FileAclTools.psm1
|
<#
.Synopsis Wrapper for ACLs to allow easy setting or resetting. .DESCRIPTION Wrapper for ACLs to allow easy setting or resetting. .EXAMPLE Reset-FolderPermission -Path "\\sever.name.ext\share\path\childpath" -ReplaceOwner -ResetInheritance #> function Add-FolderAcl { [CmdletBinding()] [Alias("Add-FolderPermission")] [OutputType([System.IO.DirectoryInfo])] Param ( # Directory to perfom ACL modification (accepts directoryinfo, a string that resolves to a directory, etc). [Parameter(Mandatory=$true, ValueFromPipeline=$true, Position=0)] [ValidateScript({Test-Path -Path $_})] [System.IO.DirectoryInfo[]] $Path, # Add ACE granting full control to builtin administrators group. [Parameter(Mandatory=$false, ValueFromPipeline=$false, Position=1)] [Switch] $AddAdministrators=$false, # Replace owner with builtin administrators group. [Parameter(Mandatory=$false, ValueFromPipeline=$false, Position=2)] [Switch] $ReplaceOwner=$false, # Add ACE granting full control to the local system identity. [Parameter(Mandatory=$false, ValueFromPipeline=$false, Position=3)] [Switch] $AddSystem=$true, # Enable ACL inheritance from parent. [Parameter(Mandatory=$false, ValueFromPipeline=$false, Position=4)] [Switch] $ResetInheritance=$false, # Reset the entire ACL. Enables inheritance and removes direct ACL entries. Use sparingly. [Parameter(Mandatory=$false, ValueFromPipeline=$false, Position=4)] [Switch] $ResetAcl=$false ) Begin { $Administrators = [System.Security.Principal.SecurityIdentifier]::new("BA") $AdminsFullControlAce = [System.Security.AccessControl.FileSystemAccessRule]::new( [System.Security.Principal.IdentityReference]([System.Security.Principal.SecurityIdentifier]::new("BA")), [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.InheritanceFlags]::ContainerInherit+[System.Security.AccessControl.InheritanceFlags]::ObjectInherit, [System.Security.AccessControl.PropagationFlags]::None, [System.Security.AccessControl.AccessControlType]::Allow ) $SystemFullControlAce = [System.Security.AccessControl.FileSystemAccessRule]::new( [System.Security.Principal.IdentityReference]([System.Security.Principal.SecurityIdentifier]::new("SY")), [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.InheritanceFlags]::ContainerInherit+[System.Security.AccessControl.InheritanceFlags]::ObjectInherit, [System.Security.AccessControl.PropagationFlags]::None, [System.Security.AccessControl.AccessControlType]::Allow ) } Process { $Path | ForEach-Object { $acl = $null $acl = Get-Acl -Path $_ If ($acl) { If ($ResetAcl) { Write-Verbose "Resetting ACL on `"$_`"" $acl.SetAccessRuleProtection($false,$false) $acl.Access | Where-Object { $_.isinherited -eq $false } | ForEach-Object { $acl.RemoveAccessRule($_) } } If ($ReplaceOwner) { Write-Verbose "Replacing owner on `"$_`"" $acl.SetOwner($Administrators) } If ($AddAdministrators) { Write-Verbose "Adding full access for BUILTIN\Administrators on `"$_`"" $acl.AddAccessRule($AdminsFullControlAce) } If ($AddSystem) { Write-Verbose "Adding full access for BUILTIN\LocalSystem on `"$_`"" $acl.AddAccessRule($SystemFullControlAce) } If ($ResetInheritance) { Write-Verbose "Resetting inheritance on `"$_`"" $acl.SetAccessRuleProtection($false,$false) } } $acl | Set-Acl } } End { } } |