Jul 23 2010 1:50PM GMT

Setting permissions

Posted by: Richard Siddaway

There was a question on the ITKE forum about creating folders and setting permissions. That immediately started me thinking about a PowerShell answer

001

002

003

004

005

006

007

008

009

010

011

012

013

014

015

016

017

018

019

020

021

022

023

024

025

026

027

028

029

030

$trustee = ([wmiclass]‘Win32_trustee’).psbase.CreateInstance()

$trustee.Domain = “RSLAPTOP01″

$trustee.Name = “Test”
$fullcontrol = 2032127

$change = 1245631

$read = 1179785
$ace = ([wmiclass]‘Win32_ACE’).psbase.CreateInstance()

$ace.AccessMask = $fullcontrol

$ace.AceFlags = 3

$ace.AceType = 0

$ace.Trustee = $trustee
$sd = ([wmiclass]‘Win32_SecurityDescriptor’).psbase.CreateInstance()

$sd.ControlFlags = 4

$sd.DACL = $ace

$sd.group = $trustee

$sd.owner = $trustee
Get-ChildItem -Path c:\test | 

where{($_.PSISContainer) -and ($_.Name -like “test?”)} |

foreach {

    New-Item -Path $_.FullName -Name “Special” -ItemType directory

    $folder = Join-Path -Path $_.FullName -ChildPath “Special” 

    $name = $folder.Replace(“\”,“\\”)

    $fldr = Get-WmiObject -Class Win32_Directory -Filter “Name=’$name’”

    $fldr.ChangeSecurityPermissions($sd, 4)

}

I created a group called test on my machine – then used Win32_Trustee to create an object referring to the group. The creatinstance method doesn’t show on the PowerShell object so we have to drill down into the base object.

We then create an ACE defining full control and a security descriptor encompassing the ACE and the trustee.

I can loop through a folder picking off the folders that match a pattern and then create a new folder in each. After creation I set the security permission.

Comment

RSS Feed

Email a friend

PowerShell for Windows Admins

Setting permissions

Comment on this Post

About This Blog

Browse This Blog’s Tags

Archives

Blog Roll

Subscribe to Alerts