I was looking around to understand how to chmod (change permissions of a file) a file on Windows 7 Power Shell. So I have found different (wired for me, because I am used to simple chmod command) code snippets and wondering would't it be simple to wrap that wired commands in a chmod function and write it on in a $profile file of Power Shell. I guess this is what many ex-linux shell, but now power shell users would like to have for changing permissions of a file.
I am new to Power Shell. Please help me with the code.
Here is an example with the native way, using ACL and ACE. You have to build your own functions arround that.
# Get the Access Control List from the file
# Be careful $acl is more a security descriptor with more information than ACL
$acl = Get-Acl "c:\temp\test.txt"
# Show here how to refer to useful enumerate values (see MSDN)
$Right = [System.Security.AccessControl.FileSystemRights]::FullControl
$Control = [System.Security.AccessControl.AccessControlType]::Allow
# Build the Access Control Entry ACE
# Be careful you need to replace "everybody" by the user or group you want to add rights to
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule ("everybody", $Right, $Control)
# Add ACE to ACL
$acl.AddAccessRule($ace)
# Put ACL to the file
Set-Acl "c:\temp\test.txt" $acl
(Get-Acl "c:\temp\test.txt").access
Read-Host "--------- Test Here --------------"
# Remove ACE from ACL
$acl.RemoveAccessRule($ace)
Set-Acl "c:\temp\test.txt" $acl
(Get-Acl "c:\temp\test.txt").access
Look at the following:
Set-Acl - Run Get-Help Set-Acl -Full
attrib.exe - Standard Windows tool for setting file attributes. Not Powershell-specific, but of course still works in Powershell.
icacls.exe - Standard Windows tool for setting ACLs. Not Powershell-specific, but of course still works in Powershell.
Source: http://www.cs.wright.edu/~pmateti/Courses/233/Labs/Scripting/bashVsPowerShellTable.html
Just do a web search for chmod powershell.
Related
I am trying to change permissions on a file through Powershell, and am having trouble figuring out how to get this to work.
$path1 = "\\somepath1\somefile1"
$path2 = "\\somepath2\somefile2"
$acl = Get-Acl $path1
$access_rule = New-Object System.Security.AccessControl.FileSystemAccessRule("User","Write","ContainerInherit,ObjectInherit","None","Deny")
$acl.SetAccessRule($access_rule)
$acl | Set-Acl $path2
"User" is a specified usergroup, of many users, and is called something different in the actual code. This throws two errors:
Exception calling "SetAccessRule" with "1" argument(s): Some or all identity references could not be translated."
Set-Acl : Some or all identity references could not be translated.
Then, I try to dumb the code down, essentially trying to copy permissions of one file to another:
$path1 = "\\somepath1\somefile1"
$path2 = "\\somepath2\somefile2"
Get-Acl -Path $path1 | Set-Acl -Path $path2
Even this throws an error:
Set-Acl : Some or all identity references could not be translated.
If I understand these errors correctly, then my "User" is not being properly defined. I try to get the "User" info by running the Get-ADUser cmdlet, but the ActiveDirectory module must not be installed, because I receive this error:
Get-ADUser : The term 'Get-AdUser' is not recognized as the name of a cmdlet,.........
My main question now, is how can I get the user SID information to properly change the permissions on the file? Am I missing a step somewhere? Is there a better way to change file permissions? Can I even try to change permissions for a group? I have hit a wall trying to find a solution, lol.
I have looked at the following sources for help:
link
link
link
link
link
link
link
link
I need to change a lot of sub folders's ACL rights. The folders all have the same name "06 - Offers". I've found a powershell command to "copy past" the acl rights from one folder to another. I wonder if anybody here can point me in the right direction to automate this?
It would need to search in a defined folder and change all the access rights for a specific folder in each of it's sub folders (if that makes sense).
(Get-Item 'C:\testfolder').GetAccessControl("Access") | Set-Acl -Path 'D:\realfolder'
So for example we have the folders:
D:\project\project1\06offers
D:\project\project2\06offers
d:\project\project3\06offers
etc...
And all the 06offers folders need the exact same ACL rights.
