Tags: powershell, scripting, windows-server-2016, ntfs

Adding an AD Group to a large Public drive via Powershell


We have a large file share that houses about 1 TB of data. The following location has about 600 folders beneath it: F:\Data
The task is to assign a specific AD group read permissions to every folder inside of the data folder, the subfolders do not matter.

I am trying to see if the script below would be the best approach. My concern is that this is a file server and I don't want to break anything or mess up any rights. Also, I'm not too sure if, while the script is running and there is a file open, it would cause an error.

I have tried running this script in a test environment and it worked great, but there is no error log where, even if it stopped somewhere, I would be able to check.

I could be overthinking it, but just wanted to see if anyone has experienced anything like this?

$StartingPath = "PATH"
$Right        = "Read"
$Principal    = "Domain\ADGroup"

# Allow ACE granting $Right to $Principal (3-parameter constructor: no inheritance flags,
# so the rule applies to the folder it is set on only)
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, $Right, "Allow")

# Walk every folder under the starting path and add the rule to each folder's ACL
foreach ($Folder in $(Get-ChildItem -Directory $StartingPath -Recurse)) {
    $Acl = Get-Acl $Folder.FullName
    $Acl.SetAccessRule($Rule)
    Set-Acl $Folder.FullName $Acl
}

Solution

  • You need to experiment with Inheritance and Propagation (use your test environment for that) and use the overloaded method with 5 parameters to create your new access rule for that.

    That way, you only add the new rule to the main data share folder and do not have to iterate all subfolders.

    # FileSystemRights:  https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemrights
    # Inheritance flags: https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.inheritanceflags
    # Propagation flags: https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.propagationflags
    
    $Principal  = "TheADGroupWithReadPermissions"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, "Read", "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl = Get-Acl "F:\Data"
    $acl.SetAccessRule($accessRule)
    Set-Acl -Path "F:\Data" -ACLObject $acl
    

    Difference between AddAccessRule() and SetAccessRule():

    AddAccessRule: This method will add this access rule to the ACL. If a user or group has Modify permission and we use AddAccessRule() to create a new rule with Read permission, the user or group will still also have Modify permissions.

    SetAccessRule: This method removes any existing access and replaces that access with the specified rule. If a user or group has Modify permission and a new rule is created using SetAccessRule() specifying Read permission, that user or group will now only have Read permission.
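As an added example (not the asker's or the answerer's code), the following script applies the single inheritable Read ACE from the answer at the share root with -WhatIf support and a log file, then checks the direct child folders and reports any whose inheritance is disabled, since those will not receive the new ACE. $Root, $Principal and $LogPath are placeholder assumptions.

```powershell
# Added example; $Root, $Principal and $LogPath are placeholders, not values from the page.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root      = 'F:\Data',               # assumption: share root as in the question
    [string]$Principal = 'DOMAIN\ReadOnlyGroup',  # assumption: placeholder AD group
    [string]$LogPath   = "$env:TEMP\acl-change.log"
)

function Write-Log([string]$Message) {
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# Record the root DACL as SDDL before touching it, so the change can be reviewed or reverted.
$rootAcl = Get-Acl -LiteralPath $Root
Write-Log "BEFORE $Root : $($rootAcl.Sddl)"

# One inheritable Read ACE at the root (ContainerInherit + ObjectInherit, no propagation flags),
# so every folder and file below inherits it instead of being edited one by one.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

if ($PSCmdlet.ShouldProcess($Root, "Add inheritable Read ACE for $Principal")) {
    try {
        $rootAcl.AddAccessRule($rule)   # AddAccessRule keeps any ACEs $Principal already has
        Set-Acl -LiteralPath $Root -AclObject $rootAcl
        Write-Log "APPLIED $Root"
    } catch {
        Write-Log "ERROR $Root : $($_.Exception.Message)"
        throw
    }
}

# Verify the direct child folders: a folder with a protected DACL (inheritance disabled)
# does not receive the new ACE, so it is logged for manual review rather than modified.
$readMask = [System.Security.AccessControl.FileSystemRights]::Read
foreach ($folder in Get-ChildItem -LiteralPath $Root -Directory) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName
        $inherited = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Principal -and $_.IsInherited -and
            (($_.FileSystemRights -band $readMask) -eq $readMask)
        }
        if ($acl.AreAccessRulesProtected) { Write-Log "PROTECTED $($folder.FullName) (inheritance disabled, ACE not inherited)" }
        elseif (-not $inherited)          { Write-Log "MISSING $($folder.FullName)" }
    } catch {
        Write-Log "ERROR $($folder.FullName) : $($_.Exception.Message)"
    }
}
```

Run it first with -WhatIf -Verbose to see the intended change without applying it; the log then lists any protected folders that would need a separate decision.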