Script Directory Permissions Powershell

1

1

Is there a way to clone a directory's permissions to a file, and then run that file on another server to recreate those permissions on the recreated structure?

I've got a script to create the directories:

New-Item -Path D:\superuser-data -ItemType directory
New-Item -Path D:\superuser-data\documents -ItemType directory
New-Item -Path D:\superuser-data\scripts -ItemType directory

I run that script, then set up the permissions the way I want them with AD accounts on Server A.

Then I want the ability to rerun that script on Server B and then run another script on Server B that sets the permissions to match what I did on Server A.

Nick

Posted 2018-05-30T17:54:44.710

Reputation: 131

I'd highly recommend this module for convenience: https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85. Using only get-acl and set-acl can be very head-achy.

– SimonS – 2018-05-31T10:18:10.743

Answers

1

From here: https://seankilleen.com/2015/01/how-to-copy-ACL-Permissions-To-Folders-With-Powershell/

PowerShell contains the commands get-acl and set-acl, and you can pipe them together:

Get-Acl -Path C:\Folder1 | Set-Acl -Path C:\Folder2

Those paths can be UNC or other appropriate path methods, so they should be able to work across networks.

Update:

Security Descriptors CAN be copied and stored. The following is not the most efficient process, this is the first time I've even tried doing this, but it is functional.

A few iteratively-refined Google searches brought me here: http://community.idera.com/powershell/powertips/b/tips/posts/replacing-ntfs-permissions-with-sddl-information

And here's the process.

  1. Capture the ACL from the source computer:
    $SDout = get-acl -path (source folder)
  2. Store the SDDL in the clipboard:
    $SDout.GetSecurityDescriptorSddlForm('All') | clip.exe
  3. Paste into Notepad and move to the target computer.
  4. Copy ONLY the single-line SDDL to the clipboard.
  5. Store the source SDDL in a parameter:
    $SDsource = '(paste the source SDDL here)'
  6. Capture the target ACL object in a parameter:
    $SDtarget = get-acl -path (target folder)
  7. Overwrite the target's SDDL with the source's SDDL:
    $SDtarget.SetSecurityDescriptorSddlForm($SDsource)
  8. Write the modified ACL back to the target folder:
    set-acl -Path (target folder) -ACLObject $SDtarget

Checking properties now, you should see the target folder has the same permissions as the source folder.

music2myear

Posted 2018-05-30T17:54:44.710

Reputation: 34 957
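The clipboard procedure in the answer above, generalized to a whole directory tree and a file that can be carried between servers, as an added example that is not part of the original answer. The function names `Export-TreeSddl` and `Import-TreeSddl` and the CSV columns are hypothetical; the sketch uses `'Access'` rather than the answer's `'All'` so only the DACL is transferred, and it assumes the ACEs reference AD accounts, as in the question, so the SIDs resolve on both servers.

```powershell
# Added example: hypothetical helper functions, not from the original post.
function Export-TreeSddl {
    param(
        [Parameter(Mandatory)] [string] $Root,     # tree on Server A
        [Parameter(Mandatory)] [string] $OutFile   # CSV to carry to Server B
    )
    $rootItem = Get-Item -LiteralPath $Root
    $dirs = @($rootItem) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)
    $dirs | ForEach-Object {
        [pscustomobject]@{
            # Path relative to the root, so the tree may sit elsewhere on Server B
            RelativePath = $_.FullName.Substring($rootItem.FullName.Length).TrimStart('\')
            # 'Access' = DACL only; owner, group and audit entries are left out
            Sddl = (Get-Acl -LiteralPath $_.FullName).GetSecurityDescriptorSddlForm('Access')
        }
    } | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8
}

function Import-TreeSddl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Root,     # recreated tree on Server B
        [Parameter(Mandatory)] [string] $InFile
    )
    foreach ($row in Import-Csv -LiteralPath $InFile) {
        # An empty RelativePath is the root directory itself
        $target = [System.IO.Path]::Combine($Root, $row.RelativePath)
        if (-not (Test-Path -LiteralPath $target -PathType Container)) {
            Write-Warning "Skipping missing directory: $target"
            continue
        }
        $acl = Get-Acl -LiteralPath $target
        # Replace only the DACL section of the target's security descriptor
        $acl.SetSecurityDescriptorSddlForm($row.Sddl, 'Access')
        if ($PSCmdlet.ShouldProcess($target, 'Replace DACL from exported SDDL')) {
            Set-Acl -LiteralPath $target -AclObject $acl
        }
    }
}

# Server A: Export-TreeSddl -Root D:\superuser-data -OutFile .\superuser-data-acl.csv
# Server B: Import-TreeSddl -Root D:\superuser-data -InFile .\superuser-data-acl.csv -WhatIf
```

The CSV decides who gets access on the target, so store and transfer it like any other access-control change and read it before importing. Running the import with `-WhatIf` first lists the directories that would be rewritten without changing them.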

Can I store the results of Get-Acl into a file that set-acl can read in?

Get-Acl D:\superuser-data\ | Out-File superuser-data.txt
cat superuser-data.txt | Set-Acl -Path D:\superuser2-data\

– Nick – 2018-05-30T19:48:33.520

The pipe uses PS' object system. Sending get-acl's output to a file loses the object-nature of the information, so you'll have to massage the data either when you export or when you import, or in-between. I tried simply storing the output in a file (out-file) and then importing it into a new variable (get-content) and the syntax was not understood by set-acl. – music2myear – 2018-05-30T20:52:40.110

Ok, I think I've figured something out. Give me a few minutes to test. – music2myear – 2018-05-30T21:03:32.570