PowerShell for Windows Admins

Jul 23 2010   1:50PM GMT

Setting permissions

Richard Siddaway Richard Siddaway Profile: Richard Siddaway

There was a question on the ITKE forum about creating folders and setting permissions.  That immediately started me thinking about a PowerShell answer

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023
024
025
026
027
028
029
030
$trustee = ([wmiclass]‘Win32_trustee’).psbase.CreateInstance()
$trustee.Domain = “RSLAPTOP01”
$trustee.Name = “Test”

$fullcontrol = 2032127
$change = 1245631
$read = 1179785

$ace = ([wmiclass]‘Win32_ACE’).psbase.CreateInstance()
$ace.AccessMask = $fullcontrol
$ace.AceFlags = 3
$ace.AceType = 0
$ace.Trustee = $trustee

$sd = ([wmiclass]‘Win32_SecurityDescriptor’).psbase.CreateInstance()
$sd.ControlFlags = 4
$sd.DACL = $ace
$sd.group = $trustee
$sd.owner = $trustee

Get-ChildItem -Path c:\test | 
where{($_.PSISContainer) -and ($_.Name -like “test?”)} |
foreach {
    New-Item -Path $_.FullName -Name “Special” -ItemType directory
    $folder = Join-Path -Path $_.FullName -ChildPath “Special” 
    $name = $folder.Replace(“\”,“\\”)
    $fldr = Get-WmiObject -Class Win32_Directory -Filter “Name=’$name'”
    $fldr.ChangeSecurityPermissions($sd, 4)
}

I created a group called test on my machine – then used Win32_Trustee to create an object referring to the group. The creatinstance method doesn’t show on the PowerShell object so we have to drill down into the base object.

We then create an ACE defining full control and a security descriptor encompassing the ACE and the trustee.

I can loop through a folder picking off the folders that match a pattern and then create a new folder in each. After creation I set the security permission.

3  Comments on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • Adding permissions - PowerShell for Windows Admins
    [...] a recent post http://itknowledgeexchange.techtarget.com/powershell/setting-permissions/ I showed how to set the permissions on a folder. Some times we just want to add [...]
    0 pointsBadges:
    report
  • moosaRaja
    I need to do this for everyone instead of specific user? How is possible to do it?
    0 pointsBadges:
    report
  • Richard Siddaway
    Put them in a group and assign the group the rights instead of a user. Then if people needing access change just modify the group membership
    6,710 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: