Assign group permissions on folders using Powershell via CSV

    • #1091924
      Phil Themel
      Participant
      Member Points: 186
      Rank: 2

      We are working on a new permission concept. We created different security groups, depending on the department.

      For example:

      Finance_List, Finance_Read, Finance_ReadWrite
      Controlling_List, Controlling_Read, Controlling_ReadWrite
      Planning_List, Planning_Read, Planning_ReadWrite

      Now I am searching for a script to automate the process for setting GroupPermissions on specific Folders.

      Example:
      Folder Finance:
      Disable Inheritance and then set new permissions and replace them to all files and subfolders:

      Group Finance_List (List Folder), Group Finance_Read (Read), Group Finance_ReadWrite (Modify)


      CSV Example (Folderpath and the 3 GroupPermissions per Folder):

      \\cifs\Finance;Finance_List;Finance_Read;Finance_ReadWrite

      I have 300 security groups and 100 folders.

      Any help would be much appreciated.

      Thank You!

    • #1091946
      Leos Marek
      Moderator
      Member Points: 23,414
      Author of the Year 2020, Author of the Year 2021
      Rank: 4

      Hello,

      I know how to add permissions, but struggle a bit on how to remove them using PowerShell. An alternative solution is to use the xcacls.exe, icacls.exe or subinacl.exe tools.

      I'll check on the removal part a bit later if you don't mind.

      Just a curiosity question – why would you need someone just to list? What is it good for to know what's inside a folder and not be able to read it?

      • #1097416
        Phil Themel
        Participant
        Member Points: 186
        Rank: 2

        Isn’t it necessary to give “List” permission to users who want to navigate to subfolders?

        Example:

        USER A has permissions to S:\Finance\Budget\MarketingBudget, but nothing else.

        I assumed that if he has no “List” Permission he doesn’t see the “MarketingBudget” Folder because he has no permissions for S:\Finance\Budget.


        • #1097531
          Leos Marek
          Moderator
          Member Points: 23,414
          Author of the Year 2020, Author of the Year 2021
          Rank: 4

          I don't understand your sentence about

          USER A has permissions to S:\Finance\Budget\MarketingBudget, but nothing else.

          I assumed that if he has no “List” Permission he doesn’t see the “MarketingBudget” Folder because he has no permissions for S:\Finance\Budget.

          If you grant him permissions only to MarketingBudget, he will be able to access the folder with the path S:\Finance\Budget\MarketingBudget, but he will not be able to go a folder higher.

          By default, if you assign only List folder contents like this, you can then see in Advanced that it only applies to folders and not files. That means I can list the folder but can't open any file.

          While if you also add Read + Read&Execute, the final result applies also to files, so I will be able to read/execute the files.

          For your other question – to set up the permissions you can install the module on a single computer only and set up the permissions; it's a one-time action.

        • #1098048
          Phil Themel
          Participant
          Member Points: 186
          Rank: 2

          If someone has the network drive S:\ with “WRITE” permission to S:\Finance\Budget,

          how would he be able to navigate to S:\Finance\Budget without a “LIST” permission on Finance?

        • #1098269
          Leos Marek
          Moderator
          Member Points: 23,414
          Author of the Year 2020, Author of the Year 2021
          Rank: 4

          By entering S:\Finance\Budget in Explorer. You don't need any permissions on the parent folder.

          But if you want the user to be able to click inside the folders, then they need at least List folder permission, that's correct.

          You may want to check out this post about ACE. It explains the basic concept pretty well.

    • #1091963
      Luc Fullenwarth
      Moderator
      Member Points: 16,106
      Rank: 4

      First, please note that you cannot set NTFS permissions on a share (for example \\cifs\Finance). This must be done on a local path.

      Besides that, there is a very good module by Raimund Andree named NTFSSecurity. It will really simplify your code.
      However, you need to install it on all the computers where you want to manage permissions.

      Install-Module -Name NTFSSecurity

      Your basic code could look like this:

      # Folders whose ACL should be replaced (local paths, see note above)
      $FolderList = @(
          'C:\Folder'
          'D:\AnotherFolder'
      )
      
      Import-Module -Name NTFSSecurity
      
      foreach($Folder in $FolderList){
          
          # Break inheritance and drop the ACEs that were inherited from the parent
          Disable-NTFSAccessInheritance -Path $Folder -RemoveInheritedAccessRules
      
          # Explicit ACEs for the three department groups; each applies to the folder, its subfolders and files
          Add-NTFSAccess -Path $Folder -Account Finance_List -AccessRights ListDirectory -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
          Add-NTFSAccess -Path $Folder -Account Finance_Read -AccessRights ReadAndExecute -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
          Add-NTFSAccess -Path $Folder -Account Finance_ReadWrite -AccessRights ReadAndExecute,Write -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
      }

      This code is only doing what you asked for.
      But because you remove inheritance, I would advise adding the System account and the Administrators group with Full permissions too.

      Add-NTFSAccess -Path $Folder -Account 'NT AUTHORITY\SYSTEM' -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
      Add-NTFSAccess -Path $Folder -Account 'BUILTIN\Administrators' -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
      
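A CSV-driven version of the approach above, added here as an example; it is not Luc's code and not part of the NTFSSecurity module. It reads the OP's header-less, semicolon-delimited CSV format (a constructed two-line sample is written if the file is missing), breaks inheritance, keeps SYSTEM and Administrators, grants the three groups, then resets the children and prints the effective rights of each group for verification. Assumptions not in the thread: the groups live in a domain whose NetBIOS name is in `$Domain` (`CORP` is a placeholder), the "List" group gets ReadAndExecute applied to folders only (which is what the GUI's "List folder contents" is) instead of the bare ListDirectory right, and the ReadWrite group gets Modify, as the original question asked, rather than ReadAndExecute,Write.

```powershell
#Requires -Modules NTFSSecurity
# Added example (not from the original post). Applies folder permissions from a
# header-less ';'-delimited CSV: Path;ListGroup;ReadGroup;ModifyGroup
param(
    [string]$CsvPath = '.\folder-permissions.csv',
    [string]$Domain  = 'CORP'   # placeholder NetBIOS domain name (assumption)
)

$ErrorActionPreference = 'Stop'
Import-Module -Name NTFSSecurity

# Constructed sample input in the same format as the OP's CSV line.
if (-not (Test-Path -LiteralPath $CsvPath)) {
    @'
\\cifs\Finance;Finance_List;Finance_Read;Finance_ReadWrite
\\cifs\Controlling;Controlling_List;Controlling_Read;Controlling_ReadWrite
'@ | Set-Content -Path $CsvPath -Encoding UTF8
}

$rows = Import-Csv -Path $CsvPath -Delimiter ';' -Header Path, ListGroup, ReadGroup, ModifyGroup

foreach ($row in $rows) {
    $folder = $row.Path
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Skipping '$folder': not found or not a folder."
        continue
    }

    # 1. Break inheritance and drop inherited ACEs so the ACL is exactly what follows.
    Disable-NTFSAccessInheritance -Path $folder -RemoveInheritedAccessRules

    # 2. Keep SYSTEM and the local Administrators group; without inheritance,
    #    backup, antivirus and admins would otherwise lose access.
    Add-NTFSAccess -Path $folder -Account 'NT AUTHORITY\SYSTEM'   -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
    Add-NTFSAccess -Path $folder -Account 'BUILTIN\Administrators' -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles

    # 3. The three department groups from this CSV row.
    #    List = ReadAndExecute on this folder and subfolders only (no files),
    #    i.e. the GUI's "List folder contents".
    Add-NTFSAccess -Path $folder -Account "$Domain\$($row.ListGroup)"   -AccessRights ReadAndExecute -AccessType Allow -AppliesTo ThisFolderAndSubfolders
    Add-NTFSAccess -Path $folder -Account "$Domain\$($row.ReadGroup)"   -AccessRights ReadAndExecute -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
    #    Modify includes Delete, which ReadAndExecute + Write does not.
    Add-NTFSAccess -Path $folder -Account "$Domain\$($row.ModifyGroup)" -AccessRights Modify -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles

    # 4. "Replace on all subfolders and files": every child inherits again and
    #    loses its own explicit ACEs, so only the ACL written above applies below.
    Get-ChildItem -LiteralPath $folder -Recurse -Force |
        Enable-NTFSAccessInheritance -RemoveExplicitAccessRules

    # 5. Verify: resulting ACEs plus the effective rights of each group.
    Get-NTFSAccess -Path $folder | Format-Table Account, AccessRights, AppliesTo -AutoSize
    foreach ($g in $row.ListGroup, $row.ReadGroup, $row.ModifyGroup) {
        $eff = Get-NTFSEffectiveAccess -Path $folder -Account "$Domain\$g"
        '{0,-40} {1}' -f "$Domain\$g", $eff.AccessRights
    }
}
```

Run it once from a machine that has the NTFSSecurity module and a UNC path (or mapped drive) to the folders; step 4 is what makes the script safe to re-run, because each run ends with the children carrying only what the top-level folder grants.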
      • #1097422
        Phil Themel
        Participant
        Member Points: 186
        Rank: 2

        First of all thank you very much for your response!

        Does that mean I need to install the module on all 200 PCs in our company network manually?

        Or is it possible to install it on the server side?

        • #1099708
          Luc Fullenwarth
          Moderator
          Member Points: 16,106
          Rank: 4

          @phil

          You can use the NTFSSecurity module remotely and it even works through shares.
          However, it will not resolve local SIDs to account names.

      • #1098322
        Phil Themel
        Participant
        Member Points: 186
        Rank: 2

        Currently our data is stored on a CIFS share on NetApp.

        Therefore we have no local folder path from the Windows side.

        Or does Windows recognise the shares as local path, if they are mapped through a network drive (eg S:\)?


        Or do you know if it's possible to set those permissions on CIFS shares or directly on NetApp?

        • #1098462
          Leos Marek
          Moderator
          Member Points: 23,414
          Author of the Year 2020, Author of the Year 2021
          Rank: 4

          It doesn't matter if it's the \\netapp\yourshare\ UNC path or S:\ pointing to \\netapp\yourshare\. The mapped S: drive is just there to make the share look like a drive for easier navigation. S:\finance\budget is the same as \\netapp\yourshare\finance\budget.

          From the NTFS point of view it is the same as if it were a C:\temp folder.

          Sorry, but I don't know NetApp enough to help you :)
        • #1099714
          Luc Fullenwarth
          Moderator
          Member Points: 16,106
          Rank: 4

          @phil

          The NTFSSecurity module may not work with NetApp because it has been developed for Windows Systems.

          However, you can try installing PowerShell Core on the NetApp if you are able to access the operating system with administrative privileges…

        • #1099719
          Leos Marek
          Moderator
          Member Points: 23,414
          Author of the Year 2020, Author of the Year 2021
          Rank: 4

          I haven't tried, but I would say it does not matter whether the share is on NetApp or elsewhere. If it's an NTFS filesystem and he has the share mapped as the S: drive, then this would work, I guess:

          Add-NTFSAccess -Path "S:\folder"

          Easiest way is to try, Phil 🙂
    • #1091979
      Leos Marek
      Moderator
      Member Points: 23,414
      Author of the Year 2020, Author of the Year 2021
      Rank: 4

      For an SMB share there is a simple command that will do the job.

      New-SmbShare -Name "MES_DATA" -Path "H:\MES_DATA" -ReadAccess "authenticated users" -FullAccess "administrators" | Out-Null
      

      Another way to achieve the goal is to use GPO. It will take a bit more work to set up, but it is more sustainable, as the GPO is applied periodically while the script is usually a one-time action.

      • #1091991
        Luc Fullenwarth
        Moderator
        Member Points: 16,106
        Rank: 4

        @gibon

        Keep in mind that SMB permissions and NTFS permissions are different.
        You have to set both.
        And the command you provided is for new shares.
        To set permissions on existing shares we must use Revoke-SmbShareAccess to remove permissions and Grant-SmbShareAccess to add permissions.
        However, best practices are to keep the following basic permissions on every share:

        • Administrators : Full
        • Everyone : Change

        You can then fine tune NTFS permissions because they are mutually exclusive with SMB permissions.

        For example,  if your group or account has NTFS Read permissions, your global permission will only be Read permissions even if you have SMB Full permissions.

        • #1092001
          Leos Marek
          Moderator
          Member Points: 23,414
          Author of the Year 2020, Author of the Year 2021
          Rank: 4

          Yes, I'm of course aware of the fact that you need to set up both and how it works :).

          Honestly, I never use Everyone. The minimum security best practice is to use Authenticated Users.
        • #1092013
          Luc Fullenwarth
          Moderator
          Member Points: 16,106
          Rank: 4

          Depending on your environment, Authenticated Users should work 99% of the time.
          I agree with you on the principle of least privilege 🙂
          Good point Leos!

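A PowerShell example, added here and not posted by either participant, that does what Luc describes for an existing share and follows Leos's point about Authenticated Users: it strips every share-level entry that is not on the wanted list (Everyone included) and every Deny entry with Revoke-SmbShareAccess / Unblock-SmbShareAccess, then grants Administrators Full and Authenticated Users Change with Grant-SmbShareAccess. NTFS permissions are left alone, since the effective permission through the share is the more restrictive of the share and NTFS ACLs. Assumptions: it runs locally on the file server with administrative rights, and the share name `MES_DATA` is reused from the post above as a placeholder.

```powershell
# Added example (not from the original post). Sets the share-level ACL of an
# EXISTING SMB share to a fixed baseline and removes everything else.
param(
    [string]$ShareName = 'MES_DATA'   # placeholder, reused from the post above
)

$ErrorActionPreference = 'Stop'

# Baseline share permissions; NTFS does the fine-grained work.
$desired = @{
    'BUILTIN\Administrators'           = 'Full'
    'NT AUTHORITY\Authenticated Users' = 'Change'
}

if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    throw "Share '$ShareName' does not exist on this host."
}

# Current share ACL: one entry per account with AccessControlType Allow/Deny.
$current = Get-SmbShareAccess -Name $ShareName

foreach ($ace in $current) {
    if ($ace.AccessControlType -eq 'Deny') {
        # A share-level Deny overrides whatever NTFS grants and is easy to overlook.
        Write-Host "Removing Deny for $($ace.AccountName)"
        Unblock-SmbShareAccess -Name $ShareName -AccountName $ace.AccountName -Force | Out-Null
    }
    elseif (-not $desired.ContainsKey($ace.AccountName)) {
        # e.g. 'Everyone' from the default share ACL
        Write-Host "Revoking $($ace.AccessRight) for $($ace.AccountName)"
        Revoke-SmbShareAccess -Name $ShareName -AccountName $ace.AccountName -Force | Out-Null
    }
}

# Grant the baseline. Granting again for an account that already has an
# Allow entry updates that entry, so the script can be re-run safely.
foreach ($account in $desired.Keys) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $account -AccessRight $desired[$account] -Force | Out-Null
}

# Verify the result.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

To apply it to many shares, pipe `Get-SmbShare | Where-Object { -not $_.Special }` into a loop over `$_.Name`; the `Special` filter skips the administrative shares such as C$ and ADMIN$, whose ACLs should not be touched.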
    • #1100600
      Phil Themel
      Participant
      Member Points: 186
      Rank: 2

      I tried it now and…

      EVERYTHING WORKS PERFECT!

      It really does not matter if the share is on NetApp or anywhere else. It works.

      Thank you Luc for your Code and Leos for your great Support!

© 4sysops 2006 - 2022