-
-
Save KurtDeGreeff/8030eefe7e9b87032dc42f2cca2d719a to your computer and use it in GitHub Desktop.
Managing NTFS folder security with PowerShell module NTFSSecurity
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #First, show the script which directory | |
| $directory = "\\<HOST>\<Dir>\" | |
| #[Optional!] Inside the directory defined above filter for folders you want to check | |
| $folders = Get-ChildItem $Directory -Directory | Where-Object { $_.Name -like "XXXX??" } | |
| #now go through each folder in that directory | |
| foreach ($folder in $folders) | |
| { | |
| Write-Host $folder | |
| #define model AD groups you want to check your folders against | |
| $test1 = @{ Account = "<domain>\<prefix>_" + $folder + "_read" } | |
| $test2 = @{ Account = "<domain>\<prefix>_" + $folder + "_write" } | |
| $test3 = @{ Account = "BUILTIN\Administrators" } | |
| #get that folder's groups | |
| $groups = Get-NTFSAccess -Path $directory$folder | Select-Object -Property Account | |
| $counter = 0 | |
| #go through each of the folder's groups and check if they match any of those you have defined above | |
| foreach ($group in $groups) | |
| { | |
| if ($group.Account -like $test1.Account){ | |
| $counter++} | |
| elseif ($group.Account -like $test2.Account){ | |
| $counter++} | |
| elseif ($group.Account -like $test3.Account){ | |
| $counter++} | |
| else { | |
| Write-Host "Not a single match" | |
| } | |
| } | |
| #[optional] write to standard output how many groups the folder has | |
| Write-Host $counter | |
| #define what should be done according to each possible scenario | |
| #scenario 1: the folder has the admin group but is missing his two folder-specific ones | |
| if ($counter -eq 1) { | |
| Write-Host "you should add groups!" | |
| #try adding the two missing folder-specific groups | |
| try { | |
| Add-NTFSAccess -Path $directory$folder -Account $test1.Account -AccessRights ReadAndExecute -AppliesTo ThisFolderSubfoldersAndFiles | |
| Add-NTFSAccess -Path $directory$folder -Account $test2.Account -AccessRights Modify -AppliesTo ThisFolderSubfoldersAndFiles | |
| } | |
| #in case adding those folder-specific groups doesn't work you want to be notified | |
| catch { | |
| "Oops, something went wrong..." | |
| } | |
| } | |
| #scenario 2: the folder has all three groups, do nothing in that case | |
| elseif ($counter -eq 3) { | |
| Write-Host "do nothing" | |
| } | |
| #scenario 3: the folder has more or less groups, in that case a closer look is needed | |
| else { | |
| Write-Host "Something else should be done here" | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment