
We have a shared drive that was very poorly managed for years. Full Control was given to users that had no reason to have full permissions. Naturally, they removed the administrators because "they don't need to see my things."

In an effort to reclaim control over everything on my network, I attempted to create a PowerShell script that will do two things:

  1. Recursively take ownership of every folder and file
  2. Add my default Admin group and give it Full Control

Step 1 works like a charm, but step 2 only gets me halfway there. My script successfully adds the Admin group, but it gives NO permissions.

Pardon how crude the script is, it's a bit of a Frankenstein's Monster as I copy-pasted a few different scripts I found online to get this far.

function Recurse-Folder($folderPath, $identity) {
    # Visit every file and folder below $folderPath and take each one over in turn.
    # -Force includes hidden and system items, which -Recurse alone would skip.
    Get-ChildItem $folderPath -Recurse -Force |
        ForEach-Object {
            Take-Ownership $_.FullName $identity
        }
}


function Take-Ownership($object, $identity) {

    # Give ownership of the object to the default admin group (/A). As owner, the
    # caller gets WRITE_DAC even where every admin ACE was removed.
    takeown.exe /A /F $object

    # Read the current ACL (possible now that Administrators owns the object)
    $acl = Get-Acl -Path $object

    # Set properties
    # $identity = "BUILTIN\Administrators"
    $fileSystemRights = "FullControl"
    $inheritanceFlags = "None"      # ACE applies to this object only
    $propagationFlags = "None"
    $type = "Allow"

    # Create new rule; the string values are converted to the matching enums
    $ruleArgs = $identity, $fileSystemRights, $inheritanceFlags, $propagationFlags, $type
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs

    # Apply new rule (SetAccessRule replaces any existing explicit ACE for $identity)
    $acl.SetAccessRule($rule)

    # Write the modified DACL back. Set-Acl is the cmdlet form of
    # (Get-Item $object).SetAccessControl($acl) and also works on PowerShell 7.
    Set-Acl -Path $object -AclObject $acl
}


$Path = '\\ShareServer1\Share\'
$identity = 'BUILTIN\Administrators'
# $identity = 'NetAdmin'

Take-Ownership $Path $identity
Recurse-Folder $Path $identity


Write-Host
Write-Host Done...
Read-Host

1 Answer


$inheritanceFlags = "None"; $propagationFlags = "None" - This means you add permissions only to $object itself, without the files and folders inside. This results in this (I used $identity = 'Everyone' for this): (screenshot: Permissions to object itself)


I recommend you manually set the required ACL through the GUI and then use (Get-Acl -Path '\\x\share\TestFolder').Access | ? {-not $_.IsInherited} to look up the correct Inheritance\Propagation combo.


To enable inheritance on subfolders or files, you can use $acl.SetAccessRuleProtection($false,$true) and $acl.SetAuditRuleProtection($false,$true). Read the docs.

filimonic
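As an added example (not code from the question or from filimonic's answer), the following script applies the two points the answer makes to the question's take-ownership-then-grant procedure: it builds the FullControl ACE with ContainerInherit and ObjectInherit instead of InheritanceFlags "None", so one ACE at the share root reaches every child that still inherits, and it reads explicit rules back with the Get-Acl / IsInherited check from the answer. It assumes an elevated session run by a member of BUILTIN\Administrators (takeown.exe /A needs that); the share path is a placeholder, and the function names Restore-AdminAccess, New-FullControlRule, Repair-ProtectedChild and Get-ExplicitRule are my own.

```powershell
# Added example; not the question's or the answer's code.
# Assumptions: elevated PowerShell 5.1 or later, caller is a member of
# BUILTIN\Administrators, and the share path below is a placeholder.

function New-FullControlRule {
    # Build the Allow/FullControl ACE. For a folder the ACE is flagged
    # ContainerInherit + ObjectInherit so it flows to subfolders and files;
    # InheritanceFlags "None" (as in the question) yields a "this folder only" ACE.
    param([string]$Identity, [bool]$IsContainer)

    $inherit = if ($IsContainer) {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        # Files cannot carry inheritable ACEs, so None is correct for them
        [System.Security.AccessControl.InheritanceFlags]::None
    }

    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Get-ExplicitRule {
    # The answer's check: list only ACEs set directly on the object, not inherited ones,
    # so the Inheritance/Propagation flags actually stored can be compared with a GUI-set ACL.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType
}

function Repair-ProtectedChild {
    # Children whose inheritance was disabled do not receive the root ACE.
    # Give those an explicit ACE without touching their inheritance setting, then
    # descend; the ACE is written before the folder is entered, so listing it works.
    param([string]$Folder, [string]$Identity)
    foreach ($child in Get-ChildItem -LiteralPath $Folder -Force) {
        $childAcl = Get-Acl -LiteralPath $child.FullName
        if ($childAcl.AreAccessRulesProtected) {
            $childAcl.SetAccessRule((New-FullControlRule -Identity $Identity -IsContainer $child.PSIsContainer))
            Set-Acl -LiteralPath $child.FullName -AclObject $childAcl
        }
        if ($child.PSIsContainer) {
            Repair-ProtectedChild -Folder $child.FullName -Identity $Identity
        }
    }
}

function Restore-AdminAccess {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$Identity = 'BUILTIN\Administrators'
    )

    # 1. Ownership for the whole tree in one call: /R recurses, /D Y answers the
    #    prompt takeown raises for folders the caller cannot list. As owner,
    #    Administrators holds WRITE_DAC even where every admin ACE was removed.
    & takeown.exe /A /F $Root /R /D Y | Out-Null

    # 2. One inheritable FullControl ACE at the root covers every child that
    #    still inherits from its parent.
    $acl = Get-Acl -LiteralPath $Root
    $acl.SetAccessRule((New-FullControlRule -Identity $Identity -IsContainer $true))
    Set-Acl -LiteralPath $Root -AclObject $acl

    # 3. Explicit ACE for the children that block inheritance.
    Repair-ProtectedChild -Folder $Root -Identity $Identity
}

# Usage (placeholder path):
# Restore-AdminAccess -Root '\\ShareServer1\Share'
# Get-ExplicitRule -Path '\\ShareServer1\Share'
```

Step 3 deliberately leaves each object's inheritance setting as it is and adds an explicit ACE instead; if re-enabling inheritance is acceptable, replace the SetAccessRule call in Repair-ProtectedChild with the answer's $childAcl.SetAccessRuleProtection($false, $true), after which the root ACE flows down and no per-object ACE is needed. Running Get-ExplicitRule on the root afterwards should show the Administrators entry with InheritanceFlags "ContainerInherit, ObjectInherit" and PropagationFlags "None", which is the combination the GUI writes for "This folder, subfolders and files".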
  • Thanks for the response! My Take-Ownership function recurses through every folder/file as an object, which is why I only focus on adding permissions to the current object. Everything takes a turn as the current object. I left the inheritance and propagation flags alone because I don't want to change any existing inheritance properties. – James Husted Mar 05 '21 at 11:57