Role Assignment Discovery Issue for Files and Folders through Sharepoint REST services

To preface, I am a decided Sharepoint newbie in every sense. I am trying to use the Sharepoint REST services (Sharepoint 2013) to walk the folder and file structure of my Sharepoint server and, determine as I go, the Role Assignments (and subsequently
Permissions) on those folders and files. I'm using an Administrator credentials and I'm actually able to successfully do it but I've run into some caveats. All the caveats begin with this; when I'm examining a folder, for example:
/_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/ListItemAllFields
I receive either an empty list or an error response doc when following the link supplied for ListItemAllFields.  When following that kind of link for folders, I either get:
<d:ListItemAllFields
m:null="true"
/>
or an error response document that says "The object specified does not belong to a list." When I hit the /ListItemAllFields endpoint for files, I receive a response with a link for Role Assignments which subsequently also works and I get the
info I need. So, is this a bug? Why does the link returned from Sharepoint work for files and not folders? So, google, google, google, and I discover that there is another possible way to get at the Role Assignments (and that the object does, indeed, belong
to a list!).
If I know the Title (or the guid) of the folder in question, I can use the following endpoint:
/_api/Web/Lists/GetByTitle('Development')
If I use that endpoint, I get the information I would have expected to get from following /ListItemAllFields and the subsequent Role Assignments links all work and I get what I need. If there's a bug and this is how I have to work around it, that's fine
but I have yet to discover how to dynamically determine the Title of a given folder nor am I sure if all Titles are supposed to be unique within a given Sharepoint server. I'm assuming that the folder name as represented in the server relative URL and the
Title may be different and this is where my newbishness may start to shine if I'm misunderstanding what a "List" is supposed to be in Sharepoint. Anyway, I did find that I could use the Properties endpoint to perhaps get the Title, for example:
/_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/Properties
gives me:
<d:vti_x005f_listtitle>Development</d:vti_x005f_listtitle>
whose value I assume I could then supply to the /GetByTitle endpoint and be golden. However, "vti_x005f_listtitle" just sounds a little too deep to be something I should be relying on but maybe that's kosher. That's part of what I'm trying to
find out. Also, if there is a way to use the Sharepoint REST API to discover the guid of a given object, then I could look it up in that way.
So, in summary:
1. Am I going about getting folder Role Assignment information in the wrong way? Based on the CSOM examples I've seen, I believe I'm doing it correctly and that the answer to #2 below is a resounding "Yes!" :)
2. Is it a bug if I'm not able to use /ListItemAllFields on folders using the server relative url?
3. If I'm supposed to use GetByTitle as a workaround, am I discovering that Title correctly through /Properties? Seems quite circuitous and awkward. Are Titles required to be unique throughout a given Sharepoint server?
4. If I'm supposed to use the guid, how can I use the REST interface to discover an object's guid? Once we get down to the Role Assignments and other links, the guid appears in those links but I don't know how to discover it independently if that's the
path I should use to get the data I described above.

Upon further research, I'll answer my own question for the benefit of some other potential future newbie.  The answer to question number 1 above is "Not exactly.".  The server relative URLs I was using corresponded to lists (which are
returned as a collection through /_api/web/lists).  I was treating them mentally like regular folders.  That, coupled with the fact that accessing their data as I showed above returns a ListItemAllFields link, made me think that was the way to get
the Role Assignments just as I would for files and, as it turns out, "real" folders and sub-folders created under these lists.  That was the other problem with thinking of these lists as regular folders.  So, ListItemAllFields works on
all files and folders in a list.  However, if you want Role Assignments for the lists themselves, you can keep track of the Titles and\or Guids from the /_api/web/lists that you're interested in (in my case, all non-hidden "document library"
type lists) and then access those Role Assignments as I discussed in questions 3 and 4 above.  For example, from the /_api/web/lists collection from my test server, the "Development" document library Role Assignments are accessable via /_api/Web/Lists(guid'cd242eeb-aafa-4efa-aecc-9bbdf8e3d459')/RoleAssignments
or /_api/Web/Lists/GetByTitle('Development')/RoleAssignments.

Similar Messages

  • Advanced permission for files and folders

    Advanced permission for files and folders
    Hi,
    Just wanted to raise a quick query on setting a unique NTFS Security permission.
    My requirement
    A shared folder with the below listed access for users
    A group of users should be able to create, read, rename files and folders inside a shared folder.
    The group of users should not have the right to delete any folder or file from the shared folder.
    This is what I have tried. 
    Gave modify permission to the Security group.
    On Advanced permissions, denied delete subfolders and file & delete permission.
    The effective permission for a user who is member of the security group over a file inside the shared folder is as shown.
    https://onedrive.live.com/redir?resid=835A81FDD1D9D9FC!109&authkey=!AGQFP11QTFaLHQM&v=3&ithint=photo%2cpng
    But while trying to rename or modify the file, getting the below error message.
    https://onedrive.live.com/redir?resid=835A81FDD1D9D9FC%21110
    Any help to achieve my requirement would be really appreciated.
    Thanks,
    JD

    Hi JD,
    Removing delete permission from the user or group brings a limitation that the user will not be able to rename the folder. This is because of the reason that the "rename" operation is also included within the "Delete" permission.
    Thus if you want to prevent user from deleting the shared file, it's also not allowed to rename.
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • To extract the users permission on files and folders in sharepoint 2010 using client object model

    To extract the users permission on files and folders in sharepoint 2010 using client object model

    Hello,
    This is sample code to get item level permisison: (Just written in notepad so it is not tested)
    public void ItemLevelPermission()
    SecurableObject curObj = null;
    ListItem curItem = ctx.Web.Lists.GetByTitle("LibraryName").GetItemById(ItemId); -> Use Id of file or folder.
    IEnumerable roles = null;
    roles = ctx.LoadQuery(
    curObj.RoleAssignments.Include(
    roleAsg => roleAsg.Member,
    roleAsg => roleAsg.RoleDefinitionBindings.Include(
    roleDef => roleDef.Name, // for each role definition, include roleDef’s Name
    roleDef => roleDef.Description)));
    ctx.ExecuteQuery();
    Hope it could help
    Hemendra:Yesterday is just a memory,Tomorrow we may never see
    Please remember to mark the replies as answers if they help and unmark them if they provide no help

  • "Application can't be found" error for files and folders

    This has become mind boggling for me.
    Starting last week, files I've created (namely in either Adobe Photoshop CS5 or Illustrator CS5) have started giving me "Application can't be found" errors when trying to open them. They show up when I use spotlight to search for the file, but they don't show up in Finder and can't be found when trying to browse for them via the apps used to create them.
    Now I can't open a particular folder either (same symptoms and errors as above), which should have nothing to do with any applications.
    Have rebooted numerous times and am up to date on all firmware. I know these files exist and did work at one point because I uploaded them to be printed last week with no issues. But sometime between now and then (and I haven't touched them since) they decided to stop working. Please help!

    I am annoyed by, I think, the same problem.  I would like to drag Pages files directly to the finder in the dock, but now with Mavericks I can not do this.  It is bothersome to have to click on the finder to open it up when I did not have to do that with the old operating system.  I hope someone can help us both out. 
    I also hope that in the next update Apple addresses the concerns many are having with the newest version of Pages.  Until something is changed, I am sticking with old Pages because I find it to be a much better program to use.  

  • How to set default permissions for files and folders

    We have mac and windows computers on a network where we use Mac OSX Server 10.4 to share files. When files are created on windows computer, no problem, all users can read/write these files. However on our 2 macs (1 10.3 and 1 10.4), other users are blocked from using the files, only the owner has "read/write", group and others are "read only". As far as I can tell, file sharing is turned on ok in Workgroup Manager for the folders we share files from. How can we establish sharing for all users on our network?

    Niel's suggestion is good. You might also try posting your question in the Tiger Server forums. I'm sure Tiger Server has several ways of dealing with this.

  • Setting the Author and Modified Time of Files and Folders via 2013 Rest

    Hi
    We've got an 3-legged-oAuth, `permissions on the fly` app that interacts with Sharepoint via the Rest AP. We're running into some hurdles preserving ownership and modification metadata on files migrated into the system. 
    With Sharepoint, the typical approach is to authorize a single admin user an use their credentials to upload every file arriving from the source. The problem: every file's author is now the admin user.
    Is there any way to change the Author of a file during the initial upload or afterwards? The docs here: http://msdn.microsoft.com/en-us/library/office/dn450841(v=office.15).aspx#bk_FileCheckOut suggest not.
    Some services, such as Box and Google Drive provide various delegated authorization capabilities to create files on someone else's behalf. Perhaps this is an option? We could, for example, multiplex a set of oAuth tokens but that would require potentially
    hundreds of users going through the rigamarole of the 3-legged oAuth flow.
    Is our only option a C# app to fill in these gaps?

