#########################################################
#
# Script to Fix web NTFS permissions.
#
# Created Aug 23, 2010
# Bryan Loveless
#
#
# Requires Powershell 2.0
#
# If scripts are blocked locally, relax the execution policy only as far as needed:
#   Set-ExecutionPolicy RemoteSigned -Scope Process
# (-Scope Process is available in PowerShell 2.0 and keeps the change to this session
# instead of persisting a machine-wide policy change.)
#
#Prereqs:
#
#
#based on http://blog.netnerds.net/2007/07/powershell-set-acl-does-not-appear-to-work/
#
########################################################
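#the correct permissions on All Tiers (edited) are FC:(usernames went here for documentation)
# RXLR: localmachine\IIS_IUSRS
#
# NOTE(review): this script is ADDITIVE. It adds Allow entries for the accounts listed
# below and never removes anything already on the ACL, so an over-broad entry that is
# already on the web root (say, Users or Everyone with Modify) stays there. If the intent
# is that the accounts below are the ONLY ones with access, check the result afterwards
# (Get-Acl $path | Format-List, or icacls) and remove stale entries by hand.
#
# Every entry is written with InheritanceFlags "ContainerInherit, ObjectInherit" and
# PropagationFlags "None", i.e. it applies to the folder, its subfolders and its files -
# but only to children that still inherit; a child with inheritance switched off keeps
# its own ACL untouched.

# Adds one inheritable Allow entry for $identity to the in-memory ACL $acl.
#   $acl      - a FileSystemSecurity object obtained from Get-Acl; modified in place.
#   $identity - the account as the ACL should see it: "DOMAIN\user" for domain accounts,
#               a bare name such as "system" or "IIS_IUSRS" for well-known local principals.
#   $rights   - a FileSystemRights value, e.g. "FullControl" or "ReadAndExecute".
# The account name is translated to a SID here, up front, so a typo in one of the user
# lists fails on the offending name with a clear message instead of surfacing later from
# Set-Acl after the other entries have already been queued.
# FYI, the possible values for $rights are "ListDirectory, ReadData, WriteData, CreateFiles,
# CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse,
# ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete,
# ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership,
# Synchronize, FullControl".
function Add-InheritableAllowRule($acl, $identity, $rights)
{
    $account = New-Object System.Security.Principal.NTAccount($identity)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    # folder + subfolders + files; PropagationFlags None = no "inherit only" / "one level" limits
    $inherit     = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]"None"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $rights, $inherit, $propagation, "Allow")
    $acl.AddAccessRule($rule)
}

$whorunsthis = [string](Read-Host "Is this a (S)erver (c:\otherplaceIhavethem) or your (L)ocal box (C:\intetorsomething\Websites)? (S/L)")
Write-Host "Also, this script will take a few minutes, give it some time."
# -eq on strings is case-insensitive, so "s" and "l" are accepted too; Trim() forgives a stray space.
$choice = $whorunsthis.Trim()
if ($choice -eq "S")
{
    $path = "c:\otherplaceIhavethem"
}
elseif ($choice -eq "L")
{
    $path = "C:\intetorsomething\Websites"
}
else
{
    Write-Host "you must select S or L"
    Exit
}

# Fail early and clearly rather than letting Get-Acl error on a missing directory.
if (-not (Test-Path -LiteralPath $path -PathType Container))
{
    Write-Host "$path does not exist on this machine; no permissions were changed."
    Exit
}

# Accounts to grant. Domain accounts are qualified with $userdomain below; the two local
# lists are well-known principals that resolve without a domain prefix.
$fullControlDomainFolks = "user1","abc123","edf456","anotherusername"
$fullControlLocalUsers  = "system"
$readOnlyLocalUsers     = "IIS_IUSRS"
# NetBIOS domain name for the $fullControlDomainFolks accounts (placeholder in the original).
$userdomain = "DomainName"

try
{
    # Get-Acl only hands back an object, so we start from the directory's current ACL,
    # queue every new entry on that one object and commit it with a single Set-Acl
    # (the original committed once per account, re-propagating inheritance each time).
    $acl = Get-Acl -Path $path -ErrorAction Stop

    foreach ($user in $fullControlDomainFolks)
    {
        Add-InheritableAllowRule $acl "$userdomain\$user" "FullControl"
    }
    foreach ($user in $fullControlLocalUsers)
    {
        Add-InheritableAllowRule $acl "$user" "FullControl"
    }
    foreach ($user in $readOnlyLocalUsers)
    {
        Add-InheritableAllowRule $acl "$user" "ReadAndExecute"
    }

    # Write the amended ACL back; this is the slow step on a large tree.
    Set-Acl -AclObject $acl -Path $path -ErrorAction Stop
    Write-Host "Permissions on $path updated."
}
catch
{
    # If we got here before Set-Acl ran, nothing on disk has changed; if Set-Acl itself
    # failed, the tree may be partially updated - re-run after fixing the reported cause.
    Write-Host "Failed to update permissions on ${path}: $($_.Exception.Message)"
    Exit 1
}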
If I spend some time figuring out something that might help others, and that I haven't been able to find on the Internet, I will post about it. I hope to save some poor IT guy or gal some time.
Friday, August 27, 2010
fix NTFS permissions on website directories using POSH