Windows ACL with PowerShell
During automatic deployments I bumped into the issue that special account permissions need to be set. For example, if we deploy a CMS there can be an upload folder included where the web server user needs to write. Rather than giving full permissions to the web server user account, we set a specific permission on the upload folder only. In this blog post I will show how to do this with PowerShell on Windows Server 2008 R2 and higher.
After researching the PowerShell cmdlets I found this documentation from Microsoft: https://technet.microsoft.com/library/hh849810.aspx . Microsoft TechNet explains how to use the Get-Acl and Set-Acl commands in PowerShell. Set-Acl works with the object returned by Get-Acl.
Create ACL PowerShell object
To set the permission we want, we create a PowerShell FileSystemAccessRule object with the proper settings. This is an example for a directory:
$objAcl = New-Object system.security.accesscontrol.filesystemaccessrule("User","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
To give permission on a file we need to remove the inherit flags:
$objAcl = New-Object system.security.accesscontrol.filesystemaccessrule("User","FullControl", "None", "None", "Allow")
In this new object we set 5 options, here in order from left to right:
- Principal NT Account
- Permissions (Full Control, Write, Read etc)
- Inheritance flag
- Propagation flag
- Access Control Type (Allow, Deny)
Example folder permission script
Now that we know how to build the rule object, we add it to the complete script. Make sure you retrieve the current ACL first and add the new rule next to it. The example below adds Full Control permissions for User on the C:\TEMP folder:
$dir = "C:\TEMP"
# Retrieve the current ACL so existing entries are kept
$Acl = Get-Acl $dir
$objAcl = New-Object system.security.accesscontrol.filesystemaccessrule("User","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
# Add the new rule to the retrieved ACL and write it back
$Acl.SetAccessRule($objAcl)
Set-Acl $dir $Acl
Executing the script will add this new permission to the existing ACL rules. Nothing will be removed or replaced.
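As an added example (not part of the original post), the same procedure wrapped in a function that grants only the right the upload folder actually needs (Modify instead of FullControl) and reads the ACL back to verify it. The folder path and the application pool account name are assumptions for illustration, not values from the post.

```powershell
# Added example, not the original post's script: grant a single principal a
# specific right on a folder or file, then verify what was written.
# The path and identity used at the bottom are assumed for illustration.

function Grant-FolderAccess {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify',
        [switch] $IsFile
    )

    # Files carry no inheritance flags; directories propagate to subfolders and files.
    $inherit = if ($IsFile) { 'None' } else { 'ContainerInherit, ObjectInherit' }

    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, 'None', 'Allow'

    # Always start from the current ACL so other principals' entries are preserved.
    $acl = Get-Acl -Path $Path

    # SetAccessRule replaces any existing Allow rules for this same identity;
    # entries for other principals are untouched. AddAccessRule would append instead.
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAccessFor {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $Identity
    )
    # Read the ACL back and return only the entries for the identity we granted.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags,
                      PropagationFlags, AccessControlType
}

# Usage: give the site's application pool Modify (not FullControl) on the upload
# folder of a deployed CMS. Both values below are assumed for this example.
$uploadDir = 'C:\inetpub\wwwroot\cms\uploads'
$appPool   = 'IIS APPPOOL\DefaultAppPool'
Grant-FolderAccess -Path $uploadDir -Identity $appPool -Rights 'Modify'
Get-FolderAccessFor -Path $uploadDir -Identity $appPool
```

Run this in an elevated PowerShell session on the server; Set-Acl needs the right to change the folder's DACL.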
Using this script under Windows Server 2012 R2 and Windows Server 2008 R2 worked without any problem. I didn't test this on other versions of Windows.
Another nice link that explains all options can be found here: https://technet.microsoft.com/en-us/library/ff730951.aspx