File and folder permissions for specific AD groups

Having a special folder over multiple servers that certain user groups can access with specific permissions, I'd like to audit the security mappings using the Get-Acl cmdlet. It's easy for a single folder, but I would need subfolders and files too. I know I can assign a variable, say $object = dir c:\MyShare -recurse, and then would need to somehow pipe each object to Get-Acl and filter for the AD groups I'm interested in. Ideally the results would then be passed on to CSV. Can someone help with getting this to work?
yaro

Hi Yaro,
I checked your script, and found you haven't defined the variable $folder before use, please refer to the script below:
$folders = dir D:\TEST1 -recurse | where {$_.psiscontainer -eq $true}
foreach($folder in $folders){
    # Raw access entries whose identity matches "sys" or "Adm"
    $folder | Get-Acl | Select-Object -ExpandProperty Access | where {$_.identityreference -match "sys|Adm"}
    # The same entries, projected together with the folder path
    Get-Acl $folder.fullname | Select-Object -ExpandProperty Access | where {$_.identityreference -match "sys|Adm"} |
        Select-Object @{n="object";e={ $folder.fullname }},
            @{n="security_principal";e={ $_.identityreference }},
            @{n="type";e={ $_.accesscontroltype }},
            @{n="rights";e={ $_.filesystemrights }}
}
And to list the nested groups on local computer, please check this function written by Boe Prox, which will also list the property "isGroup":
Get-LocalGroupMembership
If there is anything else regarding this issue, please feel free to post back.
Best Regards,
Anna Wang
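A recursive version of the audit asked about in this thread, covering files as well as folders and writing the result to CSV. This is an added example, not code from the original posts; the function name Get-GroupAceReport, the share paths and the group names are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Added example. Get-GroupAceReport, the UNC paths and the group names are
# hypothetical; replace them with your own shares and AD groups.
function Get-GroupAceReport {
    param(
        [Parameter(Mandatory = $true)] [string]   $Path,
        [Parameter(Mandatory = $true)] [string[]] $Group,   # exact 'DOMAIN\Name' values
        [switch] $ExplicitOnly                              # skip inherited ACEs
    )

    # Audit the share root itself, then every file and folder below it.
    # -Force includes hidden/system items. Enumeration failures are collected
    # instead of being dropped, so gaps in the audit stay visible in the CSV.
    $gci = @{
        LiteralPath   = $Path
        Recurse       = $true
        Force         = $true
        ErrorAction   = 'SilentlyContinue'
        ErrorVariable = 'enumErrors'
    }
    $items  = @(Get-Item -LiteralPath $Path -Force)
    $items += @(Get-ChildItem @gci)

    foreach ($err in $enumErrors) {
        [pscustomobject]@{
            Object = $err.TargetObject; ItemType = 'Unknown'
            Principal = ''; Type = ''; Rights = ''; Inherited = ''
            Note = "Not enumerated: $($err.Exception.Message)"
        }
    }

    foreach ($item in $items) {
        $kind = if ($item.PSIsContainer) { 'Folder' } else { 'File' }
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        }
        catch {
            [pscustomobject]@{
                Object = $item.FullName; ItemType = $kind
                Principal = ''; Type = ''; Rights = ''; Inherited = ''
                Note = "ACL unreadable: $($_.Exception.Message)"
            }
            continue
        }

        foreach ($ace in $acl.Access) {
            # -notcontains compares whole strings, case-insensitively, so
            # 'CONTOSO\Admins' does not also match 'CONTOSO\Admins-Temp'.
            if ($Group -notcontains $ace.IdentityReference.Value) { continue }
            if ($ExplicitOnly -and $ace.IsInherited) { continue }
            [pscustomobject]@{
                Object    = $item.FullName
                ItemType  = $kind
                Principal = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Note      = ''
            }
        }
    }
}

# Constructed sample values: two servers exposing the same share.
$shares = '\\FS01\MyShare', '\\FS02\MyShare'
$groups = 'CONTOSO\Finance-RW', 'CONTOSO\Finance-RO'

$shares | ForEach-Object { Get-GroupAceReport -Path $_ -Group $groups } |
    Export-Csv -Path .\MyShare-acl-audit.csv -NoTypeInformation
```

Rows with a non-empty Note column mark objects the auditing account could not read, which is itself a finding worth following up.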

Similar Messages

  • File and folder permissions for Adobe Photoshop CS5

    Good day,
    I am an IT specialist and I work for a Canadian government agency and we are having an issue with Photoshop CS5. After successfully installing Photoshop CS5 from the Adobe Creative Suite 5 Design Premium set (using a local machine administrator account), Photoshop crashes immediately after launching it (even with the local administrator account). The exact error message is as follows:
    The instruction at "0x230dad8dc" referenced memory at "0x00000000". The memory could not be "read".
    Click on OK to terminate the program
    Click on CANCEL to debug the program
    I know this is an environment issue and not an application or hardware issue since I was able to successfully install and run Adobe Photoshop CS5 on a plain vanilla install of Windows SP3 XP on the same model of workstation (HP DC7800). This later also confirms it is not a RAM or video adapter issue either. My experience tells me it would be more related to file/folder permissions on the workstation (although I'm open to other suggestions). Because we are a government agency, our workstations have machine and user policies and desktop configurations that get applied to the workstations automatically upon joining our domain via GPOs and SMS. Certain system files and folder permissions may be locked down for security reasons, therefore I was wondering if someone has a list of files and folders that Adobe CS5 needs access to upon startup in order to properly function?
    If anyone would like more details or information please let me know and I'll try to be more specific.
    Thanks in advance to all who take the time to read and help out!

    I appreciate that you're trying to surmise what's different, and it's good that you have had success with similar/identical hardware.  At least you know it can work.
    However, I wouldn't bet just yet that it's a permissions issue.  I'd think you should get a specific error if a locked-down file needed to be accessed, not a null pointer crash.  The Photoshop installer should be setting up the proper permissions on its own files for it to run.
    Is it exactly the same video card as the other computer, on which Photoshop works?
    Are you sure the video drivers are up to date with the same version as on the other computer?
    At exactly what point during startup does the failure occur (i.e., is the splash screen showing, and what does the status line in the splash screen say it's doing)?
    -Noel

  • QTSS file and folder permissions

    I am having a lot of problems getting QTSS and QTSS Publisher working correctly. I think this may be due to file and folder permissions. Does anyone know what the correct ownership and access settings should be for the folders containing my quicktime files?
    Thanks.

    Try setting the ownership and permissions of those files to the ones mentioned on the end of this page, which are: owner: qtss, group: admin, permissions for owner and group: Read & Write, and Read only for others.

  • Default File and Folder Permissions

    Hello everyone,
    Is there any way to set default file/folder permissions for a parent folder so that if any new files or folders get created within that folder, files use 0644 and folders use 0755? I'm running MAMP for a localhost test site to run Joomla CMS. I have the parent folder set to 0755 but whenever I install a new extension into Joomla the files are not writable. Is there a way I can set the main parent public_html / www folder to work like this for new child files and folders?
    Thanks guys.

    Send Apple feedback. They won't answer, but at least will know there is a problem. If enough people send feedback, it may get the problem solved sooner.
    Feedback

  • Power shell script to list all files and folder permissions recursively

    Hi All,
    I am looking for a powershell script to perform the following operations.
    1) To list the folder and file permissions(Allow,Deny both) recursively in a given folder.
    2) List out all the files and folders which are having the deny permission or having only the read access (or) only the write access. Basically the folder should have Read,Execute,Write permissions. Else we have to flag that file/folder name.
    I had written a batch script for the same which does this task using icacls.exe output, but this script takes lot of time to recursively parse all the files ( ~1 lakh files).
    Please help me with the powershell script for the same.
    Thanks
    Sambasiva

    Try this module: http://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83
    After importing the module, you can run something like this:
    dir c:\folder -recurse | Get-AccessControlEntry
    That output can be exported to a CSV for later viewing. You can also provide some parameters to Get-AccessControlEntry to limit the results:
    dir c:\folder -recurse | Get-AccessControlEntry -FileRights Write
    dir c:\folder -recurse | Get-AccessControlEntry -AceType AccessDenied
    dir c:\folder -recurse | Get-AccessControlEntry -AceType AccessAllowed -FileRights Write
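The flagging rule from the question (any Deny entry, or anything short of Read, Execute and Write), written with the built-in Get-Acl instead of the module linked above. This is an added example, not code from the thread or from the PowerShellAccessControl module; the function name Find-AclException and the principal are assumptions, and it inspects only ACEs that name the principal directly (no group-membership resolution, and ACEs stored as generic rights are not mapped).

```powershell
# Added example. Find-AclException and the sample principal are hypothetical.
function Find-AclException {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Principal,   # exact 'DOMAIN\Name'
        [System.Security.AccessControl.FileSystemRights] $Required = 'ReadAndExecute, Write'
    )

    $allowType   = [System.Security.AccessControl.AccessControlType]::Allow
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -Force) {
        try   { $aces = (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop).Access }
        catch { Write-Warning "ACL unreadable: $($item.FullName)"; continue }

        # Accumulate the allow and deny masks for this principal on this object.
        $allowed = 0
        $denied  = 0
        foreach ($ace in $aces) {
            if ($ace.IdentityReference.Value -ne $Principal) { continue }
            # Inherit-only ACEs affect children, not the object that carries them.
            if ([int]($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($ace.AccessControlType -eq $allowType) {
                $allowed = $allowed -bor [int]$ace.FileSystemRights
            } else {
                $denied  = $denied  -bor [int]$ace.FileSystemRights
            }
        }

        # Deny wins over allow; whatever is required but not left over is missing.
        $effective = $allowed -band (-bnot $denied)
        $missing   = [int]$Required -band (-bnot $effective)

        if ($denied -ne 0 -or $missing -ne 0) {
            [pscustomobject]@{
                Object  = $item.FullName
                Denied  = [System.Security.AccessControl.FileSystemRights]$denied
                Missing = [System.Security.AccessControl.FileSystemRights]$missing
            }
        }
    }
}

# Constructed sample call: flag every object where BUILTIN\Users has a Deny
# entry or lacks part of Read, Execute and Write.
Find-AclException -Path 'C:\folder' -Principal 'BUILTIN\Users' |
    Export-Csv -Path .\acl-exceptions.csv -NoTypeInformation
```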

  • Upgraded to Mavericks and now I can't compress files, move files, preview files or open files outside of their native application. Ran disk utilities multiple times and checked file and folder permissions. Any ideas?

    For example, I'm trying to move a group of jpgs from one folder to another and it throws an 8058 error every time. PSD's won't open from the finder, it throws an application not found error even though I can open the same files from within the application.

    Yep, same here. Cannot drag and drop copy with Mavericks. A copy paste throws a 8058 error.

  • File and folder permissions

    I just updated to Snow Leopard and created a new account. I moved my files to the new account and many but not all now require permission to do anything. I know how to change a file but the option to unlock, change a permission and "apply to enclosed items" is working for only enclosed folders but enclosed files. In the past I've sent files to my co-workers and self at work and worked with them with no problem. Now I can't use them on the same computer. What a pain. Please advise.
    Thanks

    I made a new account the normal way in System Prefs - Accounts then moved the files to a folder in the HD root directory. That was easy and many but not all files are problematic

  • How do I Get File and Folder Permissions using VBscript?

    I need a mechanism in VBScript that will allow me to get a file's or a bunch of files' permissions in a folder. For example: let's say I have a file named something.dll; now I need to retrieve what kind of permission it has, i.e. Read, Write, Read & Execute, Modify or Full Control. Any kind of help will be appreciated. Thanks in advance.

    Have you tried this >  AssistiveWare - How can I prevent apps from being deleted?
    Unfortunately, restrictions may be the only way to prevent the app from being deleted

  • Mac Mini Server - Public Share - how enable read and write permissions for new remote files

    Hi,
    This Sunday a friend asked me to help him with a problem on his Mac Mini Server. He has a small office and uses the mini server to share a public folder to all his employees.
    Everyone that creates a file saves it to the public folder on the Mac mini.
    The problem is that whoever creates the file owns it, and it remains with read-only permissions for everyone else. The owner has to change the file permission in order for the rest of the employees to work on it.
    I do not know Mac architecture, I only work with Windows and Linux, but I suspect the principles are the same.
    We tried to create another folder and share it, but the same happens. Have you any ideas on what is wrong?
    I suspect it has something to do with the file sharing on the Mac mini, but it has read and write permissions for everyone.
    Thanks for your help.

    signed applet. You aren't going to find any easy way to distribute that policy file to users, and that policy file, if you asked me to put it on my PC, I'd tell you to take a flying leap. That would open any applet to access.

  • File and folder sharing and permissions.

    Many times when we copy files or folders to another Mac computer, their permissions change, and many times the new user cannot open them until the file or folder permissions are changed. It started happening with Mac OS X 10.5, and is still happening with 10.7. With 10.5 we were waiting for the patch, but it never arrived, then I think it is not a mistake for Apple software developers?? But how can I solve this issue? People need to interchange files and folders by USB or network, and need to work with those materials as soon as possible and not lose time changing permissions. Does someone know what I can do to solve it?

    Did you log out of one account and into the other or just used Fast user switching?
    Is the permissions set to anyone?
    When you move data to the Shared folder is it copied or just moved?
    If copied then it's not a folder both can access, just a way station like a USB thumb drive that things are copied to and off of likely.
    You can run this #5 on each user account to reset the user permissions once they are taken back out of the Shared folder
    Step by Step to fix your Mac

  • Solved - How to take ownership and change permissions for blocked files and folders in Powershell

    Hello,
    I was trying to take ownership & fix permissions on Home Folder/My Documents structures, I ran into the common problem in PowerShell where Set-Acl & Get-Acl return access denied errors. The error occurs because the Administrators have been removed from file permissions and do not have ownership of the files,folders/directories. (Assuming all other permissions like SeTakeOwnershipPrivilege have been enabled.)
    I was not able to find any information about someone successfully using native PS to resolve the issue.  As I was able to solve the issues surrounding Get-Acl & Set-Acl, I wanted to share the result for those still looking for an answer.
    Question: How do you use only Powershell take ownership and reset permissions for files or folders you do not have permissions or ownership of?
    Problem: 
    Using the default function calls to the object fail for a folder that the administrative account does not have permissions or file ownership. You get the following error for Get-Acl:
    PS C:\> Get-Acl -path F:\testpath\locked
    Get-Acl : Attempted to perform an unauthorized operation.
    + get-acl <<<< -path F:\testpath\locked
    + CategoryInfo : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
    If you create a new ACL and attempt to apply it using Set-Acl, you get:
    PS C:\> Set-Acl -path F:\testpath\locked -AclObject $DirAcl
    Set-Acl : Attempted to perform an unauthorized operation.
    At line:1 char:8
    + Set-Acl <<<< -path "F:\testpath\locked" -AclObject $DirAcl
    + CategoryInfo : PermissionDenied: (F:\testpath\locked:String) [Set-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
    Use of other functions like .GetAccessControl will result in a similar error: "Attempted to perform an unauthorized operation."
    How do you replace owner on all subcontainers and objects in Powershell with resorting to external applications like takeown, icacls, Windows Explorer GUI, etc.?
    Tony

    Hello,
    Last, here is the script I used to reset permissions on the "My Documents" tree structure that admins did not have access to:
    Example:  Powershell script to parse a directory of User-owned "My Document" redirection folders and reset permissions.
    #Script to Reset MyDocuments Folder permissions
    $domainName = ([ADSI]'').name
    Import-Module "PSCX" -ErrorAction Stop
    Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true) #Necessary to set Owner Permissions
    Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true) #Necessary to bypass Traverse Checking
    #Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeSecurityPrivilege", $true) #Optional if you want to manage auditing (SACL) on the objects
    Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) #Necessary to override FilePermissions & take Ownership
    $Directorypath = "F:\Userpath" #locked user folders exist under here
    $LockedDirs = Get-ChildItem $Directorypath -force #get all of the locked directories.
    Foreach ($Locked in $LockedDirs) {
    Write-Host "Resetting Permissions for "$Locked.Fullname
    #######Take Ownership of the root directory
    $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
    $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    $Locked.SetAccessControl($blankdirAcl)
    ###################### Setup & apply correct folder permissions to the root user folder
    #Using recommendation from Ned Pyle's Ask Directory Services blog:
    #Automatic creation of user folders for home, roaming profile and redirected folders.
    $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [system.security.accesscontrol.PropagationFlags]"None"
    $fullrights = [System.Security.AccessControl.FileSystemRights]"FullControl"
    $allowrights = [System.Security.AccessControl.AccessControlType]"Allow"
    $DirACL = New-Object System.Security.AccessControl.DirectorySecurity
    #Administrators: Full Control
    $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators",$fullrights, $inherit, $propagation, "Allow")))
    #System: Full Control
    $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM",$fullrights, $inherit, $propagation, "Allow")))
    #Creator Owner: Full Control
    $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("CREATOR OWNER",$fullrights, $inherit, $propagation, "Allow")))
    #Useraccount: Full Control (ideally I would error check the existance of the user account in AD)
    #$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked.name",$fullrights, $inherit, $propagation, "Allow")))
    $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked",$fullrights, $inherit, $propagation, "Allow")))
    #Remove Inheritance from the root user folder
    $DirACL.SetAccessRuleProtection($True, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
    #Set permissions on User Directory
    Set-Acl -aclObject $DirACL -path $Locked.Fullname
    Write-Host "commencer" -NoNewLine
    ##############Restore admin access & then restore file/folder inheritance on all subitems
    #create a template ACL with inheritance re-enabled; this will be stamped on each subitem to re-establish the file structure with inherited ACLs only.
    #$NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked.name") #ideally I would error check this.
    $NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked") #ideally I would error check this.
    $subFileACL = New-Object System.Security.AccessControl.FileSecurity
    $subDirACL = New-Object System.Security.AccessControl.DirectorySecurity
    $subFileACL.SetOwner($NewOwner)
    $subDirACL.SetOwner($NewOwner)
    ######## Enable inheritance ($False) and not copy of parent ACLs ($False)
    $subFileACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
    $subDirACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
    #####loop through subitems
    $subdirs = Get-ChildItem -path $Locked.Fullname -force -recurse #force is necessary to get hidden files/folders
    foreach ($subitem in $subdirs) {
    #take ownership to insure ability to change permissions
    #Then set desired ACL
    if ($subitem.Attributes -match "Directory") {
    # New, blank Directory ACL with only Owner set
    $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
    $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    #Use SetAccessControl to reset Owner; Set-Acl will not work.
    $subitem.SetAccessControl($blankdirAcl)
    #At this point, Administrators have the ability to change the directory permissions
    Set-Acl -aclObject $subDirACL -path $subitem.Fullname -ErrorAction Stop
    } Else {
    # New, blank File ACL with only Owner set
    $blankfileAcl = New-Object System.Security.AccessControl.FileSecurity
    $blankfileAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    #Use SetAccessControl to reset Owner; Set-Acl will not work.
    $subitem.SetAccessControl($blankfileAcl)
    #At this point, Administrators have the ability to change the file permissions
    Set-Acl -aclObject $subFileACL -path $subitem.Fullname -ErrorAction Stop
    } #end if/else
    Write-Host "." -NoNewline
    } #end foreach subitem
    Write-Host "fin."
    } #end foreach locked directory
    Write-Host "Script Complete."
    I hope you find this useful.
    Thank you,
    Tony
    Final Thought: There are great non-PS tools like Set-Acl and takeown which are external to PS & can also do the job wonderfully.  It may be much simpler to call those tools than recreate the wheel in pure code.  Feel free to use whatever best suits your time, scope & cost.

  • Does simple file and folder sharing on an iMac work with OSX Server?

    Hi There
    I wonder if I should install OSX Server on an iMac wher several users work on the same files and folders.
    My question - before I do something I might regret:
    Does simple file and folder sharing on an iMac within several users really work with the help of OSX Server?
    All I want to be able to do:
    Admin creates a new folder1 and gives it read- and write access for user1 and user2.
    User1 creates a subfolder1 in folder1, and a document1 in subfolder1.
    User2 edits document1. Later Admin edits document1.
    All these simple editing of files and folders (and subfolders) within a main folder should be possible. This is not possible now.
    Is everything clear? I'm not a network specialist or something, I just want to give some co-workers access to some data on my computer without problems.

    So what you need are recursive permissions.
    I suggest you create a group and add user1 and user2 to that group. You can name that group whatever you want, but for now i will call it FSUsers
    Execute this in terminal. Replace FSUsers with your new group
    sudo chmod -R +a "FSUsers allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /Users/Shared/*
    Replace /Users/Shared with the location of your shared folder. Make sure you keep the /* at the end (this allows all subfolders and files to get the same permissions).
    If you need to add people to the share just add them to the FSUsers group, the FSUsers group should also be allowed in the sharing preferences.

  • Windows server 2008r2 files and folder auditing.

    Hi, I want to monitor files and folders with auditing in 2008r2, like write, read, delete etc.
    Can you please help me on that.
    Thanks in advance for your support.
    Thanks,
    Bhautik Shah

    Hello,
    this must be enabled on the folder you like to monitor. Steps in the following thread from the same question are still valid:
    Enabling file auditing is a 2-step process.
    [1] Configure "audit object access" in AD Group Policy or on the server's local GPO. This setting is located under Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->Audit Policies. Enable success/failure auditing for "Audit object access."
    [2] Configure an audit entry on the specific folder(s) that you wish to audit. Right-click on the folder-->Properties-->Advanced. From the Auditing tab, click Add, then enter the users/groups whom you wish to audit and what actions you wish to audit - auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file, or you can just audit for Delete operations.
    After you've done both of these steps, any file deletions will show up in the Security log of the file server that hosts those files.
    HTH
    http://technet.microsoft.com/en-us/library/dd772690%28WS.10%29.aspx
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
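The two steps above done from an elevated PowerShell prompt, followed by a query for the resulting Security-log events. This is an added example, not part of the original reply; the folder path and the audited principal are assumptions, and step 1 uses the local "File System" audit subcategory in place of the Group Policy setting the reply describes (a domain GPO will override it).

```powershell
# Added example. $folder and the audited principal 'Everyone' are assumed values.
$folder = 'D:\Shares\Finance'

# Step 1: turn on object-access auditing for the file system on this server.
# "File System" is the narrower subcategory of the legacy "Audit object access".
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: add an audit entry (SACL) on the folder, inherited by all children.
# Only delete operations are audited here, the low-noise option the reply mentions.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $folder -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Confirm the entry is present.
(Get-Acl -Path $folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited

# Read back object-access events (ID 4663) that concern this folder tree.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Event data fields are addressed by name rather than by position.
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -like "$folder\*") {
            New-Object psobject -Property @{
                Time       = $evt.TimeCreated
                User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                ObjectName = $data['ObjectName']
                AccessMask = $data['AccessMask']
                Process    = $data['ProcessName']
            } | Select-Object Time, User, ObjectName, AccessMask, Process
        }
    }
```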

  • How to check whether a file got read permissions for particular user

    Problem: Let JRE is running with some x as effective user in LINUX then while checking file permission it is checking permission on that file for that x user.
    // requires: import java.io.File;
    File f = new File("file name");
    if (f.exists())
         System.out.println("exists");
    else
         System.out.println("does not exists");
    The above code prints exists only when x user have permissions on that file
    Requirement: I would like to check whether a file got read permissions for particular user i.e. whether y user got permissions on that file.
    Any help is appreciated

    In Linux a user has to have read permission on a file to even see that it exists. As a result, if a user (or a group to which they belong) doesn't have read access to the file File.exists() will return false. Windows which doesn't have as tightly controlled access to files will admit that a file exists whether it can be read or not.
    PS.
    This is proof that I should never answer a question off the top of my head when I haven't had my red bull yet. This is wrong. You will be able to see it if you have read and execute on the directory.
    thumps self in head
    Message was edited by:
    puckstopper31

  • I have a folder and 3 files stuck on my desktop.  When I drag them to the trash I am asked to enter my administrator's password.  I do this but the files and folder will not delete.  I have checked 'Get Info' on each of them and they are not locked?

    I have an empty folder and 3 .jpg files stuck on my desktop.  When I drag them to the trash I am asked to enter my administrator's password.  I do this but the files and folder will not delete.  I have checked 'Get Info' on each of them and they are not locked and I have full read & write access.  Grateful for any assistance in solving this problem.

    Back up all data.
    Triple-click anywhere in the line below to select it:
    ls -@Oaen De* | open -f -a TextEdit
    Copy the selected text to the Clipboard (command-C).
    Launch the Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Paste into the Terminal window (command-V).
    A TextEdit window will open with the output of the command. Post the contents of that window, if any — the text, please, not a screenshot. The title of the window doesn't matter, and you don't need to post that.
    If any personal information appears in the output, anonymize before posting, but don’t remove the context.
