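#zebra - 10/20/23
# Assigns NTFS permissions to the child folders of the folder defined in $rootFolder, according to each folder's name.
# This script can be used to fix NTFS permissions for redirected profiles.
# E.g. if a folder is named jdoe, it will give NTFS permissions to contoso\jdoe.
# Can be configured to specify a domain or workgroup.
#
# NOTE: the folder name alone decides which account receives Full Control. Review the folder
# list before running: a folder whose name happens to match a group or a service account
# results in that principal being granted Full Control over the folder and everything below it.

# Define the root folder where you want to perform the permission changes
$rootFolder = "C:\temp\Permissions Test"

# Get a list of subfolders in the root folder.
# -LiteralPath keeps characters such as [ ] in a path from being treated as wildcards;
# -ErrorAction Stop aborts the run if the root folder cannot be read.
$subfolders = Get-ChildItem -LiteralPath $rootFolder -Directory -ErrorAction Stop

# Iterate through each subfolder
foreach ($subfolder in $subfolders) {
    $folderName = $subfolder.Name
    $accountName = "IZEBRA\$folderName" # For domain accounts, add the netBIOS domain name before $folderName.
    # For example, CONTOSO\$foldername will make the script add permissions for CONTOSO\bob for folder "bob".

    # For local accounts, remove the domain name and the trailing slash so that $accountName = $folderName.

    $removedPermissions = @()

    # Everything up to Set-Acl only changes the in-memory ACL object, so a failure anywhere
    # in this block leaves the folder's permissions on disk untouched.
    try {
        $acl = Get-Acl -LiteralPath $subfolder.FullName -ErrorAction Stop

        # Snapshot the current rules (explicit and inherited) before changing the ACL.
        $existingRules = @($acl.Access)

        # Disable inheritance and drop the inherited rules. The second argument must be $false:
        # with $true the inherited rules are kept as copies, and RemoveAccessRule does not
        # remove entries that are still flagged as inherited, so the old access would survive.
        $acl.SetAccessRuleProtection($true, $false)

        foreach ($rule in $existingRules) {
            if ($rule.IdentityReference.Value -eq "BUILTIN\Administrators") { # Keep the Administrators group if needed
                if ($rule.IsInherited) {
                    # The inherited copy was dropped above; re-add it as an explicit rule so
                    # administrators keep their access to the folder.
                    $acl.AddAccessRule($rule)
                }
                continue
            }

            $removedPermissions += $rule
            if (-not $rule.IsInherited) {
                # [void] keeps the boolean return value out of the script's output.
                [void]$acl.RemoveAccessRule($rule)
            }
        }

        # Apply new NTFS permissions, and skip the folder if it fails.
        # AddAccessRule throws if $accountName cannot be resolved to an account, so a folder
        # with no matching account is skipped rather than left with an unusable entry.
        $permission = New-Object System.Security.AccessControl.FileSystemAccessRule($accountName, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($permission)

        # -ErrorAction Stop turns a failed write (e.g. access denied) into an exception, so
        # the success message below is never printed for a folder that was not updated.
        Set-Acl -LiteralPath $subfolder.FullName -AclObject $acl -ErrorAction Stop
        Write-Host "Permissions updated for folder $folderName. $accountName now has Full Control."
    } catch {
        Write-Host "Failed to update permissions for $folderName. Skipping the folder."
        Write-Host "Reason: $($_.Exception.Message)"
        continue # Nothing was written, so there are no removed permissions to report.
    }

    # Print the removed permissions (only reached when the new ACL was actually written)
    if ($removedPermissions.Count -gt 0) {
        Write-Host "Old permissions for $folderName go as follows: "
        foreach ($oldRule in $removedPermissions) {
            Write-Host ("{0} - {1}" -f $oldRule.IdentityReference, $oldRule.FileSystemRights)
        }
    }
}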