With this you should be able to create a solution which fits for you:
#Get "example" rights
$PathToExampleFolder = "PathToFile"
$MasterACL = (Get-Item $PathToExampleFolder).GetAccessControl("Access")
#Search all folders
$Folders = Get-ChildItem -Path "PathWhereTheFoldersAre" -Recurse -Filter "06offers"
#Set ACL
foreach ($folder in $Folders) {
Set-Acl -Path $folder.Fullname -AclObject $MasterACL
}
I am looking to automate the tasks like providing access to a new user on shared path through Microsoft Computer management console compmgmt.msc in windows server 2003. I am looking for power shell cmdlets for the same. Can someone please direct me to a place where I can find these.
Thanks,
Sambhav
On W2K3 you only have PSv1 or 2 and their supported .Net libraries. So you are stuck with those.
Providing access though is just setting permissions, manually or via code. You don't use PS to control the Compmgmt.msc. PS, goals really don't include GUI management.
You can grant permissions on a share, via automation, with no reason to touch a GUI.
The PSv2 (assuming you've got that on the boxes), you only have thee cmdlets
https://social.technet.microsoft.com/wiki/contents/articles/13876.powershell-2-0-cmdlets.aspx
So, from that list it is the...
Get-Acl
Set-Acl
… cmdlets you are after.
Otherwise, the below can show a different approach.
How can I set SHARE permissions using powershell v2.0?
https://social.technet.microsoft.com/Forums/ie/en-US/7fd11f99-c45b-4e8f-acb1-bd7df870a811/how-can-i-set-share-permissions-using-powershell-v20
#Creating Security Descriptor
$sd = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
#Creating ACE for Authenticated Users and setting it to Security Descriptor
[System.Security.Principal.NTAccount]$account="NT Authority\Authenticated Users"
[INT]$rights='1179817'
$ace = Create-WMIAce $account $rights
$sd.DACL += #($ace.psobject.baseobject) # append
$sd.ControlFlags="0x4" # set SE_DACL_PRESENT flag
#Creating ACE for Administrators and setting it to Security Descriptor
[System.Security.Principal.NTAccount]$account="BUILTIN\Administrators"
[System.Security.AccessControl.FileSystemRights]$rights='FullControl'
$ace = Create-WMIAce $account $rights
$sd.DACL += #($ace.psobject.baseobject) # append
$sd.ControlFlags="0x4" # set SE_DACL_PRESENT flag
#Setting Share Permissions
$Share = gwmi win32_share -filter "name='ShareName'"
$Share.SetShareInfo($Share.MaximumAllowed,$Share.Description,$SD)
I have a share with a file structue like so
Public ( no restrictions )
Sales ( only sales people have access )
Production ( Production only has access to this )
I created the permissions, but if someone creates a new folder in there, the permissions on that new folder is not the same as the parrent, Is there a way to force permissions ( or even a script I could run to re-set the permissions nightly )
This can be done through the GUI as a once off - click the Advanced button on the Security tab in the folder properties, and make you've disabled inheritance on your main sub folders, and then check to ensure any custom security settings apply to "this folder, sub folders and files". You may also need to check "replace all child object permissions ..." as well.
From the command prompt, you can use the command "icacls" which is really powerful and is what I tend to use when configuring permissions like this.
as u suggested, I wrote below script. Hope it could help
$folders = Get-ChildItem -Path $share -Directory
foreach ($folder in $folders)
{
$acl = Get-Acl $folder
Get-ChildItem $folder -Recurse | %{Set-Acl -Path $_.FullName -AclObject $acl}
}
I wanted to use WScript.Shell object to secure a registry path , e.g HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Registration\UserProfile.
So the objective is that , create a new permission for 'everyone' , and deny the following: Delete , Create SubKeys etc.
Googled a lot , and didn't get a deal on my specific problem , could anyone give me a hint on this point ? Thanks !
maybe this can help
$acl = Get-Acl "HKLM:\SOFTWARE\Business Objects\Registration\UserProfile"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("mycomp\everyone","FullControl","Allow") # or deny...
$acl.SetAccessRule($rule)
$acl |Set-Acl -Path "HKLM:\SOFTWARE\Business Objects\Registration\UserProfile"
To add or remove an access rule you need to create the rule as an object of type RegistryAccessRule, and then either create or remove the rule from the ACL with the SetAccessRule() or RemoveAccessRule() methods
Just for have another example: Set-ACL on registry key