When I was moving a share with some specific permissions I was reminded why you should script configurations. Documenting specific permissions configurations can be cumbersome and it is always easy to overlook a specific setting.

So, lets analyze the current configuration and create a PowerShell script to configure the new share:

TL;DR: This script creates a folder, sets the permissions, and shares it.

Analyze Current Permissions

When analyzing permissions Get-ACL is your friend.

Go to the folder you want to analyze and get the current ACL (Access Control List):

Get-ACL . | % Access

This will give you a list of several Access Rules. For example:

FileSystemRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit, ObjectInherit PropagationFlags : None

Based on these rules we will be able to create Access Rules to add to the ACL of our new folder.

Top

Create New Folder

Not that hard, but FYI:

$folder = New-Item -Path $folderName -ItemType Directory

Top

Set Permissions

When setting the permissions there are 2 options:

Create new ACL from scratch

Get current ACL and add/remove what you want

In this example I will be doing the latter.

First you get the ACL of your newly created folder:

$acl = Get-ACL $folder

Next we want to add extra Access Rules. These objects can be created in two different ways, In my example I use both.

Create Access Rule using New-Object Based on your analysis you can create a new System.Security.AccessControl.FileSystemAccessRule object. $acl .AddAccessRule ( ( New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @ ( ( New-Object System.Security.Principal.NTAccount ( $group .Name )) , [ System.Security.AccessControl.FileSystemRights] 'CreateFiles, WriteExtendedAttributes, WriteAttributes, ReadAndExecute, Synchronize' , [ System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit' , [ System.Security.AccessControl.PropagationFlags]::None, [ System.Security.AccessControl.AccessControlType]::Allow )) ) Create Access Rule using AccessRuleFactory Sometimes when you analyze the ACL of an object you get a number as FileSystemRights . To work out what these permissions actually are, you need to look at which bits are set when you treat that number as 32 separate bits rather than as an Integer (as Integers are 32 bits long), and compare them to this diagram: http://msdn.microsoft.com/en-us/library/aa374896(v=vs.85).aspx quote from this forum post by Yan Li When you know what it does and just want to create an Access Rule that gives those specific permissions you can use the AccessRuleFactory function of an ACL. $acl .AddAccessRule ( ( $acl .AccessRuleFactory ( ( New-Object System.Security.Principal.NTAccount ( 'CREATOR OWNER' )) , 268435456, $false , 'ContainerInherit, ObjectInherit' , 'InheritOnly' , 'Allow' )) )

Once we added all Access Rules to the $acl parameter we can set the ACL of our folder.

Set-ACL -Path $folder -ACLObject $acl

Top

Share Folder

Now that the permissions are set you can share the folder. Share permissions will be set to ‘Everyone’ since the NTFS permissions will restrict access.

New-SmbShare -Name $shareName -Path $folder .FullName -FullAccess 'Everyone'

Top

Full Script

Top

Please enable JavaScript to view the comments powered by Disqus.