Monday, November 20 2017

File Server Folder, Groups, Permissions Script

Download Script

What the script does –

Task 1 –

  • Creates the root folder
  • Creates an Active Directory security group FolderName_R (read group)
  • Creates an Active Directory security group FolderName_W (write group)
  • Updates the Notes (info) field of both groups with the Service Request ID
  • Updates the Managed By field of both groups with the folder owner


You have the groups created.


Notes Updated in the Group


Sets the Managed By Attribute
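Task 1 is not idempotent: New-Item fails if the folder already exists, and a second run would recreate or re-point groups that may already be in use. The following pre-flight check is an added example, not part of the original script; it assumes the same share root, group naming (_R / _W) and sAMAccountName-style owner as the script, and that the ActiveDirectory module is available. It also rejects folder names with characters that are not valid in a group name or that could escape the share root, and it validates the owner before the name is used in an LDAP filter.

```powershell
# Added example, not part of the original script: pre-flight checks for Task 1.
# Assumptions (mine, not from the page): the same share root and "_R"/"_W"
# naming as the script, and the ActiveDirectory module available.
Import-Module ActiveDirectory

function Test-RootFolderRequest {
    param(
        [Parameter(Mandatory)] [string] $FolderName,
        [Parameter(Mandatory)] [string] $RequestID,
        [Parameter(Mandatory)] [string] $ManagedBy,
        [string] $ShareRoot = '\\FileServer\F$'
    )

    $problems = @()

    # The folder name becomes part of two sAMAccountNames and of an LDAP filter,
    # so reject path separators, "..", quotes and the characters AD disallows.
    if ($FolderName -match '[\\/:*?"<>|,+=;\[\]'']' -or $FolderName -match '\.\.') {
        $problems += "Folder name '$FolderName' contains characters that are not allowed."
    }
    # sAMAccountName is limited to 20 characters and the suffix uses two of them.
    if ($FolderName.Length -gt 18) {
        $problems += "Folder name '$FolderName' is too long: '${FolderName}_W' exceeds 20 characters."
    }
    if ($RequestID -notmatch '^\d+$') {
        $problems += "Request ID '$RequestID' is not numeric."
    }
    # The owner is used in an LDAP filter below; restrict it to account-name characters.
    if ($ManagedBy -notmatch '^[A-Za-z0-9._-]+$') {
        $problems += "Owner '$ManagedBy' is not a plain sAMAccountName."
    }

    if ($problems.Count -gt 0) {
        return [pscustomobject]@{ FolderName = $FolderName; Ok = $false; Problems = $problems }
    }

    # Task 1 is not idempotent: New-Item fails on an existing folder and the groups
    # would be recreated (or existing ones re-pointed at a new owner).
    $target = Join-Path $ShareRoot $FolderName
    if (Test-Path -LiteralPath $target) {
        $problems += "Folder '$target' already exists."
    }
    foreach ($suffix in '_R', '_W') {
        $sam = "$FolderName$suffix"
        if (Get-ADGroup -Filter "sAMAccountName -eq '$sam'") {
            $problems += "Group '$sam' already exists."
        }
    }
    if (-not (Get-ADUser -Filter "sAMAccountName -eq '$ManagedBy'")) {
        $problems += "Owner '$ManagedBy' does not resolve to a user account."
    }

    [pscustomobject]@{
        FolderName = $FolderName
        Target     = $target
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage (run before choosing Task 1):
# $check = Test-RootFolderRequest -FolderName 'Folder01' -RequestID '0102' -ManagedBy 'Ashok.Magar'
# if (-not $check.Ok) { $check.Problems | ForEach-Object { Write-Warning $_ } }
```

If any problem is reported, stop before Task 1 rather than letting New-Item fail half-way and leaving a folder without its groups, or groups without a folder.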


Current Folder Permission –


Task 2 –

  • Removes inheritance from the root folder (the inherited entries are kept as explicit entries)
  • Removes the BUILTIN\Users access entries from the folder
  • Places a Deny Delete entry for the FolderName_W group on the root folder only (not inherited), so that members can work below it but cannot delete the root folder itself
  • Adds OWNER RIGHTS with Read and Execute
  • Grants Read and Execute on the folder and its contents to the FolderName_R group
  • Grants Modify on the folder and its contents to the FolderName_W group
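Because Set-Acl is run several times in Task 2, a failure part-way (a typo in the group name, a group that does not exist yet, a permissions error on the share) leaves the folder in a half-configured state with no message saying so. The audit below is an added example, not part of the original script; it reads the folder's ACL back and checks each result Task 2 is supposed to produce. It assumes the same share root, domain NetBIOS name (CLOUDID) and _R / _W suffixes as the script.

```powershell
# Added example, not part of the original script: audit the ACL that Task 2 is
# expected to leave on a root folder. Assumptions (mine, not from the page): the
# same share root, domain NetBIOS name (CLOUDID) and "_R"/"_W" suffixes as the script.
function Test-RootFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $FolderName,
        [string] $ShareRoot = '\\FileServer\F$',
        [string] $Domain    = 'CLOUDID'
    )
    $path     = Join-Path $ShareRoot $FolderName
    $acl      = Get-Acl -LiteralPath $path
    $findings = @()
    $R = [System.Security.AccessControl.FileSystemRights]

    # Picks the explicit (non-inherited) ACEs for one identity and ACE type.
    $ace = { param($Identity, $Type)
        $acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Value -ieq $Identity -and
            $_.AccessControlType -eq $Type
        }
    }

    # 1. Inheritance must be blocked, otherwise the parent's BUILTIN\Users entry comes back.
    if (-not $acl.AreAccessRulesProtected) { $findings += 'Inheritance is still enabled.' }

    # 2. BUILTIN\Users must have no entry at all, explicit or inherited.
    if ($acl.Access | Where-Object { $_.IdentityReference.Value -ieq 'BUILTIN\Users' }) {
        $findings += 'BUILTIN\Users still has access.'
    }

    # 3. _W: a Deny Delete on this folder only (no inheritance flags) ...
    $deny = & $ace "$Domain\${FolderName}_W" 'Deny'
    if (-not ($deny | Where-Object { ($_.FileSystemRights -band $R::Delete) -ne 0 -and $_.InheritanceFlags -eq 'None' })) {
        $findings += "Missing non-inherited Deny Delete for ${FolderName}_W."
    }
    # ... plus an inheritable Allow Modify for the folder contents.
    $write = & $ace "$Domain\${FolderName}_W" 'Allow'
    if (-not ($write | Where-Object { ($_.FileSystemRights -band $R::Modify) -eq $R::Modify -and $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit' })) {
        $findings += "Missing inheritable Allow Modify for ${FolderName}_W."
    }

    # 4. _R: ReadAndExecute, and nothing that grants write, delete or ownership rights.
    $read = & $ace "$Domain\${FolderName}_R" 'Allow'
    if (-not ($read | Where-Object { ($_.FileSystemRights -band $R::ReadAndExecute) -eq $R::ReadAndExecute })) {
        $findings += "Missing Allow ReadAndExecute for ${FolderName}_R."
    }
    $tooMuch = $R::Write -bor $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership
    if ($read | Where-Object { ($_.FileSystemRights -band $tooMuch) -ne 0 }) {
        $findings += "${FolderName}_R has an entry that grants write, delete or ownership rights."
    }

    # 5. OWNER RIGHTS must be present, so a user who creates a file does not get unrestricted owner access to it.
    if (-not (& $ace 'OWNER RIGHTS' 'Allow')) { $findings += 'OWNER RIGHTS entry is missing.' }

    # 6. Anything else with access is worth a look, e.g. a user added by hand.
    $expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER', 'OWNER RIGHTS',
                  "$Domain\${FolderName}_R", "$Domain\${FolderName}_W")
    $acl.Access | Where-Object { $expected -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $findings += "Unexpected entry: $($_.IdentityReference.Value) ($($_.AccessControlType) $($_.FileSystemRights))" }

    [pscustomobject]@{ Path = $path; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Usage: Test-RootFolderAcl -FolderName 'Folder01'
# Or audit every root folder on the share:
# Get-ChildItem -LiteralPath '\\FileServer\F$' -Directory | ForEach-Object { Test-RootFolderAcl -FolderName $_.Name }
```

Run it once after Task 2 for the new folder, and periodically over the whole share: a folder that drifts from this shape (inheritance re-enabled, an extra user added directly) is exactly the kind of change that is hard to spot by clicking through the Security tab.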


Things to be updated in the script –

  • Folder paths (\\FileServer\F$ in the code, F:\FileServer\ in the prompts)
  • The group OU ("OU=02 Groups,DC=Cloudid,DC=biz") and the domain name (Cloudid) used in the NTAccount names

Do proper testing. Permissions are scary. Use it wisely, with proper knowledge of the environment.

Run it in a LAB before running it in production.

<#

.Requires -version 2 - Runs in Exchange Management Shell

.SYNOPSIS
.\FileServerFolder.ps1 - Creates Folder and Applies Standard Permissions for enterprise Environment.
Examples Will be added

C:\Scripts> C:\Scripts\FileServerFolder.ps1
File Server - Root Folder Creator
----------------------------

1.Create Root Folder on F:\FileServer\
2.Apply Permissions on F:\FileServer\SPECIFIC_FOLDER
Importing ActiveDirectory Module

Choose The Task: 1
Enter the Root Folder Name: Folder01
Enter the Request ID: 0102
Enter the Owner of the Groups _R and _W E.g UPN Sathesh: Ashok.Magar
Creating Root Folder
Directory: \\FileServer\F$
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         11/8/2016   2:48 PM            Folder01
Creating Active Directory Groups
Applying Request ID Folder01_R
Applying Request ID Folder01_W

C:\Scripts> C:\Scripts\FileServerFolder.ps1
File Server - Root Folder Creator
----------------------------

1.Create Root Folder on F:\FileServer\
2.Apply Permissions on F:\FileServer\SPECIFIC_FOLDER
Importing ActiveDirectory Module

Choose The Task: 2
Enter the Root Folder Name: folder01
Re-enter the Root Folder Name to confirm: folder01
Removing Inheritance
Removing BUILTIN\Users
Deny - Delete
Add owner Rights
Add Read Rights for _R group
Add Write Rights for _W group

Change Log
V1.2, 11/08/2016
#>

Write-host "

File Server - Root Folder Creator
----------------------------

1.Create Root Folder on F:\FileServer\
2.Apply Permissions on F:\FileServer\SPECIFIC_FOLDER

" -ForegroundColor Cyan

#----------------
# Script
#----------------
#Importing ActiveDirectory Module
Write-Host "Importing ActiveDirectory Module"
Import-Module ActiveDirectory

Write-Host "               "

$number = Read-Host "Choose The Task"
$output = @()
switch ($number)
{

1 {
#Saving Required Variables
$FolderName = Read-Host "Enter the Root Folder Name"
$RequestID = Read-Host "Enter the Request ID"
$Managedby = Read-Host "Enter the Owner of the Groups _R and _W E.g UPN Sathesh"
$Read = "_R"
$Write= "_W"

#Creating Directories
Write-host "Creating Root Folder"
New-Item -Path "\\FileServer\F$\$FolderName" -ItemType Directory

#Creating Active Directory Groups _R - Read _W -Write
Write-host "Creating Active Directory Groups"
New-ADGroup -Name "$FolderName$Read" -SamAccountName "$FolderName$Read" -GroupCategory Security -GroupScope Global -DisplayName "$FolderName$Read" -Path "OU=02 Groups,DC=Cloudid,DC=biz"
New-ADGroup -Name "$FolderName$Write" -SamAccountName "$FolderName$Write" -GroupCategory Security -GroupScope Global -DisplayName "$FolderName$Write" -Path "OU=02 Groups,DC=Cloudid,DC=biz"

#Applying Ticket ID in notes section
Write-host "Applying Request ID $FolderName$Read"
Set-ADGroup "$FolderName$Read" -replace @{info="Request ID : $RequestID"} -Managedby $Managedby
Write-host "Applying Request ID $FolderName$Write"
Set-ADGroup "$FolderName$Write" -replace @{info="Request ID : $RequestID"} -Managedby $Managedby

Break }

2 {

#Saving Required Variables
$FolderName = Read-Host "Enter the Root Folder Name"
$confirmFolderName = Read-Host "Re-enter the Root Folder Name to confirm"
$path = "\\FileServer\F$\$FolderName"
$Read = "_R"
$Write= "_W"
# Directory Name Confirmed
if($FolderName -eq $confirmFolderName)
{
Write-host "Removing Inheritance"
$acl = Get-Acl $path
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $path -AclObject $acl
Write-host "Removing BUILTIN\Users"
$acl01 = Get-Acl $path
$rules = $acl01.access | Where-Object {$_.IdentityReference -eq "BUILTIN\Users"}
ForEach($rule in $rules)
{
$acl01.RemoveAccessRule($rule) | Out-Null
}
Set-ACL -Path $path -AclObject $acl01
Write-host "Deny - Delete "
$acl02 = Get-Acl $path
$objUser = New-Object System.Security.Principal.NTAccount("Cloudid\$FolderName$Write")
$colRights = [System.Security.AccessControl.FileSystemRights]"Delete"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType02 =[System.Security.AccessControl.AccessControlType]::Deny
$objACE02 = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType02)
$acl02.AddAccessRule($objACE02)
Set-ACL -Path $path -AclObject $acl02
Write-host "Add owner Rights"
$acl03 = Get-Acl $path
$objUser = New-Object System.Security.Principal.NTAccount("OWNER RIGHTS")
$colRights = [System.Security.AccessControl.FileSystemRights]"ReadAndExecute, Synchronize"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objACE03 = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
$acl03.AddAccessRule($objACE03)
Set-ACL -Path $path -AclObject $acl03
Write-host "Add Read Rights for _R group"
$acl04 = Get-Acl $path
$objUser = New-Object System.Security.Principal.NTAccount("CLOUDID\$FolderName$Read")
$colRights = [System.Security.AccessControl.FileSystemRights]"ReadAndExecute, Synchronize"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objACE04 = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
$acl04.AddAccessRule($objACE04)
Set-ACL -Path $path -AclObject $acl04
Write-host "Add Write Rights for _W group"
$acl05 = Get-Acl $path
$objUser = New-Object System.Security.Principal.NTAccount("CLOUDID\$FolderName$Write")
$colRights05 = [System.Security.AccessControl.FileSystemRights]"Modify, Synchronize"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objACE05 = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights05, $InheritanceFlag, $PropagationFlag, $objType)
$acl05.AddAccessRule($objACE05)
Set-ACL -Path $path -AclObject $acl05
}
else
{
Write-host "Re-enter Folder Name"
}

Break }

Default { Write-Host "No match found, enter option 1 or 2" -ForegroundColor Red }

}

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Exchange Server MVP and publisher of CareExchange.in, supporting, deploying and designing Microsoft Exchange for some years, with extensive experience in Microsoft technologies.
