Remove and set ACL on folder powershell

spiceuser-zf1zb · 2021-06-18T06:48:57.000Z

Hi!

So I wanted to make a script that creates sub folders on several folders. Then remove rights and add in specifc ones. So far I got the script to make the folder and disable inheritence.

Now I want to remove all the current groups from the folder and add in new ones. ex Group1, Group2, Admins

How can I do this? (Full script below)

Import-Module ActiveDirectory

$folders = Get-ChildItem "\\Server\Companies"

foreach ($folder in $folders ) {

New-Item -Name "NewSubFolder" -path ($folder.fullname+\test") -ItemType Directory -Verbose 

icacls ($folder.fullname+"\NewSubFolder\test") /inheritance:d 

}

Best Regards

Neally · 2021-06-18T12:27:53.000Z

If you post code, please use the ‘Insert Code’ button. Please and thank you!

Rather than just posting the code, can you elaborate where exactly you are stuck?

Seems you are getting folders and you are setting some permissions with icacls (which is not powershell)

Have you tried to set it for a single folder first?

PLEASE READ BEFORE POSTING! Read if you're new to the PowerShell forum! Programming & Development

Hi, and welcome to the PowerShell forum! Don’t apologize for being a “noob” or “newbie” or “n00b.” There’s just no need – nobody will think you’re stupid, and the forums are all about asking questions. Just ask! Use a descriptive subject. Don't say "Need help" or "PowerShell Help", actually summarize what the problem is. It helps the rest of us keep track of which problem is which. Don’t post massive scripts. We’re all volunteers and we don’t have time to read all that, nor will we copy, past…

spiceuser-zf1zb · 2021-06-21T05:24:48.000Z

Hi!

Thanks, I’ve updated the orignal post with import code. (Thanks didn’t know this).

Well what im stuck with is that I can’t figure out icacls. I can’t get it to remove current rights and set new ones.

Best Regards

gary-m-g · 2021-06-21T13:18:57.000Z

You have to get all the existing permissions because you’ll have to user icacls /remove:g SID for grranted permissions and icacls /remove:d SID for Denies.
(Get-ACL).Access

Best you set up a test data store to play with this and learn exactly what you’re doing before attacking live, production data. ;-}

Neally · 2021-06-21T13:25:55.000Z

spiceuser-zf1zb:

what im stuck with is that I can’t figure out icacls

What have you tried?

Take a test folder to play with

https://ss64.com/nt/icacls.html

ICACLS ("$FOLDER") /$ACTION ("$username" + ':(OI)(CI)F') /T

Do you want to remove specific users, or remove inheritance?

icacls ("\\server\share\folder") /inheritance:d

/inheritance:e|d|r
          e - Enable inheritance
    **d - Disable inheritance and copy the ACEs** 
          r - Remove all inherited ACEs

really all you need is documented, you just have to play around with it.

Give it a shot an post what you have tried if you get stuck again.

jitensh · 2021-06-21T14:13:42.000Z

a sequence of simple rights:

 D - Delete access
                F - Full access (Edit_Permissions+Create+Delete+Read+Write)
                N - No access
                M - Modify access (Create+Delete+Read+Write)
                RX - Read and eXecute access
                R - Read-only access
                W - Write-only access
        a comma-separated list in parentheses of specific rights:
                DE - Delete
                RC - read control
                WDAC - write DAC

example: disable inheritance and giving domain admins groups full rights

icacls c:\folder /inheritance:r --%   /grant:r "domain admins":(OI)(CI)F

spiceuser-zf1zb · 2021-06-22T05:44:33.000Z

Thanks everyone. I figured it out.

Went with a diffrent option in the end tho.

Best Regards

Neally · 2021-06-22T05:46:58.000Z

spiceuser-zf1zb:

Thanks everyone. I figured it out.

Went with a diffrent option in the end tho.

Best Regards

glad you got it figured out.

dare to share?

spiceuser-zf1zb · 2021-06-22T05:57:58.000Z

Made a folder with the correct rights and used robocopy. Works for the intended use as of now

BR