cEPRSFolderPermissions.psm1

# Desired state of the access control entry (ACE) on the target path:
# Present = the exact ACE must exist, Absent = any exactly matching ACE is removed.
enum Ensure
{
    Present
    Absent
}
# Commonly used FileSystemRights values. NOTE(review): the resource below declares
# its $Rights property as [string], not [Rights], so this enum does not constrain
# what a configuration may pass; the value is converted when the
# FileSystemAccessRule is constructed.
enum Rights
{
    ReadAndExecute
    Modify
    FullControl
    Read
    Write
}
# AccessControlType of the ACE. NOTE(review): as with Rights, the resource's $Access
# property is typed [string], so this enum is informational only.
enum Access
{
    Allow
    Deny
}
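[DscResource()]
class cEPRSFolderPermissions
{
    # Path whose DACL is managed. Accessed with -LiteralPath so that wildcard
    # characters such as '[' in a folder name are not expanded.
    [DscProperty(Key)][String] $Path
    # Account the ACE is granted to / denied for; compared as an NTAccount against
    # the explicit (non-inherited) rules already on the path.
    [DscProperty(Key)][String] $Account
    # FileSystemRights as a string, e.g. "Modify". Kept as [string] rather than the
    # [Rights] enum of this module so combined values like "Read, Write" keep working.
    # An unrecognised value surfaces as a conversion error from New-Object.
    [DscProperty()] [string] $Rights
    # Present: the exact ACE must exist. Absent: every exactly matching ACE is removed.
    [DscProperty()] [Ensure] $Ensure
    # AccessControlType as a string: "Allow" or "Deny".
    [DscProperty()] [string] $Access
    # $true  -> the ACE applies to this object only (InheritanceFlags None).
    # $false -> the ACE is inherited by child containers and objects.
    [DscProperty()] [Bool]$NoInherit = $false

    # Builds the ACE described by the resource properties. PropagationFlags are
    # always "None"; only the InheritanceFlags vary with $NoInherit.
    hidden [System.Security.AccessControl.FileSystemAccessRule] GetDesiredRule()
    {
        $inheritFlags = if ($this.NoInherit) { "None" } else { "ContainerInherit, ObjectInherit" }
        return New-Object System.Security.AccessControl.FileSystemAccessRule($this.Account, $this.Rights, $inheritFlags, "None", $this.Access)
    }

    # Reads the Access section of the DACL on $Path. Throws (via Get-Item) when the
    # path does not exist, which DSC reports as a resource error.
    hidden [System.Security.AccessControl.FileSystemSecurity] ReadAcl()
    {
        return (Get-Item -LiteralPath $this.Path).GetAccessControl("Access")
    }

    # Returns the explicit ACEs in $acl that match $rule on identity, rights, access
    # type and inheritance flags. Inherited ACEs are excluded (GetAccessRules is called
    # with includeInherited = $false), so a right that is only inherited from a parent
    # is not treated as Present. The rights comparison is exact: a broader existing
    # grant does not satisfy a narrower requested one.
    hidden [System.Security.AccessControl.FileSystemAccessRule[]] GetMatchingRules(
        [System.Security.AccessControl.FileSystemSecurity] $acl,
        [System.Security.AccessControl.FileSystemAccessRule] $rule)
    {
        $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
        $hits = @($existing | Where-Object {
            ($rule.IdentityReference -eq $_.IdentityReference) -and
            ($rule.FileSystemRights -eq $_.FileSystemRights) -and
            ($rule.AccessControlType -eq $_.AccessControlType) -and
            ($rule.InheritanceFlags -eq $_.InheritanceFlags)
        })
        return $hits
    }

    # Reports the current state of the requested ACE. Ensure is Present only when an
    # explicit ACE with exactly the requested identity, rights, access type and
    # inheritance exists on $Path; the other properties echo the request.
    [cEPRSFolderPermissions] Get()
    {
        $rule = $this.GetDesiredRule()
        $hits = $this.GetMatchingRules($this.ReadAcl(), $rule)

        $result = [cEPRSFolderPermissions]::new()
        $result.Path = $this.Path
        $result.Account = $this.Account
        $result.Rights = $this.Rights
        $result.Access = $this.Access
        $result.NoInherit = $this.NoInherit
        # The previous version read $this.Presence, which is not a property of this
        # class and therefore always evaluated to $null.
        $result.Ensure = if ($hits.Count -gt 0) { [Ensure]::Present } else { [Ensure]::Absent }
        return $result
    }

    # $true when the observed presence of the exact ACE equals the requested $Ensure.
    [bool] Test()
    {
        $rule = $this.GetDesiredRule()
        $hits = $this.GetMatchingRules($this.ReadAcl(), $rule)
        $presence = if ($hits.Count -gt 0) { [Ensure]::Present } else { [Ensure]::Absent }
        return ($presence -eq $this.Ensure)
    }

    # Applies the requested state. Present adds the ACE; Absent removes every exactly
    # matching explicit ACE. The DACL is written back in both cases, so the account
    # running the resource needs permission to change permissions on $Path.
    [void] Set()
    {
        $rule = $this.GetDesiredRule()
        $acl = $this.ReadAcl()

        if ($this.Ensure -eq [Ensure]::Present)
        {
            $acl.AddAccessRule($rule)
        }
        else
        {
            foreach ($hit in $this.GetMatchingRules($acl, $rule))
            {
                [void]$acl.RemoveAccessRule($hit)
            }
        }

        Set-Acl -LiteralPath $this.Path -AclObject $acl
    }
}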