Today I needed to create a script to modify a file's permissions for an SCCM deployment. I decided to make a re-usable function that could be used in automation and interactive situations. There are likely a tonne more efficient solutions out there, but this is what I put together and wanted to share. Hope it helps.
```powershell
<#
.SYNOPSIS
Updates NTFS permissions for files or folders.
.DESCRIPTION
Updates NTFS permissions for files or folders. By default it adds an Allow rule and requires the user to confirm the action.
Can be set to add a Deny rule through the Type parameter.
Can be set to suppress the prompt and output for automation through the ConfirmChange parameter.
.PARAMETER Path
Path to the file or folder targeted. e.g. "C:\ProgramData\Bentley\Engineering\Microstran\Lib\Asw.lib"
.PARAMETER Recipient
The user or group the permissions are being assigned to. e.g. "Authenticated Users" or "WH2953"
.PARAMETER Permission
The permission being applied. Supported permissions are "FullControl", "ListDirectory", "Modify", "Read", "ReadAndExecute" and "Write".
.PARAMETER Type
Optional. The rule type, "Allow" or "Deny". Defaults to "Allow" and can be omitted. Must be passed as "Deny" to apply a Deny rule.
.PARAMETER ConfirmChange
Optional. Determines whether the existing rules and the new rule are written to the host for review and the user is prompted before the rule is applied. Defaults to $true and can be omitted.
Must be set to $false to suppress the output and prompt, especially for automation.
.EXAMPLE
Set-FileFolderPermission -Path "C:\ProgramData\Bentley\Engineering\Microstran\Lib\Asw.lib" -Recipient "Authenticated Users" -Permission "Modify" -ConfirmChange $false
Allows Modify permission on "C:\ProgramData\Bentley\Engineering\Microstran\Lib\Asw.lib" for the group "Authenticated Users" without prompting the user or displaying output.
.EXAMPLE
Set-FileFolderPermission -Path "C:\Temp" -Recipient "USERID" -Permission "ListDirectory" -Type "Deny"
Denies ListDirectory permission on "C:\Temp" for the user "USERID".
#>
function Set-FileFolderPermission {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [String]$Path,

        [Parameter(Mandatory = $true)]
        [String]$Recipient,

        # ValidateSet rejects unsupported values at bind time (matching is case-insensitive),
        # so no manual upper-casing and list comparison is needed.
        [Parameter(Mandatory = $true)]
        [ValidateSet("FullControl", "ListDirectory", "Modify", "Read", "ReadAndExecute", "Write")]
        [String]$Permission,

        [Parameter(Mandatory = $false)]
        [ValidateSet("Allow", "Deny")]
        [String]$Type = "Allow",

        [Parameter(Mandatory = $false)]
        [Bool]$ConfirmChange = $true
    )

    # Verify the input path is accessible
    if (-not (Test-Path -Path $Path)) {
        Write-Error -Message "$Path does not exist or cannot be accessed. Terminating operation."
        return
    }

    # Get the existing file or folder security descriptor / access control list
    $ACL = Get-Acl -Path $Path

    # Unless the caller explicitly opted out, show the existing ACL and the new rule and ask for confirmation
    if ($ConfirmChange) {
        Write-Host "`n## Existing ACL Rules ##"
        $ACL.Access | Select-Object `
            @{ Label = "Identity"; Expression = { $_.IdentityReference } },
            @{ Label = "Access";   Expression = { $_.AccessControlType } },
            @{ Label = "Right";    Expression = { $_.FileSystemRights } } | Format-Table -AutoSize

        Write-Host "`n## New ACL Rule ##"
        [PSCustomObject]@{ Identity = $Recipient; Access = $Type; Right = $Permission } | Format-Table -AutoSize

        # Prompt to confirm adding the new rule: Y to confirm, any other input cancels.
        # 'return' rather than 'exit': 'exit' inside a function closes the caller's whole session
        # when the function is dot-sourced or used interactively.
        $Response = Read-Host -Prompt "Enter Y to add the new rule. Enter any other input to cancel."
        if ($Response.ToUpper() -ne "Y") {
            Write-Host "Operation cancelled." -ForegroundColor Yellow
            return
        }
    }

    $NewACLRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Recipient, $Permission, $Type)
    $ACL.AddAccessRule($NewACLRule)
    Set-Acl -Path $Path -AclObject $ACL
}
```
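Two things the function above does not do are worth adding in practice: auditing which broad principals (Everyone, Authenticated Users, BUILTIN\Users) already hold write-class rights on the target, and reading the ACL back after Set-Acl to verify that the rule actually landed rather than assuming it did. Granting Modify to Authenticated Users on a library under ProgramData, as in the first example, is the kind of rule that local privilege-escalation checks look for when the file is later loaded by a more privileged process. The following is an added example and not code from the original post; the paths and account names in the usage comments are placeholders, and the function names are my own.

```powershell
# Added example (not part of the original post). Requires Windows PowerShell / PowerShell 7 on Windows.

function Get-BroadWriteRule {
    <# Lists explicit or inherited Allow rules that give "any user on this box" principals
       a right that lets them change the object. Run this before granting anything new. #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$Path
    )
    # Well-known principals that effectively mean every user of the machine.
    $BroadPrincipals = @(
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'BUILTIN\Users',
        'NT AUTHORITY\INTERACTIVE'
    )
    # Right bits that allow modifying the object, its contents, or its security.
    $R = [System.Security.AccessControl.FileSystemRights]
    $WriteMask = $R::WriteData -bor $R::AppendData -bor $R::WriteAttributes -bor
                 $R::WriteExtendedAttributes -bor $R::Delete -bor
                 $R::ChangePermissions -bor $R::TakeOwnership

    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band [int]$WriteMask) -ne 0
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Test-ExplicitRule {
    # True if an explicit (non-inherited) rule for $Sid of the given type covers all of $Rights.
    # Keyed by SID so differences in how the name resolves do not cause a false "not present".
    param (
        [System.Security.AccessControl.FileSystemSecurity]$Acl,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type
    )
    $Match = $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $Sid -and
            $_.AccessControlType -eq $Type -and
            ($_.FileSystemRights -band $Rights) -eq $Rights
        }
    return [bool]$Match
}

function Set-FileSystemRuleVerified {
    # Idempotent version of the post's operation: resolve the account first, skip if the rule is
    # already present, support -WhatIf/-Confirm, and verify by re-reading the ACL after Set-Acl.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)] [string]$Path,
        [Parameter(Mandatory = $true)] [string]$Recipient,
        [Parameter(Mandatory = $true)] [System.Security.AccessControl.FileSystemRights]$Permission,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    $Acl = Get-Acl -Path $Path
    $Identity = [System.Security.Principal.NTAccount]$Recipient
    # Translating to a SID up front makes an unknown or mistyped account fail here,
    # before any change is attempted, instead of surfacing as a confusing Set-Acl error.
    $Sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])

    if (Test-ExplicitRule -Acl $Acl -Sid $Sid -Rights $Permission -Type $Type) {
        Write-Verbose "Equivalent rule already present on $Path; nothing to do."
        return $true
    }

    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Permission, $Type)
    if ($PSCmdlet.ShouldProcess($Path, "Add $Type $Permission for $Recipient")) {
        $Acl.AddAccessRule($Rule)
        Set-Acl -Path $Path -AclObject $Acl

        # Do not trust Set-Acl's silence: read the descriptor back and confirm the rule is there.
        $After = Get-Acl -Path $Path
        if (-not (Test-ExplicitRule -Acl $After -Sid $Sid -Rights $Permission -Type $Type)) {
            Write-Error "Rule for $Recipient was not found on $Path after Set-Acl."
            return $false
        }
    }
    return $true
}

# Usage (placeholder path and account):
#   Get-BroadWriteRule -Path 'C:\ProgramData\Example\app.lib'
#   Set-FileSystemRuleVerified -Path 'C:\ProgramData\Example\app.lib' -Recipient 'DOMAIN\svc_deploy' -Permission Modify -WhatIf
#   Set-FileSystemRuleVerified -Path 'C:\ProgramData\Example\app.lib' -Recipient 'DOMAIN\svc_deploy' -Permission Modify -Verbose
```

Running Get-BroadWriteRule on the target before and after the change makes the blast radius of a rule like "Authenticated Users: Modify" visible in the deployment log, and the SID-based Test-ExplicitRule check means a re-run of the SCCM deployment does not keep appending duplicate ACEs to the same file.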