powershellcmdfile-security

Add security permissions to nested folders


I have a situation like this:

folder1(top folder, user1: full access, user2: full access, user3: full access, system:full)

folder2(nested in folder1, user1:full, user2:full, no inheritance)

folder3(nested in folder1, user3:full, no inheritance)

folder4(nested in folder2, user2: full, no inheritance)

its a file server with fairly complicated user and permission structure.

What i'd like to do(via powershell or cmd) would be to add system:full permission to all files and folders missing it recursively throughout the folder. The file share has 50k folders and 950k files so recreating it from scratch would take forever. The problem is i can't just override inheritance since that would reset all the user settings. Is there a way to run a script that would add permission on all items that are missing it without changing permissions allready set on the folder? I assume i'll also need to take ownership of files i have no control over.


Solution

  • You can iterate through all the folders with the Get-ChildItem cmdlet, and examine each ACL, adding the permission where needed, but you will have to drop down to .Net classes and methods for some pieces.

    Assuming that you can just set the ACL on the immediate parent directory and allow the files to inherit (not the sub folders), you can do this:

    $identity = "NT AUTHORITY\\SYSTEM"
    $basePath = "U:\\"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $identity,"FullControl","ObjectInherit","None","Allow"
    foreach($folder in Get-ChildItem -Path $basePath -Recurse -Directory)
    {
        $acl = $folder.GetAccessControl("Access")
        if(!($acl.Access | ? { $_.IdentityReference -eq $identity -and $_.FileSystemRights -eq "FullControl" }))
        {
            $acl.AddAccessRule($accessRule)
            $folder.SetAccessControl($acl)
        }
    }
    

    The rule $accessRule is saying apply this setting to the folder and all immediate child files. See this stackoverflow question for info regarding the inheritance flags used to create $accessRule

    If you need to set each file individually (I sincerely hope you don't have to deal with that), you can modify the above slightly:

    $identity = "NT AUTHORITY\\dd"
    $basePath = "U:\\"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $identity,"FullControl","None","None","Allow"
    foreach($folder in Get-ChildItem -Path $basePath -Recurse)
    {
        $acl = $folder.GetAccessControl("Access")
        if(!($acl.Access | ? { $_.IdentityReference -eq $identity -and $_.FileSystemRights -eq "FullControl" }))
        {
            $acl.AddAccessRule($accessRule)
            $folder.SetAccessControl($acl)
        }
    }