rmm-scripts/redirected-profiles-folder-permissions.ps1

#zebra - 10/20/23
#assigns NTFS permissions to the child folders of a given folder defined in $rootFolder according to the folder name.
#this script can be used to fix NTFS permissions for redirected profiles.
#e.g. if a folder is named jdoe, it will give NTFS permissions to contoso\jdoe
#can be configured to specify a domain or workgroup.
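# Define the root folder where you want to perform the permission changes
$rootFolder = "C:\temp\Permissions Test"
# Get a list of subfolders in the root folder.
# -LiteralPath keeps characters such as [ and ] in a path from being treated as wildcards.
$subfolders = Get-ChildItem -LiteralPath $rootFolder -Directory
# Iterate through each subfolder
foreach ($subfolder in $subfolders) {
    $folderName = $subfolder.Name
    # The account that receives Full Control is derived from the folder name alone, so
    # whoever can create or rename folders under $rootFolder decides which account is granted access.
    $accountName = "IZEBRA\$folderName" # For domain accounts, add the NetBIOS domain name before $folderName.
    # For example, CONTOSO\$folderName will make the script add permissions for CONTOSO\bob for folder "bob".
    # For local accounts, remove the domain name and the backslash so that $accountName = $folderName.

    $removedPermissions = @()
    # Build and apply the new ACL; any failure skips this folder and leaves its ACL as it was
    try {
        $acl = Get-Acl -LiteralPath $subfolder.FullName -ErrorAction Stop
        # Snapshot the current rules (explicit and inherited) before changing the ACL object
        $existingRules = @($acl.Access)

        # Disable inheritance and discard the inherited rules. The second argument is
        # preserveInheritance: passing $true would copy every inherited rule onto the folder as an
        # explicit rule, and RemoveAccessRule only acts on explicit rules, so the parent's
        # permissions would survive the clean-up below.
        $acl.SetAccessRuleProtection($true, $false)

        foreach ($rule in $existingRules) {
            if ($rule.IdentityReference.Value -eq "BUILTIN\Administrators") { # Exclude Administrators group if needed
                if ($rule.IsInherited) {
                    # An inherited Administrators rule is dropped together with inheritance,
                    # so re-create it as an explicit rule to keep administrative access.
                    $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule($rule.IdentityReference, $rule.FileSystemRights, $rule.InheritanceFlags, $rule.PropagationFlags, $rule.AccessControlType)
                    $acl.AddAccessRule($adminRule)
                }
                continue
            }
            # NOTE(review): every other identity is removed, including NT AUTHORITY\SYSTEM if it is
            # present - confirm that backup/AV/service access to these folders is not needed.
            $removedPermissions += $rule
            if (-not $rule.IsInherited) {
                # [void] keeps the boolean result of RemoveAccessRule out of the script output
                [void]$acl.RemoveAccessRule($rule)
            }
        }

        # Grant the matching account Full Control on the folder, its subfolders and files
        $permission = New-Object System.Security.AccessControl.FileSystemAccessRule($accountName, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($permission)
        # -ErrorAction Stop turns a failed write into an exception so the success message
        # below is never printed for an ACL that was not applied.
        Set-Acl -LiteralPath $subfolder.FullName -AclObject $acl -ErrorAction Stop
        Write-Host "Permissions updated for folder $folderName. $accountName now has Full Control."
    } catch {
        Write-Host "Failed to update permissions for $folderName. Skipping the folder."
        # Show why the folder was skipped (for example, the account name could not be resolved)
        Write-Host ("Reason: {0}" -f $_.Exception.Message)
    }
    # Print the permissions that were present before the change
    if ($removedPermissions.Count -gt 0) {
        Write-Host "Old permissions for $folderName go as follows: "
        $removedPermissions | ForEach-Object {
            Write-Host ("{0} - {1}" -f $_.IdentityReference, $_.FileSystemRights)
        }
    }
}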