PowerShell: Set ACL

# setAcl-v0.01.ps1
#
# What this script does:
# 1. Set permissions on a set of "destination folders" for a "translated principal" (expecting cross-domain user accounts); the CSV column is named translatedPrinciple
#
# Requirements:
# 1. CSV file with these headings:
# a. destinationFolder
# b. translatedPrinciple
# c. permissions

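$scriptName=$MyInvocation.MyCommand.Path
# $MyInvocation.MyCommand.Path is empty when these lines are pasted into a console or
# dot-sourced interactively, and Split-Path then throws on an empty path. Fall back to
# the current directory so $errorLogPath still resolves to a usable location.
if ($scriptName) {
    $scriptPath=Split-Path -Path $scriptName
} else {
    $scriptPath=(Get-Location).Path
}
# Input CSV (destinationFolder, translatedPrinciple, permissions) and the error log written next to the script.
$permissionsFile="C:\scripts\setPermissions.csv";
$errorLogPath="$scriptPath\setAcl-processing-errors.txt"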

<# Unit Test
$permissionsFile="C:\scripts\setPermissions-scrubbed.csv"

# import and return the data
$Result = Get-Content -Path $permissionsFile | Where {$_ -notmatch "^[,]+$"}
$reverse=$true
if ($Reverse) {
$Result | ForEach-Object {$Header += "$($_.Split(',')[0]),"; $Content += "$($_.Split(',')[1]),"}
$Result = "$Header`n$Content"
}

$Obj = $Result | ConvertFrom-Csv
Write-Output $Obj[0]
Write-Output $result[0]
#>

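# Import NTFS Security module
#
# Makes the NTFSSecurity module (PowerShell Gallery) available in the session so that
# Add-NTFSAccess can be called. Installs it when it is not present. Produces no output;
# a failure is reported with Write-Host only, so callers must check for Add-NTFSAccess
# themselves if they need to be sure.
function importNtfsSecurity{
    try{
        # Get-Module -ListAvailable finds the module however it was installed and stays
        # silent when it is absent, unlike Get-InstalledModule which writes an error.
        if (!(Get-Module -ListAvailable -Name NTFSSecurity)) {
            # Install-Module needs the NuGet provider; bootstrap it first. The repository
            # is named explicitly so the install does not depend on whichever repositories
            # happen to be registered on the host.
            Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
            Install-Module -Name NTFSSecurity -Repository PSGallery -Force
        }
        # The original imported only right after installing, so an already-installed
        # module was never loaded into the session. Import unconditionally.
        Import-Module NTFSSecurity -Force -ErrorAction Stop
    }
    catch{
        write-host "NTFS Security module is required and couldn't be imported automatically. Please install it before proceeding."
    }
}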

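# Applies every row of a permissions CSV (destinationFolder, translatedPrinciple,
# permissions) with Add-NTFSAccess and appends failures to $errorLogPath.
#
# Arguments:
#   $permissionsFile - path to the CSV
#   $errorLogPath    - file that receives one line per failed row
# Outputs progress with Write-Host only; nothing is returned.
function setAclFromCsv{
    param(
        $permissionsFile,
        $errorLogPath
    )

    # Import the permissions list into $GLOBAL:importFile (kept for compatibility with
    # callers that read it) and also return it.
    Function importPermissionsList{
        try{
            # The original passed "-eq SilentlyContinue", which Test-Path rejects as an
            # unknown parameter; -ErrorAction is what was intended.
            if(test-path -Path $permissionsFile -ErrorAction SilentlyContinue){
                $GLOBAL:importFile=Import-Csv -Path $permissionsFile -UseCulture
                return $GLOBAL:importFile
            }else{
                write-host "Please set the CSV file location in the Variables section."
                return $null
            }
        }
        catch{
            # 'break' here would try to leave a non-existent loop; just report and return.
            write-host "Cannot import the file";
            return $null
        }
    }

    # Applies one ACE. Returns $true when an error was logged, $false on success.
    Function setPermissions{
        param(
            $object,
            $identity,
            $permissions
        )
        try{
            # Call the cmdlet directly rather than building a command string for
            # Invoke-Expression: a quote or ';' inside a CSV value would otherwise be
            # executed as PowerShell. $permissions is passed as the same string form the
            # original used (e.g. "Traverse,ListDirectory"); the cmdlet converts it.
            # Output is discarded so it cannot pollute this function's boolean result.
            $null = Add-NTFSAccess -Path $object -Account $identity -AccessRights $permissions -ErrorAction Stop
            $progressMessage="$permissions for $identity has been set on $object"
            Write-Host $progressMessage;
            return $false;
        }
        catch{
            # Separator added between the path and the message; the original ran them together.
            $errorMsg = (Get-Date -Format g)+": "+$object+" - "+$_.Exception.Message+".. ";
            Add-Content -Path $errorLogPath -Value $errorMsg;
            write-host "$errorMsg";
            return $true;
        }
    }

    # Loads the module and the CSV, then applies each row.
    Function processList{
        importNtfsSecurity;
        $rows = importPermissionsList;
        $errorFlag=$False;

        # foreach over $null runs zero times, so a missing file simply produces no work.
        foreach ($line in $rows){
            $folder=$line.destinationFolder;
            $principle=$line.translatedPrinciple;
            $permissions=$line.permissions;
            # Rows with a blank folder or account cannot be applied; report and move on.
            if ([string]::IsNullOrWhiteSpace($folder) -or [string]::IsNullOrWhiteSpace($principle)) {
                write-host "Skipping row with empty destinationFolder or translatedPrinciple";
                $errorFlag=$True;
                continue;
            }
            # The original assigned the flag each iteration, so only the last row decided
            # whether the summary was shown. Accumulate instead.
            if (setPermissions -object $folder -identity $principle -permissions $permissions) {
                $errorFlag=$True;
            }
        }
        if ($errorFlag){write-host "We have encountered some errors and a log has been generated at this location '$errorLogPath'."}
    }
    processList;
}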

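# Setting permissions on individual item(s) without outputting a log
#
# Arguments:
#   $object      - file or folder path
#   $identity    - account the ACE is granted to
#   $permissions - access rights, e.g. "Traverse,ListDirectory"
#   $scope       - optional -AppliesTo value; omitted from the call when empty
# Shows the call it is about to make, waits for a key press, then runs it.
Function setAclOnObject{
    param(
        $object,
        $identity,
        $permissions,
        $scope
    )
    if (!(get-command Add-NTFSAccess -ea SilentlyContinue)){importNtfsSecurity}
    try{
        # Splat the arguments and call the cmdlet directly. The original built a command
        # string for Invoke-Expression, so a quote or ';' in any argument was executed as
        # code, and an empty $scope produced "-AppliesTo -ErrorAction", a parse error.
        $aclArgs = @{
            Path         = $object
            Account      = $identity
            AccessRights = $permissions
            ErrorAction  = 'Stop'
        }
        if (-not [string]::IsNullOrWhiteSpace($scope)) { $aclArgs['AppliesTo'] = $scope }
        # Display what will run, so the operator can abort at the pause.
        $expression="Add-NTFSAccess -Path '$object' -Account '$identity' -AccessRights '$permissions'"
        if ($aclArgs.ContainsKey('AppliesTo')) { $expression+=" -AppliesTo $scope" }
        $expression+=" -ErrorAction Stop"
        write-host "Verify the expression:`r`n$expression";
        pause;
        $null = Add-NTFSAccess @aclArgs
        $progressMessage="$permissions for $identity has been set on $object"
        Write-Host $progressMessage;
    }
    catch{
        $errorMsg = (Get-Date -Format g)+": "+$object+" - "+$_.Exception.Message+".. ";
        write-host "$errorMsg";
    }
}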

# Test with input from a CSV file
# Print the ready-to-paste invocation for the CSV-driven mode.
@(
    "Run one of these commands:",
    "setAclFromCsv -permissionsFile $permissionsFile -errorLogPath $errorLogPath"
) | ForEach-Object { write-host $_ }

<#
# Test with setting permissions on a single directory
$object="C:\temp";
$permissions="Traverse,ListDirectory"; # This is the base requirements for allowing users the ability to traverse directories
$identity="$($env:USERDNSDOMAIN)\Domain Users";
$scope="ThisFolderAndSubfolders"
write-host "setAclOnObject -object '$object' -identity '$identity' -permissions '$permissions' -scope $scope";
#>

# Expected output
# Traverse,ListDirectory for INTRANET.KIMCONNECT.COM\Domain Users has been set on C:\Scripts
