What the script does –
Task 1 –
- Creates the root folder
- Creates an Active Directory group FolderName_R (read group)
- Creates an Active Directory group FolderName_W (write group)
- Updates the Notes field of each group with the service request ID
- Updates the Managed By field of each group with the folder owner
You have the groups created.
Notes updated in the group.
Sets the Managed By attribute.
Current folder permission –
Task 2 –
- Removes inheritance on the root folder
- Removes the access of BUILTIN\Users from the folder
- Places a Deny Delete permission for the FolderName_W group on the root folder itself (non-inheriting), so that write-group members cannot delete the root folder even though Modify on the contents includes Delete
- Adds OWNER RIGHTS (limited to Read and Execute)
- Grants Read permission on the folder to the FolderName_R group
- Grants Write (Modify) permission on the folder to the FolderName_W group
Things to be updated in the script –
- Folder paths (the \\FileServer\F$ root), the domain name (Cloudid) and the group OU
Do proper testing. Permissions are scary. Use it wisely, with proper knowledge of the environment.
Run it in a LAB before running it in production.
```powershell
<#
.Requires -version 2 - Runs in Exchange Management Shell
.SYNOPSIS
.\FileServerFolder.ps1 - Creates Folder and Applies Standard Permissions for enterprise Environment.

Examples Will be added

C:\Scripts> C:\Scripts\FileServerFolder.ps1
File Server - Root Folder Creator
----------------------------
1.Create Root Folder on F:\FileServer\
2.Apply Permissions on F:\FileServer\SPECIFIC_FOLDER

Importing ActiveDirectory Module

Choose The Task: 1
Enter the Root Folder Name: Folder01
Enter the Request ID: 0102
Enter the Owner of the Groups _R and _W E.g UPN Sathesh: Ashok.Magar
Creating Root Folder

    Directory: \\FileServer\F$

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         11/8/2016   2:48 PM            Folder01
Creating Active Directory Groups
Applying Request ID Folder01_R
Applying Request ID Folder01_W

C:\Scripts> C:\Scripts\FileServerFolder.ps1
File Server - Root Folder Creator
----------------------------
1.Create Root Folder on F:\FileServer\
2.Apply Permissions on F:\FileServer\SPECIFIC_FOLDER

Importing ActiveDirectory Module

Choose The Task: 2
Enter the Root Folder Name: folder01
Enter the Root Folder Name: folder01
Removing Inheritance
Removing BUILTIN\Users
Deny - Delete
Add owner Rights
Add Read Rights for _R group
Add Write Rights for _W group

Change Log
V1.2, 11/08/2016
#>

Write-Host "
File Server - Root Folder Creator
----------------------------
1.Create Root Folder on F:\FileServer\
2.Apply Permissions on F:\FileServer\SPECIFIC_FOLDER
" -ForegroundColor "Cyan"

#----------------
# Script
#----------------

#Importing ActiveDirectory Module
Write-Host "Importing ActiveDirectory Module"
Import-Module ActiveDirectory
Write-Host " "

$number = Read-Host "Choose The Task"
$output = @()

switch ($number) {
    1 {
        #Saving Required Variables
        $FolderName = Read-Host "Enter the Root Folder Name"
        $RequestID  = Read-Host "Enter the Request ID"
        $Managedby  = Read-Host "Enter the Owner of the Groups _R and _W E.g UPN Sathesh"
        $Read  = "_R"
        $Write = "_W"

        #Creating Directories (path quoted so the admin share "F$" is taken literally)
        Write-Host "Creating Root Folder"
        New-Item -Path "\\FileServer\F$\$FolderName" -ItemType Directory

        #Creating Active Directory Groups: _R - Read, _W - Write
        Write-Host "Creating Active Directory Groups"
        New-ADGroup -Name "$FolderName$Read"  -SamAccountName "$FolderName$Read"  -GroupCategory Security -GroupScope Global -DisplayName "$FolderName$Read"  -Path "OU=02 Groups,DC=Cloudid,DC=biz"
        New-ADGroup -Name "$FolderName$Write" -SamAccountName "$FolderName$Write" -GroupCategory Security -GroupScope Global -DisplayName "$FolderName$Write" -Path "OU=02 Groups,DC=Cloudid,DC=biz"

        #Applying Ticket ID in the Notes section (the "info" attribute) and setting Managed By
        Write-Host "Applying Request ID $FolderName$Read"
        Set-ADGroup "$FolderName$Read"  -Replace @{info="Request ID : $RequestID"} -ManagedBy $Managedby
        Write-Host "Applying Request ID $FolderName$Write"
        Set-ADGroup "$FolderName$Write" -Replace @{info="Request ID : $RequestID"} -ManagedBy $Managedby
        Break
    }
    2 {
        #Saving Required Variables (the folder name is asked twice as a confirmation)
        $FolderName        = Read-Host "Enter the Root Folder Name"
        $confirmFolderName = Read-Host "Enter the Root Folder Name"
        $path  = "\\FileServer\F$\$FolderName"
        $Read  = "_R"
        $Write = "_W"

        # Directory Name Confirmed
        if ($FolderName -eq $confirmFolderName) {
            #Break inheritance; the second $True copies the inherited ACEs as explicit ones
            Write-Host "Removing Inheritance"
            $acl = Get-Acl $path
            $acl.SetAccessRuleProtection($True, $True)
            Set-Acl -Path $path -AclObject $acl

            #Remove every (now explicit) ACE that belongs to BUILTIN\Users
            Write-Host "Removing BUILTIN\Users"
            $acl01 = Get-Acl $path
            $rules = $acl01.Access | Where-Object { $_.IdentityReference -eq "BUILTIN\Users" }
            ForEach ($rule in $rules) {
                $acl01.RemoveAccessRule($rule) | Out-Null
            }
            Set-Acl -Path $path -AclObject $acl01

            #Deny Delete for the _W group on this folder only (no inheritance), so the root cannot be deleted
            Write-Host "Deny - Delete "
            $acl02           = Get-Acl $path
            $objUser         = New-Object System.Security.Principal.NTAccount("Cloudid\$FolderName$Write")
            $colRights       = [System.Security.AccessControl.FileSystemRights]"Delete"
            $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
            $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
            $objType02       = [System.Security.AccessControl.AccessControlType]::Deny
            $objACE02 = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType02)
            $acl02.AddAccessRule($objACE02)
            Set-Acl -Path $path -AclObject $acl02

            #OWNER RIGHTS: limits what the object owner gets implicitly to Read and Execute
            Write-Host "Add owner Rights"
            $acl03           = Get-Acl $path
            $objUser         = New-Object System.Security.Principal.NTAccount("OWNER RIGHTS")
            $colRights       = [System.Security.AccessControl.FileSystemRights]"ReadAndExecute, Synchronize"
            $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
            $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
            $objType         = [System.Security.AccessControl.AccessControlType]::Allow
            $objACE03 = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
            $acl03.AddAccessRule($objACE03)
            Set-Acl -Path $path -AclObject $acl03

            #Read and Execute for the _R group, inherited by subfolders and files
            Write-Host "Add Read Rights for _R group"
            $acl04           = Get-Acl $path
            $objUser         = New-Object System.Security.Principal.NTAccount("CLOUDID\$FolderName$Read")
            $colRights       = [System.Security.AccessControl.FileSystemRights]"ReadAndExecute, Synchronize"
            $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
            $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
            $objType         = [System.Security.AccessControl.AccessControlType]::Allow
            $objACE04 = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
            $acl04.AddAccessRule($objACE04)
            Set-Acl -Path $path -AclObject $acl04

            #Modify for the _W group, inherited by subfolders and files (Modify includes Delete on the contents)
            Write-Host "Add Write Rights for _W group"
            $acl05           = Get-Acl $path
            $objUser         = New-Object System.Security.Principal.NTAccount("CLOUDID\$FolderName$Write")
            $colRights05     = [System.Security.AccessControl.FileSystemRights]"Modify, Synchronize"
            $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
            $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
            $objType         = [System.Security.AccessControl.AccessControlType]::Allow
            $objACE05 = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights05, $InheritanceFlag, $PropagationFlag, $objType)
            $acl05.AddAccessRule($objACE05)
            Set-Acl -Path $path -AclObject $acl05
        }
        else {
            Write-Host "Re-enter Folder Name"
        }
        Break
    }
    Default { Write-Host "No matches found , Enter Options 1 or 2" -ForegroundColor "red" }
}
```
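Because the script writes permissions without reading anything back, a read-only check of the end state is the natural companion to both tasks: it confirms the _R/_W groups carry the Request ID and owner (Task 1) and that the folder's DACL has the intended layout (Task 2). The function below is an added example, not part of the original script; it assumes the same naming convention, the same \\FileServer\F$ root, the CLOUDID NetBIOS domain name and the group OU used above, and the list of identities it treats as "expected" (SYSTEM, Administrators, CREATOR OWNER) is an assumption about what inheritance copied onto the folder, so adjust it to your own baseline. Note that the Deny Delete ACE is explicit and non-inheriting, so the check looks at the root folder's own DACL rather than at its contents.

```powershell
# Added example: read-only verification of a folder provisioned by FileServerFolder.ps1.
# Assumptions (change to match your environment): share root, domain NetBIOS name,
# group naming convention ($FolderName_R / $FolderName_W) and the expected baseline identities.
function Test-RootFolderProvisioning {
    param(
        [Parameter(Mandatory = $true)][string]$FolderName,
        [string]$ShareRoot = "\\FileServer\F$",   # assumption: same root the script uses
        [string]$Domain    = "CLOUDID"            # assumption: NetBIOS domain name
    )

    $path     = Join-Path $ShareRoot $FolderName
    $readGrp  = "$Domain\${FolderName}_R"
    $writeGrp = "$Domain\${FolderName}_W"
    $findings = @()

    # --- Task 1: both groups exist and carry the ticket reference and an owner ---
    foreach ($suffix in "_R", "_W") {
        $grp = Get-ADGroup -Filter "SamAccountName -eq '$FolderName$suffix'" -Properties info, ManagedBy
        if (-not $grp) { $findings += "missing group $FolderName$suffix"; continue }
        if ($grp.info -notlike "Request ID : *") { $findings += "$($grp.SamAccountName): Notes field does not reference a Request ID" }
        if (-not $grp.ManagedBy)                 { $findings += "$($grp.SamAccountName): Managed By is empty" }
    }

    # --- Task 2: the DACL on the root folder matches the intended layout ---
    if (-not (Test-Path $path)) { $findings += "folder $path does not exist"; return $findings }
    $acl   = Get-Acl $path
    $rules = $acl.Access

    if (-not $acl.AreAccessRulesProtected) { $findings += "inheritance is still enabled on $path" }

    if ($rules | Where-Object { $_.IdentityReference.Value -eq "BUILTIN\Users" }) {
        $findings += "BUILTIN\Users still has an ACE on $path"
    }

    # Helper: is there an ACE for $id of type $type whose rights include every bit of $right?
    $hasRule = {
        param([string]$id, [string]$type, [System.Security.AccessControl.FileSystemRights]$right)
        [bool]($rules | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq $type -and
            (($_.FileSystemRights -band $right) -eq $right)
        })
    }

    if (-not (& $hasRule $writeGrp      'Deny'  'Delete'))         { $findings += "no Deny Delete ACE for $writeGrp on the root folder" }
    if (-not (& $hasRule 'OWNER RIGHTS' 'Allow' 'ReadAndExecute')) { $findings += "OWNER RIGHTS ACE is missing" }
    if (-not (& $hasRule $readGrp       'Allow' 'ReadAndExecute')) { $findings += "no Read ACE for $readGrp" }
    if (-not (& $hasRule $writeGrp      'Allow' 'Modify'))         { $findings += "no Modify ACE for $writeGrp" }

    # Anything outside the expected identities deserves a look. The baseline list is an
    # assumption about what SetAccessRuleProtection copied from the parent; tune it locally.
    $expected = @($readGrp, $writeGrp, 'OWNER RIGHTS', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    foreach ($r in $rules | Where-Object { -not $_.IsInherited }) {
        if ($expected -notcontains $r.IdentityReference.Value) {
            $findings += "unexpected ACE: $($r.IdentityReference.Value) $($r.AccessControlType) $($r.FileSystemRights)"
        }
    }

    return $findings
}

# Usage: an empty result means every check passed; otherwise each line is one deviation.
Test-RootFolderProvisioning -FolderName "Folder01"
```

The function never calls Set-Acl or Set-ADGroup, so it is safe to run from a ticketing or change-review step after the script has been executed, and running it against a folder that was provisioned before the script was changed is a quick way to find roots where the Deny Delete ACE or the BUILTIN\Users removal was skipped.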