Create ACL groups
Posted: Sat Mar 23, 2024 2:24 pm
I am not an expert
I copied folders from two different servers in different domain .
Unfortunately, the folders on the destination server cannot be reached from the users because the ACL groups copied by robocopy are present in the source domain and cannot be managed at the destination domain.
To solve the problem I should create new local groups (L) at the destination domain and populate them with the correct users (of the source).
The luck thing is that in the destination domain there are "mirror" groups (they have the same name having the same users >>> change only the last suffixs<<<<)
I can get the name of the group by using the name of each foder (present in the destination) and add it in between the 2 fixd suffix.
i.e. if the name of the folder is "financialtax" it can be added in between the two suffix: L. and Write/Read to generate the name group.
“L.financialtax_Write”"
“L.financialtax_Read”
I was trying to create a script that :
1)given a path (folder path) it parses each folders and sub-folder to catch each "folder name" and add it in between standard suffixs by a variable ($FolderName).
L.$FolderName_Write""
L.$FolderName_Read
2) check those groups (if they are present in the destination domain) and if it exists, then add it in the folders ACL groups.
I adapted a script below …but it doesn’t work properly.
It remove the groups present (when created) and replace them with the groups generated by the script instead of add them.
Another issue is the inheritance. The groups present in the parent folder should be propagated within each individual subfolder until the last file (but it does't happen)
-----------------------------
function Set-ACLRecursive {
param (
[Parameter(Mandatory=$true, ValueFromPipeline=$true)]
[System.IO.DirectoryInfo]$Folder
)
# get the folder name
$FolderName = $Folder.Name
# Build the name of the groups
$ReadGroupName = "L.$FolderName_Read"
$WriteGroupName = "L.$FolderName_Write"
# get group SID
$ReadGroupSID = (Get-ADGroup $ReadGroupName).SID
$WriteGroupSID = (Get-ADGroup $WriteGroupName).SID
# Imposta i permessi ACL per la cartella
$ACL = Get-Acl -Path $Folder.FullName
$ACL.SetAccessRuleProtection($true, $false) # Rimuove permission
$ACL.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($ReadGroupSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")))
$ACL.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($WriteGroupSID, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")))
Set-Acl -Path $Folder.FullName -AclObject $ACL
#Set ACL permissions for the sub-folder
foreach ($SubFolder in $Folder.GetDirectories()) {
Set-ACLRecursive $SubFolder
}
}
#Path Root folder
$RootFolder = “C:\path\folder”
#Function call to start scanning
Set-ACLRecursive (Get-Item $RootFolder)
I copied folders from two different servers in different domain .
Unfortunately, the folders on the destination server cannot be reached from the users because the ACL groups copied by robocopy are present in the source domain and cannot be managed at the destination domain.
To solve the problem I should create new local groups (L) at the destination domain and populate them with the correct users (of the source).
The luck thing is that in the destination domain there are "mirror" groups (they have the same name having the same users >>> change only the last suffixs<<<<)
I can get the name of the group by using the name of each foder (present in the destination) and add it in between the 2 fixd suffix.
i.e. if the name of the folder is "financialtax" it can be added in between the two suffix: L. and Write/Read to generate the name group.
“L.financialtax_Write”"
“L.financialtax_Read”
I was trying to create a script that :
1)given a path (folder path) it parses each folders and sub-folder to catch each "folder name" and add it in between standard suffixs by a variable ($FolderName).
L.$FolderName_Write""
L.$FolderName_Read
2) check those groups (if they are present in the destination domain) and if it exists, then add it in the folders ACL groups.
I adapted a script below …but it doesn’t work properly.
It remove the groups present (when created) and replace them with the groups generated by the script instead of add them.
Another issue is the inheritance. The groups present in the parent folder should be propagated within each individual subfolder until the last file (but it does't happen)
-----------------------------
function Set-ACLRecursive {
param (
[Parameter(Mandatory=$true, ValueFromPipeline=$true)]
[System.IO.DirectoryInfo]$Folder
)
# get the folder name
$FolderName = $Folder.Name
# Build the name of the groups
$ReadGroupName = "L.$FolderName_Read"
$WriteGroupName = "L.$FolderName_Write"
# get group SID
$ReadGroupSID = (Get-ADGroup $ReadGroupName).SID
$WriteGroupSID = (Get-ADGroup $WriteGroupName).SID
# Imposta i permessi ACL per la cartella
$ACL = Get-Acl -Path $Folder.FullName
$ACL.SetAccessRuleProtection($true, $false) # Rimuove permission
$ACL.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($ReadGroupSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")))
$ACL.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($WriteGroupSID, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")))
Set-Acl -Path $Folder.FullName -AclObject $ACL
#Set ACL permissions for the sub-folder
foreach ($SubFolder in $Folder.GetDirectories()) {
Set-ACLRecursive $SubFolder
}
}
#Path Root folder
$RootFolder = “C:\path\folder”
#Function call to start scanning
Set-ACLRecursive (Get-Item $RootFolder)