Update-ACL.ps1
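<#PSScriptInfo

.VERSION 1.1

.GUID 62ba3115-0a50-40bc-9a05-0950528434c0

.AUTHOR jmcarthur@roundrocktexas.gov

.COMPANYNAME

.COPYRIGHT

.TAGS

.LICENSEURI

.PROJECTURI

.ICONURI

.EXTERNALMODULEDEPENDENCIES

.REQUIREDSCRIPTS

.EXTERNALSCRIPTDEPENDENCIES

.RELEASENOTES

.PRIVATEDATA

#>

<#
.DESCRIPTION
 Sets Domain Admins as owner and assigns full access perms on all folders in current directory
#>
Param()

# Design notes for maintainers:
#  * Get-Owner, Set-Owner and Set-Perms take only the item to process. They read
#    $owner, $nolog, $owner_logfile, $access_logfile and $error_logfile from the
#    calling function (Run / Run-Full) through PowerShell's dynamic scoping, so
#    they are only meaningful when invoked from one of those two entry points.
#  * The owner and access logs record the state *before* each change (previous
#    owner, previous SDDL); they are the only rollback record this script keeps.
#  * -nolog suppresses the error log only; the owner/access CSV logs are always
#    attempted.

# Validates the values Run / Run-Full are about to use, before any ACL is touched.
#   $owner     - account name that will be made owner and granted FullControl
#   $shareName - suffix used to build the log file names
# Throws when $shareName could change the log location or $owner does not resolve.
Function Assert-RunInput {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,Position=0)]$owner,
        [Parameter(Mandatory=$true,Position=1)]$shareName
    )

    # $shareName is concatenated into a file name under C:\Support\Logs; a path
    # separator or other invalid file-name character would redirect the log.
    $invalidChars = [System.IO.Path]::GetInvalidFileNameChars()
    if (([string]$shareName).IndexOfAny($invalidChars) -ge 0) {
        throw ("shareName '{0}' contains characters that are not valid in a file name" -f $shareName)
    }

    # Fail once, up front, instead of once per file when the account is a
    # placeholder or cannot be resolved from this machine.
    try {
        $null = ([System.Security.Principal.NTAccount]$owner).Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch {
        throw ("Cannot resolve account '{0}' to a SID: {1}" -f $owner, $_.Exception.Message)
    }
}

# Reports (verbose stream only) when an item is owned by someone other than $owner.
# Makes no changes. Not called by Run / Run-Full.
#   $currentPath - FileInfo/DirectoryInfo object (anything with a FullName property)
Function Get-Owner {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,Position=0)]$currentPath
    )

    $path = $currentPath.fullname
    # -LiteralPath: names containing [ ] * ? must not be treated as wildcards.
    $acl = Get-Acl -LiteralPath $path

    #Write-Verbose ("{0}: {1}" -f $path,$acl.Owner)
    if (($acl.Owner) -and ($acl.Owner -ne $owner)) {
        Write-Verbose ("{0} is owner on {1}" -f $acl.Owner,$path)
    }
}

# Makes $owner the owner of one item, unless it already is.
#   $currentPath - FileInfo/DirectoryInfo object (anything with a FullName property)
# The previous owner is appended to $owner_logfile before the change is applied.
# Failures are appended to $error_logfile unless $nolog is set; nothing is thrown.
Function Set-Owner {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,Position=0)]$currentPath
    )

    $path = $currentPath.fullname

    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
    }
    catch {
        $friendlyErrorMessage = ("Caught Exception in Set-Owner getting ACL for {0}" -f $path)
        if (!$nolog) {
            Add-Content $error_logfile ("{0}`n`t{1}" -f $friendlyErrorMessage,$_.Exception)
        }
        # Without a descriptor there is nothing to compare or write back.
        return
    }

    if (($acl) -and ($acl.Owner -ne $owner)) {
        $line = [PSCustomObject]@{
            'Path' = $path
            'Current_Owner' = $acl.Owner
            'New_Owner' = $owner
        }

        Write-Verbose ("Setting {0} as owner on {1}" -f $owner,$path)

        # NOTE(review): a failed audit write is only a warning and the ownership
        # change still proceeds, so the previous owner may go unrecorded.
        try {
            $line | Export-Csv $owner_logfile -NoTypeInformation -Append -ErrorAction Stop
        }
        catch {
            Write-Warning ("Caught Exception writing to logfile {0}: {1}" -f $owner_logfile,$_.Exception.Message)
        }

        try {
            # SetOwner is inside the try so an unresolvable account is logged
            # like any other failure; -ErrorAction Stop makes non-terminating
            # Set-Acl errors reach the catch block as well.
            $acl.SetOwner([System.Security.Principal.NTAccount] $owner)
            Set-Acl -LiteralPath $path -AclObject $acl -ErrorAction Stop
        }
        catch {
            $friendlyErrorMessage = ("Caught Exception setting owner for {0}" -f $path)
            if (!$nolog) {
                Add-Content $error_logfile ("{0}`n`t{1}" -f $friendlyErrorMessage,$_.Exception)
            }
        }
    }
}

# Grants $owner an explicit Allow/FullControl entry on one item when the item's
# ACL has no entry at all for that account.
#   $currentPath - FileInfo/DirectoryInfo object (anything with a FullName property)
# The previous SDDL is appended to $access_logfile before the change is applied.
# Failures are appended to $error_logfile unless $nolog is set; nothing is thrown.
Function Set-Perms {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,Position=0)]$currentPath
    )

    $path = $currentPath.fullname

    # Test the object, not its FullName string: a string is never a
    # DirectoryInfo, so testing $path always selected the file branch and
    # directories never received the inheritance flags.
    $isDirectory = ($currentPath -is [System.IO.DirectoryInfo])

    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
    }
    catch {
        $friendlyErrorMessage = ("Caught Exception in Set-Perms getting ACL for {0}" -f $path)
        if (!$nolog) {
            Add-Content $error_logfile ("{0}`n`t{1}" -f $friendlyErrorMessage,$_.Exception)
        }
        return
    }

    if (!$acl) {
        return
    }

    # Collect the account names that already appear in the ACL. -notcontains
    # below is an exact, case-insensitive element match and is safe on an empty
    # list (the former .Value.Contains() call failed on an empty ACL and became
    # a substring test when the ACL held a single entry).
    $identities = @(foreach ($ace in $acl.Access) { $ace.IdentityReference.Value })

    # NOTE(review): any existing entry for $owner - a Deny entry or a lesser
    # right such as Read - counts as "already present" and the item is skipped.
    if ($identities -notcontains $owner) {
        $line = [PSCustomObject]@{
            'Path' = $path
            'Adding_Access' = $owner
            'Current_Sddl' = $acl.Sddl
        }

        # NOTE(review): a failed audit write is only a warning and the
        # permission change still proceeds, so the previous SDDL may go
        # unrecorded.
        try {
            $line | Export-Csv $access_logfile -NoTypeInformation -Append -ErrorAction Stop
        }
        catch {
            Write-Warning ("Caught Exception writing to logfile {0}: {1}" -f $access_logfile, $_.Exception.Message)
        }

        Write-Verbose ("Setting permissions on {0}" -f $path)

        try {
            if ($isDirectory) {
                # Applies to this folder, its subfolders and its files.
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($owner,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
            }
            else {
                # set permissions on the file - we can't have inheritance flags on a file
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($owner,"FullControl","Allow")
            }

            $acl.SetAccessRule($rule)
            Set-Acl -LiteralPath $path -AclObject $acl -ErrorAction Stop
        }
        catch {
            $friendlyErrorMessage = ("Caught Exception setting permissions for {0}" -f $path)
            if (!$nolog) {
                Add-Content $error_logfile ("{0}`n`t{1}" -f $friendlyErrorMessage,$_.Exception)
            }
        }
    }
}

# Sets owner and ACL at folder level only
#   $startingPath - root of the tree; only items below it are processed
#   $shareName    - folder name for generating logfile names
#   -nolog        - suppress the error log
# Log files are written under C:\Support\Logs, which this script does not create.
# NOTE(review): Get-ChildItem skips hidden and system items unless -Force is
# given, and depending on the PowerShell version -Recurse may descend into
# junctions or symlinked directories - confirm the tree has no reparse points
# leading outside the share before running.
Function Run {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,Position=0)]$startingPath,
        [Parameter(Mandatory=$true,Position=1)]$shareName, # folder name for generating logfile names
        [Parameter(Mandatory=$false)][switch]$nolog
    )

    $owner = "CORR\Domain Admins"
    Assert-RunInput -owner $owner -shareName $shareName

    $owner_logfile = $("C:\Support\Logs\MigrationOwnerUpdate_" + $shareName + ".log")
    $access_logfile = $("C:\Support\Logs\MigrationAccessUpdate_" + $shareName + ".log")
    $error_logfile = $("C:\Support\Logs\MigrationErrors_" + $shareName + ".log")

    # the -Directory flag is what makes this folder-only
    Get-ChildItem -Path $startingPath -Directory -Recurse | ForEach-Object {
        Set-Owner $_
        Set-Perms $_
    }
}

# Sets owner and ACL down to file level
#   $startingPath - root of the tree; only items below it are processed
#   $shareName    - folder name for generating logfile names
#   -nolog        - suppress the error log
# $owner below is a placeholder and must be replaced with a real account before
# use; Assert-RunInput stops the run while it does not resolve.
# The hidden-item and reparse-point caveats noted on Run apply here as well.
Function Run-Full {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,Position=0)]$startingPath,
        [Parameter(Mandatory=$true,Position=1)]$shareName, # folder name for generating logfile names
        [Parameter(Mandatory=$false)][switch]$nolog
    )

    $VerbosePreference = "Continue"

    $owner = "SetOwnerHere"
    Assert-RunInput -owner $owner -shareName $shareName

    $owner_logfile = $("C:\Support\Logs\MigrationOwnerUpdate_" + $shareName + ".log")
    $access_logfile = $("C:\Support\Logs\MigrationAccessUpdate_" + $shareName + ".log")
    $error_logfile = $("C:\Support\Logs\MigrationErrors_" + $shareName + ".log")

    Get-ChildItem -Path $startingPath -Recurse | ForEach-Object {
        Set-Owner $_
        Set-Perms $_
    }
}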