<#PSScriptInfo
.VERSION 0.3.2
.GUID 822e92d8-2cbd-4db1-9c78-ccbe1a200acd
.AUTHOR Sam Petch
.COMPANYNAME
.COPYRIGHT
.TAGS
.LICENSEURI
.PROJECTURI https://github.com/Invertee/UserFolderACLs
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
#>
<#
.DESCRIPTION
Sets ACLs on user data held on a file server so that each folder is matched to its corresponding user.
#>
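Param(
    # Root folder that holds one sub-folder per user. Validated up front so a
    # mistyped path fails at parameter binding instead of producing an empty run.
    [parameter(Mandatory=$true)]
    [ValidateScript({ Test-Path -LiteralPath $_ -PathType Container })]
    $Folder,
    # Extra groups (looked up in $env:userdomain) that receive FullControl on every user folder.
    [parameter()] [array] $AdditionalDomainGroups,
    # Skip granting FullControl to "Domain Admins" and the local "Administrators" group.
    [parameter()] [switch] $DontAddAdmins,
    # Keep inheritance from the parent instead of protecting the folder's ACL.
    [parameter()] [switch] $DontDisableInheritance,
    # Keep the existing explicit ACEs instead of clearing them before adding the new ones.
    [parameter()] [switch] $DontRemoveCurrentACLs,
    # Leave the owner unchanged instead of setting it to the matched user account.
    [parameter()] [switch] $DontChangeOwner
)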
# Warn when the LongPathsEnabled value is missing or 0. The script only warns;
# it does not change the setting.
$longPathsValue = Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem -Name 'LongPathsEnabled' -ErrorAction SilentlyContinue
$longPathsOff = ($null -eq $longPathsValue) -or ($longPathsValue.LongPathsEnabled -eq 0)
if ($longPathsOff) {
    Write-Warning "Support for long file paths is disabled. Consider turning this on:
https://www.intel.com/content/www/us/en/programmable/support/support-resources/knowledge-base/ip/2018/how-do-i-extend-windows-server-2016-file-path-support-from-260-t.html"
}
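#$ErrorActionPreference = 'Stop'
# Keep the root path: $Folder is reused as the loop variable below and the
# report at the end is written into this directory.
$Directory = $Folder
# One entry per user folder. -LiteralPath so bracket characters in the path are
# not treated as wildcards; -ErrorAction Stop so an unreadable root aborts the
# run instead of silently yielding zero folders. Hidden sub-folders are not
# included (no -Force).
$Userfolders = Get-ChildItem -LiteralPath $Folder -Directory -ErrorAction Stop
$results = @()
# Interactive confirmation before any ACL is touched; the count is the scope of the change.
Write-Warning "You are about to change permissions on $($Userfolders.Count) folders, continue?" -WarningAction Inquire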
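Foreach ($Folder in $Userfolders) {
    Write-host "`nSetting permissions for folder: $Folder" -NoNewline
    $Success = 0
    $derror = $null
    # Reset per folder so an error raised before the per-file pass is never
    # attributed to a file left over from the previous folder.
    $InnerItem = $null
    # The folder name is taken as the account name in the current domain.
    $Username = $env:userdomain + '\' + $Folder.BaseName
    # Strip a trailing profile-version suffix such as ".V2" (dot, V, one digit 1-8).
    # The pattern is anchored and the dot escaped: an unanchored '.v[1-8]' also
    # matched names that merely contain "v<digit>" (e.g. "kev1n") and truncated
    # them, which could hand the folder to a different, unrelated account.
    if ($Username -match '\.v[1-8]$') { $Username = $Username -replace '.{3}$' }
    $ACL = Get-ACL -LiteralPath $Folder.FullName
    Try {
        if (!($DontChangeOwner)) {
            $ACL.SetOwner([System.Security.Principal.NTAccount]"$Username")
        }
        if (!($DontDisableInheritance)) {
            # Protect from inheritance and drop (not copy) the inherited ACEs.
            $ACL.SetAccessRuleProtection($true,$false)
        }
        if (!($DontRemoveCurrentACLs)) {
            # Remove every explicit ACE, write it back, then re-read so the
            # object reflects the cleared state before new rules are added.
            $ACL.Access | Foreach-Object { $ACL.RemoveAccessRule($_) | Out-Null}
            Set-ACL -LiteralPath $Folder.FullName -AclObject $ACL -ErrorAction Stop
            $ACL = Get-ACL -LiteralPath $Folder.FullName
        }
        if ($AdditionalDomainGroups) {
            Foreach ($Group in $AdditionalDomainGroups) {
                $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$env:userdomain\$Group","FullControl","ContainerInherit, ObjectInherit", "None", "Allow")
                $ACL.SetAccessRule($AccessRule)
            }
        }
        # Adds Permissions for User
        $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Username,"FullControl","ContainerInherit, ObjectInherit", "None", "Allow")
        $ACL.SetAccessRule($AccessRule)
        if (!($DontAddAdmins)) {
            ## Adds Permissions for domain admin group
            $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$env:userdomain\Domain Admins","FullControl","ContainerInherit, ObjectInherit", "None", "Allow")
            $ACL.SetAccessRule($AccessRule)
            ## Adds Permissions for Administrators group
            $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl","ContainerInherit, ObjectInherit", "None", "Allow")
            $ACL.SetAccessRule($AccessRule)
        }
        ## Adds Permissions for system group
        $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl","ContainerInherit, ObjectInherit", "None", "Allow")
        $ACL.SetAccessRule($AccessRule)
        # An identity that cannot be resolved surfaces here as a terminating
        # error and lands in the outer catch below.
        Set-ACL -LiteralPath $Folder.FullName -AclObject $ACL -ErrorAction Stop
        # Hidden/system children are skipped (no -Force) — TODO confirm that is
        # intended, since such items keep whatever explicit ACEs they already have.
        $Inner = Get-ChildItem -LiteralPath $Folder.FullName -Recurse
        Try {
            Foreach ($InnerItem in $Inner) {
                # -ErrorAction Stop so a failed item is recorded as an error
                # instead of being counted as a success by the increment below.
                # NOTE(review): the folder's ACL object (owner included) is pushed
                # onto every child; confirm that is the intended result for files
                # as well as sub-folders.
                Set-Acl -LiteralPath $InnerItem.FullName -AclObject $ACL -ErrorAction Stop
                $Success++
                Write-host "`r$Folder - Applying files processed $success items" -NoNewline -ForegroundColor Green
            }
            write-host "`r$Folder permissions complete. $success items proccessed." -NoNewline -ForegroundColor Green
        } catch {
            # The first failing item aborts the pass over this folder; the
            # item and message go into the report.
            $derror = "$InnerItem - " + $_.Exception.Message
        }
    } Catch {
        if ($_ -match 'Some or all identity references could not be translated') {
            write-host "`rFolder $Folder failed. - Can't match folder with username" -NoNewline -ForegroundColor red
        }
        if ($_ -match 'privilege which is required for this operation.') {
            write-host "`r Folder $Folder failed. - Access is denied" -NoNewline -ForegroundColor red
        }
        # The failure happened before the per-file pass, so attribute it to the
        # folder rather than to a file.
        $derror = "$($Folder.FullName) - " + $_.Exception.Message
    }
    $folderResult = [PSCustomObject]@{
        Folder = $Folder.Fullname
        "Successful Files " = $Success
        "Errors" = $derror
    }
    $results += $folderResult
}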
# Per-folder summary written into the root of the user-folder tree. The
# stylesheet is fetched from a third-party host when the report is opened.
$reportPath = "$Directory\ACLReport.html"
$stylesheetUri = 'https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css'
$results |
    ConvertTo-Html -CssUri $stylesheetUri |
    Out-File -FilePath $reportPath -Force