How to make new subfolders inherent permissions ( windows server 2008 ) - windows

I have a share with a file structue like so
Public ( no restrictions )
Sales ( only sales people have access )
Production ( Production only has access to this )
I created the permissions, but if someone creates a new folder in there, the permissions on that new folder is not the same as the parrent, Is there a way to force permissions ( or even a script I could run to re-set the permissions nightly )

This can be done through the GUI as a once off - click the Advanced button on the Security tab in the folder properties, and make you've disabled inheritance on your main sub folders, and then check to ensure any custom security settings apply to "this folder, sub folders and files". You may also need to check "replace all child object permissions ..." as well.
From the command prompt, you can use the command "icacls" which is really powerful and is what I tend to use when configuring permissions like this.

as u suggested, I wrote below script. Hope it could help
$folders = Get-ChildItem -Path $share -Directory
foreach ($folder in $folders)
{
$acl = Get-Acl $folder
Get-ChildItem $folder -Recurse | %{Set-Acl -Path $_.FullName -AclObject $acl}
}

Related

apply folder rights to other folders powershell

I need to change a lot of sub folders's ACL rights. The folders all have the same name "06 - Offers". I've found a powershell command to "copy past" the acl rights from one folder to another. I wonder if anybody here can point me in the right direction to automate this?
It would need to search in a defined folder and change all the access rights for a specific folder in each of it's sub folders (if that makes sense).
(Get-Item 'C:\testfolder').GetAccessControl("Access") | Set-Acl -Path 'D:\realfolder'
So for example we have the folders:
D:\project\project1\06offers
D:\project\project2\06offers
d:\project\project3\06offers
etc...
And all the 06offers folders need the exact same ACL rights.
With this you should be able to create a solution which fits for you:
#Get "example" rights
$PathToExampleFolder = "PathToFile"
$MasterACL = (Get-Item $PathToExampleFolder).GetAccessControl("Access")
#Search all folders
$Folders = Get-ChildItem -Path "PathWhereTheFoldersAre" -Recurse -Filter "06offers"
#Set ACL
foreach ($folder in $Folders) {
Set-Acl -Path $folder.Fullname -AclObject $MasterACL
}

How to enable auditing on subfolders and files using powershell

I tried to enable the audit policy on folder using powershell script. But in my case the audit policy is not applied for subfolders and files within the folder which applied the audit policy.
I used the following code:
$TargetFolders = Get-Content C:\Input.txt
$AuditUser = "Everyone"
$AuditRules = "Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,Takeownership"
$InheritType = "ContainerInherit,ObjectInherit"
$AuditType = "Success"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$InheritType,"None",$AuditType)
foreach ($TargetFolder in $TargetFolders)
{
$ACL = Get-Acl $TargetFolder
$ACL.SetAuditRule($AccessRule)
Write-Host "Processing >",$TargetFolder
$ACL | Set-Acl $TargetFolder
}
Write-Host "Audit Policy applied successfully."
In Advanced security setting prompt prompt it also shows that
“apply onto: ‘this folder,subfolder and files.'”
but audit policy is not applied for the subfolders and files. when i tick on the following tick box.
“Replace all existing inheritable auditing entries on all descendants
with inheritable auditing entries from this object”
then it's applied on subfolders and files within it.
So how can I tick on this programatically (using powershell)?

How to get the Dropbox folder in Powershell in Windows

Same question exists for Python here: How can I get the Dropbox folder location programmatically in Python?, or here for OSX: How to get the location of currently logined Dropbox folder
Same thing in Powershell. I need the path of DropBox to copy files to it (building a software and then copying it to dropbox to share with team).
This Dropbox help page tells us where this info is stored, ie, in a json file in the AppData of the user: https://www.dropbox.com/help/4584
function GetDropBoxPathFromInfoJson
{
$DropboxPath = Get-Content "$ENV:LOCALAPPDATA\Dropbox\info.json" -ErrorAction Stop | ConvertFrom-Json | % 'personal' | % 'path'
return $DropboxPath
}
The line above is taken from: https://www.powershellgallery.com/packages/Spizzi.Profile/1.0.0/Content/Functions%5CProfile%5CInstall-ProfileEnvironment.ps1
Note that it doesn't check if you've got a Dropbox business account, or if you have both. It just uses the personal one.
You can then use this base Dropbox folder to build your final path, for example:
$targetPath = Join-Path -Path (GetDropBoxPathFromInfoJson) -ChildPath 'RootDropboxFolder\Subfolder1\Subfolder2'
if (-not (Test-Path -Path $targetPath)) { throw "Path '$targetPath' not found!" }
--
Alternative way is using the host.db file, as shown on this page:
http://bradinscoe.tumblr.com/post/75819881755/get-dropbox-path-in-powershell
$base64path = gc $env:appdata\Dropbox\host.db | select -index 1 # -index 1 is the 2nd line in the file
$dropboxPath = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($base64path)) # convert from base64 to ascii

