Update-ACL.ps1


<#PSScriptInfo
 
.VERSION 1.1
 
.GUID 62ba3115-0a50-40bc-9a05-0950528434c0
 
.AUTHOR jmcarthur@roundrocktexas.gov
 
.COMPANYNAME
 
.COPYRIGHT
 
.TAGS
 
.LICENSEURI
 
.PROJECTURI
 
.ICONURI
 
.EXTERNALMODULEDEPENDENCIES
 
.REQUIREDSCRIPTS
 
.EXTERNALSCRIPTDEPENDENCIES
 
.RELEASENOTES
 
 
.PRIVATEDATA
 
#>


<#
 
.DESCRIPTION
 Sets Domain Admins as owner and assigns full-access permissions on all folders under the given path
 
#>
 

# Script-level parameters: none. The file only defines functions (Get-Owner, Set-Owner,
# Set-Perms, Run, Run-Full) and nothing in it invokes them, so it is presumably meant to
# be dot-sourced and then driven by calling Run or Run-Full explicitly.
Param()


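Function Get-Owner
{
    <#
    .SYNOPSIS
    Reports a file or folder whose current owner differs from the target owner.

    .DESCRIPTION
    Read-only companion to Set-Owner. Reads the ACL of the item and, when an owner
    is present and differs from $owner, writes a verbose message and emits a
    PSCustomObject with Path, Current_Owner and New_Owner. Nothing is modified.

    .PARAMETER currentPath
    A FileSystemInfo object (as produced by Get-ChildItem); only its FullName is used.

    .NOTES
    $owner is not a parameter: it is read from the calling scope, the same way
    Set-Owner and Set-Perms read it from Run / Run-Full.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,Position=0)]$currentPath
    )

    $path = $currentPath.fullname
    try
    {
        # -LiteralPath: names containing [ or ] would otherwise be treated as wildcards.
        $acl = get-acl -LiteralPath $path -ErrorAction Stop
    }
    catch
    {
        Write-Warning ("Get-Owner: could not read ACL for {0}: {1}" -f $path,$_.Exception.Message)
        return
    }
    if (($acl.Owner) -and !($acl.Owner -eq $owner))
    {
        Write-Verbose ("{0} is owner on {1}" -f $acl.Owner,$path)
        # Emit the record so callers can collect or export it; it used to be
        # built into $line and then discarded.
        [PSCustomObject]@{
            'Path' = $path
            'Current_Owner' = $acl.Owner
            'New_Owner' = $owner
        }
    }
}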

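Function Set-Owner
{
    <#
    .SYNOPSIS
    Makes $owner the owner of a single file or folder when it is not already.

    .DESCRIPTION
    Reads the item's ACL; if the owner differs from $owner, sets the new owner with
    SetOwner and writes the ACL back with Set-Acl. Only after Set-Acl succeeds is a
    CSV row (Path, Current_Owner, New_Owner) appended to $owner_logfile, so that log
    reflects changes that actually happened. Read and write failures are appended to
    $error_logfile unless $nolog is set.

    .PARAMETER currentPath
    A FileSystemInfo object (as produced by Get-ChildItem); only its FullName is used.

    .NOTES
    $owner, $owner_logfile, $error_logfile and $nolog are read from the calling
    scope (Run / Run-Full define them); they are not parameters of this function.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,Position=0)]$currentPath
    )

    $path = $currentPath.fullname
    try
    {
        # -LiteralPath: names containing [ or ] would otherwise be treated as wildcards.
        $acl = get-acl -LiteralPath $path -ErrorAction Stop
    }
    catch
    {
        $friendlyErrorMessage = ("Caught Exception in Set-Owner getting ACL for {0}" -f $path)
        if (!$nolog){
            Add-Content $error_logfile ("{0}`n`t{1}" -f $friendlyErrorMessage,$_.Exception)
        }
        return
    }
    if ($acl.Owner -eq $owner)
    {
        return
    }

    # Capture the pre-change owner now: $acl.Owner changes once SetOwner runs.
    $line = [PSCustomObject]@{
        'Path' = $path
        'Current_Owner' = $acl.Owner
        'New_Owner' = $owner
    }
    Write-Verbose ("Setting {0} as owner on {1}" -f $owner,$path)
    try
    {
        $acl.SetOwner([System.Security.Principal.NTAccount] $owner)
        # -ErrorAction Stop: Set-Acl reports failures as non-terminating errors,
        # which would otherwise bypass this catch.
        $acl | set-acl -LiteralPath $path -ErrorAction Stop
    }
    catch
    {
        $friendlyErrorMessage = ("Caught Exception setting owner for {0}" -f $path)
        if (!$nolog){
            Add-Content $error_logfile ("{0}`n`t{1}" -f $friendlyErrorMessage,$_.Exception)
        }
        return
    }

    # Logged only after the ACL was written, so the owner log never records a
    # change that failed.
    try
    {
        $line | export-csv $owner_logfile -NoTypeInformation -Append
    }
    catch
    {
        Write-Warning ("Caught Exception writing to logfile {0}: {1}" -f $owner_logfile,$_.Exception.Message)
    }
}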

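Function Set-Perms
{
    <#
    .SYNOPSIS
    Grants $owner FullControl on a single file or folder if it has no entry yet.

    .DESCRIPTION
    Reads the item's ACL; if no access rule names $owner as its identity, adds an
    Allow/FullControl rule (with ContainerInherit,ObjectInherit on folders; files
    cannot carry inheritance flags) and writes the ACL back with Set-Acl. Only after
    Set-Acl succeeds is a CSV row (Path, Adding_Access, Current_Sddl) appended to
    $access_logfile. Failures are appended to $error_logfile unless $nolog is set.

    .PARAMETER currentPath
    A FileSystemInfo object (as produced by Get-ChildItem). Its type decides the
    folder/file rule shape; its FullName is the path operated on.

    .NOTES
    $owner, $access_logfile, $error_logfile and $nolog are read from the calling
    scope (Run / Run-Full define them); they are not parameters of this function.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,Position=0)]$currentPath
    )

    $path = $currentPath.fullname

    # Test the FileSystemInfo object itself, not its FullName string: a string is
    # never a DirectoryInfo, so testing $path was always false and folders received
    # a file-style rule without inheritance flags.
    $isDirectory = ($currentPath -is [System.IO.DirectoryInfo])
    try
    {
        # -LiteralPath: names containing [ or ] would otherwise be treated as wildcards.
        $acl = get-acl -LiteralPath $path -ErrorAction Stop
    }
    catch
    {
        $friendlyErrorMessage = ("Caught Exception in Set-Perms getting ACL for {0}" -f $path)
        if (!$nolog){
            Add-Content $error_logfile ("{0}`n`t{1}" -f $friendlyErrorMessage,$_.Exception)
        }
        return
    }

    # Exact identity match. String.Contains also matched substrings, so a principal
    # whose name merely starts with $owner would have suppressed the grant.
    $identities = @($acl.Access | ForEach-Object { $_.IdentityReference.Value })
    if ($identities -contains $owner)
    {
        return
    }

    # Capture the SDDL before the rule is added so the log shows the prior state.
    $line = [PSCustomObject]@{
        'Path' = $path
        'Adding_Access' = $owner
        'Current_Sddl' = $acl.Sddl
    }
    Write-Verbose ("Setting permissions on {0}" -f $path)
    if ($isDirectory)
    {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($owner,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
    }
    else # set permissions on the file - we can't have inheritance flags on a file
    {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($owner,"FullControl","Allow")
    }
    try
    {
        $acl.SetAccessRule($rule)
        # -ErrorAction Stop: Set-Acl reports failures as non-terminating errors,
        # which would otherwise bypass this catch.
        $acl | set-acl -LiteralPath $path -ErrorAction Stop
    }
    catch
    {
        $friendlyErrorMessage = ("Caught Exception setting permissions for {0}" -f $path)
        if (!$nolog){
            Add-Content $error_logfile ("{0}`n`t{1}" -f $friendlyErrorMessage,$_.Exception)
        }
        return
    }

    # Logged only after the ACL was written, so the access log never records a
    # grant that failed.
    try
    {
        $line | export-csv $access_logfile -NoTypeInformation -Append
    }
    catch
    {
        Write-Warning ("Caught Exception writing to logfile {0}: {1}" -f $access_logfile, $_.Exception.Message)
    }
}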

# Sets owner and ACL at folder level only
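Function Run
{
    <#
    .SYNOPSIS
    Sets the owner and grants FullControl to $owner on every folder below $startingPath.

    .DESCRIPTION
    Walks $startingPath recursively with Get-ChildItem -Directory (folders only, no
    files) and calls Set-Owner then Set-Perms on each one. Those two functions read
    $owner, $owner_logfile, $access_logfile, $error_logfile and $nolog from this
    function's scope, so these names must remain local variables or parameters here.

    .PARAMETER startingPath
    Root folder to walk. Passed to Get-ChildItem -Path, so wildcards are honoured.

    .PARAMETER shareName
    Used only to build the three log file names.

    .PARAMETER nolog
    Suppresses writing to the error log in Set-Owner / Set-Perms (they test $nolog).

    .PARAMETER owner
    Account to set as owner and grant FullControl. Defaults to "CORR\Domain Admins".

    .PARAMETER logDir
    Folder that receives the three log files. Defaults to C:\Support\Logs and is not
    created by this script.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,Position=0)]$startingPath,
        [Parameter(Mandatory=$true,Position=1)]$shareName, # folder name for generating logfile names
        [Parameter(Mandatory=$false)][switch]$nolog,
        [Parameter(Mandatory=$false)][string]$owner = "CORR\Domain Admins",
        [Parameter(Mandatory=$false)][string]$logDir = "C:\Support\Logs"
    )

    $owner_logfile  = Join-Path $logDir ("MigrationOwnerUpdate_{0}.log" -f $shareName)
    $access_logfile = Join-Path $logDir ("MigrationAccessUpdate_{0}.log" -f $shareName)
    $error_logfile  = Join-Path $logDir ("MigrationErrors_{0}.log" -f $shareName)

    # the -Directory flag is what makes this folder-only
    Get-ChildItem -Path $startingPath -Directory -Recurse | ForEach-Object {
        Set-Owner $_
        Set-Perms $_
    }
}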

# Sets owner and ACL down to file level
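Function Run-Full
{
    <#
    .SYNOPSIS
    Sets the owner and grants FullControl to $owner on every folder and file below $startingPath.

    .DESCRIPTION
    Like Run, but walks $startingPath with Get-ChildItem -Recurse without -Directory,
    so files are processed as well as folders. Forces $VerbosePreference to Continue
    for this scope so the per-item verbose messages from Set-Owner / Set-Perms are
    shown. Those two functions read $owner, $owner_logfile, $access_logfile,
    $error_logfile and $nolog from this function's scope, so these names must remain
    local variables or parameters here.

    .PARAMETER startingPath
    Root folder to walk. Passed to Get-ChildItem -Path, so wildcards are honoured.

    .PARAMETER shareName
    Used only to build the three log file names.

    .PARAMETER nolog
    Suppresses writing to the error log in Set-Owner / Set-Perms (they test $nolog).

    .PARAMETER owner
    Account to set as owner and grant FullControl. The default "SetOwnerHere" is the
    placeholder left in the original code and is not a real account; pass -owner.

    .PARAMETER logDir
    Folder that receives the three log files. Defaults to C:\Support\Logs and is not
    created by this script.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,Position=0)]$startingPath,
        [Parameter(Mandatory=$true,Position=1)]$shareName, # folder name for generating logfile names
        [Parameter(Mandatory=$false)][switch]$nolog,
        [Parameter(Mandatory=$false)][string]$owner = "SetOwnerHere",
        [Parameter(Mandatory=$false)][string]$logDir = "C:\Support\Logs"
    )
    $VerbosePreference = "Continue"
    if ($owner -eq "SetOwnerHere")
    {
        # Every Set-Acl call would fail on an unresolvable principal; say so once up front.
        Write-Warning "Run-Full: -owner was not supplied; the placeholder 'SetOwnerHere' is not a valid account."
    }
    $owner_logfile  = Join-Path $logDir ("MigrationOwnerUpdate_{0}.log" -f $shareName)
    $access_logfile = Join-Path $logDir ("MigrationAccessUpdate_{0}.log" -f $shareName)
    $error_logfile  = Join-Path $logDir ("MigrationErrors_{0}.log" -f $shareName)

    # no -Directory here: files are included
    Get-ChildItem -Path $startingPath -Recurse | ForEach-Object {
        Set-Owner $_
        Set-Perms $_
    }
}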