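# ---------------------------------------------------------------------------------------------------
#
# Microsoft PowerShell Source File
# NAME: SetACL.ps1
#
# AUTHOR: Adam Bell, www.leadfollowmove.com
# DATE  : 13/12/2006
#
# PURPOSE: Apply customised ACL permissions to the filesystem (NTFS)
#
# COMMENT: Best viewed in Notepad2
#          Sample code only. Educational purposes only.
#
#   add-ace      13/12/2006
#   replace-acl  27/12/2006
#   flush-acl    28/12/2006
#
# ---------------------------------------------------------------------------------------------------
# Script globals and constants..
# ---------------------------------------------------------------------------------------------------

function add-ace
# ---------------------------------------------------------------------------------------------------
{
  # Inputs:    1) Target Path
  #            2) Valid Account name
  #            3) ACL rights to apply (a FileSystemRights name, e.g. "FullControl")
  #            4) Access - Allow or Deny (default "allow")
  #            5) Inheritance flags (default "ContainerInherit, ObjectInherit")
  #            6) Propagation flags (default "InheritOnly")
  # Objective: 1) Add an ACE to the existing DACL of a filesystem object.
  # Returns:   1) nada.
  # Throws:    when a required input is missing, when the account cannot be resolved to a SID,
  #            or when Get-Acl / Set-Acl fail.
  Param (
    $sObject,
    $sAccount,
    $aRights,
    $sAccess  = "allow",
    $sInherit = "ContainerInherit, ObjectInherit",
    $sProp    = "InheritOnly"
  )

  if (-not $sObject)  { throw "add-ace: target path is required" }
  if (-not $sAccount) { throw "add-ace: account name is required" }
  if (-not $aRights)  { throw "add-ace: rights are required" }

  # Resolve the account to a SID first: an unknown or mistyped account fails here instead of
  # quietly producing an ACE for the wrong principal. The SID is also what goes into the rule,
  # so the constructor does not perform a second name lookup.
  $acc = New-Object system.security.principal.ntaccount($sAccount)
  $sid = $acc.translate([system.security.principal.securityidentifier])

  # ContainerInherit, None, ObjectInherit
  $inherit = [system.security.accesscontrol.InheritanceFlags]$sInherit
  # InheritOnly, None, NoPropagateInherit
  # NOTE: the default "InheritOnly" applies the ACE to children only, NOT to $sObject itself;
  # pass "None" for $sProp to grant on the object as well.
  $prop = [system.security.accesscontrol.PropagationFlags]$sProp

  $acl = Get-Acl -Path $sObject
  $ar = New-Object system.security.AccessControl.FileSystemAccessRule($sid, $aRights, $inherit, $prop, $sAccess)
  $acl.AddAccessRule($ar)
  # -Path is wildcard-interpreted: a path containing '[' or ']' can match other items than the
  # one intended. Prefer -LiteralPath where the host's Get-Acl/Set-Acl support it.
  Set-Acl -AclObject $acl -Path $sObject

  #[enum]::GetNames([System.Security.AccessControl.FileSystemRights])
}

# ---------------------------------------------------------------------------------------------------
function replace-acl
# ---------------------------------------------------------------------------------------------------
{
  # Inputs:    1) Target Path
  #            2) SDDL constructed security descriptor
  # Objective: 1) Replace the existing security descriptor with this one. Everything the SDDL
  #               string carries (owner, group, DACL) is overwritten, not merged.
  # Returns:   1) nada.
  # Throws:    when a required input is missing, when the SDDL string is malformed, or when
  #            Get-Acl / Set-Acl fail.
  Param (
    $sObject,
    $sSDDL
  )

  if (-not $sObject) { throw "replace-acl: target path is required" }
  if (-not $sSDDL)   { throw "replace-acl: SDDL string is required" }

  $acl = Get-Acl -Path $sObject
  # An SDDL whose DACL part is empty ("D:" with no ACEs) grants nobody access; without the
  # P (protected) flag inheritance from the parent stays enabled, which is what flush-acl relies on.
  $acl.SetSecurityDescriptorSddlForm($sSDDL)
  # -Path is wildcard-interpreted; see the note in add-ace.
  Set-Acl -AclObject $acl -Path $sObject
}

# ---------------------------------------------------------------------------------------------------
function flush-acl
# ---------------------------------------------------------------------------------------------------
{
  # Inputs:    1) Target Path
  # Objective: 1) Recursively touch each DACL, updating the Owner and POSIX group with the effect of
  #               resetting inheritance from parent, and removing any custom ACL's.
  # Returns:   1) nada.
  # Throws:    when the path is missing or does not exist. Per-item failures from replace-acl are
  #            reported by the cmdlets' default error handling and the loop continues.
  # WARNING:   destructive - every item under the path loses its explicit ACEs. The path is
  #            validated so an empty argument cannot fall through to an unintended tree.
  Param (
    $sObject
  )

  if (-not $sObject)             { throw "flush-acl: target path is required" }
  if (-not (Test-Path $sObject)) { throw "flush-acl: path not found: $sObject" }

  # -Force includes hidden and system items; without it those would keep their custom ACEs,
  # contradicting the "each DACL" objective.
  $col = Get-ChildItem $sObject -Recurse -Force
  foreach ($item in $col) {
    replace-acl $item.FullName "O:BAG:BAD:"
  }
}

# ---------------------------------------------------------------------------------------------------
# Example calling statements (kept as comments: the first one strips every explicit ACE under d:\,
# so they must be run deliberately, not on load):
#   flush-acl   "d:\"
#   replace-acl "d:\" "O:BAG:BAD:AI(A;OICI;0x1301bf;;;AU)(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
#   add-ace     "D:\test" "Administrator" "FullControl"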