
  • File New-ACE-Function.ps1 — part of check-in [b2e02e993d] at 2018-06-10 14:21:16 on branch trunk — Function to simplify the creation of ACEs, along with a simple usage example. (user: BattleChicken size: 3136)

# encoding: ascii
# api: powershell
# title: New-ACE Function
# description: Function to simplify the creation of ACEs, along with a simple usage example.
# version: 0.1
# type: function
# author: BattleChicken
# license: CC0
# function: New-ACE
# x-poshcode-id: 6817
# x-archived: 2017-05-30T18:56:10
# x-published: 2017-03-23T17:54:00
#
#
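function New-ACE{
    <#
    .SYNOPSIS
        Builds one FileSystemAccessRule (ACE) per supplied account name.
    .DESCRIPTION
        Converts the string parameters into the System.Security.AccessControl
        enums and emits a FileSystemAccessRule for every entry in -Users.
        Nothing is applied here: the rules only take effect once a caller adds
        them to an ACL and calls Set-Acl.
    .PARAMETER Users
        Account names (e.g. 'DOMAIN\Group', 'NT AUTHORITY\SYSTEM'), one rule
        each. The name is wrapped in an NTAccount as given and is not resolved
        here, so a misspelt account only fails later, when the ACL is applied.
    .PARAMETER FileSystemRights
        One or more FileSystemRights names; several names are OR-ed into a
        single rights mask.
    .PARAMETER InheretenceFlags
        InheritanceFlags names (OR-ed). Default: ContainerInherit,ObjectInherit,
        i.e. the rule flows to child folders and files. Alias: -InheritanceFlags.
    .PARAMETER PropogationFlag
        A single PropagationFlags value. Default: None. Alias: -PropagationFlag.
    .PARAMETER AccessControlType
        Allow or Deny. Default: Allow.
    .OUTPUTS
        System.Security.AccessControl.FileSystemAccessRule, one per user.
    .EXAMPLE
        New-ACE -Users 'BUILTIN\Users' -FileSystemRights ReadAndExecute
    #>
    [CmdletBinding()]
    [OutputType([System.Security.AccessControl.FileSystemAccessRule])]
    param (
      [Parameter(Mandatory=$True)]
      [ValidateNotNullOrEmpty()]
      [string[]]$Users,

      [Parameter(Mandatory=$True)]
      [ValidateSet('DeleteSubdirectoriesAndFiles','ReadAttributes','WriteAttributes','Write','Delete','ReadPermissions','Read',
        'ReadAndExecute','Modify','ChangePermissions','TakeOwnership','Synchronize','FullControl')]
      [string[]]$FileSystemRights,

      # The original parameter names are misspelt but are the public interface;
      # the aliases let new callers use the correctly spelt names.
      [Parameter()]
      [Alias('InheritanceFlags')]
      [ValidateSet('None','ContainerInherit','ObjectInherit')]
      [string[]]$InheretenceFlags=@('ContainerInherit','ObjectInherit'),

      [Parameter()]
      [Alias('PropagationFlag')]
      [ValidateSet('None','NoPropagateInherit','InheritOnly')]
      [string]$PropogationFlag='None',

      [Parameter()]
      [ValidateSet('Allow','Deny')]
      [string]$AccessControlType='Allow'
    )

    # None of the enum conversions depend on the user, so do them once instead
    # of once per account. Casting a string[] to a [Flags] enum OR-s the values.
    $colRights       = [System.Security.AccessControl.FileSystemRights]$FileSystemRights
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]$InheretenceFlags
    $PropFlag        = [System.Security.AccessControl.PropagationFlags]$PropogationFlag
    $objType         = [System.Security.AccessControl.AccessControlType]$AccessControlType

    foreach ($user in $Users){
        $objUser = New-Object System.Security.Principal.NTAccount($user)
        New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropFlag, $objType)
    }
}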



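$ACEArr = @()
$folder = "C:\ScriptTemp\testFolder1\subfolder"
#$testGroups = (Get-LocalGroups).tolower() | where {$_.startswith("test")}

# Fail here if the folder is missing or unreadable. Get-Acl's default error is
# non-terminating, which would leave $objACL empty and let the script run on
# into Set-ACL with nothing to apply.
$objACL = Get-Acl -LiteralPath $folder -ErrorAction Stop

# Purge initial permissions. .Access is a snapshot, so purging while iterating
# it is safe. This drops every explicit ACE on the folder: only the rules built
# below survive, so that list must keep an identity able to administer the
# folder (SYSTEM and Administrators get FullControl further down).
$objACL.Access | ForEach-Object { $objACL.PurgeAccessRules($_.IdentityReference) }
#$objACL.access | % {$objACL.AddAccessRule($_)} #retain current permissions

#Set user, and build an ACL for each one.

$ACEArr += New-ACE -Users "L06557\TestG1","L06557\TestG2" -FileSystemRights ReadAndExecute -PropogationFlag NoPropagateInherit
$ACEArr += New-ACE -Users "L06557\TestG3","L06557\TestG4" -FileSystemRights FullControl
$ACEArr += New-ACE -Users 'NT AUTHORITY\SYSTEM' -FileSystemRights FullControl
$ACEArr += New-ACE -Users "ADMINISTRATORS" -FileSystemRights FullControl -InheretenceFlags ObjectInherit

$ACEArr | ForEach-Object { $objACL.AddAccessRule($_) }

# $true  = stop inheriting from the parent folder
# $false = do not keep copies of the previously inherited rules
# so after Set-ACL the folder carries exactly the rules in $ACEArr.
$objACL.SetAccessRuleProtection($true, $false)

Set-Acl -LiteralPath $folder -AclObject $objACL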



#$testACL.Access


<# for regenerating the validation sets above, should the enum members ever change (they most likely never will)
[System.Enum]::GetNames('System.Security.AccessControl.FileSystemRights')
[System.Enum]::GetNames('System.Security.AccessControl.InheritanceFlags')
[System.Enum]::GetNames('System.Security.AccessControl.PropagationFlags')
[System.Enum]::GetNames('System.Security.AccessControl.AccessControlType')
#>