2

I would like this PowerShell script to create a new directory, and add/assign permissions with a group.

The group is adding, but the permissions are not showing under Properties on the Security tab. If going to Advanced security, the permissions do show there.

Also, the parent folder permissions are not being removed from the new child folder as desired.

$groups = "DOMAIN\GROUP"
$Perm = "MODIFY"
$Permission = [System.Security.AccessControl.FileSystemRights] $Perm
$AllInherit = [System.Security.AccessControl.InheritanceFlags] "None"
$AllPropagation = [System.Security.AccessControl.PropagationFlags] "InheritOnly"
$path = "c:\temp\test"
new-item -path $path -itemtype directory -force
$group = $groups
$GetACL = Get-Acl $Path
$Access = New-Object System.Security.Principal.NTAccount ($group)
$AccessRule = New-Object system.security.AccessControl.FileSystemAccessRule($Access, $perm, $AllInherit, $Allpropagation, "Allow")
$GetACL.SetAccessRule($AccessRule)
SET-ACL -PATH $path $getacl
1
  • In addition, the InheritOnly propagation is not being properly set. Commented Oct 15, 2015 at 19:25

1 Answer

1

Here's a function I wrote for a similar purpose:

function Add-AclEntry {
    # Adds a new entry to the specified file system object ACL. For
    # folders the new permissions are applied recursively.
    # Returns: null.
    param(
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [String]$sPath,

        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        # Access group (full notation).
        [String]$sGroup,

        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        # List of access rights, comma separated.
        [String]$sRights,

        [Parameter(Mandatory=$false)]
        [ValidateSet("Allow", "Deny")]
        [String]$sType = "Allow"
    )

    $cRights = [System.Security.AccessControl.FileSystemRights]$sRights
    $oType = [System.Security.AccessControl.AccessControlType]::$sType
    $oGroup = New-Object -TypeName System.Security.Principal.NTAccount($sGroup)

    # Inheritance flags: full inheritance.
    if ((Get-Item $sPath).PSIsContainer) {
        $oInheritanceFlags = (`
             [System.Security.AccessControl.InheritanceFlags]::ObjectInherit `
        -bor [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    } else {
        $oInheritanceFlags = `
            [System.Security.AccessControl.InheritanceFlags]::None
    }
    $oPropagationFlags = [System.Security.AccessControl.PropagationFlags]::None

    # Creating access control entry and adding it to the ACL.
    $oAce = New-Object `
        -TypeName System.Security.AccessControl.FileSystemAccessRule `
        ($oGroup, $cRights, $oInheritanceFlags, $oPropagationFlags, $oType)
    $oAcl = Get-Acl -Path $sPath
    $oAcl.AddAccessRule($oAce)
    Set-Acl -Path $sPath -AclObject $oAcl

    return $null
}

Example usage (adding Modify permissions for Authenticated Users group):

# Target folder (path taken from the question).
$sFolder = "c:\temp\test"
$sGroup = "NT AUTHORITY\Authenticated Users"
$sRights = "Delete, Read, Traverse, Write"
Add-AclEntry -sPath $sFolder -sGroup $sGroup -sRights $sRights

Hope that helps.
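
An added example, not part of the original question or answer: one way to create the folder, drop the permissions inherited from the parent, and grant the group Modify on the folder, its subfolders and files. The function name New-IsolatedFolder and its parameters are assumptions made for illustration; DOMAIN\GROUP is the question's placeholder and must be replaced with a real group.

```powershell
# Added example: New-IsolatedFolder and its parameter names are illustrative.
function New-IsolatedFolder {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Group,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )

    # Resolve the group first: Translate() throws if the name does not map
    # to a SID, so a typo fails before any ACL is touched.
    $groupSid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
        [System.Security.Principal.SecurityIdentifier])

    $null = New-Item -Path $Path -ItemType Directory -Force
    $acl  = Get-Acl -Path $Path

    # $true  = protect this ACL from inheritance,
    # $false = do not keep copies of the ACEs inherited from the parent.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $full      = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Once inherited ACEs are gone only explicit entries grant access, so
    # SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544) are kept.
    $entries = @(
        @{ Id = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18');     Rights = $full }
        @{ Id = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544'); Rights = $full }
        @{ Id = $groupSid;                                                               Rights = $Rights }
    )
    foreach ($e in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $e.Id, $e.Rights, $inherit, $propagate, $allow
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Return the resulting entries so the caller can check IsInherited is False.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags, PropagationFlags
}

# Path and group name are the question's own values; DOMAIN\GROUP is a placeholder.
New-IsolatedFolder -Path 'c:\temp\test' -Group 'DOMAIN\GROUP'
```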
