I am trying to change permissions on a file through Powershell, and am having trouble figuring out how to get this to work.
$path1 = "\\somepath1\somefile1"
$path2 = "\\somepath2\somefile2"
$acl = Get-Acl $path1
$access_rule = New-Object System.Security.AccessControl.FileSystemAccessRule("User","Write","ContainerInherit,ObjectInherit","None","Deny")
$acl.SetAccessRule($access_rule)
$acl | Set-Acl $path2
"User" is a specified usergroup, of many users, and is called something different in the actual code. This throws two errors:
Exception calling "SetAccessRule" with "1" argument(s): Some or all identity references could not be translated."
Set-Acl : Some or all identity references could not be translated.
Then, I try to dumb the code down, essentially trying to copy permissions of one file to another:
$path1 = "\\somepath1\somefile1"
$path2 = "\\somepath2\somefile2"
Get-Acl -Path $path1 | Set-Acl -Path $path2
Even this throws an error:
Set-Acl : Some or all identity references could not be translated.
If I understand these errors correctly, then my "User" is not being properly defined. I try to get the "User" info by running the Get-ADUser cmdlet, but the ActiveDirectory module must not be installed, because I receive this error:
Get-ADUser : The term 'Get-AdUser' is not recognized as the name of a cmdlet,.........
My main question now, is how can I get the user SID information to properly change the permissions on the file? Am I missing a step somewhere? Is there a better way to change file permissions? Can I even try to change permissions for a group? I have hit a wall trying to find a solution, lol.
I have looked at the following sources for help:
link
link
link
link
link
link
link
link
Related
I want to create a new SMB Share for every folder in a directory under windows, have the smb share name be the same as the folder name and set the account "Everyone" with "Full Acess" for the share permission (so not the NTFS permissions)
So for example I have the following folders
Folder1
Folder2
Folder3
And the share names should then be named adequately, so Folder1, Folder2, Folder3
I know how to create a single smb share and set a local user with full access with the following:
New-SmbShare -name "Test" -path "D:\Test" -FullAccess "TestServer\TestAccount"
Where I currently fail is to somehow get all the folder names and create a share accordingly. Also, I don't know how to tell PowerShell the account "Everyone".
EDIT:
When I try it as you mentioned, I get the following error
New-SmbShare: The trust relationship between this workstation and the primary domain failed.
At line:2 char:1
+ New-SmbShare -Name $_.Name -Path $._FullName -FullAccess Everyone
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (MSFT_SMBShare:ROOT/Microsoft/Windows/SMB/MSFT_SMBShare) [New-SmbShare], CimException
+ FullyQualifiedErrorId : Windows System Error 1789,New-SmbShare
Since I can set the permission for this group manually, I dont know why I here would need access to the domain.
I know that the Well-Known SID "World" or "Everyone" has the String Value S-1-1-0, maybe you have to replace "-FullAccess Everyone" with "FullAccess S-1-1-0"? But that didn't work for me..
Source:
https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
EDIT2
OS is in german, so I have to change "Everyone" to the german counterpart (="Jeder")
Use Get-ChildItem -Directory to enumerate all the folders:
Get-ChildItem path\to\root\directory -Directory |ForEach-Object {
New-SmbShare -Name $_.Name -Path $_.FullName -FullAccess Everyone
}
To generate the correct translation of Everyone regardless of OS language, use its well-known SID:
$everyoneSID = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$everyoneName = $everyoneSID.Translate([System.Security.Principal.NTAccount]).Value
Get-ChildItem path\to\root\directory -Directory |ForEach-Object {
New-SmbShare -Name $_.Name -Path $_.FullName -FullAccess $everyoneName
}
I need to change a lot of sub folders's ACL rights. The folders all have the same name "06 - Offers". I've found a powershell command to "copy past" the acl rights from one folder to another. I wonder if anybody here can point me in the right direction to automate this?
It would need to search in a defined folder and change all the access rights for a specific folder in each of it's sub folders (if that makes sense).
(Get-Item 'C:\testfolder').GetAccessControl("Access") | Set-Acl -Path 'D:\realfolder'
So for example we have the folders:
D:\project\project1\06offers
D:\project\project2\06offers
d:\project\project3\06offers
etc...
