WindowsPowerShell [Get-Acl / Set-Acl]

So you might have guessed from my previous transport post that I now wanted to automate moving the logs and database to another drive.

It is nice and simple: you create a folder on the new drive and change the paths, both in EdgeTransport.exe.config and by using Set-TransportServer.

BUT I discovered that some of the folders have specific permissions, mainly for the Network Service account.

So what to do?

Well, you can use Get-Acl to read the ACL from the source folder and then apply it to the new destination with Set-Acl, and it works like a dream, except for two gotchas.

1) You can't have Network Service as the owner of a folder.

2) You need to remove all the existing permissions on the destination folder and then add the new ones.


#1 was quite simple: set the owner of the source folder ($OldPath) to the Administrators group, then take a snapshot of the ACL and transfer it:

$tmpACL = Get-Acl $OldPath

IF ($tmpACL.Owner -MATCH "NT Authority")
{
#You can't have any NT Authority groups as an owner.
#replace with administrators
#Reset the Owner and get the permissions again
[System.Security.Principal.NTAccount]$newOwner = "Administrators"
$var = Get-Item $OldPath
$acl = $var.GetAccessControl()
$acl.SetOwner($newOwner)
$var.SetAccessControl($acl)
$tmpACL = Get-Acl $OldPath
}

#2 was a challenge. I was going round and round in circles because I couldn't remove the permissions on the new folder. Then the penny dropped: they are inherited from the folder above, so you need to remove the inheritance first.

#Remove inheritance from the folder so you can remove the ACLs.
#SetAccessRuleProtection only changes the in-memory object, so apply it with Set-Acl and re-read it.
$NewAcl = Get-Acl $NewPath
$NewAcl.SetAccessRuleProtection($true, $false)
Set-Acl -AclObject $NewAcl -Path $NewPath
$NewAcl = Get-Acl $NewPath

And that was it .. cool!

So I created this function. To use it, pass the following:

DoNewFolder -old  -new  -makefldr 1

Enjoy and let me know what you think


Function doNewFolder($OldPath, $NewPath, $makefldr = 1)
{
#Get the original ACL and put it on the new path
#Create the new folder (makefldr: 0=No, 1=Yes, default 1)

## Parse parameters passed as "-paramname paramvalue" in $args
for($i = 0; $i -lt $args.Length; $i++)
{
switch ($args[$i])
{
"-makefldr"
{
If ($args[$i+1]) {$makefldr = $args[$i+1] ; $i++}
}
"-Old"
{
If ($args[$i+1]) {$OldPath = $args[$i+1] ; $i++}
}
"-new"
{
if ($args[$i+1]) {$NewPath = $args[$i+1] ; $i++}
}
}
}

IF ($doDebug) {Write-Host $OldPath}
IF ($doDebug) {Write-Host $NewPath}
IF ($doDebug) {Write-Host $makefldr}

#Test the OldPath to make sure it actually exists
$tmpErr = Get-Item $OldPath -ErrorAction SilentlyContinue
if ($tmpErr -eq $Null)
{
If ($makefldr -eq 1) #create the old folder if it is missing and makefldr is 1
{
Write-Host "Creating " $OldPath
MD $OldPath -ErrorAction SilentlyContinue | Out-Null
}
}

If ($makefldr -eq 1) #create the new folder if makefldr is 1
{
Write-Host "Creating " $NewPath
MD $NewPath | Out-Null
}

$tmpACL = Get-Acl $OldPath

IF ($tmpACL.Owner -MATCH "NT Authority")
{
#You can't have any NT Authority groups as an owner.
#replace with administrators
#Reset the Owner and get the permissions again
[System.Security.Principal.NTAccount]$newOwner = "Administrators"
$var = Get-Item $OldPath
$acl = $var.GetAccessControl()
$acl.SetOwner($newOwner)
$var.SetAccessControl($acl)
$tmpACL = Get-Acl $OldPath
}

#Get the ACLs for the new path
$NewAcl = Get-Acl $NewPath

#Remove inheritance from the folder so you can remove the ACLs
#(SetAccessRuleProtection only changes the in-memory object, so apply it with Set-Acl)
$NewAcl.SetAccessRuleProtection($true, $false)
Set-Acl -AclObject $NewAcl -Path $NewPath
$NewAcl = Get-Acl $NewPath

#Loop the remaining (explicit) ACLs on the new folder and remove them
$tmpcnt = $NewAcl.Access.Count
for ($i = 0; $i -lt $tmpcnt; $i++)
{
$NewAcl.RemoveAccessRule($NewAcl.Access[0]) | Out-Null
}

#Add the SDDL from the old path, then block inheritance again in case the
#old path's SDDL did not carry the protected flag
$NewAcl.SetSecurityDescriptorSddlForm($tmpACL.Sddl)
$NewAcl.SetAccessRuleProtection($true, $false)

$tmpAclAccessCount = $tmpACL.Access.Count

#Loop the access rules from the old path and add them to the new one
#(AddAccessRule keeps several rules for the same identity; SetAccessRule would replace them)
for ($i = 0; $i -lt $tmpAclAccessCount; $i++)
{
$NewAcl.AddAccessRule($tmpACL.Access[$i])
}

#Apply the rebuilt ACL (not the old one) to the new path
Set-Acl -AclObject $NewAcl -Path $NewPath
}
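As an added example (not code from the original post), here is a companion function that checks a source/destination pair for the two gotchas above before you copy, and then compares the explicit access rules on both folders so you can confirm that doNewFolder left the destination with exactly the permissions the source had. The function name, its parameter names and the paths in the usage line are mine; it assumes both folders already exist and that you can read their security descriptors.

```powershell
# Added example, not part of the original post.
# Compare the DACL of a source folder with its copy and flag the two gotchas:
#   1) an NT AUTHORITY principal (e.g. NETWORK SERVICE) as owner
#   2) inherited rules still present on the destination
# Assumes both paths exist; $SourcePath / $DestPath are hypothetical parameter names.
Function Compare-FolderAcl {
    param(
        [Parameter(Mandatory=$true)][string]$SourcePath,
        [Parameter(Mandatory=$true)][string]$DestPath
    )

    $src = Get-Acl -Path $SourcePath
    $dst = Get-Acl -Path $DestPath

    # Gotcha 1: an NT AUTHORITY owner cannot be applied to the destination.
    if ($src.Owner -match '^NT AUTHORITY\\') {
        Write-Warning ("Source owner '{0}' cannot be set as owner; use Administrators instead" -f $src.Owner)
    }

    # Gotcha 2: inherited rules cannot be removed one by one; if they are still
    # there the DACL has not been protected with SetAccessRuleProtection yet.
    $inherited = @($dst.Access | Where-Object { $_.IsInherited })
    if ($inherited.Count -gt 0 -and -not $dst.AreAccessRulesProtected) {
        Write-Warning ("{0} still inherits {1} rule(s) from its parent" -f $DestPath, $inherited.Count)
    }

    # Build a comparable string for each explicit (non-inherited) rule.
    $toKey = {
        param($rule)
        '{0}|{1}|{2}|{3}|{4}' -f $rule.IdentityReference, $rule.FileSystemRights,
            $rule.AccessControlType, $rule.InheritanceFlags, $rule.PropagationFlags
    }
    $srcKeys = @($src.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { & $toKey $_ })
    $dstKeys = @($dst.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { & $toKey $_ })

    $missing = @($srcKeys | Where-Object { $dstKeys -notcontains $_ })
    $extra   = @($dstKeys | Where-Object { $srcKeys -notcontains $_ })

    [pscustomobject]@{
        SourceOwner   = $src.Owner
        DestOwner     = $dst.Owner
        DestProtected = $dst.AreAccessRulesProtected
        MissingOnDest = $missing   # rules on the source that the destination lacks
        ExtraOnDest   = $extra     # rules on the destination the source does not have
        Match         = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Usage with hypothetical paths, run after doNewFolder has copied the ACL:
# Compare-FolderAcl -SourcePath 'C:\OldLogs' -DestPath 'E:\NewLogs'
```

Run it once before doNewFolder (to see the owner and inheritance warnings) and once after; a result with Match set to True and DestProtected set to True means the destination carries the source's explicit rules and nothing extra from its parent folder.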
