Sunday , February 26 2017

File Server Folder, Groups, Permissions Script

Download Script

What the script does –

Task 1 –

  • It creates the root folder
  • It creates an Active Directory group FolderName_R (read group)
  • It creates an Active Directory group FolderName_W (write group)
  • The Notes field of each group is updated with the service request ID
  • The Managed By field of each group is updated with the folder owner

[Screenshot] The groups have been created.

[Screenshot] Notes field updated on the group.

[Screenshot] The Managed By attribute is set.

[Screenshot] Current folder permissions before Task 2.

Task 2 –

  • Removes inheritance on the root folder
  • Removes the BUILTIN\Users access entry from the folder
  • Places a Deny Delete permission for the FolderName_W group on the root folder only, so that its members cannot delete the root folder
  • Adds an OWNER RIGHTS entry
  • Grants Read permission on the folder to the FolderName_R group
  • Grants Write (Modify) permission on the folder to the FolderName_W group
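Task 2 changes six things about the root folder's ACL, and a wrong click in the Security tab later can silently undo any of them. The audit script below is an added example, not part of the original script; it reads the folder's ACL and reports whether each of the six points above still holds. It assumes the same naming convention (FolderName_R / FolderName_W), the domain prefix CLOUDID and the share \\FileServer\F$ used in the script, and PowerShell 3.0 or later.

```powershell
# Added ACL audit example (not part of the original script).
# Assumptions: <FolderName>_R / <FolderName>_W groups in domain CLOUDID,
# root share \\FileServer\F$, PowerShell 3.0+.
param(
    [Parameter(Mandatory = $true)][string]$FolderName,
    [string]$RootShare = "\\FileServer\F$",   # assumption: same share as the script
    [string]$Domain    = "CLOUDID"            # assumption: same domain prefix as the script
)

$path = Join-Path $RootShare $FolderName
if (-not (Test-Path -LiteralPath $path -PathType Container)) {
    throw "Folder not found: $path"
}

$acl   = Get-Acl -Path $path
$rules = $acl.Access     # FileSystemAccessRule entries, explicit and inherited

# Is there an ACE for this identity, of this type, carrying at least these rights
# and exactly these inheritance flags?
function Test-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $Identity)        { continue }
        if ($r.AccessControlType -ne $Type)                  { continue }
        if (($r.FileSystemRights -band $Rights) -ne $Rights) { continue }
        if ($r.InheritanceFlags -ne $Inherit)                { continue }
        return $true
    }
    return $false
}

$both = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$none = [System.Security.AccessControl.InheritanceFlags]::None
$readGroup  = "$Domain\${FolderName}_R"
$writeGroup = "$Domain\${FolderName}_W"

$checks = [ordered]@{
    "Inheritance disabled on root"  = $acl.AreAccessRulesProtected
    "No BUILTIN\Users entry"        = -not ($rules | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' })
    "_W denied Delete, root only"   = Test-Ace $writeGroup 'Delete' Deny $none
    "OWNER RIGHTS read and execute" = Test-Ace 'OWNER RIGHTS' 'ReadAndExecute, Synchronize' Allow $both
    "_R has ReadAndExecute"         = Test-Ace $readGroup  'ReadAndExecute, Synchronize' Allow $both
    "_W has Modify"                 = Test-Ace $writeGroup 'Modify, Synchronize' Allow $both
}

$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; OK = $_.Value } } |
    Format-Table -AutoSize

# Non-zero exit code if anything drifted from the Task 2 state
if ($checks.GetEnumerator() | Where-Object { -not $_.Value }) { exit 1 }
```

Two points this audit relies on: Modify already includes Delete, so the _W group can only be prevented from deleting the root because an explicit Deny entry is evaluated before an explicit Allow in a canonically ordered ACL; and the OWNER RIGHTS entry matters because, without it, whoever owns the folder implicitly holds the right to rewrite its ACL regardless of the entries above.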

[Screenshots] Folder permissions after Task 2.

Things to be updated in the script –

  • Folder paths, the group OU path and the domain name (all hard-coded in the script)

Test thoroughly. Permissions are scary; use the script wisely and with proper knowledge of the environment.

Run it in a lab before running it in production.



<#
.SYNOPSIS
.\FileServerFolder.ps1 - Creates a root folder and applies standard permissions for an enterprise environment.

.NOTES
Requires PowerShell version 2 and the ActiveDirectory module. Runs in the Exchange Management Shell.
Update the environment settings block (share path, group OU, domain) before use.

Change Log
V1.2, 11/08/2016

.EXAMPLE
C:\Scripts> C:\Scripts\FileServerFolder.ps1
File Server - Root Folder Creator
----------------------------

1.Create Root Folder on F:\FileServer\
2.Apply Permissions on F:\FileServer\SPECIFIC_FOLDER
Importing ActiveDirectory Module

Choose The Task: 1
Enter the Root Folder Name: Folder01
Enter the Request ID: 0102
Enter the Owner of the Groups _R and _W E.g UPN Sathesh: Ashok.Magar
Creating Root Folder
Directory: \\FileServer\F$
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         11/8/2016   2:48 PM            Folder01
Creating Active Directory Groups
Applying Request ID Folder01_R
Applying Request ID Folder01_W

.EXAMPLE
C:\Scripts> C:\Scripts\FileServerFolder.ps1
File Server - Root Folder Creator
----------------------------

1.Create Root Folder on F:\FileServer\
2.Apply Permissions on F:\FileServer\SPECIFIC_FOLDER
Importing ActiveDirectory Module

Choose The Task: 2
Enter the Root Folder Name: folder01
Re-enter the Root Folder Name to confirm: folder01
Removing Inheritance
Removing BUILTIN\Users
Deny - Delete
Add owner Rights
Add Read Rights for _R group
Add Write Rights for _W group
#>

Write-Host "

File Server - Root Folder Creator
----------------------------

1.Create Root Folder on F:\FileServer\
2.Apply Permissions on F:\FileServer\SPECIFIC_FOLDER

" -ForegroundColor Cyan

#----------------
# Environment settings - update these for your environment
#----------------
$RootShare = "\\FileServer\F$"                   # UNC path of the file server root
$GroupOU   = "OU=02 Groups,DC=Cloudid,DC=biz"    # OU in which the _R / _W groups are created
$Domain    = "CLOUDID"                           # NetBIOS domain name used in the access entries
$Read  = "_R"
$Write = "_W"

#----------------
# Helper
#----------------
# Adds one access control entry to a folder and writes the ACL back.
# PropagationFlags is always None, as in every rule of this script.
function Add-FolderAce
{
    param(
        [string]$Path,
        [string]$Identity,      # e.g. "CLOUDID\Folder01_W" or "OWNER RIGHTS"
        [string]$Rights,        # FileSystemRights, e.g. "Modify, Synchronize"
        [string]$Inheritance,   # InheritanceFlags, e.g. "ContainerInherit, ObjectInherit" or "None"
        [string]$Type           # "Allow" or "Deny"
    )
    $acl = Get-Acl -Path $Path
    $ruleArgs = @(
        (New-Object System.Security.Principal.NTAccount($Identity)),
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inheritance,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]$Type
    )
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl
}

#----------------
# Script
#----------------
Write-Host "Importing ActiveDirectory Module"
Import-Module ActiveDirectory

Write-Host ""

$number = Read-Host "Choose The Task"
switch ($number)
{

1 {
    # Saving required variables
    $FolderName = Read-Host "Enter the Root Folder Name"
    $RequestID  = Read-Host "Enter the Request ID"
    $Managedby  = Read-Host "Enter the Owner of the Groups _R and _W E.g UPN Sathesh"
    $path       = Join-Path $RootShare $FolderName
    $ReadGroup  = "$FolderName$Read"
    $WriteGroup = "$FolderName$Write"

    # Creating the root folder (stop if it already exists rather than touching an existing share)
    Write-Host "Creating Root Folder"
    if (Test-Path -LiteralPath $path)
    {
        Write-Host "$path already exists - nothing done" -ForegroundColor Red
        break
    }
    New-Item -Path $path -ItemType Directory

    # Creating Active Directory groups: _R - Read, _W - Write
    Write-Host "Creating Active Directory Groups"
    New-ADGroup -Name $ReadGroup  -SamAccountName $ReadGroup  -GroupCategory Security -GroupScope Global -DisplayName $ReadGroup  -Path $GroupOU
    New-ADGroup -Name $WriteGroup -SamAccountName $WriteGroup -GroupCategory Security -GroupScope Global -DisplayName $WriteGroup -Path $GroupOU

    # Applying the ticket ID in the Notes (info) attribute and setting the owner (ManagedBy)
    Write-Host "Applying Request ID $ReadGroup"
    Set-ADGroup $ReadGroup  -Replace @{info = "Request ID : $RequestID"} -ManagedBy $Managedby
    Write-Host "Applying Request ID $WriteGroup"
    Set-ADGroup $WriteGroup -Replace @{info = "Request ID : $RequestID"} -ManagedBy $Managedby

    break
}

2 {
    # Saving required variables; the folder name is asked twice and must match
    $FolderName        = Read-Host "Enter the Root Folder Name"
    $confirmFolderName = Read-Host "Re-enter the Root Folder Name to confirm"
    $path       = Join-Path $RootShare $FolderName
    $ReadGroup  = "$Domain\$FolderName$Read"
    $WriteGroup = "$Domain\$FolderName$Write"

    if ($FolderName -ne $confirmFolderName)
    {
        Write-Host "Re-enter Folder Name" -ForegroundColor Red
        break
    }
    if (-not (Test-Path -LiteralPath $path -PathType Container))
    {
        Write-Host "$path does not exist - run Task 1 first" -ForegroundColor Red
        break
    }

    # Block inheritance; $true,$true keeps copies of the inherited entries as explicit ones
    Write-Host "Removing Inheritance"
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($True, $True)
    Set-Acl -Path $path -AclObject $acl

    # Remove every (now explicit) entry for BUILTIN\Users
    Write-Host "Removing BUILTIN\Users"
    $acl = Get-Acl -Path $path
    $rules = $acl.Access | Where-Object { $_.IdentityReference.Value -eq "BUILTIN\Users" }
    foreach ($rule in $rules)
    {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    Set-Acl -Path $path -AclObject $acl

    # Deny Delete on this folder only (no inheritance): _W members keep Modify on the
    # contents but cannot delete the root folder itself
    Write-Host "Deny - Delete"
    Add-FolderAce -Path $path -Identity $WriteGroup -Rights "Delete" -Inheritance "None" -Type "Deny"

    Write-Host "Add owner Rights"
    Add-FolderAce -Path $path -Identity "OWNER RIGHTS" -Rights "ReadAndExecute, Synchronize" -Inheritance "ContainerInherit, ObjectInherit" -Type "Allow"

    Write-Host "Add Read Rights for _R group"
    Add-FolderAce -Path $path -Identity $ReadGroup -Rights "ReadAndExecute, Synchronize" -Inheritance "ContainerInherit, ObjectInherit" -Type "Allow"

    Write-Host "Add Write Rights for _W group"
    Add-FolderAce -Path $path -Identity $WriteGroup -Rights "Modify, Synchronize" -Inheritance "ContainerInherit, ObjectInherit" -Type "Allow"

    break
}

Default { Write-Host "No matches found, enter option 1 or 2" -ForegroundColor Red }

}


About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Exchange Server MVP and publisher of CareExchange.in, supporting, deploying and designing Microsoft Exchange for some years, with extensive experience in Microsoft technologies.
