Mark Minasi's Tech Forum
Lane

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 10
Reply with quote  #1 

Hello all!

I have a client that stores data on a network share in a manufacturing facility. The folder structure is such that each customer folder contains multiple part folders. Inside of these part folders is an 'operators' and an 'outdated' folder. The operators are supposed to use the files inside the 'operators' folder as it contains the approved assemblies. However, operators are occasionally using the data from 'outdated' folders and creating outdated parts. I am trying to write a PowerShell script that will parse the file structure, find the nested 'outdated' folder and remove all permissions from the operators. This will, hopefully, keep them from using the outdated files.

Shared Folders
    Documents
        Customer1
            Part1
                Operators
                Outdated
            Part2
                Operators
                Outdated
        Customer2
            Part1
                Operators
                Outdated
            Part2
                Operators
                Outdated
        Customer3
            Part1
                Operators
                Outdated
            Part2
                Operators
                Outdated

I am familiar with the PowerShell ICACLS commands to remove inheritance and grant permissions, then reissue permissions and that works fine for a single folder. However, there are literally hundreds of customers and thousands of parts. How does one recursively search for the 'outdated' folder nested in the various 'parts' folders which are nested in the various customer folders? I was hoping it was as easy as using the path "D:\Shared Folders\Documents\*\*\outdated", but alas, such is not the case. Could someone give me a push in the right direction?

 

Thanks for any replies.

0
Pieter


Senior Member
Registered:
Posts: 301
Reply with quote  #2 
Not sure if I understand what you are trying to achieve, but I often use this technique:

1. Dir outdated /s /b /a > file.txt
2. Open file.txt in Excel
3. Use Excel to format a correct syntax with icacls.exe
4. Copy that syntax for all the lines in the Excel file
5. Now copy all the lines in Notepad and save it as a CMD file

I use to call this a semi-automatic technique.

__________________
Pieter Demeulemeester
0
cj_berlin


Senior Member
Registered:
Posts: 431
Reply with quote  #3 
Getting the folders:

(Get-Childitem "F:\Shared Folders\Documents" -Recurse -Filter "outdated" -Directory).FullName


So if you insist on using ICACLS.EXE for the task, try


(Get-Childitem "F:\Shared Folders\Documents" -Recurse -Filter "outdated" -Directory).FullName | foreach { icacls.exe $_ /remove:g <SID of Operators>}


There is a PowerShell / .NET way of editing the ACL but for this task I would probably go with icacls as well.

__________________
Evgenij Smirnov

MVP Cloud & Datacenter Management
My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
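
The PowerShell / .NET route mentioned in the reply above, as an added example that is not part of the original thread: it finds every folder with the given name, breaks inheritance while keeping the other groups' entries, and removes the group's explicit ACEs. The function name and the group name `CONTOSO\Operators` are hypothetical; the root path is the one quoted in the first post.

```powershell
# Added example. Function name and group name are assumptions for illustration.
function Remove-GroupAccessFromNamedFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Group,
        [string]$FolderName = 'Outdated'
    )

    # Resolve the group to a SID up front so a typo fails before any ACL is touched.
    $identity = [System.Security.Principal.NTAccount]$Group
    $sid = $identity.Translate([System.Security.Principal.SecurityIdentifier])

    # -Filter without wildcards matches the folder name exactly, at any depth.
    Get-ChildItem -LiteralPath $Root -Recurse -Directory -Filter $FolderName |
        ForEach-Object {
            $path = $_.FullName
            if (-not $PSCmdlet.ShouldProcess($path, "Remove access for $Group")) { return }

            # Step 1: stop inheriting, but keep a copy of the inherited entries as
            # explicit ACEs so every other group retains its current access.
            $acl = Get-Acl -LiteralPath $path
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $path -AclObject $acl

            # Step 2: re-read the ACL (the copied entries only become explicit once
            # written), then drop every explicit ACE held by the group.
            $acl = Get-Acl -LiteralPath $path
            $acl.PurgeAccessRules($identity)
            Set-Acl -LiteralPath $path -AclObject $acl

            # Report what is left for the group; 0 means no direct ACE remains.
            $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sid.GetType())
            $left = @($rules | Where-Object { $_.IdentityReference -eq $sid }).Count
            [pscustomobject]@{ Path = $path; RemainingAces = $left }
        }
}

# Dry run first, then the real pass (run from an elevated session).
Remove-GroupAccessFromNamedFolder -Root 'D:\Shared Folders\Documents' -Group 'CONTOSO\Operators' -WhatIf
# Remove-GroupAccessFromNamedFolder -Root 'D:\Shared Folders\Documents' -Group 'CONTOSO\Operators'
```

Removing the group's ACE only blocks operators who have no other path to the folder; members of another group that keeps access can still read it. Files under the folder follow the change only where they still inherit their permissions from it.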
Lane

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 10
Reply with quote  #4 
Thanks for the replies! I ended up using CMD as opposed to PowerShell as it was easier; at least it seemed to behave better. User error I am sure. I did, however, pull the folder paths using PowerShell...


$foldername = "Outdated"
gci -path E:\SharedFolders\PublicDocuments\Customers -filter $foldername -recurse | Select-Object -expand Fullname


Then, using Pieter's suggestion, copied it into Excel, created my icacls statements, and saved it as a cmd file. Prior to running it, I contacted the client to make sure this was what he wanted and of course he changed things 'a little'. Now he wants removal of permissions to everything except the operators folder with traversal rights to access it. So, I recreated my scripts and am ready to deploy again. However, while doing some testing, I noticed some odd behaviors. I have no issues reassigning permissions to folders but some files will not accept new permissions. I get a 'successfully processed' message, but the permissions do not change. Do I need to do something different to apply permissions directly to a file? Thanks for any assistance you can offer.


icacls "e:\SharedFolders\PublicDocuments\Customers\CustomerName\Coaster.mcx-9"  /inheritance:r  /grant:r "Office":(OI)(CI)F  /grant:r "Administrator":(OI)(CI)F /grant:r "Administrators":(OI)(CI)F  /grant:r "Design":(OI)(CI)F /T


Thanks, 

Lane
0
Pieter


Senior Member
Registered:
Posts: 301
Reply with quote  #5 
You did run your script in an elevated cmd?
__________________
Pieter Demeulemeester
0
Lane

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 10
Reply with quote  #6 
Yes sir. I am rebooting the server this morning to see if that will clear out any unwanted 1's and 0's. Then I will test it again.

Thanks,
0
Lane

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 10
Reply with quote  #7 
Hello All,

I realize that it looks like I abandoned this post, but I have been busy with other things and have not had time to revisit this issue. However, things seem to be slowing down at the moment so it's time to circle back around.

I rebooted the server and tried running the commands again from an elevated prompt and what I observed was that the folders accepted the correct permissions but the files inside those folders had no permissions at all. Completely blank. I tried setting permissions on a single file using the following code:

icacls "e:\SharedFolders\PublicDocuments\Customers\CustomerName\Coaster.mcx-9"  /inheritance:r  /grant:"Office":(OI)(CI)F  /grant:"Administrator":(OI)(CI)/grant:"Administrators":(OI)(CI)F  /grant:"Design":(OI)(CI)F /T

This did not have any effect. If I dissect the command, the file Coaster.mcx-9 should have inheritance removed and then grant the groups 'Office', 'Administrator', 'Administrators', and 'Design' the appropriate permissions. Am I missing something? 

Thanks for any suggestions.


Lane

0