    Hi,
    According to your post, my understanding is that you wanted to change the Author of the file.
    If you don’t want to use the C# option, we can use the JavaScript to retrieve the created by field then change it.
    There are two similar articles, you can have a look at them.
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/bba08ecc-297e-4b32-a8f4-bbc2a677d6bd/retrieve-created-by-list-item-field-using-javascript?forum=sharepointdevelopmentprevious
    http://www.c-sharpcorner.com/UploadFile/anavijai/get-created-by-and-modified-by-values-from-sharepoint-2010-l/
    Thanks,
    Jason
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Jason Guo
    TechNet Community Support

  • New files and folders on a Linux client mounting a Windows 2012 Server for NFS share do not inherit Owner and Group when SetGID bit set

    Problem statement
    When I mount a Windows NFS service file share using UUUA and set the Owner and Group, and set the SetGID bit on the parent folder in a hierarchy. New Files and folders inside and underneath the parent folder do not inherit the Owner and Group permissions
    of the parent.
    I am given to understand from this Microsoft KnowledgeBase article (http://support.microsoft.com/kb/951716/en-gb) the problem is due to the Windows implmentation of NFS Services not supporting the Solaris SystemV or BSD grpid "Semantics"
    However the article says the same functionality can acheived by using ACE Inheritance in conjunction with changing the Registry setting for "KeepInheritance" to enable Inheritance propagation of the Permissions by the Windows NFS Services.
    1. The Precise location of the "KeepInheritance" DWORD key appears to have "moved" in  Windows Server 2012 from a Services path to a Software path, is this documented somewhere? And after enabling it, (or creating it in the previous
    location) the feature seems non-functional. Is there a method to file a Bug with Microsoft for this Feature?
    2. All of the references on demonstrating how to set an ACE to achieve the same result "currently" either lead to broken links on Microsoft technical websites, or are not explicit they are vague or circumreferential. There are no plain Examples.
    Can an Example be provided?
    3. Is UUUA compatible with the method of setting ACE to acheive this result, or must the Linux client mount be "Mapped" using an Authentication source. And could that be with the new Flat File passwd and group files in c:\windows\system32\drivers\etc
    and is there an Example available.
    Scenario:
    Windows Server 2012 Standard
    File Server (Role)
    +- Server for NFS (Role) << -- installed
    General --
    Folder path: F:\Shares\raid-6-array
    Remote path: fs4:/raid-6-array
    Protocol: NFS
    Authentication --
    No server authentication
    +- No server authentication (AUTH_SYS)
    ++- Enable unmapped user access
    +++- Allow unmapped user access by UID/GID
    Share Permissions --
    Name: linux_nfs_client.host.edu
    Permissions: Read/Write
    Root Access: Allowed
    Encoding: ANSI
    NTFS Permissions --
    Type: Allow
    Principal: BUILTIN\Administrators
    Access: Full Control
    Applies to: This folder only
    Type: Allow
    Principal: NT AUTHORITY\SYSTEM
    Access: Full Control
    Applies to: This folder only
    -- John Willis, Facebook: John-Willis, Skype: john.willis7416

    I'm making some "major" progress on this problem.
    1. Apparently the "semantics" issue to honor SGID or grpid in NFS on the server side or the client side has been debated for some time. It also existed as of 2009 between Solaris nfs server and Linux nfs clients. The Linux community defaulted to declaring
    it a "Server" side issue to avoid "Race" conditions between simultaneous access users and the local file system daemons. The client would have to "check" for the SGID and reformulate its CREATE request to specify the Secondary group it would have to "notice"
    by which time it could have changed on the server. SUN declined to fix it.. even though there were reports it did not behave the same between nfs3 vs nfs4 daemons.. which might be because nfs4 servers have local ACL or ACE entries to process.. and a new local/nfs
    "inheritance" scheme to worry about honoring.. that could place it in conflict with remote access.. and push the responsibility "outwards" to the nfs client.. introducing a race condition, necessitating "locking" semantics.
    This article covers that discovery and no resolution - http://thr3ads.net/zfs-discuss/2009/10/569334-CR6894234-improved-sgid-directory-compatibility-with-non-Solaris-NFS-clients
    2. A much Older Microsoft Knowledge Based article had explicit examples of using Windows ACEs and Inheritance to "mitigate" the issue.. basically the nfs client "cannot" update an ACE to make it "Inheritable" [-but-] a Windows side Admin or Windows User
    [-can-] update or promote an existing ACE to "Inheritable"
    Here are the pertinent statements -
    "In Windows Services for UNIX 2.3, you can use the KeepInheritance registry value to set inheritable ACEs and to make sure that these ACEs apply to newly created files and folders on NFS shares."
    "Note About the Permissions That Are Set by NFS Clients
    The KeepInheritance option only applies ACEs that have inheritance enabled. Any permissions that are set by an NFS client will
    only apply to that file or folder, so the resulting ACEs created by an NFS client will
    not have inheritance set."
    "So
    If you want a folder's permissions to be inherited to new subfolders and files, you must set its permissions from the Windows NFS server because the permissions that are set by NFS clients only apply to the folder itself."
    http://support.microsoft.com/default.aspx?scid=kb;en-us;321049
    3. I have set up a Windows 2008r2 NFS server and mounted it with a Redhat Enteprise Linux 5 release 10 x86_64 server [Oct 31, 2013] and so far this does appear to be the case.
    4. In order to mount and then switch user to a non-root user to create subdirectories and files, I had to mount the NFS share (after enabling Anonymous AUTH_SYS mapping) this is not a good thing, but it was because I have been using UUUA - Unmapped Unix
    User Access Mapping, which makes no attempt to "map" a Unix UID/GID set by the NFS client to a Windows User account.
    To verify the Inheritance of additional ACEs on new subdirectories and files created by a non-root Unix user, on the Windows NFS server I used the right click properties, security tab context menu, then Advanced to list all the ACEs and looked at the far
    Column reflecting if it applied to [This folder only, or This folder and Subdirectories, or This folder and subdirectories and files]
    5. All new Subdirectories and files createdby the non-root user had a [Non-Inheritance] ACE created for them.
    6. I turned a [Non-Inheritance] ACE into an [Inheritance] ACE by selecting it then clicking [Edit] and using the Drop down to select [This folder, subdirs and files] then I went back to the NFS client and created more subdirs and files. Then back to the
    Windows NFS server and checked the new subdirs and folders and they did Inherit the Windows NFS server ACE! - However the UID/GID of the subdirs and folders remained unchanged, they did not reflect the new "Effective" ownership or group membership.
    7. I "believe" because I was using UUUA and working "behind" the UID/GID presentation layer for the NFS client, it did not update that presentation layer. It might do that "if" I were using a Mapping mechanism and mapped UID/GID to Windows User SIDs and
    Group SIDs. Windows 2008r2 no longer has a "simple" Mapping server, it does not accept flat text files and requires a Schema extension to Active Directory just to MAP a windows account to a UID/GID.. a lot of overhead. Windows Server 2012 accepts flat text
    files like /etc/passwd and /etc/group to perform this function and is next on my list of things to see if that will update the UID/GID based on the Windows ACE entries. Since the Local ACE take precedence "over" Inherited ACEs there could be a problem. The
    Inheritance appears to be intended [only] to retain Administrative rights over user created subdirs and files by adding an additional ACE at the time of creation.
    8. I did verify from the NFS client side in Linux that "Even though" the UID/GID seem to reflect the local non-root user should not have the ability to traverse or create new files, the "phantom" NFS Server ACEs are in place and do permit the function..
    reconciling the "view" with "reality" appears problematic, unless the User Mapping will update "effective" rights and ownership in the "view"
    -- John Willis, Facebook: John-Willis, Skype: john.willis7416

  • My external hard drive is 'seen' by my iMac and I can go into the Finder and open files and folders. I am using the hard drive for Time Machine back up. However Time Machine says it can't find the drive. Same thing has happened with Final Cut Express.

    My new LaCie external hard drive is 'seen' by my iMac and I can go into the Finder and open files and folders. I am using the hard drive for Time Machine back up. However Time Machine says it can't find the drive.
    The same thing happened recently between Final Cut Express and my other LaCie external hard drive used as the Scratch disk. It fixed itself.
    I've run out of ideas. Help would be very much appreciated. Thanks.

    have you done some searches on FCPx and time machine? Is there a known issue with using a TM drive with FCPx? dunno but ...wait...I'll take 60 sec for you cause I'm just that kind of guy....   google...." fcpx time machine problem"  Frist page link 
    http://www.premiumbeat.com/blog/fcpx-bug-best-practices-for-using-external-hard- drives-and-final-cut-pro-x/
           You cannot have time machine backups on your hard drive if you intend to use it in FCPX.
    booya!

