bourne

Reputation: 259

Reset file/folder permissions & Set new permissions

Trying to use PowerShell to reset permissions on files/folders copied over from a Linux machine.

Structure looks similar to this

    E:\Parent Folder - No inheritance - Group based permissions
        |
        |
        Folder01 - No inheritance
               |
               |
               Subfolders and file - Group based permissions, inheritance
        Folder02 - No inheritance
               |
               |
               Subfolders and file - Group based permissions, inheritance
        Folder03 - No inheritance
               |
               |
               Subfolders and file - Group based permissions, inheritance
        Folder04 - No inheritance
               |
               |
               User Folder - User based permissions, No Inheritance
                         |
                         |
                         Inheritance

The script currently first runs the takeown command, followed by the icacls. I then loop through the first level of folders to disable the inheritance. Then the permissions are applied to the folders.

Here is a sample of what I have. It just repeats itself for each specific permission I want to set.

    Get-ChildItem -Path "$solidPath" -ErrorAction SilentlyContinue | ForEach-Object {
        $Item = $_.FullName

        # Skip the folders whose permissions must stay as they are
        If ( "$Item" -eq "E:\ParentFolder\Folder04" -or "$Item" -eq "E:\ParentFolder\Folder03" )
        {
            Write-Host "Do Not Touch" -ForegroundColor DarkRed
        }
        Else
        {
            $colRightsAdmin = [System.Security.AccessControl.FileSystemRights]"FullControl"

            # Apply the rule to this folder, its subfolders and its files
            $InheritanceFlagAdmin = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
            $PropagationFlagAdmin = [System.Security.AccessControl.PropagationFlags]::None

            $objTypeAdmin = [System.Security.AccessControl.AccessControlType]::Allow

            $objUserAdmin = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators")

            # Pass the inheritance and propagation flags; the three-argument constructor leaves them unused
            $objACEAdmin = New-Object System.Security.AccessControl.FileSystemAccessRule($objUserAdmin, $colRightsAdmin, $InheritanceFlagAdmin, $PropagationFlagAdmin, $objTypeAdmin)

            # Read the current ACL, add the rule, write it back
            $objACLAdmin = Get-ACL "$Item"
            $objACLAdmin.AddAccessRule($objACEAdmin)

            Set-ACL "$Item" $objACLAdmin
        }
    }

I am using takeown + icacls to try and reset all the permissions. This initially worked well because the inheritance flags get reset as well.

I then use the method described in the link to set the appropriate permissions and inheritance on my folders and let the inheritance do the rest - Powershell & .net

The script worked on my test directory structure. But after copying the folders and files over I am getting a permission denied message when the icacls command runs (the takeown command runs without issue). The rest of the script then fails.

I know that I can use the RemoveAccessRule($objACE) to remove permissions from objects, but I haven't been able to figure out how to do it for all the user permissions that are defined.

I would like to start the folders and files off with a clean slate, and then apply permissions. All the examples I have found only show how to remove permissions for a specific user.

Where am I going wrong with the initial permission cleanup?

Upvotes: 1

Views: 3994

Answers (1)

bourne

Reputation: 259

I ended up going with a bit of a messy solution.

After I had a synced copy of the data from the Linux server I used robocopy to "move" all the data from one folder to another. This completely reset all the permissions on all the files.

After having done that I learned a little bit more about setting permissions and realized that I had been making a mistake all along.

I was aimlessly using this object to remove permissions

    $acl.RemoveAccessRule($ace) | Out-Null

This was actually removing all privilege on the file before I had a chance to set any other permissions. So I was removing my ability to adjust permissions.

Once I realized this I used a combination of the properties IdentityReference and IsInherited to selectively target which permissions I was going to remove.

The script is big and ugly, but seems to work.

Upvotes: 1
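The selective cleanup the answer describes (filtering on `IdentityReference` and `IsInherited` so the caller never strips its own access) could look like the following. This is an added example, not the poster's script; the function name `Reset-ExplicitAce`, the keep-list and the group `CONTOSO\Folder01-Users` are hypothetical.

```powershell
# Added example: remove explicit ACEs except a keep-list, then grant one group.
# Reset-ExplicitAce, the keep-list and the group name are hypothetical.
function Reset-ExplicitAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$GrantTo,
        [string]$Rights = 'Modify',
        # Explicit ACEs for these identities stay, so whoever runs the script
        # keeps the right to change permissions afterwards.
        [string[]]$Keep = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    $acl = Get-Acl -LiteralPath $Path

    # Only explicit ACEs can be removed on this object; inherited ones belong
    # to the parent. Unresolved SIDs show up as S-1-... strings and are
    # removed as well, because they are not on the keep-list.
    $toRemove = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $Keep -notcontains $_.IdentityReference.Value
    })

    foreach ($ace in $toRemove) {
        # Removes exactly this ACE and nothing else held by the same identity
        $acl.RemoveAccessRuleSpecific($ace)
    }

    # Grant the group on this folder, its subfolders and its files
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $GrantTo, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($Path, "Remove $($toRemove.Count) explicit ACE(s), grant $Rights to $GrantTo")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    # Return the removed rules so the run can be reviewed or logged
    return $toRemove
}

# Dry run first: lists what would be removed without writing the ACL.
# Reset-ExplicitAce -Path 'E:\ParentFolder\Folder01' -GrantTo 'CONTOSO\Folder01-Users' -WhatIf
```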
