
Being a total novice at PowerShell, I am trying to put together a script using the below script from various TechNet script examples:

$FolderPath = 'c:\folder'

$Shares=[WMICLASS]'WIN32_Share'

$ShareName='Home$'

New-Item -type directory -Path $FolderPath

$Shares.Create($FolderPath,$ShareName,0)

$Acl = Get-Acl $FolderPath
$Acl.SetAccessRuleProtection($True, $False)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Administrators','FullControl','ContainerInherit, ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
$Acl.AddAccessRule($rule)

Set-Acl $FolderPath $Acl
Get-Acl $FolderPath  | Format-List

The above script works quite well in terms of creating the folder and sets the permissions as:

Share: Everyone "Full"
NTFS: Users "Read"

I can't seem to figure out how to apply the below permissions; I am struggling with the parameters for System.Security.AccessControl.FileSystemAccessRule to set the below NTFS permissions.

Set Share permissions:  
Authenticated Users: change
Administrators: full control

Set NTFS permissions: 
Administrators: full control
SYSTEM: full control
Authenticated users: list folder/read data & create folders/append data, this folder only
Creator/Owner: full control, subfolders and files only  

Any help will be greatly appreciated. Thanks in advance.

Manoj Mnoj
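The four NTFS entries asked for above differ only in the GUI's "Applies to" setting, which maps onto the InheritanceFlags and PropagationFlags arguments of FileSystemAccessRule. The following is an added example (my code, not part of the question or the answer) that expresses that mapping as data, applies the requested DACL, and then reads the folder's ACL back and reports any entry that did not land or that should not be there. It identifies the principals by their well-known SIDs rather than by display name so it works on non-English systems; the path C:\folder and the helper names New-RuleFromSpec, Set-NtfsDacl and Test-NtfsDacl are assumptions of this example.

```powershell
# Added example, not code from the original question or answer.
# Assumes: a local test folder C:\folder and an elevated PowerShell session.
$FolderPath = 'C:\folder'

# Well-known SIDs, so the script does not depend on the OS display language
$Sids = @{
    Administrators     = 'S-1-5-32-544'   # BUILTIN\Administrators
    System             = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
    AuthenticatedUsers = 'S-1-5-11'       # NT AUTHORITY\Authenticated Users
    CreatorOwner       = 'S-1-3-0'        # CREATOR OWNER
}

# GUI "Applies to" choice  ->  (InheritanceFlags, PropagationFlags)
$AppliesTo = @{
    ThisFolderOnly            = @('None', 'None')
    ThisFolderSubfoldersFiles = @('ContainerInherit, ObjectInherit', 'None')
    SubfoldersAndFilesOnly    = @('ContainerInherit, ObjectInherit', 'InheritOnly')
}

# The DACL from the question, expressed as data so it can be applied and verified
$Wanted = @(
    @{ Sid = $Sids.Administrators;     Rights = 'FullControl';                       Scope = 'ThisFolderSubfoldersFiles' }
    @{ Sid = $Sids.System;             Rights = 'FullControl';                       Scope = 'ThisFolderSubfoldersFiles' }
    @{ Sid = $Sids.AuthenticatedUsers; Rights = 'ReadData, AppendData, Synchronize'; Scope = 'ThisFolderOnly' }
    @{ Sid = $Sids.CreatorOwner;       Rights = 'FullControl';                       Scope = 'SubfoldersAndFilesOnly' }
)

function New-RuleFromSpec ($Spec) {
    # Build a FileSystemAccessRule from one entry of $Wanted (hypothetical helper)
    $id   = New-Object System.Security.Principal.SecurityIdentifier $Spec.Sid
    $inh, $prop = $AppliesTo[$Spec.Scope]
    $rights   = [System.Security.AccessControl.FileSystemRights]$Spec.Rights
    $inhFlags = [System.Security.AccessControl.InheritanceFlags]$inh
    $propFlag = [System.Security.AccessControl.PropagationFlags]$prop
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id, $rights, $inhFlags, $propFlag, $allow
}

function Set-NtfsDacl ($Path, $Specs) {
    $acl = Get-Acl -Path $Path
    # Break inheritance and drop the inherited entries, so only $Specs remain
    $acl.SetAccessRuleProtection($true, $false)
    # Also drop any explicit entries already on the folder
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($existing)
    }
    foreach ($spec in $Specs) { $acl.AddAccessRule((New-RuleFromSpec $spec)) }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-NtfsDacl ($Path, $Specs) {
    # Read the DACL back and return a list of problems (empty list = matches the spec)
    $acl = Get-Acl -Path $Path
    $problems = @()
    if (-not $acl.AreAccessRulesProtected) { $problems += 'inheritance is still enabled' }
    foreach ($spec in $Specs) {
        $want = New-RuleFromSpec $spec
        $hit = $acl.Access | Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $spec.Sid -and
            $_.FileSystemRights -eq $want.FileSystemRights -and
            $_.InheritanceFlags -eq $want.InheritanceFlags -and
            $_.PropagationFlags -eq $want.PropagationFlags -and
            $_.AccessControlType -eq 'Allow'
        }
        if (-not $hit) { $problems += "missing: $($spec.Sid) $($spec.Rights) [$($spec.Scope)]" }
    }
    # Anything not in the spec is a surprise and is reported as well
    $extra = @($acl.Access).Count - @($Specs).Count
    if ($extra -gt 0) { $problems += "$extra unexpected access entries present" }
    return $problems
}

if (-not (Test-Path $FolderPath)) { New-Item -ItemType Directory -Path $FolderPath | Out-Null }
Set-NtfsDacl -Path $FolderPath -Specs $Wanted
$issues = Test-NtfsDacl -Path $FolderPath -Specs $Wanted
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'NTFS DACL matches the specification' }
```

Run it elevated: disabling inheritance and rewriting the DACL requires the caller to have WRITE_DAC on the folder, which a freshly created folder under C:\ grants to Administrators. The read-back check is the part worth keeping in any provisioning script, since Set-Acl succeeds silently even when an entry was built with the wrong flags.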

1 Answer


You could have solved this yourself if you had tried to search. I've created an answer for share permissions earlier here, and NTFS permissions are easily found too. Try this:

#Local path
$FolderPath = 'c:\folder'

$Shares=[WMICLASS]'WIN32_Share'
#Share name
$ShareName='Home$'

#Create folder
New-Item -type directory -Path $FolderPath

#Create share rights

#Define a trustee (person/group to give access right)
$trustee = ([wmiclass]'Win32_Trustee').psbase.CreateInstance()
$trustee.Domain = "NT Authority"
$trustee.Name = "Authenticated Users"

#Define an access control entry (permission-entry)
$ace = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
#Modify-rights (share "Change", 0x1301BF)
$ace.AccessMask = 1245631
#Inheritance for folders and files (CONTAINER_INHERIT | OBJECT_INHERIT)
$ace.AceFlags = 3
#Allow ACE
$ace.AceType = 0
#Assign rights to Authenticated users ($trustee)
$ace.Trustee = $trustee

$trustee2 = ([wmiclass]'Win32_Trustee').psbase.CreateInstance()
$trustee2.Domain = "BUILTIN"  #Or domain name
$trustee2.Name = "Administrators"

$ace2 = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
#Full control (0x1F01FF)
$ace2.AccessMask = 2032127
$ace2.AceFlags = 3
$ace2.AceType = 0
#Assign rights to Administrators ($trustee2)
$ace2.Trustee = $trustee2

#Create ACL/security descriptor. This is the security-definitions that you set on the share.
$sd = ([wmiclass]'Win32_SecurityDescriptor').psbase.CreateInstance()
#Specify that a DACL (ACL/security/permissions) is present (SE_DACL_PRESENT), so the share isn't set to full access for everyone
$sd.ControlFlags = 4
#Add our rules. Unwrap the PSObjects first: assigning $ace, $ace2 directly fails on some PowerShell versions with
#"Unable to cast object of type 'System.Management.Automation.PSObject' to type 'System.Management.ManagementBaseObject'"
$sd.DACL = $ace.psobject.BaseObject, $ace2.psobject.BaseObject
#Set Administrators ($trustee2) as owner and group of ITEM (will be the share)
$sd.Group = $trustee2
$sd.Owner = $trustee2

#Create share with the security rules and check the WMI return value (0 = success)
$result = $Shares.Create($FolderPath, $ShareName, 0, 100, "Description", "", $sd)
if ($result.ReturnValue -ne 0) { throw "Win32_Share.Create failed with return code $($result.ReturnValue)" }

#Get NTFS permissions
$Acl = Get-Acl $FolderPath
#Disable inheritance and clear permissions
$Acl.SetAccessRuleProtection($True, $False)
#Define NTFS rights
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Administrators','FullControl','ContainerInherit, ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('SYSTEM','FullControl','ContainerInherit, ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Authenticated Users",@("ReadData", "AppendData", "Synchronize"), "None", "None", "Allow")
$Acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER','FullControl','ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')
$Acl.AddAccessRule($rule)

#Save ACL changes (NTFS permissions)
Set-Acl $FolderPath $Acl | Out-Null
#Show ACL so user can verify changes
Get-Acl $FolderPath  | Format-List
Frode F.
  • Forgot share permission. Added now – Frode F. Dec 02 '13 at 18:06
  • Graimer, thank you kindly for your super fast answer to my question. The script commands you provided work spot on for the NTFS which I was finding it extremely tricky to figure out. When I run the script I get an error on **$sd.DACL = $ace, $ace2** (Exception setting "DACL": "Unable to cast object of type 'System.Management.Automation.PSObject' to type 'System.Management.ManagementBaseObject'." When I check the share permissions one of the groups appears as Account Unknown(S-1-5-5-0-290585), I believe this is the Authenticated Users. Any ideas? Otherwise your answer is spot on. Thanks!! – Manoj Mnoj Dec 02 '13 at 18:50
  • I forgot to ask, is there a way to set caching setting on the folder to "No file or programs from the share folder are available offline" – Manoj Mnoj Dec 02 '13 at 18:55
  • I changed it to **$sd.DACL = $ace.psObject.baseobject, $ace2.psObject.baseobject** and it now appears to work perfectly by setting the Read and Change for Authenticated Users Group. I have no idea why it works - I found another example and applied it, call it improvisation! – Manoj Mnoj Dec 02 '13 at 19:20
  • I spoke too early! By using the above the NTFS permissions don't apply as intended. Not sure what needs to be done with $sd.DACL = $ace, $ace2 (Exception setting "DACL": "Unable to cast object of type 'System.Management.Automation.PSObject' to type 'System.Management.ManagementBaseObject'." to fix the issue with setting correct permissions for Authenticated Users on the share. – Manoj Mnoj Dec 02 '13 at 19:35
  • In order to disable files caching on a shared folder use **net share /cache:none** It works! – Manoj Mnoj Dec 02 '13 at 20:02
  • The script above works for me, but if your "Administrators" is e.g. a domain group, you need to specify the `Domain` property of the `$trustee2` object. The DACL property has nothing to do with NTFS permissions. See the updated answer for how to use the `domain` property with local admin group – Frode F. Dec 03 '13 at 19:34
  • Updated With comments. Run as administrator (With local admin rights to create folder and share, and domain if using domain accounts/Groups). – Frode F. Aug 10 '15 at 08:40
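Two things in the comment thread deserve a concrete fix rather than improvisation: the PSObject-to-ManagementBaseObject cast error on `$sd.DACL`, and the trustee that showed up as "Account Unknown". Below is an added example (my code, not the answer's) that builds the share DACL from well-known SIDs fed to Win32_Trustee as binary SIDs, so WMI does not have to resolve Domain/Name strings at all, unwraps the WMI objects before assigning them, checks the Create() return value, disables offline caching with the `net share /cache:none` command from the comments, and finally reads the share's security descriptor back through Win32_LogicalShareSecuritySetting to confirm exactly the intended ACEs are present. The share name Home$, the path C:\folder and the helper names New-ShareTrustee, New-ShareAce and Test-SharePermissions are assumptions of this example.

```powershell
# Added example, not code from the original answer.
# Assumes: an elevated session, local path C:\folder, share name Home$.
$FolderPath = 'C:\folder'
$ShareName  = 'Home$'

# Win32_ACE access-mask values for the three share-permission levels
$ShareRights = @{ Read = 1179817; Change = 1245631; FullControl = 2032127 }

function New-ShareTrustee ([string]$Sid) {
    # Hand WMI the binary SID; it derives Domain/Name itself, which avoids the
    # "Account Unknown" result that a mistyped or unresolvable name produces
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier $Sid
    $bytes  = New-Object byte[] $sidObj.BinaryLength
    $sidObj.GetBinaryForm($bytes, 0)
    $t = ([wmiclass]'Win32_Trustee').psbase.CreateInstance()
    $t.SID = $bytes
    return $t
}

function New-ShareAce ([string]$Sid, [int]$Mask) {
    $ace = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
    $ace.AccessMask = $Mask
    $ace.AceFlags   = 3      # CONTAINER_INHERIT | OBJECT_INHERIT
    $ace.AceType    = 0      # ACCESS_ALLOWED
    $ace.Trustee    = (New-ShareTrustee $Sid).psobject.BaseObject
    return $ace
}

$dacl = @(
    (New-ShareAce 'S-1-5-11'     $ShareRights.Change)       # Authenticated Users: Change
    (New-ShareAce 'S-1-5-32-544' $ShareRights.FullControl)  # BUILTIN\Administrators: Full Control
)

$sd = ([wmiclass]'Win32_SecurityDescriptor').psbase.CreateInstance()
$sd.ControlFlags = 4                                        # SE_DACL_PRESENT
# Unwrap the PSObjects: assigning the wrapped objects directly is what raises
# "Unable to cast ... PSObject to ... ManagementBaseObject" on some versions
$sd.DACL  = [System.Management.ManagementBaseObject[]]@($dacl | ForEach-Object { $_.psobject.BaseObject })
$sd.Owner = (New-ShareTrustee 'S-1-5-32-544').psobject.BaseObject
$sd.Group = (New-ShareTrustee 'S-1-5-32-544').psobject.BaseObject

if (-not (Test-Path $FolderPath)) { New-Item -ItemType Directory -Path $FolderPath | Out-Null }
$result = ([wmiclass]'Win32_Share').Create($FolderPath, $ShareName, 0, 100, 'Home share', '', $sd)
if ($result.ReturnValue -ne 0) { throw "Win32_Share.Create failed with return code $($result.ReturnValue)" }

# Stop clients from caching share content offline (the comments' net share /cache:none)
net share $ShareName /cache:none | Out-Null

function Test-SharePermissions ([string]$Name, [hashtable]$Expected) {
    # $Expected maps SID -> access mask; returns a list of mismatches (empty = OK)
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$Name'"
    $aces = @($setting.GetSecurityDescriptor().Descriptor.DACL)
    $problems = @()
    foreach ($sid in $Expected.Keys) {
        $hit = $aces | Where-Object { $_.Trustee.SIDString -eq $sid -and $_.AccessMask -eq $Expected[$sid] -and $_.AceType -eq 0 }
        if (-not $hit) { $problems += "share ACE missing for $sid (mask $($Expected[$sid]))" }
    }
    foreach ($ace in $aces) {
        if (-not $Expected.ContainsKey($ace.Trustee.SIDString)) {
            $problems += "unexpected share ACE for $($ace.Trustee.SIDString) ($($ace.Trustee.Domain)\$($ace.Trustee.Name))"
        }
    }
    return $problems
}

$issues = Test-SharePermissions -Name $ShareName -Expected @{ 'S-1-5-11' = $ShareRights.Change; 'S-1-5-32-544' = $ShareRights.FullControl }
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { "Share '$ShareName' DACL matches the specification" }
```

Because the verification reads the share DACL back via WMI and compares SIDs and raw access masks, it catches the two failure modes seen in the comments (a silently absent Authenticated Users ACE, or an entry bound to an unresolvable SID) that a successful Create() call alone would not reveal. Share permissions only gate network access; the NTFS DACL on C:\folder still has to be set separately, as the answer's second half does.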