  • I just restored my 13" MBP i5 at the apple store to the newest version of Lion after issues with a previous Time Machine backup from Snow Leopard- this time I created a new account and just ported files and folders, and now MS Office doesn't work. Help?

    I just restored my 13" MBP i5 at the apple store to the newest version of Lion after issues with a previous Time Machine backup from Snow Leopard- this time I created a new account and just ported files and folders, and now MS Office doesn't work.
    ^^ that's the main problem. Here's the full history.
    I bought a new 13" i5 MBP, early 2011 edition. I had an old white Macbook 2.14 ghz core2duo on Snow Leopard. I attempted to port over my time machine backup, but encountered problems in that my User was inaccessible from the new computer after the import finished, and I had to go in and change the root password, etc, and for some reason or another, I couldn't install any programs at all from that administrator's account. By "couldn't" I mean I could install them, but upon installation they would never boot. So, I took it to the apple store and did a clean install from the most up to date Lion OSX. Then, I created a brand new admin account, instead of trying to import the old one, and things seemed great. Then, I just imported my old files from the TM backup, but not any system settings, permissions, or user data. Just my Docs, pics, vids, apps, and itunes stuff.
    Here's where things get weird again. I imported this stuff under the name "old", but all of these folders have a red negative sign on them, marking them as restricted. So, from my main admin account, I cannot even peruse these folders. Since I didn't import user data, I can't sign in to the "old" account to change permissions. I already tried to change the permissions from system preferences, but that didn't change anything. And now, for whatever reason, of all the apps that were imported then, MS Office is the only set of apps that does not work. When I click on it, it just says there was a problem and asks if I'd like to send a report to apple. I tried reinstalling it to no avail. I'm an English student, so i really need access to Word. Can anyone help? The Apple store is a major detour for me and would like to fix this issue myself.

    Most likely you have Office 2004 which are PPC-only applications and will not work in Lion. Upgrade to Office 2011. Other alternatives are:
    Apple's iWork suite (Pages, Numbers, and Keynote.)
    Open Office (Office 2007-like suite compatible with OS X.)
    NeoOffice (similar to Open Office.)
    LibreOffice (a new direction for the Open Office suite.)

  • HT1923 This article contains the only thing that worked for me.  I also had to sign out of iCloud and uninstall it.  Then I had to delete all files and folders from all of those applications that were under Program Files, Program Files x86, and Users.

    This article contains the only thing that worked for me.  I also had to sign out of iCloud and uninstall it.  Then I had to delete all files and folders from all of those applications that were under Program Files, Program Files x86, Program Data and Users.  My iPhone 4 will now sync with iTunes both in its USB-connected  mini dock and over Wi-Fi.  It's unfortunate (negligent programming on the part of Apple?) that the upgrade to iTunes 11 did not remove all of those files as part of the upgrade process. 

    I am having the same issue....Same address for years - same as USPS - I tried 5 times (3 macs and 2 iPhones) and now i have 5 CHARGES for 1.00 each on my credit card. I took the credit card info off so they don't charge me anymore. How can they charge me yet still not allow me to download free updates and say I have an invalid address? I'm sure I will spend weeks or months trying to get a credit out of these incompetent idiots.

  • Solved - How to take ownership and change permissions for blocked files and folders in Powershell

    Hello,
    I was trying to take ownership & fix permissions on Home Folder/My Documents structures, I ran into the common problem in PowerShell where Set-Acl & Get-Acl return access denied errors. The error occurs because the Administrators have been removed from
    file permissions and do not have ownership of the files,folders/directories. (Assuming all other permissions like SeTakeOwnershipPrivilege have been enabled.
    I was not able to find any information about someone successfully using native PS to resolve the issue.  As I was able to solve the issues surrounding Get-Acl & Set-Acl, I wanted to share the result for those still looking for an answer.
    Question: How do you use only Powershell take ownership and reset permissions for files or folders you do not have permissions or ownership of?
    Problem: 
    Using the default function calls to the object fail for a folder that the administrative account does not have permissions or file ownership. You get the following error for Get-Acl:
    PS C:\> Get-Acl -path F:\testpath\locked
    Get-Acl : Attempted to perform an unauthorized operation.
    + get-acl <<<< -path F:\testpath\locked
    + CategoryInfo : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
    If you create a new ACL and attempt to apply it using Set-Acl, you get:
    PS C:\> Set-Acl -path F:\testpath\locked -AclObject $DirAcl
    Set-Acl : Attempted to perform an unauthorized operation.
    At line:1 char:8
    + Set-Acl <<<< -path "F:\testpath\locked" -AclObject $DirAcl
    + CategoryInfo : PermissionDenied: (F:\testpath\locked:String) [Set-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
    Use of other functions like .GetAccessControl will result in a similar error: "Attempted to perform an unauthorized operation."
    How do you replace owner on all subcontainers and objects in Powershell with resorting to external applications like takeown, icacls, Windows Explorer GUI, etc.?
    Tony

