Script to set permissions on all subfolders of the same name based on the name of a higher subfolder

eckinator 21 Reputation points
2022-12-06T10:42:16.307+00:00

Hi,
I haven't been able to find or think up anything that will do what I need - our legal department has a network share containing close to 15K subfolders and would like to make signed contracts visible to the heads of the departments concerned. So basically a script is needed that parses the share for department folders - all named with the two-letter department code - and gives the respective head of dept. permission to list subfolders, and then parses for subfolders named "signed" and gives the respective head of dept. read access to those folders and their contents. The folders "signed" have no subfolders, only files.
I'm not really good at scripting so I'm afraid I have to be a code leech here... any help is appreciated.
Cheers
Eck

Folder structure:
T:\Legal\{DeptCode}\{Category}\{CaseName}\Contracts\Signed\yyyymmdd_contract_{casename}.pdf

PS: I have found some sample commands for icacls and subinacl that I am trying to build something with. Ideally in a later iteration there will be a powershell script allowing legal to automatically create subfolders with the proper permissions already in place since inheritance is obviously an issue. I'll add in comments everything I come up with as I go along.


Accepted answer
  1. MotoX80 36,291 Reputation points
    2022-12-06T18:26:10.277+00:00

    Use Powershell, not a bat file.

    Build a csv to identify the owners.

    "DeptCode","DeptHead"
    "00","Larry"
    "01","Moe"
    "02","Curley"

    I tested with this structure.

    md C:\temp\Tdrive\Legal01ABCDEFG\Contracts\Signed\
    md C:\temp\Tdrive\Legal01HIJKLMN\Contracts\Signed\
    md C:\temp\Tdrive\Legal02ABCDEFG\Contracts\Signed\
    md C:\temp\Tdrive\Legal03ABCDEFG\Contracts\Signed\
    md C:\temp\Tdrive\Legal01ABCDEFG\Contracts\Other\
    md C:\temp\Tdrive\Legal01HIJKLMN\Contracts\Other\
    md C:\temp\Tdrive\Legal02ABCDEFG\Contracts\Other\
    md C:\temp\Tdrive\Legal03ABCDEFG\Contracts\Other\

    This script processes the folders+csv and just displays the icacls command. Remove the outer quotes to actually run it.

    Test test test before you update 15k folders. Make sure that the icacls format is correct.

    $Csv = Import-Csv "C:\temp\test.csv"              # DeptCode -> DeptHead mapping from the csv above
    $BaseFolder = "C:\temp\Tdrive\"
    $TopFolders = Get-ChildItem -Path $BaseFolder -Directory
    foreach ($TF in $TopFolders) {
        ""
        "Processing folder {0}" -f $TF.Name
        $Dept = $TF.Name.Substring(5,2)               # Assuming the word 'Legal' followed by a 2 digit code
        $Dept
        # https://devblogs.microsoft.com/scripting/powertip-get-row-from-csv-file-based-on-value
        $DeptHead = $Csv.Where({$_.DeptCode -eq $Dept}).DeptHead
        if ($DeptHead) {
            $DeptHead
            # (CI)(RX): list/read on the top folder, inherited by subfolders only (not files)
            "icacls.exe `"$($TF.FullName)`" /grant `"$($DeptHead):(CI)(RX)`""
            $SignedFolders = Get-ChildItem -Path $TF.FullName -Filter "Signed" -Directory -Recurse
            foreach ($sf in $SignedFolders) {
                # (OI)(CI)(RX): read on Signed, inherited by its files and any subfolders
                "icacls.exe `"$($sf.FullName)`" /grant `"$($DeptHead):(OI)(CI)(RX)`""
            }
        } else {
            "Error! Department not found in CSV."
        }
    }

    Note: as a retired server admin, I recommend using groups and not individual user accounts. That way when you eventually get the request for "Larry has resigned, and Moe has been named department head, grant Moe whatever access that Larry had", you just add Moe to the department owner group and remove Larry. And you don't have to go searching the file system for permissions that reference Larry.

    "I'm not really good at scripting"

    Download and refer to this documentation.

    https://www.sapien.com/books_training/Windows-PowerShell-4


3 additional answers

  1. eckinator 21 Reputation points
    2022-12-06T14:18:10.733+00:00

  2. eckinator 21 Reputation points
    2022-12-08T11:32:15.647+00:00

    Hi MotoX80,
    (XJR rider here)
    That is awesome, thanks so much, and especially for the book link. I had already found a simple but ineffective, manual way (link in my first comment), but tried your code on a test structure on my end and it worked like a charm, a lot more efficiently. I created a group for each head of dept. so that I never have to touch the ACL again. Now there's just one problem I have to deal with - the heads of dept. see way too many empty folders despite ABE. My idea now is to find the "signed" subfolders and then, so to speak, "walk back up" the necessary "list folders" access to the dept. root folder so that people can only drill down to where they need to get. I have no clue where to even begin with that one... =[ If you have any idea, I'd greatly appreciate your input.
    Cheers
    Eck


  3. eckinator 21 Reputation points
    2022-12-08T13:18:10.387+00:00

    Oh, one more thing, in my environment the dept. tag is not a substring, but a subfolder of Legal - please, how would I tweak generation of the variable to read a two letter folder name below Legal?
    Also, I have named the head of dept. groups "Ho[dept. code]" (e.g. HoBY = Head of Buying) so that I can use the same variable to input which group permissions to grant to. Learning here =]
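Putting the two follow-ups together (department code as a subfolder of Legal, groups named Ho<code>, and "walking back up" list rights from each Signed folder to the department root), the following is an added example and not code from any post in this thread. It assumes the layout T:\Legal\<Dept>\<Category>\<Case>\Contracts\Signed from the question, that the Ho<Dept> groups already exist, and prints the icacls commands unless run with -Apply.

```powershell
# Added example (not from the thread). Grants each Ho<Dept> group list-only rights on every
# folder between the department root and a Signed folder, and read rights on Signed itself,
# so that with ABE enabled the department head sees only the path down to signed contracts.
param(
    [string]$LegalRoot = 'T:\Legal',   # assumption: two-letter department folders sit directly under Legal
    [switch]$Apply                     # without -Apply, only print the icacls commands (dry run)
)

# Remember (path, rights) pairs already granted: many Signed folders share the same parents.
$granted = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)

function Invoke-Grant {
    param([string]$Path, [string]$Group, [string]$Rights)
    if (-not $granted.Add("$Path|$Rights")) { return }   # already handled for an earlier Signed folder
    if ($Apply) {
        icacls.exe $Path /grant "$($Group):$Rights" | Out-Null
    } else {
        "icacls.exe `"$Path`" /grant `"$($Group):$Rights`""
    }
}

foreach ($deptDir in Get-ChildItem -Path $LegalRoot -Directory) {
    if ($deptDir.Name -notmatch '^[A-Z]{2}$') { continue }   # skip anything that is not a dept code
    $group = "Ho$($deptDir.Name)"                            # e.g. HoBY = Head of Buying (assumed naming)

    $signedFolders = Get-ChildItem -Path $deptDir.FullName -Directory -Recurse -Filter 'Signed'
    foreach ($sf in $signedFolders) {
        # Walk up from Contracts to the department folder. (RX) without (OI)/(CI) applies to
        # "this folder only": the head can list and traverse it but nothing below inherits it.
        $p = $sf.Parent
        while ($p -and $p.FullName -ne $LegalRoot.TrimEnd('\')) {
            Invoke-Grant -Path $p.FullName -Group $group -Rights '(RX)'
            $p = $p.Parent
        }
        # Signed itself: read, inherited by its files (OI) and any future subfolders (CI).
        Invoke-Grant -Path $sf.FullName -Group $group -Rights '(OI)(CI)(RX)'
    }
}
```

Because the intermediate grants carry no inheritance flags, sibling folders such as Contracts\Other stay hidden under ABE, which is the part the accepted answer's (CI)(RX) grant on the department root does not give you.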

