Set Folder Permissions using a PowerShell script

A common admin task is setting permissions on folders for new users or groups. Doing this manually can be pretty boring and time-consuming. This script automates these steps through PowerShell.

The parameters that I’ve added to the script are:

  • -Path Folder to Create (Required)
  • -User User who should have access (Required)
  • -Permission Specify Permission for User, Default set to Modify (Optional)
  • -help Prints the HelpFile (Optional)

The script sets the folder permissions for a user or a group on a folder. If the folder doesn’t exist, it creates the folder and adds the specified permissions.

Running the script on one folder gives the user or group permissions on that folder and on its child folders. If you run the script recursively, it will break the inheritance for the specified user/group and set the specified permissions on each folder.

Here are 2 examples of running the script.


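# Grant Write on a single folder
./SetFolderPermission.ps1 -path C:\User -Access APA\MyGroup -Permission Write

# Grant Read on every subfolder. PSIsContainer selects directories only;
# matching Attributes against "d" also hits files marked ReadOnly or Hidden.
Get-ChildItem -path C:\User -recurse |
Where { $_.PSIsContainer } |
ForEach {
    ./SetFolderPermission.ps1 -path $_.Fullname -Access APA\MyGroup -Permission Read
}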

If you want to display the HelpText simply type:


./SetFolderPermission.ps1 -help

Here’s a link to the script
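
The core operation described in this post, as an added PowerShell sketch (not the linked SetFolderPermission.ps1, whose source is not reproduced on this page). The function name Set-FolderAce and its parameter names are hypothetical; identities are compared by SID, so a group typed as Users matches an existing BUILTIN\Users entry:

```powershell
# Added illustration, not the SetFolderPermission.ps1 from this post.
# Set-FolderAce and its parameter names are hypothetical.
function Set-FolderAce {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )

    # Create the folder when it is missing, as the post describes.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        New-Item -ItemType Directory -Path $Path -ErrorAction Stop | Out-Null
    }

    # Resolve the name to a SID once. Translate() throws when the account
    # cannot be resolved, so a mistyped name stops here instead of being
    # written into the ACL.
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
        [System.Security.Principal.SecurityIdentifier])

    $acl = Get-Acl -LiteralPath $Path

    # Remove existing explicit rules for this SID so the new rights replace
    # what the identity already had (for example FullControl -> Read).
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
        ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }

    # ContainerInherit + ObjectInherit: subfolders and files inherit the rule.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Return the explicit rules now on the folder so the caller can verify them.
    (Get-Acl -LiteralPath $Path).Access | Where-Object { -not $_.IsInherited }
}

# Example call, using the values from the post:
# Set-FolderAce -Path 'C:\User' -Identity 'APA\MyGroup' -Rights Write
```

Inherited entries from the parent folder are left in place, so this replaces only the explicit entry for the identity; effective access is still the union of explicit and inherited allow rules.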

  1. Todd
    April 7th, 2009 at 20:23 | #1

    Nice script. It does not appear to be able to set permissions on files though (only folders).

  2. April 8th, 2009 at 16:10 | #2

    Hi Todd.

    Yes, the script only sets permissions on folder level, if there are files within the folder they should inherit the permissions from the folder.

  3. Josh
    May 15th, 2009 at 18:17 | #3

    Niklas,
    Very nice script. Do you know if there is a way to modify the script to set a maximum security level? For example, if I have a user with FullControl, and I want to modify the user’s permissions to (only) ReadandExecute.

  4. Josh
    May 15th, 2009 at 19:42 | #4

    Please disregard my last post. I see that your script already does this. I was attempting to modify the permissions for the users group. But, since the users group is actually ‘BUILTIN\Users’, the $_.IdentityReference was never equal to $Access. So, it was jumping to $GetACL.AddAccessRule($AccessRule). Once I figured this out, it works like a charm. Thanks for the great script!

  5. May 18th, 2009 at 20:40 | #5

    I’m glad you liked it!

    I found a great post on Copying ACL:s written by Jeffrey Snover.
    It’s worth a look.

    http://blogs.msdn.com/powershell/archive/2009/05/11/copy-acl.aspx

    Regards Niklas

  6. May 28th, 2009 at 20:46 | #6

    Niklas,

    I just started working with PowerShell … I can’t believe I waited this long and kept doing things with VBScript! Anyway … I tested your script and it works nicely, good job.

    I have several questions:

    a) If I wanted to run the script remotely to create individual folders based on a user’s list the script is reading (I extracted it from AD), to create individual user folders within an existing or non-existing share on a remote server, what would be the best way? In the past, using VBScript, this is what I have done:

    Option Explicit
    Dim intRow, objExcel, objSheet, strPathExcel
    Dim strHomeFolder, strHome, strUser
    Dim objFSO, objShell, intRunError

    strHome = "\\ServerName\ShareName\"
    strPathExcel = "C:\ExcelFile.xlsx"
    intRow = 3 ' Row 1 contains headings
    ' Open the Excel spreadsheet
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objExcel = CreateObject("Excel.Application")
    Set objSheet = objExcel.Workbooks.Open(strPathExcel)
    ' Create a shell for cmd and CACLS
    Set objShell = CreateObject("Wscript.Shell")

    ' Here is the loop that cycles through the cells
    Do Until (objExcel.Cells(intRow,1).Value) = ""
        strUser = objExcel.Cells(intRow, 1).Value
        Call HomeDir ' I decided to use a subroutine
        intRow = intRow + 1
    Loop
    objExcel.Quit ' Clears up Excel

    Sub HomeDir()
        strHomeFolder = strHome & strUser
        If strHomeFolder <> "" Then
            If Not objFSO.FolderExists(strHomeFolder) Then
                On Error Resume Next
                objFSO.CreateFolder strHomeFolder
                If Err.Number <> 0 Then
                    On Error GoTo 0
                    Wscript.Echo "Cannot create: " & strHomeFolder
                End If
                On Error GoTo 0
            End If
            If objFSO.FolderExists(strHomeFolder) Then

                ' Assign user permission to home folder.
                intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " _
                    & strHomeFolder & " /e /c /g Administrators:f " _
                    & strUser & ":F", 2, True)
                If intRunError <> 0 Then
                    Wscript.Echo "Error assigning permissions for user " & strUser & " to home folder " & strHomeFolder
                End If
            End If
        End If
    End Sub
    objExcel.Quit
    WScript.Quit

    The previous script works and I do want to emulate the same with your script.

    b) Is there a better way to do this, such as pulling the data directly from AD, using some type of AD query or WMI call?

  7. May 29th, 2009 at 14:52 | #7

    I guess this posting you have in your blog answers my previous question:

    http://www.powershell.nu/2009/04/27/part-116-adding-homefolder-through-powershell/

    (I found it after I wrote this ….)

    Anyway, I am having an issue with your Get-AD.ps1 file …

  8. January 11th, 2010 at 19:01 | #8

    Sweet simple working one buddy !! Thanks !!

  9. January 11th, 2010 at 19:01 | #9

    useful script. thank you

  10. January 20th, 2010 at 19:08 | #10

    Awesome. It works fine for remote computer too.

  11. Munib
    August 10th, 2010 at 14:00 | #11

    Hi,

    I am new to PowerShell scripting. I wanted to set the permissions of local users/groups remotely on some machines.

    Just wanted to know whether the remote/target machine requires the .NET Framework for this script to work.

    Thanks…Munib

  12. Jonathon
    September 5th, 2010 at 11:32 | #12

    Nice script, thanks. Just a quick one… if I wanted to use a CSV file to provide a list of usernames that would then be created by your script, how would I go about this?

  13. jason
    January 24th, 2011 at 23:43 | #13

    I can get the script to run just fine on a folder that is off the root, but my issue is, I need to make the change to just one folder that is located in the Program Files.

    I have no control over this application, I just know that I need to give a user permission access to the vendor’s folder.

    Any advice on how to make this work?

    Thanks,

  14. Mike
    February 18th, 2011 at 17:28 | #14

    Great script – but one “typo” that had me in fits until I found it. In your help text, and in your detail text at the top of this page, you list one of your parameters as “-User”. It should read “-Access”. If you run it with the “-User” flag, nothing happens.

  15. November 22nd, 2011 at 17:35 | #15

    Awesomeness. Thank you.

    Note that I had to change this:
    Where { $_.Attributes -match "d"}

    to this:
    Where { $_.Attributes -match "Directory"}

    because beforehand it was still picking up some files. I did a cursory investigation and I think it was because those files had a Rea*d*only attribute, but that’s only an assumption. Anyway, it works as desired now – thank you very very much.
