Share via

Reviewing security permissions on file server

John Kelly 166 Reputation points
2024-07-24T16:34:38.88+00:00

Hopefully this is the correct forum for this query

I have a top level folder on a file server called IT that has a lot of Groups or user names added over the years. These have Usernames, Domain Users, IT Group, Finance Group, Administrators etc. in the Properties Security Settings

When i look at sub folders Properties Security settings some of these have Usernames, Finance Group, Administrators and nothing else. Others have Domain Users, Usernames and Administrators etc. so its a bit of a mess.

I want to review and sort this so that from the Top Level IT Folder only the IT Group and Administrators is added and this propagates down to every sub folder and file. I then want to remove any Usernames, Domain Users and Finance Group from the top level IT folder and every sub folder and file below this. In effect i want to restrict access to every folder and file in the IT Folder and subfolders to any member of the IT Group and Administrators.

If in the future a user needs access only to one of the sub folders i want to be able to give them access to this without accessing anything else

What is the best way to achieve this as i don't want to make changes and then find i have done this wrong and locked myself out of the folders. I do have administrator access just in case.

Thanks

John

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,049 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,833 questions
Accepted answer
  1. MotoX80 33,481 Reputation points
    2024-07-27T02:21:33.8566667+00:00

    In effect i want to restrict access to every folder and file in the IT Folder and subfolders to any member of the IT Group and Administrators.

    You can just set the permissions on the top level folder to what you want and then force those permissions down to every file and folder by selecting the "Replace all child object permission entries...." option.

    Two items of note, first, all permissions will be overwritten. Any permissions that were set will be lost. Second, if any folders have inheritance disabled, and administrator group access removed, you will get an error because you won't have write access to update the permissions. That can be fixed if you run into that.

    I recommend that you test this on a small folder structure to get an idea of how it works before you try to push this down to all 597 subfolders. Or try it on the first of the 597 folders.

    User's image

    Here is a Powershell script that I called FindUnInheritedPerms.ps1 to report on folders whose permissions are different from their parent folder. This may help you understand what permissions have been set on your folders. 

    <#

.SYNOPSIS
This Powershell script will analyze a given folder structure and look to see what files/folder have uninherited ACL's

.DESCRIPTION
Find files/folder where admins/owners have been tweaking security permissions. 

For a later Q&A question, I added functionality to generate the icacls commands to grant access to some
account/group on any folder that did not inherit permissions from its parent folder. Note that it only generates
the command, it does not execute it. You need to capture the output, verify it's correctness, and then execute
those commands. 
 

This script accepts these parameters.
-path      The path to the folder to be analyzed.
-all       If true, analyze files in addition to folders.  
-depth     How many subfolders to analyze 
-grant     Generate icacls /grant command for each folder which does not inherit any permissions.

.EXAMPLE
./FindUnInheritedPerms.ps1 -path c:\temp 
./FindUnInheritedPerms.ps1 -path c:\temp -all 
./FindUnInheritedPerms.ps1 -path c:\temp -depth 2 /grant "BUILTIN\Administrators:(OI)(CI)(F)"


.NOTES

Author: MotoX80 on Microsoft Q&A Forums 
Version: 2024-07-26
#>

param (
    [string]$path = '',                            # analyze this folder
    [switch]$all,                                  # include files 
    [string]$grant = '',                           # generate icacls commands
    [string]$depth = '9999999'                     # folder depth to analyze 
 )

if ($path -eq '') {
    "Please specify a path to a folder to analyze."
    return 
}

if ($grant -eq '') {
	"Base permissions on $path"
	Get-Acl -Path $path | select-object -ExpandProperty access |   format-table -Property IdentityReference, AccessControlType, FileSystemRights, IsInherited 
}
if ($all) {
    $folders = Get-ChildItem -Path $path -depth $depth -recurse
} else {
    $folders = Get-ChildItem -Path $path -Directory -depth $depth -recurse
}


foreach ($folder in $folders) {
    $acls = Get-Acl -Path $folder.FullName
		
    if ($acls.AreAccessRulesProtected -eq $true) {     # we found a folder that does not inherit permissions. 
			if ($grant -eq '') {
				$folder.FullName          # This one 
				$acls | select-object -ExpandProperty access |   format-table -Property IdentityReference, AccessControlType, FileSystemRights, IsInherited
			} else {
				'icacls "{0}" /grant "{1}"' -f $folder.FullName, $grant 
			}
    }
    else {
        # look for additional acls that were added to the ones inherit3ed from parent folder.
        $unique = $acls | select-object -ExpandProperty access | where-Object -property IsInherited -eq $false 
        if (($unique -ne $null) -and ($grant -eq '')) {
            "*{0}      (In addition to inherited perms)" -f $folder.FullName          # This one 
            $unique |  format-table -Property IdentityReference, AccessControlType, FileSystemRights, IsInherited
        }
    }
}```
    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ian Xue 36,751 Reputation points Microsoft Vendor
    2024-07-25T02:56:47.6+00:00

    Hi,

    You can disable inheritance on the top level folder and add permissions manually for the groups you want. Then remove all the permissions that are not inherited on the sub folders.

    If you have a large number of folders to modify, you might consider using the PowerShell cmdlet Set-Acl.

    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl

    You can refer to this link for more details.

    https://petri.com/how-to-use-powershell-to-manage-folder-permissions/

    Best Regards,

    Ian Xue

    If the Answer is helpful, please click "Accept Answer" and upvote it.

  2. John Kelly 166 Reputation points
    2024-08-05T11:54:22.37+00:00

    Hi

    Thank you both for your input. I tried running the PS script but it just hung for ages so i aborted it. I ticked the Replace all child permissions and that worked on most. I checked at each folder level directly under IT and there were a couple of folders were the existing groups/users remained and IT Group was missing. I fixed this at each level and all working now.

    I just need to do the same now for all departments and hopefully no major issues :)

    Regards

    John

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.