ICACLS - How to grant permissions only to subfolders where the inheritance was blocked

Question

Tuesday, December 3, 2019 5:25 AM

Hi!

I want to grant permissions for support personnel in the file server structure. 

But I want to grant permissions in a specific folder and subfolders only where the inheritance was blocked, because in folders where the inheritance was not blocked it is not necessary to apply explicit permissions (they receive implicit permissions by inheritance).

I tried the command "icacls folder /q /c /t /grant group:(CI)(Permissions)", but it configures explicit permissions in subfolders where the inheritance was and was not blocked.

Is there any way to grant permissions only to subfolders where inheritance was blocked? Or is there a good reason to leave it that way, having subfolders where inheritance was not blocked with duplicated permissions, a set of implicit and explicit permissions?

Thanks

Cristian L Ruiz

All replies (4)

Wednesday, December 4, 2019 3:23 AM

Hi,

Thanks for posting here!

Based on my understanding, you currently don't know whether inheritance was blocked or not for all the subfolders, and you want to use a command to grant permissions only to subfolders where the inheritance was blocked, right?

If I have misunderstood anything, please feel free to let me know.

Based on my experience, explicit permissions take precedence over inherited permissions, even inherited Deny permissions.

So in your situation, if you have a large quantity of subfolders to grant permissions on, you can set explicit permissions directly even if the inheritance is not blocked.

Best Regards,

Fan

Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected]


Wednesday, December 4, 2019 10:12 PM

I think I understand what you want. I don't think that icacls can do that, but a PowerShell script can. Try this out on a test folder first and see if it does what you want. Remove the -whatif to actually set the permissions.

#
# Analyze a folder structure and add a missing group to all folders that do not inherit permissions from the parent folder.
# When added, the missing group will be inherited by subfolders of that folder.
# Author: MotoX80 on MS Technet forums.
#
$group = "homeusers"                           # this code assumes that there will not be local and domain groups with the same name
$domain = 'slick'                              # AD domain or use computer name for local groups
$target = 'c:\temp'                            # analyze this folder

$folders = Get-ChildItem -Path $target -Directory -Recurse
"These folders do not inherit permissions from the parent folder."
foreach ($folder in $folders) {
    $acls = Get-Acl -Path $folder.FullName
    if ($acls.AreAccessRulesProtected -eq $true) {     # we found a folder that does not inherit permissions.
        foreach ($acl in $acls) {
            $folder.FullName
            $accs = $acl.Access
            $apply = $true                   # grant access unless we find our group
            foreach ($acc in $accs) {
                # compare only the name part after the backslash (DOMAIN\name)
                if ($acc.IdentityReference.ToString().Split('\')[1] -eq $group) {
                    "Already applied."
                    $apply = $false                     # our group is already referenced, no need to reapply
                    break                               # one match is enough, stop scanning this ACL
                }
            }
            if ($apply -eq $true) {
                $acl_Rule = New-Object System.Security.AccessControl.FileSystemAccessRule ("$domain\$group", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
                $acl.SetAccessRule($acl_Rule)
                "Updating {0}" -f $folder.FullName
                Set-Acl -Path $folder.FullName -AclObject $acl -WhatIf     # remove the -whatif to actually modify the permissions
            }
        }
    }
}
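
A variant of the approach in the reply above, as an added example that is not MotoX80's script: it matches the group by SID rather than by name, includes the top folder, skips folders that carry an explicit Deny for the group, and reports what it did per folder. The function name, `CONTOSO\FileSupport`, `D:\Shares` and the `Modify` default are assumptions chosen for illustration.

```powershell
# Added example; not the forum author's script. Function name, group and path are placeholders.
function Grant-OnProtectedFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'   # assumed default
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Resolve the name once; comparing SIDs avoids local/domain groups that share a name.
    $sid  = ([System.Security.Principal.NTAccount]$Identity).Translate($sidType)
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $sid, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')

    # Get-ChildItem -Recurse omits the starting folder, so add it explicitly.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch {
            [pscustomobject]@{ Folder = $folder.FullName; Action = "Unreadable: $($_.Exception.Message)" }
            continue
        }
        if (-not $acl.AreAccessRulesProtected) { continue }   # inherits from parent: nothing to add

        # Explicit ACEs only (includeExplicit = $true, includeInherited = $false), identities as SIDs.
        $mine  = @($acl.GetAccessRules($true, $false, $sidType) |
                   Where-Object { $_.IdentityReference.Value -eq $sid.Value })
        $deny  = @($mine | Where-Object { $_.AccessControlType -eq 'Deny' })
        $allow = @($mine | Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.FileSystemRights -band $Rights) -eq $Rights })

        if ($deny.Count -gt 0)      { $action = 'Skipped: explicit Deny for this group, review manually' }
        elseif ($allow.Count -gt 0) { $action = 'Already granted' }
        elseif ($PSCmdlet.ShouldProcess($folder.FullName, "Grant $Rights to $Identity")) {
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $folder.FullName -AclObject $acl
            $action = 'Granted'
        }
        else { $action = 'Not changed (WhatIf or declined)' }
        [pscustomobject]@{ Folder = $folder.FullName; Action = $action }
    }
}

# Dry run first; remove -WhatIf once the report looks right.
Grant-OnProtectedFolder -Path 'D:\Shares' -Identity 'CONTOSO\FileSupport' -WhatIf |
    Format-Table -AutoSize
```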

Friday, December 6, 2019 1:58 AM

Hi,

Just want to confirm the current situation.

Please feel free to let us know if you need further assistance.

Best Regards,

Fan



Monday, December 9, 2019 10:18 AM

Hi,

Thanks for posting here!

Please feel free to let us know if you need further assistance.

Best Regards,

Fan
