For my sins I’ve been asked to modify about 300 folders on our SAN. So I immediately went looking for a PowerShell method of doing this and I can see when I use

$ACL = Get-Acl

$ACL | Get-Member

I can then see there is a method called ModifyAccessRule, but nowhere on the net I’ve seen so far explains how to do this. It’s beginning to look like I’m going to start removing the ACLs and then put new ones in place. We have terabytes of data to modify in these folders, someone please save me from myself!

Amazing sometimes how the internet only gives you the answer if you’re truly desperate and you are strong in the Force of Google. Found an answer here:

Regards,

Mike

12 Spice ups

Ok you good bruh?

2 Spice ups

Yeah, I’m good. Thanks to everyone who had a look at this :wink:

2 Spice ups

So an afternoon spent coding came up with this, please feel free to use it if it helps:

# Requires the NTFSSecurity module (Get-NTFSInheritance / Disable-NTFSAccessInheritance).
# Shares.csv has a column named FileShare holding a UNC path per row.
$FileShares = Import-Csv C:\Mike\Shares.csv
$Permission = "ReadAndExecute, Synchronize"

ForEach ($Share in $FileShares)
{
	# Drop any stale Z: mapping, then map the current share to Z:
	If (Test-Path Z:\)
	{
		Net Use Z: /d /yes | Out-Null
	}
	
	Net Use Z: $Share.FileShare | Out-Null
	
	If (Test-Path Z:\)
	{
		# Break inheritance but keep the inherited ACEs as explicit ones so they can be modified below
		If ((Get-NTFSInheritance -Path Z:).AccessInheritanceEnabled -eq $true)
		{
			Write-Host "Updating the Inheritance for $($Share.FileShare)..."
			Disable-NTFSAccessInheritance -Path Z:\ -RemoveInheritedAccessRules:$false
		}
		
		$ACL = Get-Acl Z:\
		
		ForEach ($ACE in $ACL.Access)
		{
			# Skip admin, built-in and system identities (and unresolved SIDs); change everything else
			# that does not already hold exactly $Permission
			If ((($ACE.IdentityReference -notlike "CORP-XXX\Domain Admins") `
					-and ($ACE.IdentityReference -notlike "CORP-XXX\XXX_DELEGATED_ADMIN") `
					-and ($ACE.IdentityReference -notlike "CREATOR OWNER") `
					-and ($ACE.IdentityReference -notlike "NT AUTHORITY\*") `
					-and ($ACE.IdentityReference -notlike "BUILTIN\*") `
					-and ($ACE.IdentityReference -notlike "NT SERVICE\*") `
					-and ($ACE.IdentityReference -notlike "APPLICATION PACKAGE AUTHORITY\*") `
					-and ($ACE.IdentityReference -notlike "S-1-5-21*")) `
					-and ($ACE.FileSystemRights -ne $Permission))
			{
				Write-Host "Changing $($ACE.IdentityReference) access rights to $($Permission)..." -ForegroundColor Yellow
				
				$Access = $ACE.IdentityReference
				$AllInherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
				$AllPropagation = [System.Security.AccessControl.PropagationFlags]"None"
				$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Access, $Permission, $AllInherit, $AllPropagation, "Allow")
				
				# Reset (enum value 2) removes every existing Allow and Deny ACE for this identity
				# and installs $AccessRule in their place
				$AccessModification = [System.Security.AccessControl.AccessControlModification]::Reset
				$Modification = $False
				$ACL.ModifyAccessRule($AccessModification, $AccessRule, [ref]$Modification)
			}
		}
		
		Write-Output "Modifying ACL for $($Share.FileShare)..."
		Set-Acl -Path Z:\ -AclObject $ACL
	}
}

Regards,

Mike

5 Spice ups
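An added example, not code from the thread: the same ModifyAccessRule call wrapped in a function that writes the folder's current DACL out as SDDL before touching it (so a bad run on 300 folders can be rolled back) and honours -WhatIf for a dry run. Get-Acl takes UNC paths directly, so no drive mapping is needed. The folder path and identity in the usage lines are constructed sample values.

```powershell
# Added example (not from the original post). Resets one identity's ACE on a folder via
# ModifyAccessRule, after saving the existing DACL as SDDL for rollback.
function Reset-FolderAccessRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'ReadAndExecute, Synchronize',
        [string] $BackupDir = (Join-Path $env:TEMP 'acl-backup')
    )

    $acl = Get-Acl -Path $Path

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, $propagate, $allow)

    # Reset drops every existing Allow *and* Deny ACE for $Identity and installs $rule.
    # Add would append beside the old ACEs; Set replaces only ACEs of the same type (Allow).
    $mode = [System.Security.AccessControl.AccessControlModification]::Reset

    $modified = $false
    $backupFile = $null
    if ($PSCmdlet.ShouldProcess($Path, "Reset ACE for $Identity to $Rights")) {
        # Rollback copy: SDDL captures owner, group and every ACE in one string.
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $backupFile = Join-Path $BackupDir (($Path -replace '[\\:]', '_') + '.sddl')
        $acl.Sddl | Set-Content -Path $backupFile

        $ok = $acl.ModifyAccessRule($mode, $rule, [ref]$modified)
        if (-not $ok) { throw "ModifyAccessRule rejected the rule for $Identity on $Path" }
        Set-Acl -Path $Path -AclObject $acl
    }

    [pscustomobject]@{ Path = $Path; Identity = $Identity; Modified = $modified; Backup = $backupFile }
}

# Constructed sample values: dry run first, then apply.
Reset-FolderAccessRule -Path 'C:\Temp\ShareTest' -Identity 'CORP-XXX\SomeGroup' -WhatIf
Reset-FolderAccessRule -Path 'C:\Temp\ShareTest' -Identity 'CORP-XXX\SomeGroup'
```

To roll back, load the saved string with `$acl.SetSecurityDescriptorSddlForm((Get-Content $backupFile))` on a fresh Get-Acl object and pass it back to Set-Acl.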

Thanks for providing a solution! Good luck with your task, hope all goes (or went) well!

1 Spice up

For those who stumble across this post, I heartily recommend this PowerShell module written by a (former?) Microsoft employee:

It is way more functional and you can do stuff like this:

add-ntfsaccess -path \\server.domain.com\sharename\filder -Account DOMAIN\groupname -AccessRights Modify,Synchronize -AccessType Allow -InheritanceFlags ObjectInherit,ContainerInherit -PropagationFlags None

4 Spice ups

Are you tasked to change rights on a file server or on a SAN (or is the file server on the SAN)?

But when you say modify (I assume it's a Windows file server), what do you want to modify in the first place?

It all depends on what you want to remove and what you want to replace them with.

While using PowerShell might be a faster method (like a batch file), it gives you less control (as compared to using the GUI from Windows Explorer) and is more prone to spelling errors and/or syntax errors.

If you have down time, I would just use Windows Explorer and take ownership (may let it run over the weekend). Then at certain lower levels (or share roots) set the permissions using Domain Groups (like d:\share\IT, put rights to Domain Security “IT group”).

1 Spice up