With Set-Acl (Access Control List) you can actually change permissions on
files or folders, thus adjust who can see sensitive information. If
you are new to this cmdlet I recommend that you start with the safer, easier
Get-Acl before you risk creating a
rogue script which locks you out of important areas of the file system.
The Set-Acl cmdlet changes the security descriptor of a file, to
match the values in a security descriptor that you supply. You can
also employ Set-Acl for amending folder or registry permissions.
The best technique that I have found is to use Get-Acl to do the
fetching and Set-Acl to do the applying new permissions.
For safety reasons it's better to create a test folder and copy a
few unimportant files, rather than risk a novice script running amok
on important data files.
Note 1: The reason that I used the variable
$Source and $Destination is to remind you to change the values of
these paths before
running this script on your machine.
Note 2: If you are in anyway uncertain what will
happen, remember the -confirm and -whatIf parameters, they are made for
situation like this - learning something new which could cripple your
machine.
Challenge: Use the Windows Explorer to see the
actual files, and also use the Advanced button on the property sheet to
change permissions on the source file, then run the above example script
again.
This is just to check that the script really is copying the permissions
from one file to the other.
Guy
Recommends: Permissions Analyzer - Free Active Directory Tool
I like the
Permissions Monitor because it enables me to see quickly WHO has permissions
to do WHAT. When you launch this tool it analyzes a users effective NTFS
permissions for a specific file or folder, takes into account network share
access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free utility saves when you are
troubleshooting authorization problems for users access to a resource.
Checking the help file will reveal useful parameters, for instance the
-force switch maybe useful for your task. In addition to the file
system you can also use Set-Acl to change permissions on registry keys.
Background Research
In addition to pure PowerShell Set-Acl research I strongly recommend
that open Windows Explorer and look at not only the location of the
files, but also at the permissions.
If you right-click any file or folder, select properties and check the
permissions. For further detail click Edit, see screenshot to the right.
Import users from a spreadsheet. Just provide a list of the
users with their fields in the
top row, and save as .csv file. Then launch this FREE utility and match
your fields with AD's
attributes, click to import the users. Optionally, you can
provide the name of the OU where the new accounts will be born.
There are also two bonus tools in this free download, and all 3 have been approved by Microsoft:
# PowerShell Content Cmdlet Research Clear-Host
Get-Command -noun Acl
This reveals the sister command Get-Acl. Incidentally, many of
PowerShell's Get verbs also have a 'Set' companion cmdlet.
Summary of PowerShell's Set-Acl
Set-Acl is rather different from the mainstream PowerShell cmdlets, it's
designed to modify the access control list of a file, to match the
values you supply through the sister command Get-Acl. You can also
employ Set-Acl for amending folder or registry permissions.
If you like this page then please share it with your friends
Please email me if you have a example scripts. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.
Windows Management Instrumentation (WMI) is one of the hidden
treasures of Microsoft operating systems.
Fortunately, Solarwinds
have created the
Free WMI Monitor so that you can actually see and understand these gems of
performance information. Take the guess work out of which
WMI counters to use for applications like Microsoft Active Directory,
SQL or Exchange Server.
