So I am trying to create a few functions. The purpose of them is to reset permissions on a home folder, or similar, once the user has somehow removed permissions and ownership for everyone but themselves. Ultimately, it is likely going to be used when an employee leaves as part of my Employee termination script. The first script "Take-Ownership" I have working in thread http://social.technet.microsoft.com/Forums/en-US/27242982-a99b-48ee-8b45-27497806430f/ under the heading, "Taking Ownership of folders and files." That script only changes ownership.
So now I need to override and set permissions on the top folder. Then recurse through all folders and files and remove all "non-inherited" permissions, WHILE SETTING THE INHERITANCE to inherit from parent. This seems to be where I am failing!
The script does remove the non-inherited permissions, but if the folders have the "Include inheritable permissions from this object's parent" unchecked the folders remain inaccessible and my script does not check the box.
So I started my script using code I found on the forums http://social.technet.microsoft.com/Forums/en-US/96017fc4-58ab-49bf-9fac-ccb2a7529f35/, under the heading, "Can the GUI operation 'replace permission entries on all child objects with entries shown here that apply to child objects' be scripted in PowerShell?" As mentioned I have it to the point of setting the permission on the TopFolder and removing the ACLs that are non-inherited on all subfolders and files. I am not able to get those folders and files to inherit if the inherit box isn't checked. If the inherit box is checked, the script works as intended.
I guess the real question is how do I force inheritance WITHOUT applying any permissions directly to the folders and files, ONLY inheriting the Parent permissions?
Folder layout:
D:\Permissions\TopFolder
D:\Permissions\TopFolder\FirstFolder
D:\Permissions\TopFolder\FirstFile.txt
D:\Permissions\TopFolder\FirstFolder\SecondFolder
D:\Permissions\TopFolder\FirstFolder\SecondFile.txt
D:\Permissions\TopFolder\FirstFolder\SecondFolder\ThirdFolder
D:\Permissions\TopFolder\FirstFolder\SecondFolder\ThirdFile.txt
D:\Permissions\TopFolder\FirstFolder\SecondFolder\ThirdFolder\HiddenFolder
D:\Permissions\TopFolder\FirstFolder\SecondFolder\ThirdFolder\HiddenFolder.txt
Code so far:
$Path = "D:\Permissions\TopFolder"
# Get-Acl D:\foo\dir1 | Set-Acl -path $Path
# Setup new access rule to add to folder ACL
# documentation: http://msdn.microsoft.com/en-us/library/System.Security.AccessControl(v=vs.110).aspx
$account = "DOMAIN\username"
$rights = [System.Security.AccessControl.FileSystemRights]::FullControl
$inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$allowdeny = [System.Security.AccessControl.AccessControlType]::Allow
$dirACE = New-Object System.Security.AccessControl.FileSystemAccessRule( $account,$rights,$inheritance,$propagation,$allowdeny )
# Get the directory's current permissions and add the access rule
$dirACL = Get-Acl $Path
# Add the new AccessRule to the Directory ACL, suppressing errors and trying again until success
$Try = 0
do {
    $Try++
    "Try: $Try"
    $ACLCheck = $True
    Start-Sleep -Milliseconds 500
    Try { $dirACL.AddAccessRule($dirACE) }
    Catch [System.Exception] { $ACLCheck = $False }
} while( $ACLCheck -eq $False )
# Set (commit changes) the ACL on the folder
Set-Acl $Path -AclObject $dirACL
"Path: $Path"
# Search recursively through the location defined
Get-ChildItem -Recurse -Force $Path | foreach {
    $TempPath = $_.FullName
    "Path: $TempPath"
    # Get ACL for TempPath
    $acl = Get-Acl $TempPath
    $acl
    # Get SID of each explicit (non-inherited) ACE
    $acl.Access | where { $_.IsInherited -eq $false } | foreach {
        # For each SID purge the SID from the ACL
        $acl.PurgeAccessRules($_.IdentityReference)
        # Reapply ACL to file or folder without the SID
        Set-Acl -AclObject $acl -path $TempPath
    }
}

Thanks for the help in advance!
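One way to get the behaviour asked for above, as an added example that is not the poster's code and not taken from the linked threads: every child has its "protected" flag cleared with SetAccessRuleProtection and its explicit entries removed before the next level is listed, so the only ACE written anywhere in the tree is the inheritable one on the top folder. It assumes the account running it already owns every object (the Take-Ownership step); the function names and "DOMAIN\username" are placeholders.

```powershell
function Reset-ChildPermissions {
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # $false clears the "protected" flag, i.e. re-checks "Include inheritable
    # permissions from this object's parent"; the second argument is ignored
    # when unprotecting, so nothing explicit is copied onto the object.
    $acl.SetAccessRuleProtection($false, $true)
    # Drop every explicit ACE; entries that arrive via inheritance are untouched.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Descend only after this folder is readable again through the inherited ACE.
    if (Test-Path -LiteralPath $Path -PathType Container) {
        Get-ChildItem -LiteralPath $Path -Force | ForEach-Object {
            Reset-ChildPermissions -Path $_.FullName
        }
    }
}

function Reset-HomeFolderPermissions {
    param(
        [Parameter(Mandatory = $true)][string]$TopFolder,
        [Parameter(Mandatory = $true)][string]$Account   # e.g. "DOMAIN\username" (placeholder)
    )
    # The only explicit ACE in the whole tree lives on the top folder;
    # ContainerInherit + ObjectInherit makes it flow down to every child.
    $rights      = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]::None
    $type        = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $Account, $rights, $inheritance, $propagation, $type
    $topAcl = Get-Acl -LiteralPath $TopFolder
    $topAcl.AddAccessRule($rule)
    Set-Acl -LiteralPath $TopFolder -AclObject $topAcl

    Get-ChildItem -LiteralPath $TopFolder -Force | ForEach-Object {
        Reset-ChildPermissions -Path $_.FullName
    }
}

# Usage (placeholder values):
# Reset-HomeFolderPermissions -TopFolder "D:\Permissions\TopFolder" -Account "DOMAIN\username"
```

Afterwards every file and folder below the top folder should show only inherited entries in its security tab, which is also a quick check that no explicit ACE was left behind.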