How to change specific registry setting for another user in powershell

Goal:
To edit a specific registry key setting for a specific user, and no others, in powershell.
Known:
OS: Windows 8.1 Embedded Industry Pro (Same as Win 8.1, but with some embedded features)
I can do this manually on the target machine by opening REGEDIT, selecting HKU, then click on File Menu, click on Load Hive, navigate to the user's profile directory, e.g: c:\users\MrEd and when prompted, type in 'ntuser.dat' - import HKEY_CURRENT_USER. The Hive will be loaded into HKU where you can navigate and make necessary modifications.
Summary:
I have a powershell script that returns the SID of the specific user, but when used in context of the registry hive, the hive"is not found" -- so I'm guessing I must be missing a step? How does one "Load Hive" from Powershell? Or am I missing a special, magical, goats-entrails-on-keyboard incantation somewhere?
Param(
[string]$user= $null
)
Function GetSIDfromAcctName()
{
Param(
[Parameter(mandatory=$true)]$userName
)
$myacct = Get-WmiObject Win32_UserAccount -filter "Name='$userName'"
return $myacct.sid
}
if($user)
{
$sid = GetSIDfromAcctName $user
New-PSDrive HKU Registry HKEY_USERS
$myHiveEntry = Get-Item "HKU:\${sid}"
Write-Host "Key:[$myHiveEntry]"
}
Your existing code should work for a user whose hive is already loaded (like a currently logged in user), but it makes no attempt to load the hive.
I don't know of a way to make a programmatic call to load a hive, but you can shell out to reg.exe.
This ends up being kind of janky. It seems to have issues unloading the hive if it's in use anywhere, so I've put a bunch of crap in place in this sample to try to get rid of stuff that might be holding it open, but in my tests, it can take quite a while before the reg unload command is successful, hence the whole retry portion in the finally block.
This is super unpolished, I just whipped it up on the spot.
Function GetSIDfromAcctName()
{
Param(
[Parameter(mandatory=$true)]$userName
)
$myacct = Get-WmiObject Win32_UserAccount -filter "Name='$userName'"
return $myacct.sid
}
$user = 'someuser'
$sid = GetSIDfromAcctName -userName $user
$path = Resolve-Path "$env:USERPROFILE\..\$user\NTUSER.DAT"
try {
reg load "HKU\$sid" $path
#New-PSDrive -Name HKUser -PSProvider Registry -Root "HKEY_USERS\$sid"
#Get-ChildItem HKUser:\
Get-ChildItem Registry::\HKEY_USERS\$sid
} finally {
#Remove-PSDrive -Name HKUser
[System.GC]::Collect()
[System.GC]::WaitForPendingFinalizers()
$retryCount = 0
$retryLimit = 20
$retryTime = 1 #seconds
reg unload "HKU\$sid" #> $null
while ($LASTEXITCODE -ne 0 -and $retryCount -lt $retryLimit) {
Write-Verbose "Error unloading 'HKU\$sid', waiting and trying again." -Verbose
Start-Sleep -Seconds $retryTime
$retryCount++
reg unload "HKU\$sid"
}
}
This doesn't use a PS drive, but that code is in there too, commented out.
Note that if you don't name the hive mount point with the SID, you won't actually need the SID at all because you use the username to find the NTUSER.DAT file anyway.

Add group "Everyone" to directory and all of it's sub-directories

I'm currently using Vista 32-bit. How do I add the Windows security group "Everyone" and give full control to a directory and all of it's sub-directories and all files? Is there a powershell script that I could use?
Thanks!
I've expanded on martona's snippet and was able to give access to all folders and sub-folders. Here's my code -
$FilesAndFolders = gci "c:\data" -recurse | % {$_.FullName}
foreach($FileAndFolder in $FilesAndFolders)
{
#using get-item instead because some of the folders have '[' or ']' character and Powershell throws exception trying to do a get-acl or set-acl on them.
$item = gi -literalpath $FileAndFolder
$acl = $item.GetAccessControl()
$permission = "Everyone","FullControl","Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($rule)
$item.SetAccessControl($acl)
}
Sometimes the "native" PowerShell way isn't necessarily the best way. For something like this I would still use icacls.exe. Remember that good ol' exes work pretty good in PowerShell. Just cd to the directory you want to set and execute:
icacls $pwd /grant "Everyone":(OI)(CI)F
This will give Everyone full access to the current directory downwards (via permission inheritance). This should work as long as there are no explicit denials to Everyone in the dir structure.
$acl = Get-Acl c:\mydir
$permission = "Everyone","FullControl","Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($rule)
$acl | Set-Acl c:\mydir

Resources