
Artifact 6047b727cfa7a4dab9e6257d320be15c18a6c6966852869270d1e087e64fc4ea:

  • File New-ACE-Function.ps1 — part of check-in [d6b793c0c1] at 2018-06-10 14:03:57 on branch trunk — Function to create ACE objects to simplify making changes to folder permissions. New-ACE function plus a usage example (user: BattleChicken size: 3106)

# encoding: ascii
# api: powershell
# title: New-ACE Function
# description: Function to create ACE objects to simplify making changes to folder permissions.  New-ACE function plus a usage example
# version: 0.1
# type: function
# author: BattleChicken
# license: CC0
# function: New-ACE
# x-poshcode-id: 5913
# x-archived: 2015-07-03T01:44:31
# x-published: 2015-06-29T19:08:00
#
#
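function New-ACE{
    <#
    .SYNOPSIS
    Builds one FileSystemAccessRule (ACE) per account name.

    .DESCRIPTION
    Only constructs rule objects and writes them to the pipeline. No file or folder is read or
    changed here; the caller adds the rules to an ACL and applies it.

    Each account name is wrapped in an NTAccount object as given. This function does not check that
    the name maps to a real account.
    NOTE(review): a misspelled name is presumably reported only when the rule is added to an ACL or
    the ACL is applied - confirm, and check for errors at that point.

    .PARAMETER Users
    Account names (for example 'DOMAIN\Group'). One rule is produced for each name.

    .PARAMETER FileSystemRights
    One or more right names from the ValidateSet; several names are combined into one flags value.

    .PARAMETER InheretenceFlags
    (Parameter name spelled as declared.) Inheritance flags for the rule. The default,
    ContainerInherit plus ObjectInherit, makes the rule apply to child folders and files as well.

    .PARAMETER PropogationFlag
    (Parameter name spelled as declared.) Propagation flag for the rule. Defaults to None.

    .PARAMETER AccessControlType
    Allow or Deny. Defaults to Allow.

    .OUTPUTS
    System.Security.AccessControl.FileSystemAccessRule
    #>
    [CmdletBinding()]
    param (
      [Parameter(Mandatory=$True)]
      [string[]]$Users,

      [Parameter(Mandatory=$True)]
      [ValidateSet('DeleteSubdirectoriesAndFiles','ReadAttributes','WriteAttributes','Write','Delete','ReadPermissions','Read',
        'ReadAndExecute','Modify','ChangePermissions','TakeOwnership','Synchronize','FullControl')]
      [string[]]$FileSystemRights,

      [Parameter()]
      [ValidateSet('None','ContainerInherit','ObjectInherit')]
      [string[]]$InheretenceFlags=@('ContainerInherit','ObjectInherit'),

      [Parameter()]
      [ValidateSet('None','NoPropagateInherit','InheritOnly')]
      [string]$PropogationFlag='None',

      [Parameter()]
      [ValidateSet('Allow','Deny')]
      [string]$AccessControlType='Allow'
    )

    # Rights, flags and rule type are the same for every account, so convert them once
    # instead of once per loop iteration.
    $rights    = [System.Security.AccessControl.FileSystemRights]$FileSystemRights
    $inherit   = [System.Security.AccessControl.InheritanceFlags]$InheretenceFlags
    $propagate = [System.Security.AccessControl.PropagationFlags]$PropogationFlag
    $ruleType  = [System.Security.AccessControl.AccessControlType]$AccessControlType

    foreach ($user in $Users){
        $account = New-Object System.Security.Principal.NTAccount($user)
        # Emitted to the pipeline; the caller collects the rules.
        New-Object System.Security.AccessControl.FileSystemAccessRule($account, $rights, $inherit, $propagate, $ruleType)
    }
}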



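# Usage example: replace the permissions on one folder with a fixed set of ACEs.
$ACEArr = @()
$folder = "C:\ScriptTemp\testFolder1"

# Everything up to and including Set-Acl runs inside try. A failure while building the ACL
# (a missing folder, a rule that cannot be added) then stops the script before anything is written.
# Without this, a failed AddAccessRule call is reported but execution continues, and Set-Acl writes
# an ACL with that entry missing. Inheritance is switched off below, so a missing SYSTEM or
# Administrators entry could leave the folder without administrative access.
try {
    $objACL = Get-Acl $folder -ErrorAction Stop

    # Purge initial permissions: drop the rules of every identity currently listed on the folder.
    $objACL.Access | ForEach-Object {$objACL.PurgeAccessRules($_.IdentityReference)}
    #$objACL.Access | ForEach-Object {$objACL.AddAccessRule($_)} #retain current permissions

    # Build the ACEs; each New-ACE call returns one rule per account name.
    $ACEArr += New-ACE -users "mymachine\TestG1","mymachine\TestG2" -FileSystemRights ReadAndExecute -PropogationFlag NoPropagateInherit
    $ACEArr += New-ACE -users "mymachine\TestG3","mymachine\TestG4" -fileSystemRights FullControl -InheretenceFlags ObjectInherit
    $ACEArr += New-ACE -users 'NT AUTHORITY\SYSTEM' -fileSystemRights FullControl
    $ACEArr += New-ACE -users "ADMINISTRATORS"  -fileSystemRights FullControl

    $ACEArr | ForEach-Object {$objACL.AddAccessRule($_)}

    # First argument $true: protect the folder's rules from inheritance.
    # Second argument $false: do not preserve the inherited rules.
    $objACL.SetAccessRuleProtection($true,$false)

    Set-Acl $folder $objACL -ErrorAction Stop
}
catch {
    Write-Warning "Stopped while preparing or applying the ACL for '$folder'."
    throw
}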



#$testACL.Access


<# For regenerating the ValidateSet lists in New-ACE, should the enum members ever change (they most likely never will):
[System.Enum]::GetNames('System.Security.AccessControl.FileSystemRights')
[System.Enum]::GetNames('System.Security.AccessControl.InheritanceFlags')
[System.Enum]::GetNames('System.Security.AccessControl.PropagationFlags')
[System.Enum]::GetNames('System.Security.AccessControl.AccessControlType')
#>