I have an environment where Orchestrator is implemented and things are automated like creating folders/sub-folders and setting permissions.
This is nice if you need to create one folder (with sub-folders), but in the first instance I need to create 1500 folders.
I grabbed some PS scripts out of orchestrator, but they need to be adjusted to work.
I have now created a script which creates all root folders and underlying sub-folders.
But I still need to set permissions on it.
One script assigns root folder permissions and the other does that for all sub-folders.
The sub-folder script uses a CSV file which contains the following:
<subfoldername>,AD-group-read,AD-group-modify
and so on.
They do not work yet, because they were made to run inside Orchestrator and used its variables to get some data.
I hope someone can help me out and get this working.
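################# root folder permissions #####################
# Replaces inheritance on the root folder with an explicit ACL:
# BUILTIN\Administrators, NT AUTHORITY\SYSTEM and <domain\group1> get
# FullControl, <domain\group2> gets ListDirectory.
# Replace both <domain\...> placeholders with real groups before running.
#------------------------------------------------------------
# Variable
#------------------------------------------------------------
#root folder
$root = "d:\rootfolder"
#-----------------------------------------------------------
#permissions on folders
# SetAccessRuleProtection(isProtected, preserveInheritance)
# $True,$True  = block inheritance, keep the inherited rules as explicit copies
# $True,$False = block inheritance, drop the inherited rules (used below)
# $False,<any> = keep inheritance (the second argument is ignored)
# Explicit rules that are already on the folder are kept in every case;
# the AddAccessRule calls below are merged into them, so review the
# resulting ACL for old grants that should no longer be there.
#-------------------------------------------------------------
# Build permissions
#-----------------------------------------------------------
# Everything runs inside one try block: if any rule cannot be built or
# added, Set-Acl is never reached. Without this the script would carry on
# after an error and write an ACL that has inheritance removed but is
# missing some of the intended rules.
try {
    $correctACLs = Get-Acl $root -ErrorAction Stop
    $correctACLs.SetAccessRuleProtection($True,$False)
    $Rule_Admin = New-Object Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators",@("FullControl"),"ContainerInherit, ObjectInherit","None","Allow")
    $Rule_System = New-Object Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM",@("FullControl"),"ContainerInherit, ObjectInherit","None","Allow")
    $Rule_Full = New-Object Security.AccessControl.FileSystemAccessRule("<domain\group1>",@("FullControl"),"ContainerInherit, ObjectInherit","None","Allow")
    $Rule_list = New-Object Security.AccessControl.FileSystemAccessRule("<domain\group2>",@("ListDirectory"),"ContainerInherit, ObjectInherit","None","Allow")
    $correctACLs.AddAccessRule($Rule_Admin)
    $correctACLs.AddAccessRule($Rule_System)
    $correctACLs.AddAccessRule($Rule_Full)
    $correctACLs.AddAccessRule($Rule_list)
    #-----------------------------------------------------------
    # Apply permissions
    #-----------------------------------------------------------
    Set-Acl $root $correctACLs -ErrorAction Stop
}
catch {
    Write-Error "Root folder permissions NOT applied to '$root': $($_.Exception.Message)"
}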
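################# sub folder permissions #####################
# Sets an explicit, non-inherited ACL on every sub-folder listed in the CSV.
# The CSV must have a header row with the columns foldername, Read and Modify
# (matching the order <subfoldername>,AD-group-read,AD-group-modify).
# Replace both <domain\...> placeholders with real groups before running.
#------------------------------------------------------------
# Variable
#------------------------------------------------------------
#root folder
$root = "d:\rootfolder"
#Import CSV
$foldercsv = "d:\subfolders_permissions.csv"
$PropagationFlagadmin = [System.Security.AccessControl.PropagationFlags]::None
$PropagationFlagsystem = [System.Security.AccessControl.PropagationFlags]::None
$PropagationFlagfull = [System.Security.AccessControl.PropagationFlags]::None
# InheritOnly: the Modify rule applies to the contents of the folder,
# not to the folder object itself.
$PropagationFlagmodify = [System.Security.AccessControl.PropagationFlags]::inheritOnly
$PropagationFlagcreatefiles = [System.Security.AccessControl.PropagationFlags]::None
$PropagationFlagcreatedirectories = [System.Security.AccessControl.PropagationFlags]::None
$PropagationFlagread = [System.Security.AccessControl.PropagationFlags]::None
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$objType = [System.Security.AccessControl.AccessControlType]::Allow
$objType_deny = [System.Security.AccessControl.AccessControlType]::Deny
#-------------------------------------------------------------
#Permissions on folders
# SetAccessRuleProtection(isProtected, preserveInheritance)
# $True,$True  = block inheritance, keep the inherited rules as explicit copies
# $True,$False = block inheritance, drop the inherited rules (used below)
# $False,<any> = keep inheritance (the second argument is ignored)
# Explicit rules that are already on a folder are kept in every case.
#-------------------------------------------------------------
$Permissions = @(Import-Csv $foldercsv -delimiter ',' -ErrorAction Stop)

# Fail before touching any ACL when the CSV does not have the expected
# columns. Without a header row Import-Csv uses the first data row as column
# names, and $line.foldername / $line.Read / $line.Modify are all empty.
if ($Permissions.Count -eq 0) {
    throw "No rows found in $foldercsv"
}
$csvColumns = $Permissions[0].PSObject.Properties | ForEach-Object { $_.Name }
$missingColumns = "foldername","Read","Modify" | Where-Object { $csvColumns -notcontains $_ }
if ($missingColumns) {
    throw "$foldercsv is missing column(s): $($missingColumns -join ', '). Add a header row 'foldername,Read,Modify' or pass -Header to Import-Csv."
}

ForEach ($line in $Permissions)
{
    $targetfolder = $line.foldername

    # An empty folder name would resolve to $root itself and overwrite the
    # root folder's ACL with the sub-folder rules.
    if ("$targetfolder".Trim() -eq '') {
        Write-Warning "Skipped a row with an empty foldername."
        continue
    }
    # A '..' segment would let a row change the ACL of a folder outside $root.
    if (($targetfolder -split '[\\/]') -contains '..') {
        Write-Warning "Skipped '$targetfolder': '..' is not allowed in foldername."
        continue
    }
    # An empty group name cannot be turned into an access rule.
    if ("$($line.Read)".Trim() -eq '' -or "$($line.Modify)".Trim() -eq '') {
        Write-Warning "Skipped '$targetfolder': Read or Modify group is empty."
        continue
    }

    $targetpath = Join-Path $root $targetfolder

    # One try block per folder: when a rule cannot be built or added, Set-Acl
    # for this folder is never reached. Without this the rule variables would
    # still hold the previous row's objects, and the previous folder's groups
    # would be granted access to this folder.
    try {
        # -LiteralPath (PowerShell 3.0+) keeps [ ] * ? in a folder name from
        # being treated as wildcards that could match other folders.
        $correctACLs = Get-Acl -LiteralPath $targetpath -ErrorAction Stop
        #-----------------------------------------------------------
        # Build permissions
        #-----------------------------------------------------------
        $correctACLs.SetAccessRuleProtection($True,$False)
        $Rule_Admin = New-Object Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators",@("FullControl"),$InheritanceFlag, $PropagationFlagadmin, $objType)
        $Rule_System = New-Object Security.AccessControl.FileSystemAccessRule ("NT AUTHORITY\SYSTEM",@("FullControl"),$InheritanceFlag, $PropagationFlagsystem, $objType)
        $Rule_ReadEx = New-Object System.Security.AccessControl.FileSystemAccessRule ("<domain\group1>","ReadAndExecute", $InheritanceFlag, $PropagationFlagfull, $objType)
        $Rule_Full = New-Object System.Security.AccessControl.FileSystemAccessRule ("<domain\group2>","FullControl", $InheritanceFlag, $PropagationFlagfull, $objType)
        # The Modify group gets Modify on the folder's contents only, plus
        # CreateFiles / CreateDirectories on the folder and everything below it.
        $Rule_modify = New-Object System.Security.AccessControl.FileSystemAccessRule ($line.Modify,"Modify", $InheritanceFlag, $PropagationFlagmodify, $objType)
        $Rule_createfiles = New-Object System.Security.AccessControl.FileSystemAccessRule ($line.Modify,"Createfiles", $InheritanceFlag, $PropagationFlagcreatefiles, $objType)
        $Rule_createdirectories = New-Object System.Security.AccessControl.FileSystemAccessRule ($line.Modify,"Createdirectories", $InheritanceFlag, $PropagationFlagcreatedirectories, $objType)
        $Rule_read = New-Object System.Security.AccessControl.FileSystemAccessRule ($line.Read,"ReadAndExecute", $InheritanceFlag, $PropagationFlagread, $objType)
        $correctACLs.AddAccessRule($Rule_Admin)
        $correctACLs.AddAccessRule($Rule_System)
        $correctACLs.AddAccessRule($Rule_Full)
        $correctACLs.AddAccessRule($Rule_modify)
        $correctACLs.AddAccessRule($Rule_createfiles)
        $correctACLs.AddAccessRule($Rule_createdirectories)
        $correctACLs.AddAccessRule($Rule_read)
        $correctACLs.AddAccessRule($Rule_ReadEx)
        #-----------------------------------------------------------
        # Apply permissions
        #-----------------------------------------------------------
        Set-Acl -LiteralPath $targetpath -AclObject $correctACLs -ErrorAction Stop
    }
    catch {
        Write-Error "Permissions NOT applied to '$targetpath': $($_.Exception.Message)"
    }
}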
################################################