Add security group to folder and subfolders, without using inheritance

TheSmJ

Here at work, we have a folder share which contains user data. The parent "Users" share is visible to everyone and anyone can list the contents of the folder. However, each subfolder has specific permissions so that only the user in question can view the contents of all folders within. I need to add a security group to all of these folders with full access rights, without changing the individualized security settings of each subfolder to that of the parent folder.

At first I was messing around with PowerShell scripts. However, all the scripts I can find rely on inheritance of the subfolders being enabled, which is neither possible nor desirable.

Has anyone found a solution to this problem? I know I'm not the only one but I'm not having much luck finding a solution on Google.
 
You're in for a world of a mess. There is not an actual easy way to do this AFTER the fact.

Is this for home folders or folder redirection?

If it's folder redirection, the cleanest way to do this is move it to a new location with the proper permissions setup at the root share.
 
You can do this with powershell, but as K1pp3r said, it's a big mess. It may seem like a good idea at first, but it's quickly going to get unmanageable.

With powershell, you can get the root folder and loop through each sub folder and add an entry to the access list. Not a pretty solution, but not a difficult one, either.
 
Is this for home folders or folder redirection?

If it's folder redirection, the cleanest way to do this is move it to a new location with the proper permissions setup at the root share.

Folder redirection. Moving them now would break a lot of other things, so that's not really possible.

With powershell, you can get the root folder and loop through each sub folder and add an entry to the access list. Not a pretty solution, but not a difficult one, either.

I've been trying to find a way to do just that. Problem is, my PS skills are weak at best. It would almost be faster for me to do it all manually. Almost.

I'm hoping someone already has a script written up that can do something like this with a few tweaks here and there. Or at least an idea of what commands to use.
 
I believe you can GCI recursive to gather a listing of containers and store them to a variable and then use a for each statement to run CACLS against it adding in the group without replacing existing permissions.

The CACLS command syntax is like the example below:

cacls "N:\Users\Foldername1\subfolder" /e /t /c /g "notarat.pipsqueak":f

That CACLS command above is used to edit the in-place permissions, rather than re-create them.
 
I'm hoping someone already has a script written up that can do something like this with a few tweaks here and there. Or at least an idea of what commands to use.

Start off by creating an access rule. Do some googling (or look at existing access rules) to get the permissions right.

Code:
$aclRule= New-Object System.Security.AccessControl.FileSystemAccessRule("$($domain)\$($adGroupProd)","Modify, Synchronize", "ContainerInherit, ObjectInherit", "None", "Allow")

Now get the ACL of a folder:
Code:
$acl=get-acl $folder

Once you have a reference to the access list, add the acl to the access list.
Code:
$acl.SetAccessRule($aclRule)

We've added it, but that's just to our reference. Now we need to set it.

Code:
$acl | set-acl $folder



Put that between a loop and you should be good.
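
The loop described in this thread, written out as an added example (not code posted by anyone in the thread). It goes one step further than the posts: besides each user folder under the root, it also touches deeper folders whose inheritance is disabled, since an inheritable entry on the parent never reaches those. The share path and group name are placeholders, and the `-Apply` switch is an assumption of this sketch so the default run only reports.

```powershell
param(
    [string]$Root  = '\\fileserver\Users',       # placeholder: the parent share
    [string]$Group = 'EXAMPLE\HomeFolderAdmins', # placeholder: group to add
    [switch]$Apply                               # without it, nothing is written
)

# Inheritable Allow entry: applies to the folder, its subfolders and its files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

# Targets: every user folder directly under the root, plus any deeper folder
# with inheritance turned off (AreAccessRulesProtected), which would otherwise
# not pick up the entry from its parent.
$targets = Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $_
    Get-ChildItem -LiteralPath $_.FullName -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected }
}

foreach ($dir in $targets) {
    try {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # AddAccessRule merges with the existing entries. The folder's own
        # inheritance setting (protected or not) is left exactly as found.
        $acl.AddAccessRule($rule)
        $status = 'WouldUpdate'
        if ($Apply) {
            Set-Acl -LiteralPath $dir.FullName -AclObject $acl
            $status = 'Updated'
        }
    }
    catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    # One record per folder, suitable for Export-Csv as a change log.
    [pscustomobject]@{
        Path   = $dir.FullName
        Group  = $Group
        Status = $status
    }
}
```

Run it once without `-Apply` and review the list, then keep the output of the real run: it is the record of which folders now carry a full-control entry for the group.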
 