#I made a script to apply modify permissions to an ad group and to remove read
#permissions from BUILTIN\Users due to security reasons.
#Everything is happening on a local server.
#Everything works from this point to...
# Principal that is granted Modify on the application directory below.
# Placeholder value; substitute the real domain group before running.
$ADGroup = 'DOMAIN\Group name'
# Blocks until the operator types "Continue" (the -ne/-eq comparison is
# case-insensitive). Shadows PowerShell's built-in Pause for this script.
Function Pause() {
  $answer = ''
  While ($answer -ne 'Continue') {
    $answer = Read-Host "After you're ready, type Continue.`n"
    If ($answer -ne 'Continue') {
      # The prompt text deliberately contains a literal line break.
      Write-Host -ForegroundColor Yellow "To progress from this point on,
you have to type: " -NoNewline
      Write-Host -ForegroundColor Green "Continue"
    }
  }
}
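# Ensures $Location exists and that $ADGroup holds an inheritable Modify
# (read/write/execute/delete) ACE on it. Inheritance from the parent stays
# enabled. Set-Acl needs WRITE_DAC or ownership on the target, so this is
# normally run from an elevated session.
$Location = 'C:\appdir'
$needsGrant = $true
If (Test-Path -Path $Location) {
  # -and binds tighter than -or: without the parentheses an ACE of *any*
  # principal holding Write rights satisfied the filter, and the grant to
  # $ADGroup was silently skipped.
  $ExpandedACL = Get-Acl -Path $Location | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -eq $ADGroup -and
      ($_.FileSystemRights -like '*Modify*' -or $_.FileSystemRights -like '*Write*') }
  $needsGrant = -not $ExpandedACL
}
Else {
  # A freshly created directory cannot carry an explicit ACE for the group yet,
  # so the grant is always applied in this branch.
  New-Item -Name appdir -Path C:\ -ItemType Directory | Out-Null
}
If ($needsGrant) {
  $LocationACL = Get-Acl -Path $Location
  # isProtected=$False keeps parent inheritance; the second argument only
  # matters when inheritance is being disabled.
  $LocationACL.SetAccessRuleProtection($False, $True)
  $ModifyPerms = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $ADGroup, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
  $LocationACL.AddAccessRule($ModifyPerms)
  Set-Acl -Path $Location -AclObject $LocationACL
}
Pause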
#... this point. For some cryptic reason, following block gives no errors, when I
#add -Verbose to commands it will show me that everything went ok.
#But BUILTIN\Users is not being stripped of Read permissions. However,
#when I run the script again, everything works fine from top to bottom.
#Obviously I want this to run with one go. What I was able to get from all this
#is that with first pass Set-Acl disables inheritance, but... is not able to
#disable inheritance and set permissions in one instance/session?? I'm no pro
#at this, so I can only guess and it's why I ended up here :)
#BTW, some may want to suggest using icacls, but I would want to know why
#doesn't it work with PowerShell or what am I doing wrong.
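# Withdraws BUILTIN\Users access from each listed file in two committed steps:
# first break inheritance (copying the inherited ACEs onto the file), then
# remove the now-explicit BUILTIN\Users ACEs. Doing both in one Set-Acl did
# not take effect for the author; presumably the inherited ACE is not yet an
# explicit rule that RemoveAccessRuleAll can act on until the protection
# change has been written.
[array]$XMLs = @('C:\appdir\secretfile1.xml', 'C:\appdir\secretfile2.xml',
  'C:\appdir\secretfile3.xml')
Foreach ($XML in $XMLs) {
  If (-not (Test-Path -Path $XML)) {
    # Get-Acl on a missing path would error and leave the ACL variable empty.
    Write-Warning "Skipping missing file: $XML"
    Continue
  }
  # Step 1: protect the ACL (isProtected=$True) and keep the inherited ACEs as
  # explicit copies (preserveInheritance=$True), then commit.
  $XMLACLSec = Get-Acl -Path $XML
  $XMLACLSec.SetAccessRuleProtection($True, $True)
  Set-Acl -Path $XML -AclObject $XMLACLSec
  # Step 2: RemoveAccessRuleAll matches on identity and access type only, so
  # every Allow ACE for BUILTIN\Users goes, whatever rights it carried; the
  # 'Read'/'ObjectInherit' values here do not narrow the removal.
  $ReadPerms = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'BUILTIN\Users', 'Read', 'ObjectInherit', 'None', 'Allow'
  $XMLACL = Get-Acl -Path $XML
  $XMLACL.RemoveAccessRuleAll($ReadPerms)
  Set-Acl -Path $XML -AclObject $XMLACL
  # Post-check: the original symptom was a silent no-op with no error, so
  # verify the outcome rather than trusting the absence of errors.
  $remaining = (Get-Acl -Path $XML).Access |
    Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' }
  If ($remaining) {
    Write-Warning "BUILTIN\Users still holds an ACE on $XML"
  }
  # NOTE(review): the ACEs copied from the parent may still grant read to
  # other principals (e.g. Authenticated Users) - inspect (Get-Acl $XML).Access
  # rather than assuming BUILTIN\Users was the only reader.
}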
#Thanks
#Finally figured it out. Instead of trying to set rule protection and the new ACL
#at once, I went step by step.
#permissions from BUILTIN\Users due to security reasons.
#Everything is happening on a local server.
#Everything works from this point to...
# Principal that is granted Modify on the application directory below.
# Placeholder value; substitute the real domain group before running.
$ADGroup = 'DOMAIN\Group name'
# Blocks until the operator types "Continue" (the -ne/-eq comparison is
# case-insensitive). Shadows PowerShell's built-in Pause for this script.
Function Pause() {
  $answer = ''
  While ($answer -ne 'Continue') {
    $answer = Read-Host "After you're ready, type Continue.`n"
    If ($answer -ne 'Continue') {
      # The prompt text deliberately contains a literal line break.
      Write-Host -ForegroundColor Yellow "To progress from this point on,
you have to type: " -NoNewline
      Write-Host -ForegroundColor Green "Continue"
    }
  }
}
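# Ensures $Location exists and that $ADGroup holds an inheritable Modify
# (read/write/execute/delete) ACE on it. Inheritance from the parent stays
# enabled. Set-Acl needs WRITE_DAC or ownership on the target, so this is
# normally run from an elevated session.
$Location = 'C:\appdir'
$needsGrant = $true
If (Test-Path -Path $Location) {
  # -and binds tighter than -or: without the parentheses an ACE of *any*
  # principal holding Write rights satisfied the filter, and the grant to
  # $ADGroup was silently skipped.
  $ExpandedACL = Get-Acl -Path $Location | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -eq $ADGroup -and
      ($_.FileSystemRights -like '*Modify*' -or $_.FileSystemRights -like '*Write*') }
  $needsGrant = -not $ExpandedACL
}
Else {
  # A freshly created directory cannot carry an explicit ACE for the group yet,
  # so the grant is always applied in this branch.
  New-Item -Name appdir -Path C:\ -ItemType Directory | Out-Null
}
If ($needsGrant) {
  $LocationACL = Get-Acl -Path $Location
  # isProtected=$False keeps parent inheritance; the second argument only
  # matters when inheritance is being disabled.
  $LocationACL.SetAccessRuleProtection($False, $True)
  $ModifyPerms = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $ADGroup, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
  $LocationACL.AddAccessRule($ModifyPerms)
  Set-Acl -Path $Location -AclObject $LocationACL
}
Pause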
#... this point. For some cryptic reason, following block gives no errors, when I
#add -Verbose to commands it will show me that everything went ok.
#But BUILTIN\Users is not being stripped of Read permissions. However,
#when I run the script again, everything works fine from top to bottom.
#Obviously I want this to run with one go. What I was able to get from all this
#is that with first pass Set-Acl disables inheritance, but... is not able to
#disable inheritance and set permissions in one instance/session?? I'm no pro
#at this, so I can only guess and it's why I ended up here :)
#BTW, some may want to suggest using icacls, but I would want to know why
#doesn't it work with PowerShell or what am I doing wrong.
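# Withdraws BUILTIN\Users access from each listed file in two committed steps:
# first break inheritance (copying the inherited ACEs onto the file), then
# remove the now-explicit BUILTIN\Users ACEs. Doing both in one Set-Acl did
# not take effect for the author; presumably the inherited ACE is not yet an
# explicit rule that RemoveAccessRuleAll can act on until the protection
# change has been written.
[array]$XMLs = @('C:\appdir\secretfile1.xml', 'C:\appdir\secretfile2.xml',
  'C:\appdir\secretfile3.xml')
Foreach ($XML in $XMLs) {
  If (-not (Test-Path -Path $XML)) {
    # Get-Acl on a missing path would error and leave the ACL variable empty.
    Write-Warning "Skipping missing file: $XML"
    Continue
  }
  # Step 1: protect the ACL (isProtected=$True) and keep the inherited ACEs as
  # explicit copies (preserveInheritance=$True), then commit.
  $XMLACLSec = Get-Acl -Path $XML
  $XMLACLSec.SetAccessRuleProtection($True, $True)
  Set-Acl -Path $XML -AclObject $XMLACLSec
  # Step 2: RemoveAccessRuleAll matches on identity and access type only, so
  # every Allow ACE for BUILTIN\Users goes, whatever rights it carried; the
  # 'Read'/'ObjectInherit' values here do not narrow the removal.
  $ReadPerms = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'BUILTIN\Users', 'Read', 'ObjectInherit', 'None', 'Allow'
  $XMLACL = Get-Acl -Path $XML
  $XMLACL.RemoveAccessRuleAll($ReadPerms)
  Set-Acl -Path $XML -AclObject $XMLACL
  # Post-check: the original symptom was a silent no-op with no error, so
  # verify the outcome rather than trusting the absence of errors.
  $remaining = (Get-Acl -Path $XML).Access |
    Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' }
  If ($remaining) {
    Write-Warning "BUILTIN\Users still holds an ACE on $XML"
  }
  # NOTE(review): the ACEs copied from the parent may still grant read to
  # other principals (e.g. Authenticated Users) - inspect (Get-Acl $XML).Access
  # rather than assuming BUILTIN\Users was the only reader.
}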
#Thanks
#Finally figured it out. Instead of trying to set rule protection and the new ACL
#at once, I went step by step.