    Hello,
    Last, here is the script I used to reset permissions on the "My Documents" tree structure that admins did not have access to:
    Example:  Powershell script to parse a directory of User-owned "My Document" redirection folders and reset permissions.
    #Script to Reset MyDocuments Folder permissions
    $domainName = ([ADSI]'').name
    Import-Module "PSCX" -ErrorAction Stop
    Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true) #Necessary to set Owner Permissions
    Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true) #Necessary to bypass Traverse Checking
    #Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeSecurityPrivilege", $true) #Optional if you want to manage auditing (SACL) on the objects
    Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) #Necessary to override FilePermissions & take Ownership
    $Directorypath = "F:\Userpath" #locked user folders exist under here
    $LockedDirs = Get-ChildItem $Directorypath -force #get all of the locked directories.
    Foreach ($Locked in $LockedDirs) {
    Write-Host "Resetting Permissions for "$Locked.Fullname
    #######Take Ownership of the root directory
    $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
    $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    $Locked.SetAccessControl($blankdirAcl)
    ###################### Setup & apply correct folder permissions to the root user folder
    #Using recommendation from Ned Pyle's Ask Directory Services blog:
    #Automatic creation of user folders for home, roaming profile and redirected folders.
    $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [system.security.accesscontrol.PropagationFlags]"None"
    $fullrights = [System.Security.AccessControl.FileSystemRights]"FullControl"
    $allowrights = [System.Security.AccessControl.AccessControlType]"Allow"
    $DirACL = New-Object System.Security.AccessControl.DirectorySecurity
    #Administrators: Full Control
    $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators",$fullrights, $inherit, $propagation, "Allow")))
    #System: Full Control
    $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM",$fullrights, $inherit, $propagation, "Allow")))
    #Creator Owner: Full Control
    $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("CREATOR OWNER",$fullrights, $inherit, $propagation, "Allow")))
    #Useraccount: Full Control (ideally I would error check the existance of the user account in AD)
    #$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked.name",$fullrights, $inherit, $propagation, "Allow")))
    $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked",$fullrights, $inherit, $propagation, "Allow")))
    #Remove Inheritance from the root user folder
    $DirACL.SetAccessRuleProtection($True, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
    #Set permissions on User Directory
    Set-Acl -aclObject $DirACL -path $Locked.Fullname
    Write-Host "commencer" -NoNewLine
    ##############Restore admin access & then restore file/folder inheritance on all subitems
    #create a template ACL with inheritance re-enabled; this will be stamped on each subitem to re-establish the file structure with inherited ACLs only.
    #$NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked.name") #ideally I would error check this.
    $NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked") #ideally I would error check this.
    $subFileACL = New-Object System.Security.AccessControl.FileSecurity
    $subDirACL = New-Object System.Security.AccessControl.DirectorySecurity
    $subFileACL.SetOwner($NewOwner)
    $subDirACL.SetOwner($NewOwner)
    ######## Enable inheritance ($False) and not copy of parent ACLs ($False)
    $subFileACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
    $subDirACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
    #####loop through subitems
    $subdirs = Get-ChildItem -path $Locked.Fullname -force -recurse #force is necessary to get hidden files/folders
    foreach ($subitem in $subdirs) {
    #take ownership to insure ability to change permissions
    #Then set desired ACL
    if ($subitem.Attributes -match "Directory") {
    # New, blank Directory ACL with only Owner set
    $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
    $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    #Use SetAccessControl to reset Owner; Set-Acl will not work.
    $subitem.SetAccessControl($blankdirAcl)
    #At this point, Administrators have the ability to change the directory permissions
    Set-Acl -aclObject $subDirACL -path $subitem.Fullname -ErrorAction Stop
    } Else {
    # New, blank File ACL with only Owner set
    $blankfileAcl = New-Object System.Security.AccessControl.FileSecurity
    $blankfileAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    #Use SetAccessControl to reset Owner; Set-Acl will not work.
    $subitem.SetAccessControl($blankfileAcl)
    #At this point, Administrators have the ability to change the file permissions
    Set-Acl -aclObject $subFileACL -path $subitem.Fullname -ErrorAction Stop
    Write-Host "." -NoNewline
    Write-Host "fin."
    Write-Host "Script Complete."
    I hope you find this useful.
    Thank you,
    Tony
    Final Thought: There are great non-PS tools like
    Set-Acl and takeown which are external to PS & can also do the job wonderfully.  It may be much simpler to call those tools than recreate the wheel in pure
    code.  Feel free to use whatever best suits your time, scope & cost.

