We'll start with inheritance. Sometimes (for example, when creating folders for roaming profiles) we need to disable inheritance to prevent users from accessing other users' folders.
$acl = Get-Item $dir |get-acl
$acl.SetAccessRuleProtection($true,$true)
$acl |Set-Acl
First, we export the ACL to a variable; then SetAccessRuleProtection($true,$true) is where we actually manage inheritance. The first parameter turns protection from inheritance on ($true, inheritance disabled) or off ($false, inheritance enabled), while the second one manages the access control entries (ACEs): $true keeps the current ACEs, $false removes them so we start with new ones.
The third line simply applies our decisions.
Setting NTFS permissions
To set NTFS permissions, we first need to install the File System Security PowerShell Module.
To see the current NTFS permissions, type:
Get-Item "c:\1" | Get-NTFSAccess
To set permissions, we need to type:
Add-NTFSAccess -Path C:\1 -Account 'example\Authenticated Users' -AccessRights FullControl
To remove permissions:
Remove-NTFSAccess -Path "c:\1" -Account "example\domain users" -AccessRights FullControl
Inherited permissions cannot be removed.
To remove all NTFS permissions for an account:
Get-ChildItem -Path c:\1 -Recurse |
Get-NTFSAccess -Account "example\test group" -ExcludeInherited |
Remove-NTFSAccess
Get-ChildItem with the -Recurse switch processes files and folders recursively.
Setting ACE permissions
Flag combinations can be found on the Microsoft site:
https://msdn.microsoft.com/en-us/library/ms229747%28v=vs.110%29.aspx
From this table we can combine flags and apply them to folders, subfolders or files. For example, to set the ACE to Full control for a folder (the folder test has no subfolders):
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, None"
$PropagationFlags=[System.Security.AccessControl.PropagationFlags]"None"
$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"FullControl"
# The rule type (Allow or Deny) must be defined before the rule is built
$AccessControl=[System.Security.AccessControl.AccessControlType]"Allow"
$acl=Get-Acl c:\test
$AccessRule=New-Object System.Security.AccessControl.FileSystemAccessRule("test group",$FileSystemAccessRights,$InheritanceFlags,$PropagationFlags,$AccessControl)
# Add the new rule to the ACL object, otherwise Set-Acl writes back an unchanged ACL
$acl.AddAccessRule($AccessRule)
$acl | Set-Acl c:\test
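The inheritance and ACE steps above combined into one run, as an added example that is not part of the original post: it builds a scratch folder, disables inheritance without keeping the inherited ACEs, grants explicit rules, and then audits the resulting ACL. The function name Test-FolderIsolation, the folder name profile-acl-demo and the chosen identities are assumptions for illustration; only built-in cmdlets and .NET types are used.

```powershell
# Added example: constructed scratch folder, built-in cmdlets only (Windows).
function Test-FolderIsolation {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedIdentity      # identities expected to hold Allow ACEs
    )
    $acl = Get-Acl -Path $Path
    # Explicit and inherited rules, with identities resolved to account names
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $unexpected = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $AllowedIdentity -notcontains $_.IdentityReference.Value
    })
    [pscustomobject]@{
        Path                = $Path
        InheritanceDisabled = $acl.AreAccessRulesProtected
        InheritedRuleCount  = @($rules | Where-Object IsInherited).Count
        UnexpectedAllow     = $unexpected.IdentityReference.Value
    }
}

# Constructed sample: a scratch folder standing in for one user's profile folder
$dir = Join-Path $env:TEMP 'profile-acl-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]'None'

$acl = Get-Acl -Path $dir
# First argument $true protects the ACL from inheritance,
# second argument $false discards the ACEs that were inherited
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in $me, 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id, 'FullControl', $inherit, $prop, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $dir -AclObject $acl

# Audit: report inheritance state and any Allow ACE for an identity not on the list
Test-FolderIsolation -Path $dir -AllowedIdentity $me, 'NT AUTHORITY\SYSTEM'
```

Pointing Test-FolderIsolation at each subfolder of a profile share, with that folder's owner in -AllowedIdentity, shows which folders still inherit or grant access to other accounts.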
I have been trying to get the module loaded in my powershell but I keep on getting the message Import-Module : File C:\windows\system32\WindowsPowerShell\v1.0\Modules\NTFSSecurity\NTFSSecurity.Init.ps1
cannot be loaded. The file C:\windows\system32\WindowsPowerShell\v1.0\Modules\NTFSSecurity\NTFSSecurity.Init.ps1 is not digitally
signed. You cannot run this script on the current system.
How can I get this module loaded?
https://www.concurrency.com/blog/w/powershell-is-not-digitally-signed-set-executionpo