68

I am trying to use the "default" options in applying folder permissions; by that, I mean using the "Full Control, Write, Read, etc" in the 'Properties' for a folder.

The following script works to add the user in, but it applies "Special Permissions" - not the ones with the tick boxes for the ones visible in the properties menu of the folder:

$Acl = Get-Acl "\\R9N2WRN\Share"

$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule ("user","FullControl","Allow")

$Acl.SetAccessRule($Ar)
Set-Acl "\\R9N2WRN\Share" $Acl

What am I doing wrong please?

Jérémie Bertrand
The Woo

6 Answers

122

Specifying inheritance in the FileSystemAccessRule() constructor fixes this, as demonstrated by the modified code below (notice the two new constructor parameters inserted between "FullControl" and "Allow").

$Acl = Get-Acl "\\R9N2WRN\Share"

$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("user", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")

$Acl.SetAccessRule($Ar)
Set-Acl "\\R9N2WRN\Share" $Acl

According to this topic

"when you create a FileSystemAccessRule the way you have, the InheritanceFlags property is set to None. In the GUI, this corresponds to an ACE with the Apply To box set to "This Folder Only", and that type of entry has to be viewed through the Advanced settings."

I have tested the modification and it works, but of course credit is due to the MVP posting the answer in that topic.

Jérémie Bertrand
PeterK
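
The difference described in the quoted explanation above, as an added example that is not part of the original answers: it applies the 3-argument and the 5-argument rule to two scratch folders and reports whether a newly created child file receives the entry. The BUILTIN\Users SID, the ReadAndExecute right, the `Test-AceInheritance` helper and the folders under `$env:TEMP` are assumptions chosen for the demo.

```powershell
# Added example. Trustee is BUILTIN\Users via its well-known SID (assumption);
# it is assumed that this group has no entry on the $env:TEMP path already.
$sid     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$sidType = [System.Security.Principal.SecurityIdentifier]
$type    = 'System.Security.AccessControl.FileSystemAccessRule'

function Test-AceInheritance {
    param([string]$Label, [object[]]$RuleArguments)

    # Fresh scratch folder (constructed for the demo) for each rule.
    $folder = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $folder | Out-Null

    # Build the rule from the given constructor arguments and apply it.
    $rule = New-Object -TypeName $type -ArgumentList $RuleArguments
    $acl  = Get-Acl -Path $folder
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folder -AclObject $acl

    # A new child file receives only the parent entries marked as inheritable.
    $child   = New-Item -ItemType File -Path (Join-Path $folder 'child.txt')
    $onChild = (Get-Acl -Path $child.FullName).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value }

    [pscustomobject]@{
        Rule             = $Label
        InheritanceFlags = $rule.InheritanceFlags
        PropagationFlags = $rule.PropagationFlags
        ChildHasAce      = [bool]$onChild
    }

    Remove-Item -Path $folder -Recurse -Force
}

# 3 arguments: InheritanceFlags is None ("This folder only").
Test-AceInheritance 'folder only (3 args)' @($sid, 'ReadAndExecute', 'Allow')

# 5 arguments: subfolders (ContainerInherit) and files (ObjectInherit) inherit the entry.
Test-AceInheritance 'inheritable (5 args)' @(
    $sid, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
```

With an inheritable entry on the parent, children pick it up through inheritance, so no per-item `Set-Acl` pass is needed for that entry.
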
9

Referring to Gamaliel's answer: $args is a PowerShell automatic variable which contains an array of values for undeclared parameters that are passed to a script, scriptblock or function at runtime - as such it cannot be used the way Gamaliel is using it. This is actually working:

$myPath = 'C:\whatever.file'
# get actual Acl entry
$myAcl = Get-Acl "$myPath"
$myAclEntry = "Domain\User","FullControl","Allow"
$myAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($myAclEntry)
# prepare new Acl
$myAcl.SetAccessRule($myAccessRule)
$myAcl | Set-Acl "$MyPath"
# check if added entry present
Get-Acl "$myPath" | fl
Mike L'Angelo
7

Another example using PowerShell to set permissions (File / Directory):

Verify permissions

Get-Acl "C:\file.txt" | fl *

Apply full permissions for everyone

$acl = Get-Acl "C:\file.txt"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("everyone","FullControl","Allow")
$acl.SetAccessRule($accessRule)
$acl | Set-Acl "C:\file.txt"

Hope this helps

Jérémie Bertrand
Gamaliel
6

In case you need to deal with a lot of folders containing subfolders and other recursive stuff. Small improvement on @Mike L'Angelo:

$mypath = "path_to_folder"
$myacl = Get-Acl $mypath
$myaclentry = "username","FullControl","Allow"
$myaccessrule = New-Object System.Security.AccessControl.FileSystemAccessRule($myaclentry)
$myacl.SetAccessRule($myaccessrule)
Get-ChildItem -Path "$mypath" -Recurse -Force | Set-Acl -AclObject $myacl -Verbose

Verbosity is optional in the last line

Mike L'Angelo
Vladimir
2

This one works for me

$path = "C:\test"
$name = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl "C:\test"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($name,"FullControl","Allow")
$acl.SetAccessRule($accessRule)
$acl | Set-Acl "C:\test"
Get-ChildItem -Path "$path" -Recurse -Force | Set-Acl -aclObject $acl -Verbose
NatiZekri
  • This worked perfectly for me where the others didn't. It's really in the `$accessRule` setting. I also appreciate that this one keeps access for the logged in user since I'd prefer to restrict that way. – tlbignerd Aug 05 '22 at 11:57
-2
$path = "C:\DemoFolder"
$acl = Get-Acl $path
$username = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$Attribs = $username, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Attribs)
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
Get-ChildItem -Path "$path" -Recourse -Force | Set-Acl -aclObject $acl -Verbose
Jérémie Bertrand
Norman
  • Downvoting just because there's a typo here and the edit queue is full. The last line should be `Get-ChildItem -Path "$path" -Recurse -Force | Set-Acl -aclObject $acl -Verbose` – tlbignerd Aug 05 '22 at 11:58