Adding User or Group to a folder in PowerShell

I have created a script that will add a user or group to a folder or file. The script contains a list of permissions you can choose from, such as Full Control, Read, etc. I have broken the script down into small chunks to explain further how it works.

function Add-FolderPermission 
{ 
    <# 
        .SYNOPSIS 
        This is a PowerShell script that will grant / deny a user or a group access to a folder or file  

        .DESCRIPTION 
        The script gives a user or group access to a file or folder based on the permissions you select. 
        
        .EXAMPLE 
        This command gives the IT group full access to the folder C:\NewFolder 
        Add-FolderPermission -MemberGroupName IT -FolderFilePath C:\NewFolder -PermissionLevel 'Full Control' -AccessType Allow 
    #> 
    [CmdletBinding()] 
    param  
    ( 
        [Parameter(Mandatory = $true, 
                    HelpMessage = "Enter Username or Group that requires permission", 
                    ValueFromPipeline = $true, 
                    ValueFromPipelineByPropertyName = $true)] 
        [string]$MemberGroupName, 
        [Parameter(Mandatory = $true, 
                    HelpMessage = "Enter Folder or file path", 
                    ValueFromPipeline = $true, 
                    ValueFromPipelineByPropertyName = $true)] 
        [string]$FolderFilePath, 
        [Parameter(Mandatory = $true, 
                    HelpMessage = "Select Permission type")] 
        [ValidateSet('Full Control','Modify','Read','Write')] 
        [string]$PermissionLevel,   # one value: the FileSystemAccessRule constructor takes a single FileSystemRights 
        [Parameter(Mandatory = $true, 
                    HelpMessage = "Select Allow or Deny")] 
        [ValidateSet('Allow','Deny')] 
        [string]$AccessType 
    ) 
    begin 
    { 
        # begin runs before pipeline input is bound, so pass -FolderFilePath as a named argument 
        $folder = "$FolderFilePath" 
        $acl = Get-Acl -Path $folder 
    } 
    process 
    { 
        $searcher = [adsisearcher]"(samaccountname=$MemberGroupName)" 
        $rtn = $searcher.FindAll() 
        if ($rtn.Count -gt 0) 
        { 
            # FileSystemRights has no 'Full Control' member (it is 'FullControl'), so drop the space before converting 
            $rights = [System.Security.AccessControl.FileSystemRights]($PermissionLevel -replace '\s','') 
            # ContainerInherit: subfolders inherit this entry. ObjectInherit: files inherit this entry. 
            # PropagationFlags 'None': the entry also applies to the folder itself. 
            $new = $MemberGroupName, $rights, 'ContainerInherit,ObjectInherit', 'None', $AccessType 
            $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $new 
            $acl.AddAccessRule($accessRule) 
            $acl | Set-Acl -Path $folder 
        } 
        else 
        { 
            Write-Error -Message "Cannot find user or group" 
        } 
    } 
    end {} 
} 

The section below walks through the Add-FolderPermission function. Directly under the function declaration, I have written a small help guide for it, covering how to run the script and the parameters it takes.

function Add-FolderPermission 
{ 
    <# 
        .SYNOPSIS 
        This is a PowerShell script that will grant / deny a user or a group access to a folder or file  

        .DESCRIPTION 
        The script gives a user or group access to a file or folder based on the permissions you select. 

        .EXAMPLE 
        This command gives the IT group full access to the folder C:\NewFolder 
        Add-FolderPermission -MemberGroupName IT -FolderFilePath C:\NewFolder -PermissionLevel 'Full Control' -AccessType Allow 

    #> 

Below the help guide, I have defined the parameters this function uses. I used the following parameters: 

  • MemberGroupName 
  • FolderFilePath 
  • PermissionLevel 
  • AccessType  

All of these parameters are mandatory, as they are required to grant a user or group access to a file or folder. The $MemberGroupName parameter is the username or group name to grant / deny access to. The $FolderFilePath parameter is the path of the file or folder. $PermissionLevel contains the list of permissions that can be allocated to a username or group. The list contains: 

  • Full Control 
  • Modify 
  • Read 
  • Write 

The $AccessType parameter contains two items; choose either Allow or Deny access to the file or folder.

[CmdletBinding()] 
    param  
    ( 
        [Parameter(Mandatory = $true, 
                    HelpMessage = "Enter Username or Group that requires permission", 
                    ValueFromPipeline = $true, 
                    ValueFromPipelineByPropertyName = $true)] 
        [string]$MemberGroupName, 
        [Parameter(Mandatory = $true, 
                    HelpMessage = "Enter Folder or file path", 
                    ValueFromPipeline = $true, 
                    ValueFromPipelineByPropertyName = $true)] 
        [string]$FolderFilePath, 
        [Parameter(Mandatory = $true, 
                    HelpMessage = "Select Permission type")] 
        [ValidateSet('Full Control','Modify','Read','Write')] 
        [string]$PermissionLevel,   # one value: the FileSystemAccessRule constructor takes a single FileSystemRights 
        [Parameter(Mandatory = $true, 
                    HelpMessage = "Select Allow or Deny")] 
        [ValidateSet('Allow','Deny')] 
        [string]$AccessType 
    ) 

Below the parameters is the begin statement, which sets two variables. $folder references the $FolderFilePath parameter, and $acl holds the output of the get-acl cmdlet, which reads the security permissions of the file or folder in $folder. 

begin 
    { 
        # begin runs before pipeline input is bound, so pass -FolderFilePath as a named argument 
        $folder = "$FolderFilePath" 
        $acl = Get-Acl -Path $folder
    } 

After the begin statement, I used the process statement, where the main code runs. I want to check whether the username or group exists on the domain controller and store the result in the $rtn variable. Once the result is stored, I run an IF statement that checks for a value by testing whether the count is greater than zero. 

process 
    { 
        $searcher = [adsisearcher]"(samaccountname=$MemberGroupName)" 
        $rtn = $searcher.FindAll() 
        if ($rtn.Count -gt 0) 
        { 

If there is a value, the following code will execute:

            # FileSystemRights has no 'Full Control' member (it is 'FullControl'), so drop the space before converting 
            $rights = [System.Security.AccessControl.FileSystemRights]($PermissionLevel -replace '\s','') 
            # ContainerInherit: subfolders inherit this entry. ObjectInherit: files inherit this entry. 
            # PropagationFlags 'None': the entry also applies to the folder itself. 
            $new = $MemberGroupName, $rights, 'ContainerInherit,ObjectInherit', 'None', $AccessType 
            $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $new 
            $acl.AddAccessRule($accessRule) 
            $acl | Set-Acl -Path $folder
        } 

The $new variable holds the permission settings for the folder, built from the parameter values you specify: the identity, the rights, the inheritance flags, the propagation flags and the access type. I then used $accessRule with System.Security.AccessControl.FileSystemAccessRule to construct an access rule from $new. This is the entry that gets added to the Access Control List, known as an Access Control Entry (ACE). I then added the access rule to the $acl variable and ran $acl | Set-Acl $folder to apply the permissions to the folder.

If there is no value in the $rtn variable, an error appears. The error message is given in the else statement: “Cannot find user or group”. 
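As an added example (not part of the original script), the following function reads the ACL back after Add-FolderPermission has run and confirms that an explicit ACE with the expected identity, rights and access type is actually present, which is the check I would want before trusting that Set-Acl did what was intended. The folder and group names in the usage line are assumed.

```powershell
# Added verification helper, not part of the original Add-FolderPermission script.
function Test-FolderPermission
{
    param
    (
        [Parameter(Mandatory = $true)] [string]$MemberGroupName,
        [Parameter(Mandatory = $true)] [string]$FolderFilePath,
        [Parameter(Mandatory = $true)]
        [ValidateSet('Full Control','Modify','Read','Write')] [string]$PermissionLevel,
        [Parameter(Mandatory = $true)]
        [ValidateSet('Allow','Deny')] [string]$AccessType
    )

    # Same mapping as the script: 'Full Control' is spelled 'FullControl' in FileSystemRights
    $rights = [System.Security.AccessControl.FileSystemRights]($PermissionLevel -replace '\s','')
    $type   = [System.Security.AccessControl.AccessControlType]$AccessType

    $acl = Get-Acl -Path $FolderFilePath
    # Explicit entries only ($true, $false): inherited ACEs from parent folders are ignored
    $aces = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])

    $match = $aces | Where-Object {
        # IdentityReference usually carries a DOMAIN\ prefix; compare only the account part
        (($_.IdentityReference.Value -split '\\')[-1] -eq $MemberGroupName) -and
        ($_.AccessControlType -eq $type) -and
        (($_.FileSystemRights -band $rights) -eq $rights)   # requested rights are a subset of the ACE
    }

    if ($match)
    {
        foreach ($ace in $match)
        {
            # Inheritance flags show whether the ACE reaches subfolders (ContainerInherit) and files (ObjectInherit)
            Write-Verbose ("ACE: {0} {1} {2}; inheritance={3}" -f $ace.IdentityReference,
                $ace.AccessControlType, $ace.FileSystemRights, $ace.InheritanceFlags)
        }
        return $true
    }

    Write-Warning "No explicit $AccessType ACE granting $PermissionLevel to $MemberGroupName on $FolderFilePath"
    return $false
}

# Assumed usage (folder and group names are placeholders):
# Test-FolderPermission -MemberGroupName IT -FolderFilePath C:\NewFolder -PermissionLevel 'Full Control' -AccessType Allow -Verbose
```

Run it with -Verbose to see the resolved identity, rights and inheritance flags of each matching entry; a $false result means the ACE is missing, was added as a different access type, or carries fewer rights than requested.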
