I have created a script that adds a user or group to the access control list of a folder or file. The script offers a list of permissions you can choose from (Full Control, Read, etc.). I have broken the script down into small chunks to explain how it works.
function Add-FolderPermission
{
<#
.SYNOPSIS
This is a PowerShell function that will grant / deny a user or a group access to a folder or file
.DESCRIPTION
The function gives a user or group access to a file or folder based on the permissions you select.
.EXAMPLE
This command gives the IT group full control of the folder C:\NewFolder
Add-FolderPermission -MemberGroupName IT -FolderFilePath C:\NewFolder -PermissionLevel 'Full Control' -AccessType Allow
#>
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true,
HelpMessage = "Enter Username or Group that requires permission",
ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $true)]
[string]$MemberGroupName,
[Parameter(Mandatory = $true,
HelpMessage = "Enter Folder or file path",
ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $true)]
[string]$FolderFilePath,
[Parameter(Mandatory = $true,
HelpMessage = "Select Permission type")]
[ValidateSet('Full Control','Modify','Read','Write')]
[string[]]$PermissionLevel,
[Parameter(Mandatory = $true,
HelpMessage = "Select Allow or Deny")]
[ValidateSet('Allow','Deny')]
[string]$AccessType
)
begin
{
# Note: values supplied through the pipeline are not bound yet when begin runs,
# so pass -FolderFilePath by name as in the example above.
$folder = "$FolderFilePath"
$acl = Get-Acl -Path $folder
}
Process
{
# Escape LDAP filter metacharacters (RFC 4515) so the name cannot change the query
$escapedName = $MemberGroupName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
$searcher = [adsisearcher]"(samaccountname=$escapedName)"
$rtn = $searcher.FindAll()
if($rtn.Count -gt 0)
{
# The ValidateSet shows 'Full Control', but the FileSystemRights enum name is FullControl,
# so strip the space; several values (e.g. Read,Write) are combined into one flags value
$rights = [System.Security.AccessControl.FileSystemRights](($PermissionLevel -replace '\s','') -join ',')
# ContainerInherit propagates the entry to sub folders, ObjectInherit propagates it to files
$new = $MemberGroupName,$rights,'ContainerInherit,ObjectInherit','None',$AccessType
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $new
$acl.AddAccessRule($accessRule)
$acl | Set-Acl $folder
}
Else
{
Write-Error -Message "Cannot find user or group"
}
}
end{}
}

The section below walks through the function called Add-FolderPermission. At the top of the function, I have written a small help guide such as how to run the script and the parameters used by this function.
function Add-FolderPermission
{
<#
.SYNOPSIS
This is a PowerShell function that will grant / deny a user or a group access to a folder or file
.DESCRIPTION
The function gives a user or group access to a file or folder based on the permissions you select.
.EXAMPLE
This command gives the IT group full control of the folder C:\NewFolder
Add-FolderPermission -MemberGroupName IT -FolderFilePath C:\NewFolder -PermissionLevel 'Full Control' -AccessType Allow
#>

Below the help guide, I have defined the parameters for this function. I used the following parameters:
- MemberGroupName
- FolderFilePath
- PermissionLevel
- AccessType
All of these parameters are mandatory, as they are required to grant a user or group access to a file or folder. The $MemberGroupName parameter is the username or group name to grant / deny access to. The $FolderFilePath parameter is the path of the file or folder. $PermissionLevel contains a list of permissions to allocate to the username or group. The list contains:
- Full Control
- Modify
- Read
- Write
The $AccessType parameter has two possible values, Allow or Deny, which either allow or deny access to the file or folder.
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true,
HelpMessage = "Enter Username or Group that requires permission",
ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $true)]
[string]$MemberGroupName,
[Parameter(Mandatory = $true,
HelpMessage = "Enter Folder or file path",
ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $true)]
[string]$FolderFilePath,
[Parameter(Mandatory = $true,
HelpMessage = "Select Permission type")]
[ValidateSet('Full Control','Modify','Read','Write')]
[string[]]$PermissionLevel,
[Parameter(Mandatory = $true,
HelpMessage = "Select Allow or Deny")]
[ValidateSet('Allow','Deny')]
[string]$AccessType
)

Below the parameters is the begin block, which sets two variables. The $folder variable references the $FolderFilePath parameter, and the $acl variable holds the output of the Get-Acl cmdlet, which reads the current security permissions of the file or folder specified in $folder.
begin
{
# Note: values supplied through the pipeline are not bound yet when begin runs,
# so pass -FolderFilePath by name as in the example above.
$folder = "$FolderFilePath"
$acl = Get-Acl -Path $folder
}

After the begin block comes the process block, where the main work happens. I want to check whether the username or group exists on the domain controller and store the result in the $rtn variable. Once the result is stored, an IF statement checks whether anything was returned by testing that the count is greater than zero.
Process
{
# Escape LDAP filter metacharacters (RFC 4515) so the name cannot change the query
$escapedName = $MemberGroupName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
$searcher = [adsisearcher]"(samaccountname=$escapedName)"
$rtn = $searcher.FindAll()
if($rtn.Count -gt 0)
{
# The ValidateSet shows 'Full Control', but the FileSystemRights enum name is FullControl,
# so strip the space; several values (e.g. Read,Write) are combined into one flags value
$rights = [System.Security.AccessControl.FileSystemRights](($PermissionLevel -replace '\s','') -join ',')
# ContainerInherit propagates the entry to sub folders, ObjectInherit propagates it to files
$new = $MemberGroupName,$rights,'ContainerInherit,ObjectInherit','None',$AccessType
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $new
$acl.AddAccessRule($accessRule)
$acl | Set-Acl $folder
}
Else
{
Write-Error -Message "Cannot find user or group"
}
}

If there is a value, the code inside the IF block executes. The $new variable holds the pieces of the permission entry for the folder and is built from the parameter values you specify: the account, the rights, the inheritance and propagation flags, and whether the entry is Allow or Deny. I then used $accessRule with AccessControl.FileSystemAccessRule to turn $new into a rule. This is the entry that goes into the Access Control List, known as an Access Control Entry. I then added the access rule to the $acl variable and ran $acl | Set-Acl $folder to apply the permissions to the folder.

If there is no value in the $rtn variable, an error appears. The error message is set in the else statement: “Cannot find user or group”. Note that this check only confirms that the name exists in Active Directory; when Set-Acl applies the rule, Windows resolves the unqualified name itself and may match a local account of the same name first, so use DOMAIN\name when the name could be ambiguous.
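After granting access with a script like the one above, it is worth checking what actually landed on the folder's ACL rather than trusting that the call succeeded. The following function is an added example, not part of the original post, that lists the explicit (non-inherited) entries on a path and flags Deny entries and FullControl granted to broad principals; the principal list and the flag wording are assumptions for illustration.

```powershell
# Added example (not from the original post): audit the explicit entries on a path
# after Add-FolderPermission has run, so the change can be verified and over-broad
# grants spotted. The "broad principal" list below is an assumed heuristic.
function Get-ExplicitFolderAccess
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [string]$FolderFilePath
    )

    $acl = Get-Acl -Path $FolderFilePath
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Only explicit entries are the ones a script like Add-FolderPermission adds;
    # inherited entries come from the parent and have to be reviewed there.
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited }))
    {
        $identity = $ace.IdentityReference.Value
        $rights   = $ace.FileSystemRights

        $isBroad = $identity -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
        $isFull  = ($rights -band $fullControl) -eq $fullControl
        $isDeny  = $ace.AccessControlType -eq 'Deny'

        $flag = ''
        if ($isDeny)                { $flag = 'Deny entry: takes precedence over Allow entries' }
        elseif ($isBroad -and $isFull) { $flag = 'FullControl granted to a broad principal' }

        [pscustomobject]@{
            Path        = $FolderFilePath
            Identity    = $identity
            Rights      = $rights
            AccessType  = $ace.AccessControlType
            Inheritance = $ace.InheritanceFlags
            Propagation = $ace.PropagationFlags
            Flag        = $flag
        }
    }
}

# Usage (path is the one from the post's example):
# Get-ExplicitFolderAccess -FolderFilePath C:\NewFolder | Format-Table -AutoSize
```

Running it before and after Add-FolderPermission gives a simple diff of what the script changed; an entry whose Identity still shows an unresolved name, or a Flag column that is not empty, is the cue to look closer.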