What the script Does –
Task 1 –
- It Creates Folder
- It creates a Active Directory Group Folder_R (Read Groups)
- It creates a Active Directory Group Folder_W (Write Groups)
- Notes Field Updated with Service Request
- Managed By Field is Updated with folder owner
Yo have the Groups Created.
Notes Updated in the Group
Sets the Managed By Attribute
Current Folder Permission –
Task 2 –
- Removes Root Folder Inheritance
- Remove Access of BUILTIN\Users from the Folder
- Places a Deny Permission for FolderName_W Groups so that they cannot delete the root folder.
- Add OWNER RIGHTS
- Provides Read permission on the folder for FolderName_R group.
- Provides Write permission on the folder for FolderName_W group.
Things to be updated in the Script –
- Folder Paths
Do Proper Testing. Permissions are Scary. Use it wisely with proper Knowledge to the environment.
Run it on LAB prior to be ran on production.
<#
.Requires -version 2 - Runs in Exchange Management Shell
.SYNOPSIS
.\FileServerFolder.ps1 - Creates Folder and Applies Standard Permissions for enterprise Environment.
Examples Will be added
C:\Scripts> C:\Scripts\FileServerFolder.ps1
File Server - Root Folder Creator
----------------------------
1.Create Root Folder on F:\FileServer\
2.Apply Permissions on F:\FileServer\SPECIFIC_FOLDER
Importing ActiveDirectory Module
Choose The Task: 1
Enter the Root Folder Name: Folder01
Enter the Request ID: 0102
Enter the Owner of the Groups _R and _W E.g UPN Sathesh: Ashok.Magar
Creating Root Folder
Directory: \\FileServer\F$
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 11/8/2016 2:48 PM Folder01
Creating Active Directory Groups
Applying Request ID Folder01_R
Applying Request ID Folder01_W
C:\Scripts> C:\Scripts\FileServerFolder.ps1
File Server - Root Folder Creator
----------------------------
1.Create Root Folder on F:\FileServer\
2.Apply Permissions on F:\FileServer\SPECIFIC_FOLDER
Importing ActiveDirectory Module
Choose The Task: 2
Enter the Root Folder Name: folder01
Enter the Root Folder Name: folder01
Removing Inheritance
Removing BUILTIN\Users
Deny - Delete
Add owner Rights
Add Read Rights for _R group
Add Write Rights for _W group
Change Log
V1.2, 11/08/2016
#>
Write-host "
File Server - Root Folder Creator
----------------------------
1.Create Root Folder on F:\FileServer\
2.Apply Permissions on F:\FileServer\SPECIFIC_FOLDER
"-ForeGround "Cyan"
#----------------
# Script
#----------------
#Importing ActiveDirectory Module
Write-Host "Importing ActiveDirectory Module"
Import-Module ActiveDirectory
Write-Host " "
$number = Read-Host "Choose The Task"
$output = @()
switch ($number)
{
1 {
#Saving Required Variables
$FolderName = Read-Host "Enter the Root Folder Name"
$RequestID = Read-Host "Enter the Request ID"
$Managedby = Read-Host "Enter the Owner of the Groups _R and _W E.g UPN Sathesh"
$Read = "_R"
$Write= "_W"
#Creating Directories
Write-host "Creating Root Folder"
New-Item -Path \\FileServer\F$\$FolderName -type directory
#Creating Active Directory Groups _R - Read _W -Write
Write-host "Creating Active Directory Groups"
New-ADGroup -Name "$FolderName$Read" -SamAccountName $FolderName$Read -GroupCategory Security -GroupScope Global -DisplayName "$FolderName$Read" -Path "OU=02 Groups,DC=Cloudid,DC=biz"
New-ADGroup -Name "$FolderName$Write" -SamAccountName $FolderName$Write -GroupCategory Security -GroupScope Global -DisplayName "$FolderName$Write" -Path "OU=02 Groups,DC=Cloudid,DC=biz"
#Applying Ticket ID in notes section
Write-host "Applying Request ID $FolderName$Read"
Set-ADGroup "$FolderName$Read" -replace @{info="Request ID : $RequestID"} -Managedby $Managedby
Write-host "Applying Request ID $FolderName$Write"
Set-ADGroup "$FolderName$Write" -replace @{info="Request ID : $RequestID"} -Managedby $Managedby
;Break}
2 {
#Saving Required Variables
$FolderName = Read-Host "Enter the Root Folder Name"
$confirmFolderName = Read-Host "Enter the Root Folder Name"
$path = “\\FileServer\F$\$FolderName"
$Read = "_R"
$Write= "_W"
# Directory Name Confirmed
if($FolderName -eq $confirmFolderName)
{
Write-host "Removing Inheritance"
$acl = Get-Acl $path
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $path -AclObject $acl
Write-host "Removing BUILTIN\Users"
$acl01 = Get-Acl $path
$rules = $acl01.access | Where-Object {$_.IdentityReference -eq "BUILTIN\Users"}
ForEach($rule in $rules)
{
$acl01.RemoveAccessRule($rule) | Out-Null
}
Set-ACL -Path $path -AclObject $acl01
Write-host "Deny - Delete "
$acl02 = Get-Acl $path
$objUser = New-Object System.Security.Principal.NTAccount("Cloudid\$FolderName$Write")
$colRights = [System.Security.AccessControl.FileSystemRights]"Delete"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType02 =[System.Security.AccessControl.AccessControlType]::Deny
$objACE02 = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType02)
$acl02.AddAccessRule($objACE02)
Set-ACL -Path $path -AclObject $acl02
Write-host "Add owner Rights"
$acl03 = Get-Acl $path
$objUser = New-Object System.Security.Principal.NTAccount("OWNER RIGHTS")
$colRights = [System.Security.AccessControl.FileSystemRights]"ReadAndExecute, Synchronize"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objACE03 = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
$acl03.AddAccessRule($objACE03)
Set-ACL -Path $path -AclObject $acl03
Write-host "Add Read Rights for _R group"
$acl04 = Get-Acl $path
$objUser = New-Object System.Security.Principal.NTAccount("CLOUDID\$FolderName$Read")
$colRights = [System.Security.AccessControl.FileSystemRights]"ReadAndExecute, Synchronize"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objACE04 = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
$acl04.AddAccessRule($objACE04)
Set-ACL -Path $path -AclObject $acl04
Write-host "Add Write Rights for _W group"
$acl05 = Get-Acl $path
$objUser = New-Object System.Security.Principal.NTAccount("CLOUDID\$FolderName$Write")
$colRights05 = [System.Security.AccessControl.FileSystemRights]"Modify, Synchronize"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objACE05 = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights05, $InheritanceFlag, $PropagationFlag, $objType)
$acl05.AddAccessRule($objACE05)
Set-ACL -Path $path -AclObject $acl05
}
else
{
Write-host "Re-enter Folder Name"
}
;Break}
Default {Write-Host "No matches found , Enter Options 1 or 2" -ForeGround "red"}
}
It creates a Active Directory Group Folder_W (Write Groups)Notes Field Updated with Service RequestManaged By Field is Updated with folder owner){kind=link}