  • How do I set up my iPad for outlook files and folders

    I want to see and use, on my iPad, the same files and folders I have in outlook on my PC. Also I want any changes I make on the PC or the iPad to sync with each other.
    PC is running Windows 7,
    Outlook version 2007, not the exchange version although I think I can get that by re-installing outlook and choosing that option.(I don't understand what exchange is but don't bother to explain it unless the solution requires using it)
    I currently use Gmail for my email accounts server. They are set up as POP accounts with Outlook using a .PST data file. However, IMAP is available for Gmail. My brief past experience with IMAP and .OST data files was kind of a disaster so it isn't my 1st choice for this.
    As I understand it using Outlook 365 with Microsoft's cloud and mobile app would solve my problem but I don't like clouds, 365 or IMAP (I may have to concede on some of those). If there is a way to do it through the Gmail accounts without any other cloud  that would be ideal since they already have all my email and I won't be spreading my personal info to other companies.
    I do have a Drop Box account but I currently only use it for some well vetted specific files that I share with specific individuals.
    I do not have any computer or network drive that is always on and might serve as a private cloud. That could be changed but then i'm relying there being no ISP or power interruptions which, of course do occasionally happen.
    Obviously I'm being rather picky here knowing that I'll probably have to live with some things less than ideal.
    I will consider 3rd party apps if they seem to be part of the solution.
    Thank you in advance for any person/s that want to help me on this.
    hsvt

    Thanks. I can change the forwarding settings in Gmail to be either POP or IMAP. That is quite simple. I just looked at those settings on the Gmail server and, to my surprise, both are enabled. In order for outlook client on my computer to receive IMAP emails I have to change the email account settings in my current outlook from POP to IMAP. I don't need to be using the Exchange version of Outlook to receive IMAP. I guess I'll do a little research tomorrow on Exchange so i can figure out what, if anything, it might do for me.
    I glanced at the link you sent me and it looks like it might be very helpful - another project for tomorrow.
    BTW: I hit "This Solved my Question" by accident. I meant only to "like' your response so you would get some benefit from the help you've given me so far. I hope I haven't discouraged others from taking a shot at helping me. I suspect there is more than one way to approach this and, as you know, my problem isn't really solved until I have what I need all set up and running smoothly.

  • My desktop files and folders no longer appear on the screen. I think this is a result of an iPhoto updating.  It appears (from getting info) that now Desktop is being treated like a normal file for which an application to open it must be supplied.  Help?

    My desktop files and folders no longer appear on the screen.  I think this is a result of an iPhoto updating.  It appears (from getting info) that now Desktop is being treated like a normal file for which an application to open it must be supplied.  Can anything be done?  Incila

    You are not going to be able to run your old system from the backup on this old computer as the hardware is incompatible.
    You need to get a new computer or a refurbished one.

  • Remove permissions for a security group for all files and folders in a folder and all subfolders?

    I found a script that adds rights to files and folders.
    We need to grant administrators rights to a set of folders for a specific project.
    ChangePermissions.ps1
    # CACLS rights are usually
    # F = FullControl
    # C = Change
    # R = Readonly
    # W = Write
    $StartingDir=
    "C:\Users"
    $Principal="Administrators"
    $Permission="F"
    $Verify=Read-Host `n "You are about to change permissions
    on all" `
    "files starting at"$StartingDir.ToUpper() `n "for security"`
    "principal"$Principal.ToUpper() `
    "with new right of"$Permission.ToUpper()"."`n `
    "Do you want to continue? [Y,N]"
    if ($Verify -eq "Y") {
    foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
    #display filename and old permissions
    write-Host -foregroundcolor Yellow $file.FullName
    #uncomment if you want to see old permissions
    #CACLS $file.FullName
    #ADD new permission with CACLS
    CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL
    #display new permissions
    Write-Host -foregroundcolor Green "New Permissions"
    CACLS $file.FullName
    When the project is over, we need to undo the changes and remove administrators permissions from the same group of folders.
    How do we change the script to remove administrators group members instead of adding?

