ACL groups

Anonymous
2024-04-11T15:01:36+00:00

I have to add groups to the security groups (ACLs) of some folders and files.

The groups are added using the name of the folder they belong to. If the group(s) exist in AD, then the script adds them to the folder.

The script works fine overall; however, it needs the last step (it simulates a sort of inheritance).

The issue is that when a folder doesn't have a group associated with it, the script is not able to add the parent's groups to the sub-folders and files (because it doesn't know where to get them).

Unfortunately, inheritance can't help because the folders are already present.

I don't know if this could be a solution (I'm sure there is a better and simpler solution), but I couldn't find a way to save in a variable the groups that exist (found previously in the parent folder); in that case I could use it to add the group(s) to the sub-folders and files. The groups would stay saved in the variable until the script finds another folder (with groups associated with it); then it should replace the previous groups with the new ones (and use them on the next folders and files).

Any help is really appreciated.

# ----- SCRIPT ----------

$fileList = Get-ChildItem -Recurse -Path "E:\test2"

foreach ($item in $fileList) {

    $fileName = $item.Name
    $Path     = $item.FullName

    # Groups are named after the folder: Local.Group_<name>.R / Local.Group_<name>.RW.
    # -ExpandProperty returns plain names, so no '@{name=...}' string cleanup is needed.
    # (Folder names containing a single quote would break this -Filter string.)
    $GroupID = Get-ADGroup -Filter "Name -like 'Local.Group_$fileName.R' -or Name -like 'Local.Group_$fileName.RW'" |
        Select-Object -ExpandProperty Name

    $ACL = Get-Acl -Path $Path

    # Disable inheritance and drop the inherited ACEs; everything below is explicit.
    $ACL.SetAccessRuleProtection($true, $false)

    # Folders get inheritable ACEs; files must use InheritanceFlags "None"
    # (inheritance flags are not valid on a file ACE).
    if ($item.PSIsContainer) {
        $inherit = "ContainerInherit,ObjectInherit"
    } else {
        $inherit = "None"
    }

    # Administrators always keep Full Control (added once, not once per group).
    $ACL.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators", "FullControl", $inherit, "None", "Allow")))

    if ($null -ne $GroupID) {
        foreach ($NameAD in $GroupID) {
            $modifiedADname = "DOMAIN\" + $NameAD

            # Group name ending in "RW" -> Modify; ending in "R" -> ReadAndExecute
            if ($modifiedADname -match 'RW$') {
                $ACL.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($modifiedADname, "Modify", $inherit, "None", "Allow")))
            }
            elseif ($modifiedADname -match 'R$') {
                $ACL.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($modifiedADname, "ReadAndExecute", $inherit, "None", "Allow")))
            }
            else {
                # Neither suffix: cannot happen with the filter above, kept as a fallback
                $ACL.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($modifiedADname, "Read", $inherit, "None", "Allow")))
            }
        }
    }

    # Write the ACL once per item, after all rules have been added.
    Set-Acl -Path $Path -AclObject $ACL
}

Windows Server | Remote and virtual desktops | PowerShell

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

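The following is an added example, not the poster's script, showing one way to do the "simulated inheritance" asked for above: walk the tree depth-first and pass the nearest ancestor's groups down to every folder that has no groups of its own, and to every file. It assumes the naming convention from the question (Local.Group_<FolderName>.R / .RW), the NetBIOS domain name "DOMAIN", the root E:\test2 and the ActiveDirectory (RSAT) module; all of these are parameters and none of them come from the original post. The folder name is escaped before it is placed in the LDAP filter, so a folder called "Finance (2023)" or "a*b" cannot change the shape of the AD query.

```powershell
# Added example, not the poster's script. Assumes the naming convention from the
# question (Local.Group_<FolderName>.R / .RW), the NetBIOS domain name "DOMAIN",
# the root E:\test2, and the ActiveDirectory module (RSAT) being installed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root   = 'E:\test2',
    [string]$Domain = 'DOMAIN',
    [string]$Prefix = 'Local.Group_'
)

Import-Module ActiveDirectory

# Rights granted per group-name suffix (the ".R" / ".RW" tail of the group name).
$RightsBySuffix = @{
    'RW' = [System.Security.AccessControl.FileSystemRights]::Modify
    'R'  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
}

function ConvertTo-LdapFilterLiteral {
    # RFC 4515 escaping, so a folder name cannot inject extra clauses into the filter.
    param([string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'       { [void]$sb.Append('\5c') }
            '*'       { [void]$sb.Append('\2a') }
            '('       { [void]$sb.Append('\28') }
            ')'       { [void]$sb.Append('\29') }
            ([char]0) { [void]$sb.Append('\00') }
            default   { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Get-FolderGroups {
    # Returns the names of the R/RW groups that exist in AD for this folder name.
    param([string]$FolderName)
    $lit = ConvertTo-LdapFilterLiteral $FolderName
    $filter = "(|(name=${Prefix}${lit}.R)(name=${Prefix}${lit}.RW))"
    @(Get-ADGroup -LDAPFilter $filter | Select-Object -ExpandProperty Name)
}

function New-ItemAcl {
    # Builds the protected ACL for one folder or file: Administrators Full Control
    # plus one Allow ACE per group. Existing explicit ACEs are kept, as in the
    # original script; inherited ACEs are dropped by SetAccessRuleProtection.
    param([string]$Path, [string[]]$Groups, [bool]$IsContainer)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    # Inheritance flags are only valid on containers; a file ACE must use None.
    $inherit = if ($IsContainer) {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        [System.Security.AccessControl.InheritanceFlags]::None
    }
    $none  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Administrators', 'FullControl', $inherit, $none, $allow))
    foreach ($group in $Groups) {
        $rights = $RightsBySuffix[($group -split '\.')[-1]]
        if (-not $rights) { Write-Warning "Unexpected suffix on $group, skipped"; continue }
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            "$Domain\$group", $rights, $inherit, $none, $allow))
    }
    $acl
}

function Set-TreeAcl {
    # Depth-first walk. A folder with its own groups starts a new scope; a folder
    # without them reuses the nearest ancestor's groups, which is the "simulated
    # inheritance" the question asks for. Files always take the enclosing scope.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Folder, [string[]]$InheritedGroups)
    $own = Get-FolderGroups -FolderName (Split-Path -Leaf $Folder)
    $effective = if ($own.Count -gt 0) { $own } else { $InheritedGroups }
    if ($PSCmdlet.ShouldProcess($Folder, "ACL for: $($effective -join ', ')")) {
        Set-Acl -LiteralPath $Folder -AclObject (New-ItemAcl $Folder $effective $true)
    }
    foreach ($child in Get-ChildItem -LiteralPath $Folder -Force) {
        # Do not follow junctions/symlinks: they could lead the re-ACL outside $Root.
        if ($child.Attributes -band [System.IO.FileAttributes]::ReparsePoint) { continue }
        if ($child.PSIsContainer) {
            Set-TreeAcl -Folder $child.FullName -InheritedGroups $effective
        } elseif ($PSCmdlet.ShouldProcess($child.FullName, "ACL for: $($effective -join ', ')")) {
            Set-Acl -LiteralPath $child.FullName -AclObject (New-ItemAcl $child.FullName $effective $false)
        }
    }
}

# Run with -WhatIf first to see which groups every folder and file would get.
Set-TreeAcl -Folder $Root -InheritedGroups @()
```

Run it once with -WhatIf: each line of output names the folder or file and the groups it would receive, which makes it easy to check that a sub-folder without its own AD groups really picks up its parent's. Because every item is written with its ACL protected, nothing relies on NTFS inheritance, which is what the question describes; the native alternative, if the folders without their own groups may simply inherit, is to call SetAccessRuleProtection($false, $true) on those items instead of writing explicit ACEs to each of them.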

1 answer

  1. Anonymous
    2024-04-12T07:07:34+00:00

    If the current user that runs the script has no permissions on the parent folder, the script will not be able to get the child items in it. You need to allow the current user, or a group that contains the current user, to at least list the directory. Since you have already taken ownership of the directory, you may add a new access rule to the parent folder temporarily before getting its contents and remove the access rule at the end of the script if you don't want it.

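As an added example (not the answerer's code), this is what the temporary access rule described in the answer looks like when the removal is guaranteed by a finally block, so the extra ACE does not survive if the script fails half way. It assumes the account running the script already owns the parent folder (an owner holds READ_CONTROL and WRITE_DAC implicitly, which is what lets Get-Acl and Set-Acl work before any ACE is granted) and uses E:\test2 as the parent path; both are assumptions, not details from the thread.

```powershell
# Added example, not the answerer's code. Grants the running account a temporary
# "list directory" ACE on the parent folder, enumerates it, and removes the ACE
# again in a finally block. Assumes the caller already owns $Parent.
param([string]$Parent = 'E:\test2')

$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$temp = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $me,
    [System.Security.AccessControl.FileSystemRights]'ListDirectory, ReadAttributes, ReadPermissions',
    [System.Security.AccessControl.InheritanceFlags]::None,   # the parent only, not its children
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Ownership gives READ_CONTROL/WRITE_DAC, so reading and rewriting the ACL works
# even though the account has no explicit ACE yet.
$acl = Get-Acl -LiteralPath $Parent
$acl.AddAccessRule($temp)
Set-Acl -LiteralPath $Parent -AclObject $acl
try {
    # With ListDirectory granted, enumeration no longer fails with access denied.
    $children = Get-ChildItem -LiteralPath $Parent -Force
    $children | Select-Object FullName, PSIsContainer
}
finally {
    # Re-read the ACL before removing: processing above may have rewritten it.
    $acl = Get-Acl -LiteralPath $Parent
    [void]$acl.RemoveAccessRule($temp)
    Set-Acl -LiteralPath $Parent -AclObject $acl
}
```

RemoveAccessRule matches on identity, rights and access type, so it takes away exactly the rights that were added and leaves any other ACE for the same account untouched.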