Question
Wednesday, February 21, 2018 12:40 AM
I need to apply some ACLs to some "master" folders granting different AD groups read permission to the master folder only.
2 questions...
1) when I use:
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($GRead.SID, "Read,ReadAndExecute,ListDirectory","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule)
$acl | Set-Acl -ErrorAction Continue -ErrorVariable Err
($GRead.SID holds the SID of the AD group that needs the permission)
the command will cycle thru all child folders and files, changing nothing on them (the acl is set to "this folder only"). The subfolders are HUGE so I'd like to skip that... is there a way to do it?
2) I need to apply multiple ACLs like the one before to the same huge folder. If I'm unable to skip the "child cycling", at least would be nice to group all the ACLs for a folder in one single set-acl command. Is that possible?
Thanks!
Dario Palermo
All replies (5)
Thursday, February 22, 2018 5:55 AM
Hi Dario,
For the first question, do you mean that you want to grant one AD group read access to one single folder and the ACL applies to "This folder only"? If yes, the following demo script is for your reference:
$group = Get-ADGroup -Identity 'YourGroup'
$path = 'C:\MasterFolder'
$acl = Get-Acl -Path $path
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($group.SID, 'ReadAndExecute', 'None', 'None', 'Allow')
$acl.SetAccessRule($accessRule)
Set-Acl -Path $path -AclObject $acl
For the second question, do you mean that you want to grant multiple AD groups read access to one single folder? If yes, you can set multiple ACLs at once:
$group1 = Get-ADGroup -Identity 'YourGroup1'
$group2 = Get-ADGroup -Identity 'YourGroup2'
$path = 'C:\MasterFolder'
$acl = Get-Acl -Path $path
$accessRule1 = New-Object System.Security.AccessControl.FileSystemAccessRule($group1.SID, 'ReadAndExecute', 'None', 'None', 'Allow')
$accessRule2 = New-Object System.Security.AccessControl.FileSystemAccessRule($group2.SID, 'ReadAndExecute', 'None', 'None', 'Allow')
$acl.SetAccessRule($accessRule1)
$acl.SetAccessRule($accessRule2)
Set-Acl -Path $path -AclObject $acl
In addition, I recommend using icacls.exe; it is more convenient to use.
If you need further help, please feel free to let us know.
Best Regards,
Albert
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
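The approach in the reply above, as an added example that is not part of the thread: it puts several "this folder only" read rules on one in-memory ACL, writes them with a single Set-Acl, then reads the result back and compares the child folder's DACL before and after. It assumes Windows PowerShell on an NTFS volume; the temp path and the two well-known SIDs (standing in for the AD group SIDs) are constructed sample values.

```powershell
# Added example (not from the thread). Paths and SIDs are constructed sample values.
$root  = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid())
$child = Join-Path $root 'Sub'
New-Item -ItemType Directory -Path $child -Force | Out-Null

# Stand-ins for the AD group SIDs ($GRead.SID in the question): two well-known SIDs
# (BUILTIN\Users and Authenticated Users), so no domain is needed.
$sidStrings = 'S-1-5-32-545', 'S-1-5-11'

$rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit = [System.Security.AccessControl.InheritanceFlags]::None     # no child containers or files
$propag  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Snapshot the child's DACL so any change caused by the parent update is visible.
$childBefore = (Get-Acl -Path $child).GetSecurityDescriptorSddlForm('Access')

# Build every rule on one in-memory ACL object, then write it once.
$acl = Get-Acl -Path $root
foreach ($s in $sidStrings) {
    $sid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $s
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, $rights, $inherit, $propag, $allow
    # AddAccessRule merges with existing rules; SetAccessRule would first remove
    # the principal's existing Allow rules and then add this one.
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $root -AclObject $acl

# Read back the explicit (non-inherited) ACEs on the parent for the sample SIDs.
$sidType = [System.Security.Principal.SecurityIdentifier]
(Get-Acl -Path $root).GetAccessRules($true, $false, $sidType) |
    Where-Object { $sidStrings -contains $_.IdentityReference.Value } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited |
    Format-Table -AutoSize

# Compare the child's DACL with the snapshot taken before the parent was changed.
$childAfter = (Get-Acl -Path $child).GetSecurityDescriptorSddlForm('Access')
"Child DACL unchanged: $($childBefore -eq $childAfter)"

Remove-Item -Path $root -Recurse -Force   # clean up the sample folder
```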
Saturday, February 24, 2018 1:08 PM
For question 1, I posted the wrong script section. The rule I'm having trouble with is this:
New-Object System.Security.AccessControl.FileSystemAccessRule($GRead.SID, "Read,ReadAndExecute,ListDirectory","None","InheritOnly","Allow")
To apply a "this folder only" permission. Still, the system will do something - some sort of unnecessary check - on all subfolders and files. The same happens if I use the GUI.
For question 2, thanks!
Bye, Dario
Dario Palermo
Monday, February 26, 2018 7:23 AM
Hi Dario,
"InheritOnly" means "Specifies that the ACE is propagated only to child objects. This includes both container and leaf child objects.".
Please try using "None" and see if the issue still remains.
Please let us know if you would like further assistance.
Best Regards,
Albert
Wednesday, February 28, 2018 5:21 AM
Hi,
I just want to confirm the current situation. Have you tried the method provided before?
If you already tried them or the issue remains after trying them, please don’t hesitate to tell me. I will do more research and try my best to give you helpful suggestions.
Best Regards,
Albert
Monday, March 5, 2018 6:05 AM
Hi,
I am checking how the issue is going. If you still have any questions, please feel free to contact us.
If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
If not, please reply and tell us the current situation so that we can provide further help.
I appreciate your feedback.
Best Regards,
Albert