And all the 06offers folders need the exact same ACL rights.
With this you should be able to create a solution which fits for you:
#Get "example" rights
$PathToExampleFolder = "PathToFile"
$MasterACL = (Get-Item $PathToExampleFolder).GetAccessControl("Access")
#Search all folders
$Folders = Get-ChildItem -Path "PathWhereTheFoldersAre" -Recurse -Filter "06offers"
#Set ACL
foreach ($folder in $Folders) {
Set-Acl -Path $folder.Fullname -AclObject $MasterACL
}
I have a share with a file structue like so
Public ( no restrictions )
Sales ( only sales people have access )
Production ( Production only has access to this )
I created the permissions, but if someone creates a new folder in there, the permissions on that new folder is not the same as the parrent, Is there a way to force permissions ( or even a script I could run to re-set the permissions nightly )
This can be done through the GUI as a once off - click the Advanced button on the Security tab in the folder properties, and make you've disabled inheritance on your main sub folders, and then check to ensure any custom security settings apply to "this folder, sub folders and files". You may also need to check "replace all child object permissions ..." as well.
From the command prompt, you can use the command "icacls" which is really powerful and is what I tend to use when configuring permissions like this.
as u suggested, I wrote below script. Hope it could help
$folders = Get-ChildItem -Path $share -Directory
foreach ($folder in $folders)
{
$acl = Get-Acl $folder
Get-ChildItem $folder -Recurse | %{Set-Acl -Path $_.FullName -AclObject $acl}
}
I was looking around to understand how to chmod (change permissions of a file) a file on Windows 7 Power Shell. So I have found different (wired for me, because I am used to simple chmod command) code snippets and wondering would't it be simple to wrap that wired commands in a chmod function and write it on in a $profile file of Power Shell. I guess this is what many ex-linux shell, but now power shell users would like to have for changing permissions of a file.
I am new to Power Shell. Please help me with the code.
Here is an example with the native way, using ACL and ACE. You have to build your own functions arround that.
# Get the Access Control List from the file
# Be careful $acl is more a security descriptor with more information than ACL
$acl = Get-Acl "c:\temp\test.txt"
# Show here how to refer to useful enumerate values (see MSDN)
$Right = [System.Security.AccessControl.FileSystemRights]::FullControl
$Control = [System.Security.AccessControl.AccessControlType]::Allow
# Build the Access Control Entry ACE
# Be careful you need to replace "everybody" by the user or group you want to add rights to
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule ("everybody", $Right, $Control)
# Add ACE to ACL
$acl.AddAccessRule($ace)
# Put ACL to the file
Set-Acl "c:\temp\test.txt" $acl
(Get-Acl "c:\temp\test.txt").access
Read-Host "--------- Test Here --------------"
# Remove ACE from ACL
$acl.RemoveAccessRule($ace)
Set-Acl "c:\temp\test.txt" $acl
(Get-Acl "c:\temp\test.txt").access
Look at the following:
Set-Acl - Run Get-Help Set-Acl -Full
attrib.exe - Standard Windows tool for setting file attributes. Not Powershell-specific, but of course still works in Powershell.
icacls.exe - Standard Windows tool for setting ACLs. Not Powershell-specific, but of course still works in Powershell.
Source: http://www.cs.wright.edu/~pmateti/Courses/233/Labs/Scripting/bashVsPowerShellTable.html
Just do a web search for chmod powershell.
I wanted to use WScript.Shell object to secure a registry path , e.g HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Registration\UserProfile.
So the objective is that , create a new permission for 'everyone' , and deny the following: Delete , Create SubKeys etc.
Googled a lot , and didn't get a deal on my specific problem , could anyone give me a hint on this point ? Thanks !
maybe this can help
$acl = Get-Acl "HKLM:\SOFTWARE\Business Objects\Registration\UserProfile"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("mycomp\everyone","FullControl","Allow") # or deny...
$acl.SetAccessRule($rule)
$acl |Set-Acl -Path "HKLM:\SOFTWARE\Business Objects\Registration\UserProfile"
To add or remove an access rule you need to create the rule as an object of type RegistryAccessRule, and then either create or remove the rule from the ACL with the SetAccessRule() or RemoveAccessRule() methods
Just for have another example: Set-ACL on registry key