
    # User Name/Group to give permissions to ($gname is the AD group created by the earlier script)
    $trustee = ([wmiclass]'Win32_trustee').psbase.CreateInstance()
    $trustee.Domain = "Corp"
    $trustee.Name = "$gname"
    
    $trustee2 = ([wmiclass]'Win32_trustee').psbase.CreateInstance()
    $trustee2.Domain = "Domain"
    $trustee2.Name = "Domain Admins"
    
    # Access mask values (the share-level Full Control / Change / Read rights)
    $fullcontrol = 2032127
    $change = 1245631
    $read = 1179785
    
    # Create access-list entries
    # AceFlags 3 = OBJECT_INHERIT_ACE + CONTAINER_INHERIT_ACE, AceType 0 = access allowed
    $ace = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
    $ace.AccessMask = $fullcontrol
    $ace.AceFlags = 3
    $ace.AceType = 0
    $ace.Trustee = $trustee
    
    $ace2 = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
    $ace2.AccessMask = $fullcontrol
    $ace2.AceFlags = 3
    $ace2.AceType = 0
    $ace2.Trustee = $trustee2
    
    # Security descriptor containing access (ControlFlags 4 = SE_DACL_PRESENT)
    $sd = ([wmiclass]'Win32_SecurityDescriptor').psbase.CreateInstance()
    $sd.ControlFlags = 4
    $sd.DACL = $ace, $ace2
    $sd.group = $trustee
    $sd.owner = $trustee
    
    # Win32_Share.Create(Path, Name, Type, MaximumAllowed, Description, Password, Access); Type 0 = disk drive
    $newShare = Get-WmiObject Win32_Share -List -ComputerName "$Server"
    $newShare.create("$Share", "Name of the share", 0, 100, "", "", $sd)
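The answer above creates the share but never reads the result back. As an added example that is not part of the original post or any answer, the following reads the share-level DACL from the server through Win32_LogicalShareSecuritySetting, decodes the same access-mask values the answer uses, and reports any entry that differs from the Data Folder list in the question; the server name, share name, "CORP" and "ClientGroup" (standing in for $gname) are placeholders.

```powershell
# Added example (not from the original post): verify a share's DACL after Win32_Share.Create().
# Assumes the caller is an admin on the target server, as the WMI calls in the answer already require.

# Same Win32_ACE.AccessMask values the answer uses, mapped back to their names
$ShareMasks = @{ 2032127 = 'FULL'; 1245631 = 'CHANGE'; 1179785 = 'READ' }

# Intended share DACL for the Data Folder, as listed in the question ('CORP'/'ClientGroup' are placeholders)
$ExpectedShareAcl = @{
    'NT AUTHORITY\SYSTEM'    = 'FULL'
    'BUILTIN\Administrators' = 'FULL'
    'CORP\Domain Admins'     = 'FULL'
    'CORP\ClientGroup'       = 'CHANGE'
}

function Test-SharePermissions {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][hashtable]$Expected
    )
    # Win32_LogicalShareSecuritySetting holds the share-level DACL (separate from the NTFS ACL)
    $setting = Get-WmiObject -ComputerName $ComputerName -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    if (-not $setting) { throw "Share '$ShareName' not found on $ComputerName" }

    $result = $setting.GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with code $($result.ReturnValue)" }

    $seen = @{}
    foreach ($ace in $result.Descriptor.DACL) {
        $trustee = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
        $mask    = [int]$ace.AccessMask          # WMI returns UInt32; hashtable keys above are Int32
        $right   = if ($ShareMasks.ContainsKey($mask)) { $ShareMasks[$mask] } else { '0x{0:X}' -f $mask }
        $type    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        $seen[$trustee] = $true
        # Any trustee not on the intended list, or with a different right, is flagged
        $ok = ($type -eq 'Allow') -and $Expected.ContainsKey($trustee) -and ($Expected[$trustee] -eq $right)
        [pscustomobject]@{ Trustee = $trustee; Type = $type; Right = $right; Status = if ($ok) { 'OK' } else { 'UNEXPECTED' } }
    }
    # Intended trustees that were never granted anything (e.g. the AD group was skipped)
    foreach ($t in $Expected.Keys) {
        if (-not $seen.ContainsKey($t)) {
            [pscustomobject]@{ Trustee = $t; Type = '-'; Right = $Expected[$t]; Status = 'MISSING' }
        }
    }
}

# Placeholder server and share name; replace with the values used in Create()
Test-SharePermissions -ComputerName 'fileserver01' -ShareName 'ClientData' -Expected $ExpectedShareAcl | Format-Table -AutoSize
```

Run it from the same account that created the share; any row marked UNEXPECTED or MISSING is a difference between what Create() produced and the list in the question.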