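# zebra - 10/20/23
# Assigns NTFS permissions to the child folders of the folder defined in
# $rootFolder, according to each folder's name.
# This script can be used to fix NTFS permissions for redirected profiles,
# e.g. if a folder is named jdoe, it gives NTFS permissions to contoso\jdoe.
# Can be configured to specify a domain or workgroup.
#
# Result for each child folder that is processed successfully:
#   - inheritance from the parent is disabled,
#   - every access rule except those for BUILTIN\Administrators is removed,
#   - the account matching the folder name gets Full Control on the folder,
#     its subfolders and its files.
#
# Security notes:
#   - The account is derived purely from the folder name. A folder whose name
#     happens to match a group or a shared account will hand that principal
#     Full Control, so review the folder list before running this.
#   - Full Control includes the rights to change permissions and take
#     ownership. Use "Modify" in the access rule below if the account should
#     not be able to re-permission its own folder.
#   - Run elevated; Set-Acl needs the right to change permissions on each folder.

# Define the root folder where you want to perform the permission changes
$rootFolder = "C:\temp\Permissions Test"

# Get a list of subfolders in the root folder.
# -LiteralPath keeps characters such as [ ] in a path from being read as wildcards.
$subfolders = Get-ChildItem -LiteralPath $rootFolder -Directory

# Iterate through each subfolder
foreach ($subfolder in $subfolders) {
    $folderName = $subfolder.Name
    $folderPath = $subfolder.FullName

    # For domain accounts, add the NetBIOS domain name before $folderName.
    # For example, CONTOSO\$folderName will make the script add permissions for
    # CONTOSO\bob for folder "bob".
    # For local accounts, remove the domain name and the backslash so that
    # $accountName = $folderName.
    $accountName = "IZEBRA\$folderName"

    $removedPermissions = @()
    $updated = $false

    # Apply new NTFS permissions, and skip the folder if anything fails
    try {
        # Resolve the account to a SID before touching the ACL, so a folder
        # with no matching account is left exactly as it was.
        $ntAccount = New-Object System.Security.Principal.NTAccount($accountName)
        [void]$ntAccount.Translate([System.Security.Principal.SecurityIdentifier])

        # Step 1: disable inheritance, keeping the inherited rules as explicit
        # copies, and write that to disk. RemoveAccessRule on the in-memory
        # object only acts on explicit rules, so without this write-and-reload
        # the formerly inherited rules would be reported as removed but would
        # still be on the folder afterwards.
        $acl = Get-Acl -LiteralPath $folderPath -ErrorAction Stop
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $folderPath -AclObject $acl -ErrorAction Stop

        # Step 2: reload the ACL (every rule is explicit now) and remove
        # everything except the Administrators group.
        $acl = Get-Acl -LiteralPath $folderPath -ErrorAction Stop
        foreach ($rule in @($acl.Access)) {
            if ($rule.IdentityReference.Value -ne "BUILTIN\Administrators") { # Exclude Administrators group if needed
                $removedPermissions += $rule
                # [void] keeps the True/False return value out of the output
                [void]$acl.RemoveAccessRule($rule)
            }
        }

        # Step 3: grant the matching account Full Control and persist.
        $permission = New-Object System.Security.AccessControl.FileSystemAccessRule($accountName, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($permission)
        Set-Acl -LiteralPath $folderPath -AclObject $acl -ErrorAction Stop

        $updated = $true
        Write-Host "Permissions updated for folder $folderName. $accountName now has Full Control."
    }
    catch {
        # If the failure happened after step 1, inheritance is already disabled
        # on this folder but its previous rules are still in place.
        Write-Host "Failed to update permissions for $folderName. Skipping the folder."
        Write-Host ("Reason: {0}" -f $_.Exception.Message)
    }

    # Print the removed permissions, only when the new ACL was actually written
    if ($updated -and $removedPermissions.Count -gt 0) {
        Write-Host "Old permissions for $folderName go as follows: "
        $removedPermissions | ForEach-Object {
            Write-Host ("{0} - {1}" -f $_.IdentityReference, $_.FileSystemRights)
        }
    }
}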