The PowerShell script discussed in this post allows you to create a new folder, remove the inherited permissions, and set new permissions for a new Active Directory group.

Robert Pearman

Robert is a small business specialist from the UK and currently works as a system administrator for IT Authority. He has been a Microsoft MVP for seven years and has worked as a technical reviewer for Microsoft Press. You can follow Robert on his blog.

Creating a new folder is an easy task to accomplish: either right-click in the parent folder or use the “New Folder” button in the Explorer ribbon.

This is all well and good, but this folder then inherits the permissions of the parent folder. On your desktop or in your documents folder, this is perfectly fine. However, what if you are creating this folder in a network share? What if the folder requires specific permissions?

I once managed an environment in which a parent folder required specific permissions when a new “contract” was brought on board. It also needed to have six sub-folders, all with unique permissions, with groups named for the contract as well as for role-based groups across the organization.

This process was labor intensive, required extensive documentation, and was prone to human error.

I managed to automate the process of creating the folder structure, groups, and permissions so that—instead of it taking someone 45 minutes and getting it wrong—it took 10 seconds and was perfect every time.

In the following example, we will demonstrate adding a new folder to an existing shared folder, removing inherited permissions, creating two new AD Groups, and setting the Access Control List.

First we need to import the ActiveDirectory Module and define the parent folder path. The parent folder can be either a local folder or one defined via a UNC path.

At this point, we have created a simple PowerShell script to define the name of our new folder and confirm what we have entered.

Folder created

Assuming that we have confirmed the folder name (“Y”), we can create the folder and groups.

In organizations I manage, I like to name the AD Groups based on the NTFS Path. For example, a group giving access to finance in the “shared” share would be named “Shared.Finance,” then appended with an “R” for read only or “RW” for read/write (modify). I wish I could claim that as my idea, but it came from another engineer with whom I worked. I have employed it everywhere else I have worked.

We can flesh out our PowerShell code with comments and/or with Write-Output commands. I like to use Write-Output even if the resulting script will be run by a scheduler: if it is ever run interactively, it gives you a good progress indicator. I also have an OU just for storing these groups, so you can add that to the New-ADGroup command (the -Path parameter) if you wish.

Inside our “Else” block, we can add the following:

Next we can add the folder itself and remove inherited permissions:

If we run our code now, a new folder will be created, and the permissions it inherited will be converted into explicit permissions on the folder (that is what icacls /inheritance:d does; /inheritance:r would strip them instead, so only use that if the account running the script keeps access some other way). The two AD groups will also be created. Note that creating the groups does not depend on an elevated session: the account running the script must have the right to create groups in the target OU, and it must have permission to change the ACL of the new folder.
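The first half of the procedure above (import the module, define the parent, prompt and confirm, create the folder, break inheritance, create the two groups), as one runnable script. This is an added example written for this edit, not the post's own script: the parent share path, the OU, the DomainLocal group scope, the Force switch and the folder-name check are assumptions, since the post shows none of them.

```powershell
# Added example (not the post's own script): create a folder under an existing
# share, break inheritance, and create the matching <share>.<folder>.R / .RW groups.
param(
    [string]$ParentPath = '\\fileserver\Shared',               # assumption: existing share
    [string]$GroupOU    = 'OU=File Groups,DC=example,DC=com',   # assumption: OU for the groups
    [switch]$Force                                              # skip the Y/N prompt when scheduled
)

Import-Module ActiveDirectory

$folderName = Read-Host 'Enter the name of the new folder'
# Conservative name check (assumption): keeps the folder under $ParentPath and keeps the
# derived group names free of quotes and AD-illegal characters.
if ($folderName -notmatch '^[A-Za-z0-9][A-Za-z0-9 _.-]*$') {
    throw "Invalid folder name: '$folderName'"
}
$newFolderFull = Join-Path $ParentPath $folderName
if (Test-Path $newFolderFull) { throw "$newFolderFull already exists" }

if (-not $Force) {
    $answer = Read-Host "Create $newFolderFull and its groups? (Y/N)"
    if ($answer -notmatch '^[Yy]$') { Write-Output 'Aborted'; return }
}

# Group names follow the NTFS-path convention from the post: Shared.Finance.R / Shared.Finance.RW
$shareName = Split-Path $ParentPath -Leaf
$groupR    = "$shareName.$folderName.R"
$groupRW   = "$shareName.$folderName.RW"

foreach ($g in $groupR, $groupRW) {
    if (Get-ADGroup -Filter "Name -eq '$g'") {
        Write-Output "Group $g already exists, reusing it"
    } else {
        # DomainLocal scope is an assumption; the post does not state one
        New-ADGroup -Name $g -SamAccountName $g -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
        Write-Output "Created group $g"
    }
}

New-Item -Path $newFolderFull -ItemType Directory | Out-Null
Write-Output "Created folder $newFolderFull"

# :d disables inheritance but keeps the inherited ACEs as explicit ones, so the account
# running this script does not lose access; :r would strip them outright.
icacls $newFolderFull /inheritance:d | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Show the resulting ACL; every entry should now report IsInherited = False
(Get-Acl -Path $newFolderFull).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Run it as an account that can create groups in the OU and change permissions on the share, for example .\new-folder.ps1 -ParentPath '\\fileserver\Shared' -Force from a scheduler. The final Get-Acl is the check worth keeping: if any entry still shows IsInherited = True, icacls did not run against the path you expected.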

As you can see from the ACL, inheritance has been removed.

Setting folder permissions

In the next section, we will create some new ACL rules and remove some entries from the ACL.

This TechNet page is a very useful resource for information regarding security descriptors.

An ACL rule is split into five arguments:

  • Rights
  • Inheritance
  • Propagation
  • User
  • Type

Rights allow you to control the type of access to a resource. Most commonly it will be set to “ReadAndExecute” or “Modify,” but there is a full list of access types available, matching anything you can set in the GUI.

Inheritance (InheritanceFlags) controls whether the rule is passed down: None applies it to this folder only, ContainerInherit passes it to sub-folders, ObjectInherit passes it to files, and the two can be combined. Propagation (PropagationFlags) controls how that inheritance behaves: None means the rule applies to the folder itself as well as to what it inherits to, InheritOnly means it applies only to the children and not to the folder itself, and NoPropagateInherit stops the rule one level down.

User is the security principal for whom we are creating the rule; it could be a group or a user.

Type is set to allow or deny access.

These five items should be defined like this:

Using these seven variable definitions (two sets of rights, two security principals, and one each for inheritance, propagation, and type), we can build an ACL rule entry:

It is also then easy to add additional rules by varying the rule entries:

To actually enter these rules into the ACL, we first need to collect the current ACL of the folder, using Get-ACL:

Then we can add a rule:

To save that change, we use “Set-ACL,” defining the path to the folder and the ACL to apply:

Earlier I mentioned removing unwanted permissions. To do that, we need to create an ACL rule entry for the group or user we want to remove (the rights in that rule do not matter; only the identity and the access type, Allow or Deny, are used for matching):

Then, using the same procedure as above but calling RemoveAccessRuleAll instead of AddAccessRule, we remove every entry for that security principal:

I have to remove the domain users from my test folder and replace them with my group-based permissions:
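The ACL half of the procedure (the five rule arguments, Get-ACL, RemoveAccessRuleAll, AddAccessRule, Set-ACL) as one runnable script, with the check a practitioner wants before and after. This is an added example written for this edit, not the post's own code: it assumes the folder already exists with inheritance broken and both groups already exist, "Domain Users" as the entry to strip is an assumption taken from the author's comment below, and the retry loop is there because a just-created group can fail to resolve, which is the "identity references could not be translated" error several commenters hit.

```powershell
# Added example (not the post's own code). Replaces the explicit "Domain Users" entry
# on a folder with Read for $GroupR and Modify for $GroupRW, then reads the ACL back.
param(
    [Parameter(Mandatory)][string]$FolderPath,
    [Parameter(Mandatory)][string]$GroupR,
    [Parameter(Mandatory)][string]$GroupRW,
    [string]$RemoveIdentity = 'Domain Users'   # assumption: the entry to strip
)

# The five parts of an ACL rule: rights, inheritance, propagation, identity, type
$readOnly        = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$readWrite       = [System.Security.AccessControl.FileSystemRights]::Modify
# ContainerInherit: sub-folders get the rule; ObjectInherit: files get it
$inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
# None: the rule applies to this folder itself as well (InheritOnly would exclude it)
$propagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$type            = [System.Security.AccessControl.AccessControlType]::Allow

# A group created moments ago may not resolve yet ("Some or all identity references
# could not be translated"); retry the SID lookup instead of letting AddAccessRule fail.
function Resolve-Identity {
    param([string]$Name, [int]$Attempts = 6, [int]$DelaySeconds = 10)
    for ($i = 1; $i -le $Attempts; $i++) {
        try {
            $account = New-Object System.Security.Principal.NTAccount($Name)
            $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
            return $account
        } catch {
            $ex = $_.Exception   # .NET exceptions arrive wrapped; check the inner one too
            $notMapped = ($ex -is [System.Security.Principal.IdentityNotMappedException]) -or
                         ($ex.InnerException -is [System.Security.Principal.IdentityNotMappedException])
            if (-not $notMapped) { throw }
            Write-Warning "Cannot resolve '$Name' yet (attempt $i of $Attempts); waiting $DelaySeconds s"
            Start-Sleep -Seconds $DelaySeconds
        }
    }
    throw "Identity '$Name' could not be resolved after $Attempts attempts"
}

$idDefault = Resolve-Identity $RemoveIdentity
$idR       = Resolve-Identity $GroupR
$idRW      = Resolve-Identity $GroupRW

$ruleDefault = New-Object System.Security.AccessControl.FileSystemAccessRule($idDefault, $readOnly,  $inheritanceFlag, $propagationFlag, $type)
$ruleR       = New-Object System.Security.AccessControl.FileSystemAccessRule($idR,       $readOnly,  $inheritanceFlag, $propagationFlag, $type)
$ruleRW      = New-Object System.Security.AccessControl.FileSystemAccessRule($idRW,      $readWrite, $inheritanceFlag, $propagationFlag, $type)

$objACL = Get-Acl -Path $FolderPath
if (-not $objACL.AreAccessRulesProtected) {
    throw "Inheritance is still enabled on $FolderPath; RemoveAccessRuleAll cannot remove inherited entries"
}

# RemoveAccessRuleAll ignores the rights in the rule: it drops every Allow rule for that identity
$objACL.RemoveAccessRuleAll($ruleDefault)
$objACL.AddAccessRule($ruleRW)
$objACL.AddAccessRule($ruleR)
Set-Acl -Path $FolderPath -AclObject $objACL

# Read the ACL back and show what actually applied
$applied = (Get-Acl -Path $FolderPath).Access
$applied | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Heuristic lock-out check: something (normally Administrators/Domain Admins) should keep Full Control
if (-not ($applied | Where-Object { $_.FileSystemRights -eq 'FullControl' })) {
    Write-Warning "No FullControl entry remains on $FolderPath; the account running this may have locked itself out"
}
```

Usage: .\set-folder-acl.ps1 -FolderPath '\\fileserver\Shared\Finance' -GroupR 'Shared.Finance.R' -GroupRW 'Shared.Finance.RW'. The AreAccessRulesProtected check matters because RemoveAccessRuleAll only touches explicit entries; if inheritance was never broken, the Domain Users entry silently stays.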

I measured the start and stop time of the code to time the process. It took 6 seconds to execute, which includes the time it took me to type the folder name and confirm it.

This is a very basic example of how you can create and secure a folder using PowerShell. As I explained in the introduction, I was able to use this method to consistently and quickly create many nested folders, all with different security settings.

This is the entire script:


34 Comments
  1. Mike 2 years ago

    Hi,

    This is very close to what I have been trying to achieve. The difference being that I need to set $path to be a variable, possibly using Get-ChildItem, and then create a new folder in each. I will then disable inheritance and remove a specific security group from the ACL with icacls.

    Do you have any advice on how I might set the path to be a variable? Essentially I need to create a new folder in:

    D:\Data\variable\test\

    Any help you can offer would be greatly appreciated, and thank you for the post in the first place.

    Mike


  2. Author
    Robert Pearman 2 years ago

    Hi Mike,
    You could probably do this by creating some Param options.
    Assuming the script above, with no changes we can change lines 1-4 to:
    param(
    [string]$rootPath,
    [string]$path
    )
    Import-Module ActiveDirectory
    $newFolder = $rootPath + "\" + $path

    This would allow you to run .\new-folder.ps1 -rootPath "d:\data" -path "New Folder"
    If you then need to create a predefined set of folders under $path you can define those in an array for example, on line 13 (assuming no changes to the above)
    else
    {
    $newSubFolders = @(
    "Test",
    "Test1",
    "Test2"
    )

    Then,
    foreach ($subfolder in $newSubFolders)
    {
    $newFolderFull = $newFolder + "\" + $subfolder
    }

    Hope that helps.


    • Mike 2 years ago

      Thanks for the reply, I may be misunderstanding this (I am no powershell expert after all!) but would that not create the new folder at the "d:\data" level?


  3. Author
    Robert Pearman 2 years ago

    In this example (which I edited quite quickly, so I may have missed something out)

    It would create d:\data\New Folder then the subfolders "Test", "Test 1" and "Test 2".

    You can amend the rootPath though, so you could say

    .\new-folder.ps1 -rootPath "d:\data\Test1" -path "New Folder"

    If that makes sense?

    Is that more like what you want?


  4. Mike 2 years ago

    It does thank you, not quite what I am trying to do though. I have the following structure:

    d:\data\folder\folder

    d:\data\folder1\folder

    d:\data\folder2\folder

    And need to create a new folder in each, the new folder will have the same name so:

    d:\data\folder\folder\newfolder

    d:\data\folder1\folder\newfolder

    d:\data\folder2\folder\newfolder

    Thanks for your help, it is very much appreciated!


  5. Mike 2 years ago

    OK great, I will give that a go, once folders are created I can then just include icacls to remove inheritance and remove a security group that would have been inherited.

    Thanks very much for your help.


  6. Thomas Paine 2 years ago

    Hi Robert.

    Thank you for the script. This is exactly what I am looking for, sadly it doesn't quite run.

    I'm not sure if I'm missing a step somewhere. The 'entire script' looks like it is missing some steps from it. I thought I added them in properly, but I am getting an error running my script.

    Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
    At line:39 char:1
    + $objACL.AddAccessRule($accessControlEntryRW)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdentityNotMappedException

    Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
    At line:40 char:1
    + $objACL.AddAccessRule($accessControlEntryR)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdentityNotMappedException


    • Author
      Robert Pearman 2 years ago

      You're right, the 'entire script' section has a section missing. I will update that now. Thanks for spotting that!


  7. Thomas Paine 2 years ago

    Thanks for the reply, Robert.

    I think I had my script similar to the entire script.

    I don't understand what changes to make to remove all of the permissions from the new folder that were getting explicitly set ones so that I am just left with:

    Domain Admins : Full
    Folder.RW: RW
    Folder.R: R.

    My folder seems to pick up a ton of inherited permissions which are then left on it and the new perms being added. Can I just strip everything off and apply those three easily? I'm too new to powershell to have this clear yet.


    • Author
      Robert Pearman 2 years ago

      icacls $newFolderFull /inheritance:d
      is the command to remove inherited permissions from the folder.


  8. Silambu 2 years ago

    Hi Robert,

    I have one query: I want to create one shared folder where I am the owner of this folder. One more thing: the server administrator is also denied access to this folder. If I want to share it with someone, I need to do it myself only. So is it possible to create this on a file server with Active Directory?

    Thanks


  9. Silambarasan 2 years ago

    Hi Robert,

    Is it possible to create a script for creating a shared folder where only the owner has full rights and no one else can access it, so if any other user wants access, only the owner can give the access, and even the server administrator is restricted for this shared folder, based on Active Directory?

    If it is possible means how to do this?

    Thanks


    • Author
      Robert Pearman 2 years ago

      Yes it is possible to do that, with the caveat that the account running the script would also be required to have access to edit the ACL.


  10. Steve Rock 2 years ago

    Thanks for the script!   I had to add a sleep delay of 20 seconds (Start-Sleep -s 20) before the newly created AD objects could be used to set folder ACLs.  In large domains (or domains that are filled with junk leftover from Netware days), you may need to add a delay before using these commands:
    $objACL.AddAccessRule($accessControlEntryRW)
    $objACL.AddAccessRule($accessControlEntryR)

    Or you could get an error like this:

    Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
    At C:\a\foldertest.ps1:40 char:22
    + $objACL.AddAccessRule <<<< ($accessControlEntryRW)
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException


  11. Author
    Robert Pearman 2 years ago

    Good point, I have to do similar in a large organisation I manage.


  12. Thomas Paine 2 years ago

    Thanks, Steve.

    I was getting that error and didn't know why.

    I put in the sleep and that fixed it right up.


  13. Terry Bennett 2 years ago

    Hey Guys,

    This is a great script so far.  I am very new to Powershell, so, some very basic questions here.

    Is it possible to check for the existence of the new folder that the user enters before continuing, and if so, then tell them it exists and reprompt?

    Thanks in advance

    Terry


  14. Jason 2 years ago

    can this script be modified to add users to the AD groups?


  15. Joseph Johnson 2 years ago

    Hi Robert,

    I can follow most of your script but I don't understand where I would replace your users and/or groups with mine. Or even the names of your groups and users.

    My script adds users to our AD. Their profile can go to the default location but I need to create and change permissions on a folder for them to save their work (primarily docs).
    These are people whom the supervisors need full access to their folders and documents for training purposes.

    I am willing to read theory though my boss is more pragmatic.
    I got the first part of your script to work, creating folders.
    Can you explain where I would add "userA" (the trainee) and "group1" (the supervisors) to the script to let them have read\write permissions?

    Thanks in advance,
    Joe


  16. Josh 1 year ago

    I have the script working fine to create the new folders and set the permissions that I need.

    My issue is that when the users browse to the network share they can see the folders are created but cannot access them. The message says that they do not have permissions and need to contact the network administrator.

    When I go in to check the permissions on the server the file sharing permissions (In the Sharing tab and then click on "Share...") only list myself with the ability to read/write. If I add the group I created to the file sharing permissions everything then works fine. I can't seem to find anything I'm missing or any additional scripting to fix this. Does anyone know what I may be missing?

    Thanks,

    Josh


    • Author
      Robert Pearman 1 year ago

      Hi Josh,

      It sounds like you are expecting this script to share the folder as well as create it.

      This script just creates a new folder, within an existing Share. If you need to then share that new folder as well - we would need to add in some additional steps.


  17. Thomas Paine 1 year ago

    Hi Josh.

    Add in the sleep that is in a post a few posts up.

    I was having a similar issue, and had to add a 20 second sleep to get AD to sync properly and then the correct permissions were applied.


  18. Gomzy 1 year ago

    Hello,

    This script assumes we are creating new AD groups. What if I want to use existing AD groups? How can we define that? Can you please help?

    John


    • Author
      Robert Pearman 1 year ago

      Lines 14 & 15 define the security principals to add.

      You could do a number of things to change this to existing groups.

      Enter the existing Group Names, and then remove the 'Add-ADGroup' commands might be easiest.

      You could change those to Read-Host and type in the group names yourself.


  19. Ben Joyner 1 year ago

    Hello Robert,  This seems very close to what I am trying to script.  I come from a Linux background, so PowerShell scripting is familiar enough that I keep making mistakes and messing things up lol.  I am trying to write a script that creates a group locals on the server and adds 1 or more users into it, then creates a folder and removes all users except the admin users from it, then adds the new group with specific permissions.  When I run the script I will be running it from an automation server and substituting out variables for the usernames, group names, and directory to be created.  Would it be possible to modify your script to do this?  Additionally it needs to be done without a prompt, as I see your script has a y/n prompt.


  20. Author
    Robert Pearman 1 year ago

    When you say a Group Locals, do you mean a group that just exists on one server rather than a domain?

    This is possible but using different commands than I have demonstrated here.

    New-LocalGroup https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-localgroup?view=powershell-5.1 Alternatively, you can use the 'net' commands https://ss64.com/nt/net-useradmin.html

    Essentially the same process, but what I would say is that once you remove the permissions from a folder, you may find the account running the script is locked out as well. So just bear that in mind. The script above does include a Y/N prompt, but it should be easy enough to remove that as well.

    Just remove lines, 7-12 and 42.

    • Ben Joyner 1 year ago

      I think I worked out most of the kinks for my situation and its working with a few exceptions. The local users group is added to the permission scheme.  I don't want the local users to have access, is there a way to replace local users with domain admins?


  21. Ben Joyner 1 year ago

    Hi, sorry, yes I did mean a local group.  The process I am looking to automate would need to be:

    Create local group with $GROUPNAME

    Add domain users $USER1 $USER2 $USER3 etc. to that group

    Create folder at $DIRECTORYPATH

    Set permissions on the $DIRECTORY to include Domain Admin, Local Admin, Owner, and $GROUPNAME but nobody else

    I need to be able to substitute variables for 1 or more users to add to the group as well as the groupname and the directory to be created.


    • Since PowerShell 5.1 you can use the Add-LocalGroupMember cmdlet to add local or domain users to a local group. You can find more info here.


  22. Author
    Robert Pearman 1 year ago

    It's possible to do, of course; I think using parameters is the way to go, but it might be a little outside the scope of the comments section.

    To create your group,

    To add the users, using /domain searches the DC rather than local users.

    You can use an array to store each username, then 'foreach' on each user in the array to add them to the group.

  23. Suprith Karnad 1 year ago

    Hi,

    I need to remove the write access on users' personal folders and just keep the read access on them. How can this be achieved?


  24. Steve 11 months ago

    Your script is great, thank you for this. I would like to use this script to create some Job folders with specific permissions, and this part is working well. I would like to also have it create one subfolder each time called 'Revisions', with separate permissions.

    Basically, when we run the script it will prompt for the job folder name, we set the groups so that this is locked down so that only the Managers can write to it and everyone else can read. We then would like a folder called Revisions to be created, but allow a specific group write access to this folder.

    I have been playing with some of the snippets from above, but cannot seem to get this to work properly.

    Thank you for any advice.
    Steve

    Any pointers?


  25. Robert Van Dyke 2 months ago

    Hi Robert,

    I love the idea of the script and would like to configure this to work in our environment, though I would like to modify it a bit.  I'm not very strong in PowerShell but think your script could easily be tweaked to work how I imagine.

    In our environment users see only folders that they are given access to , so across our "G" drive users may only see Department 1 and Department 3, even though we have Department's 1-100.  This is accomplished by using parent traversal groups.

    For example department 1 would have 3 folders listed underneath: Everyone, Admin, and Scanned Docs.  The top level root group "p_department1" is assigned to the root folder department1, with only read access to "this folder only".  We then have 5 other security groups department1adminRW, department1adminRF, department1everyoneRW, department1everyoneRF, and department1scanneddocsRW which are all then members of p_department1.

    Users are only ever added at the second level, which would then give them rights to see that first level folder, and the groups are set up in a way that only subfolders at and below the second level can be edited, so "everyone" or "admin" can never be mistakenly deleted.

    Can you or someone else help me with some of the code required to accomplish this task.  When I get verified I can start a forum post but my boss has asked me to have this finished in the next 2 weeks, with no extensive powershell knowledge before hand.  We've been accomplishing this through the Windows GUI and ADUC but have found that everyone is prone to errors and the amount of cleanup we already need is extensive, so something that could be done correctly 100% of the time would be great.

    Thanks for any and all insight.


    • Author
      Robert Pearman 2 months ago

      The most important concept to get your head around for your task, is the creation and modification of ACL rules with PowerShell.

      Per the above examples, this rule removes all ACL entries and Adds 3 new ones.

      $accessControlEntryDefault = New-Object System.Security.AccessControl.FileSystemAccessRule @("Domain Users", $readOnly, $inheritanceFlag, $propagationFlag, $type)
      $accessControlEntryRW = New-Object System.Security.AccessControl.FileSystemAccessRule @($userRW, $readWrite, $inheritanceFlag, $propagationFlag, $type)
      $accessControlEntryR = New-Object System.Security.AccessControl.FileSystemAccessRule @($userR, $readOnly, $inheritanceFlag, $propagationFlag, $type)
      $objACL = Get-ACL $newFolderFull
      $objACL.RemoveAccessRuleAll($accessControlEntryDefault)
      $objACL.AddAccessRule($accessControlEntryRW)
      $objACL.AddAccessRule($accessControlEntryR)
      Set-ACL $newFolderFull $objACL

      To accomplish your task, which sounds to me like a perfect fit for the script, should be straightforward.

      I would begin by creating a script that creates a folder, removes inheritance, and sets an ACL entry.

      You can do that on pretty much any platform of Windows.

      Once you have the basic concept down, you can add additional ACL rules.

      Once you are happy the rules are applied correctly, ie the right groups get the right permissions, add in a sub folder and try to amend those permissions.

      I will also send you an email with an example.


© 4sysops 2006 - 2019