
Create Folder, Create AD Groups, Apply Groups to Folder and Set Permissions


I'm trying to find a much cleaner way of creating a network share folder, creating an Active Directory Security group that matches the share, and then applying the levels of permissions to the folder all while asking the questions in the script.

  • Create folder D:\Test Share
  • Share as Test Share
  • Create AD Group FS-TESTSHARE-R
  • Create AD Group FS-TESTSHARE-RW
  • Apply Both groups to the new share folder
  • Set Full Read permissions to FS-TESTSHARE-R
  • Set Full Read/Rights permissions to FS-TESTSHARE-RW
  • Set full access permissions to Domain Admins

This is what I have so far and am completely lost as to how to get the rest and make it work:

$Path = 'c:\TestShare'

# create new folder
$null = New-Item -Path $Path -ItemType Directory

# get permissions
$acl = Get-Acl -Path $path

# add a new permission
$permission = 'domain\FS-TESTSHARE-RW', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)

# set new permissions
$acl | Set-Acl -Path $path

Solution

  • while asking the questions in the script

    In order to get the input, it's best to use the param construct at the top of your .ps1 file like so

    param([Parameter(Mandatory=$true, Position=0)][ValidateNotNullOrEmpty()] [string] $Path,
    [Parameter(Mandatory=$true, Position=1)][ValidateNotNullOrEmpty()] [string[]] $permission)
    

    You can then provide the values when launching the script like so

    .\yourscript.ps1 -path 'c:\TestShare' -permission ('domain\FS-TESTSHARE-RW', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    

    This gives you a couple of advantages over Read-Host. For starters, you can enforce the type and that the value provided is not null or empty, but it also allows all values to be collected up front, meaning the script can be used in automated scenarios, unlike Read-Host, which only works with a human inputting the values.

    Creating an Active Directory Security group that matches the Share

    You can use the Active Directory PowerShell Module to create and update groups.

    Create the group using the New-ADGroup command

    New-ADGroup -Name "FS-TESTSHARE-RW" -SamAccountName "FS-TESTSHARE-RW" -GroupCategory Security -GroupScope Global -DisplayName "Test Share Read-Write" -Path "CN=Users,DC=Fabrikam,DC=Com" -Description "Members of this group have read-write access to the test share"  
    

    Then use the Add-ADGroupMember command to add principals to the group. The following example would add the principals User1 and User2 to the group FS-TESTSHARE-RW.

    Add-ADGroupMember FS-TESTSHARE-RW User1,User2
    

    As for mapping the permissions, you are already on the correct path; however, I will point out that you shouldn't use $null in your scripts for values, as it is an automatic variable.

    $null is an automatic variable that contains a NULL or empty value. You can use this variable to represent an absent or undefined value in commands and scripts.
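
The script below is an added example that ties the pieces of the answer together end to end (param block, New-ADGroup, the NTFS ACL, and the SMB share); it is not code from the question or the answer above. It assumes the ActiveDirectory and SmbShare modules are available, that the account running it can create groups in the OU passed as -GroupOU and shares on the local server, and that $env:USERDOMAIN is the NetBIOS name of the domain the groups live in. The parameter names (-Path, -ShareName, -GroupBase, -GroupOU) and the OU path are illustrative. Two design choices differ from the question's wording and are deliberate: the RW group gets Modify rather than FullControl, so ordinary users cannot rewrite the ACL or take ownership, and the groups are created with DomainLocal scope, which is the usual choice for resource-access groups (the answer's Global scope works as well). Inheritance from D:\ is disabled and the DACL is rebuilt explicitly, so the folder carries only the entries listed in the script, and share permissions are left at Authenticated Users: Change so that the NTFS ACL is the single place access is decided.

```powershell
#Requires -Modules ActiveDirectory, SmbShare
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()][string] $Path,       # e.g. 'D:\Test Share'
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()][string] $ShareName,  # e.g. 'Test Share'
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()][string] $GroupBase,  # e.g. 'FS-TESTSHARE'
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()][string] $GroupOU,    # assumed OU, e.g. 'OU=FileShareGroups,DC=Fabrikam,DC=Com'
    [string] $Domain = $env:USERDOMAIN                                            # assumption: NetBIOS domain name
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
Import-Module SmbShare

$ReadGroup  = "$GroupBase-R"
$WriteGroup = "$GroupBase-RW"

# 1. Create the folder. -Force makes this idempotent: an existing directory is returned, not an error.
$null = New-Item -Path $Path -ItemType Directory -Force

# 2. Create the two resource groups if they do not already exist.
$groups = @(
    @{ Name = $ReadGroup;  Description = "Read-only access to share '$ShareName' ($Path)" },
    @{ Name = $WriteGroup; Description = "Modify access to share '$ShareName' ($Path)" }
)
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$($g.Name)'")) {
        if ($PSCmdlet.ShouldProcess($g.Name, 'New-ADGroup')) {
            New-ADGroup -Name $g.Name -SamAccountName $g.Name -GroupCategory Security `
                        -GroupScope DomainLocal -Path $GroupOU -Description $g.Description
        }
    }
}

# 3. Rebuild the NTFS DACL explicitly: stop inheriting from the parent, drop everything
#    that was inherited, remove any leftover explicit entries, then add only what we want.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)              # isProtected = yes, preserveInheritance = no
foreach ($existing in @($acl.Access)) {
    $null = $acl.RemoveAccessRuleAll($existing)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$grants = @(
    @{ Id = "$Domain\$ReadGroup";    Rights = 'ReadAndExecute' },  # read + traverse, nothing more
    @{ Id = "$Domain\$WriteGroup";   Rights = 'Modify' },          # create/change/delete, but not ACL or ownership changes
    @{ Id = "$Domain\Domain Admins"; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';   Rights = 'FullControl' }      # keep SYSTEM, since inheritance no longer supplies it
)
foreach ($g in $grants) {
    $rights = [System.Security.AccessControl.FileSystemRights]($g.Rights)
    $rule   = [System.Security.AccessControl.FileSystemAccessRule]::new($g.Id, $rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
if ($PSCmdlet.ShouldProcess($Path, 'Set-Acl')) {
    Set-Acl -Path $Path -AclObject $acl
}

# 4. Publish the share. Access-based enumeration hides entries the caller cannot read.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    if ($PSCmdlet.ShouldProcess($ShareName, 'New-SmbShare')) {
        New-SmbShare -Name $ShareName -Path $Path -ChangeAccess 'Authenticated Users' -FolderEnumerationMode AccessBased
    }
}

# 5. Show the resulting ACL so the outcome can be reviewed (every entry should be explicit: IsInherited = False).
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run it with -WhatIf first (`.\New-FileShare.ps1 -Path 'D:\Test Share' -ShareName 'Test Share' -GroupBase 'FS-TESTSHARE' -GroupOU 'OU=FileShareGroups,DC=Fabrikam,DC=Com' -WhatIf`) to see which groups, ACL and share would be created without touching anything; because the script uses SupportsShouldProcess, every change goes through $PSCmdlet.ShouldProcess. Members are then added to the groups with Add-ADGroupMember as shown in the answer, and the final table should list only the four explicit entries with IsInherited set to False.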