Setting folder permissions

18-05-2008, 07:52 PM

I've been experimenting with a couple of scripts to set folder permissions.

I've tried this from here

$acl = Get-Acl c:\temp
$permission = "domain\user","FullControl","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
$acl | Set-Acl c:\temp

and this from here

#ChangeACL.ps1
$Right="FullControl"

#The possible values for Rights are
# ListDirectory, ReadData, WriteData
# CreateFiles, CreateDirectories, AppendData
# ReadExtendedAttributes, WriteExtendedAttributes, Traverse
# ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes
# WriteAttributes, Write, Delete
# ReadPermissions, Read, ReadAndExecute
# Modify, ChangePermissions, TakeOwnership
# Synchronize, FullControl

$StartingDir=Read-Host "What directory do you want to start at?"
$Principal=Read-Host "What security principal do you want to grant" `
"$Right to? `n Use format domain\username or domain\group"

#define a new access rule.
#note that the $rule line has been artificially broken for print purposes.
#it needs to be one line. the online version of the script is properly
#formatted.
$rule=new-object System.Security.AccessControl.FileSystemAccessRule
($Principal,$Right,"Allow")

foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
$acl=get-acl $file.FullName

#Add this access rule to the ACL
$acl.SetAccessRule($rule)

#Write the changes to the object
set-acl $File.Fullname $acl
}

For the second one I get this error when trying to apply it to an inetpub folder:

Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At C:\Documents and Settings\kmcfarlane\My Documents\Development\ChangeACL.ps1:29 char:21
+ $acl.SetAccessRule( <<<< $rule)
Set-Acl : The security identifier is not allowed to be the owner of this object.
At C:\Documents and Settings\kmcfarlane\My Documents\Development\ChangeACL.ps1:32 char:10
+ set-acl <<<< $File.Fullname $acl

For the first script I just get the first part of that error. Any ideas?
--
Kevin

19-05-2008, 08:52 AM

NewWorldMan wrote:
> I've been experimenting with a couple of scripts to set folder permissions.
>
> I've tried this from here
>
>
> |$acl = Get-Acl c:\temp
> $permission = "domain\user","FullControl","Allow"
> $accessRule = New-Object
> System.Security.AccessControl.FileSystemAccessRule $permission
> $acl.SetAccessRule($accessRule)
> $acl | Set-Acl c:\temp|

This one is shorter...

Works for me.

So, does "domain\user" exist in your environment? That syntax supposes
that you are adding a *domain* account with that username.

Marco

--
Microsoft MVP - Windows PowerShell

PowerGadgets MVP

Blog:

18-05-2008, 07:52 PM	#1
NewWorldMan Guest Posts: n/a	Setting folder permissions I've been experimenting with a couple of scripts to set folder permissions. I've tried this from here $acl = Get-Acl c:\temp $permission = "domain\user","FullControl","Allow" $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission $acl.SetAccessRule($accessRule) $acl \| Set-Acl c:\temp and this from here #ChangeACL.ps1 $Right="FullControl" #The possible values for Rights are # ListDirectory, ReadData, WriteData # CreateFiles, CreateDirectories, AppendData # ReadExtendedAttributes, WriteExtendedAttributes, Traverse # ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes # WriteAttributes, Write, Delete # ReadPermissions, Read, ReadAndExecute # Modify, ChangePermissions, TakeOwnership # Synchronize, FullControl $StartingDir=Read-Host "What directory do you want to start at?" $Principal=Read-Host "What security principal do you want to grant" ` "$Right to? `n Use format domain\username or domain\group" #define a new access rule. #note that the $rule line has been artificially broken for print purposes. #it needs to be one line. the online version of the script is properly #formatted. $rule=new-object System.Security.AccessControl.FileSystemAccessRule ($Principal,$Right,"Allow") foreach ($file in $(Get-ChildItem $StartingDir -recurse)) { $acl=get-acl $file.FullName #Add this access rule to the ACL $acl.SetAccessRule($rule) #Write the changes to the object set-acl $File.Fullname $acl } For the second one I get this error when trying to apply it to an inetpub folder: Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated." At C:\Documents and Settings\kmcfarlane\My Documents\Development\ChangeACL.ps1:29 char:21 + $acl.SetAccessRule( <<<< $rule) Set-Acl : The security identifier is not allowed to be the owner of this object. At C:\Documents and Settings\kmcfarlane\My Documents\Development\ChangeACL.ps1:32 char:10 + set-acl <<<< $File.Fullname $acl For the first script I just get the first part of that error. Any ideas? -- Kevin

19-05-2008, 08:52 AM	#2
Marco Shaw [MVP] Guest Posts: n/a	Re: Setting folder permissions NewWorldMan wrote: > I've been experimenting with a couple of scripts to set folder permissions. > > I've tried this from here > > > \|$acl = Get-Acl c:\temp > $permission = "domain\user","FullControl","Allow" > $accessRule = New-Object > System.Security.AccessControl.FileSystemAccessRule $permission > $acl.SetAccessRule($accessRule) > $acl \| Set-Acl c:\temp\| This one is shorter... Works for me. So, does "domain\user" exist in your environment? That syntax supposes that you are adding a domain account with that username. Marco -- Microsoft MVP - Windows PowerShell PowerGadgets MVP Blog:

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

New To Site?	Need Help?
Register to Participate Meet our Staff Refer Forum Rules Contact Us	Frequently Asked Questions Did you forget your password? Mark Forums Read

Setting folder permissions

Microsoft Windows Powershell