Friday, August 27, 2010

fix NTFS permissions on website directories using POSH

#########################################################
#
# Script to Fix web NTFS permissions.
#
# Created Aug 23, 2010
# Bryan Loveless 
#
#
# Requires Powershell 2.0
#
# Change your Execution policy to RemoteSigned if running locally
# by: Set-executionpolicy -executionpolicy RemoteSigned
#
#Prereqs: 
#
#
#based on http://blog.netnerds.net/2007/07/powershell-set-acl-does-not-appear-to-work/
#
########################################################



# The intended permissions on all tiers (edited) are: Full Control for (usernames went here for documentation)
# and Read/Execute + List (RXLR) for localmachine\IIS_IUSRS.


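#######################################
# Add-FolderAccessRule
# Appends one "Allow" ACE granting $Rights to $Identity on the ACL of $FolderPath.
# The ACE is set to inherit to sub-folders and files (ContainerInherit, ObjectInherit)
# with no propagation flags, exactly as the three original loops did.
# Arguments: $FolderPath - directory whose ACL is modified
#            $Identity   - account name accepted by FileSystemAccessRule, e.g. "DOMAIN\user"
#                          or a local/built-in name such as "system"
#            $Rights     - a System.Security.AccessControl.FileSystemRights name, e.g.
#                          "FullControl", "ReadAndExecute", "Modify", "Read", "Write"
# Outputs:   none; Set-Acl writes the modified ACL back to $FolderPath
# NOTE(review): this is purely additive. Existing explicit ACEs and inherited rules are
# left untouched, so an over-broad entry already present on the folder is NOT removed here.
#######################################
function Add-FolderAccessRule {
    param(
        [Parameter(Mandatory = $true)] [string] $FolderPath,
        [Parameter(Mandatory = $true)] [string] $Identity,
        [Parameter(Mandatory = $true)] [string] $Rights
    )
    # Inheritance on, so the ACE reaches everything under $FolderPath.
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]"None"
    # Get-Acl gives us the ACL object Set-Acl expects; modify it, then write it back
    # (see the netnerds link in the header for why Set-Acl needs an object to work on).
    $acl = Get-Acl -Path $FolderPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, $propagation, "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl
}

# Ask which machine class we are on; the two deployment roots differ.
$whorunsthis = Read-host "Is this a (S)erver (c:\otherplaceIhavethem) or your (L)ocal box (C:\intetorsomething\Websites)? (S/L)"
Write-Host "Also, this script will take a few minutes, give it some time."

# -eq is case-insensitive in PowerShell, so "s"/"l" are accepted as well.
if ($whorunsthis -eq "S") {
    $path = "c:\otherplaceIhavethem"
}
elseif ($whorunsthis -eq "L") {
    $path = "C:\intetorsomething\Websites"
}
else {
    Write-Host "you must select S or L"
    # Non-zero status so a caller can tell the run did nothing.
    exit 1
}

# Fail early with a clear message instead of letting Get-Acl error inside the loops.
if (-not (Test-Path -Path $path -PathType Container)) {
    Write-Host "path not found: $path"
    exit 1
}

$userdomain = "DomainName"
$fullControlDomainFolks = "user1","abc123","edf456","anotherusername"
$fullControlLocalUsers = "system"
$readOnlyLocalUsers = "IIS_IUSRS"

# Domain accounts: full control, qualified with the domain name ("\" is literal in PowerShell strings).
ForEach ($specificUser in $fullControlDomainFolks) {
    Add-FolderAccessRule -FolderPath $path -Identity "$userdomain\$specificUser" -Rights "FullControl"
}

# Local/built-in accounts: full control, unqualified name.
ForEach ($specificUser in $fullControlLocalUsers) {
    Add-FolderAccessRule -FolderPath $path -Identity $specificUser -Rights "FullControl"
}

# IIS worker identity: read + execute only.
ForEach ($specificUser in $readOnlyLocalUsers) {
    Add-FolderAccessRule -FolderPath $path -Identity $specificUser -Rights "ReadAndExecute"
}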