    I'm not sure I understand how to use that example script to undo the changes in the script I posted..
    Is there  a way to just change a few lines in the first script so that it removes instead of adding the administrators group?
    This line appears to be the line that adds permissions:
    #ADD new permission with CACLS
    CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL
    What would be the syntax to remove the  permissions
    $Principal="Administrators"
    $Permission="F"
     from files and folders in $StartingDir= "C:\Users"
    and everything below it?

  • AppleScript : modify labels for multiple selection of files and folders in Finder ?

    As an experienced programmer in Pascal, Excel VBA, ... I am trying to find my way in AppleScript (first steps).
    I am trying to build a small script that will run on a keyboard shortcut, and that will toggle the label of selected files and folders (multiple selection ?) in Finder between "purple" and "no label".
    Based on a recorded action, I was trying something along the lines of
    tell application "Finder"
              Activate
              repeat with oneItem in selection
                             set label index of oneItem to 3
              end repeat
    end tell
    I am not clear on how to make the script understand that in a multiple selection I want to apply the requested command to each item. In addition, when testing it on one single item, it appears that I can't set the label index property of "selection" ...
    Can someone please advise what the correct way is of (a) setting the property of a selected item in the Finder and (b) looping through a multiple selection ?
    Thanks in advance.
    Philip
    P.S. Running Mac OSX 10.8.2 on MacBook Air, MacBook Pro and MacMini

    Thanks alot, Softwater. In fact, I have been playing around with that and found that the "get" statement in your script suggestion is not even necessary. The script I saved as a Finder Service is now :
    tell application "Finder"
              repeat with oneItem in selection as list
                             if label index of oneItem = 0 then
                                            set label index of oneItem to 5
                             else
                                            set label index of oneItem to 0
                             end if
              end repeat
    end tell
    By assigning a shortcut key to this one, I can now toggle labels.
    Additional trick I did is to restrict the applicability of the script to only movie-files (I am using this to change the labels of movies / TV shows on my computer which I still want to see versus the ones that I don't want to see anymore). I noticed during testing that the script would also color folders and drives selected in other finder windows than the one I was working in, so now it only works on movie files which is more what I want.
    Great tool, the AppleScript Editor and the Automator. Only a little bit a pitty that finding out about object structure and properties is not very straightforward in the AppleScript Editor (comparing to e.g. the VBA in MS Excel, which has an almost perfect help system and built-in reference). I am not a Microsoft fan in general, but when it comes to MS Excel VBA, I have not seen any built-in help system yet that approaches its usefulness ...
    I guess I will be "seeing" you again on this forum ... I am getting the taste of scripting again :-D

Maybe you are looking for

  • Broken Links in iTunes - files have not been moved

    Hi, I'm running iTunes on my XP machine. I have about 10,000 tracks in my library. Every so often (well quite often nowadays) I get a load of tracks that have the exclamation mark next to them saying the file can't be found. I have not moved any of t

  • Migrating MS SQL Server 7.0 TO Oracle 8.1.5

    Hello, We are currently using Win NT 4.0, MS SQL Server with a PVCS Tracker 6.0 from Merant and will be upgrading to PVCS Dimension 6.0 from Merant. The Dimension 6.0 product runs on Win NT 4.0, uses Oracle Server 8.1.5 with Oracle 8 ODBC Driver 2.5.

  • Inner Query relating to calculated field in main query

    I have a query that has calculating fields in it. What I am trying to do is Create another inner SELECT query similar to the one above but using the FP_Qty_Required calculated field in the main query? Is this even possible? Thanks in advance Aaron

  • 802.1X, you deployed with Certs, or used individual user accounts?

    I'm looking at 802.1X to improve our internal network's security posture to prevent unauthorized access by non-authorized users. The solution I am looking at is 802.1X only, not any vender's NAC solution which rides upon 802.1X, but 802.1X solely. We

  • Request attribute vs parameter

    Hi all, I am getting confused of request attribute and request parameter. What i understand is that a parameter is a piece of info that send with the request. Such that infomation (parameter) come from a form component (text field, radiobuttion,selec