Applying Folder Permissions for nested folders

My company uses a network share to place all the customers’ information regarding work we are doing for them in a centralized location. Each job we do has its own folder and each folder has a standardized set of folders. Some of the information in these folders is available to all users, while some (like financial data) we keep secured.

The structure of the folders looks something like this (image on the left):


Note the job numbers are different but the subsequent folders are all the same. The issue at hand, however, is that the folders need separate security on each of them (or at least different security on each depending on the content of the folders and what management has asked for different groups to have access to). So for my example here, let’s say we have two groups, group A and group B.

Group A has full control over all the folders, and group B has access to all the folders except Drawings and Financials. The challenge, then, is to apply the correct security permissions. And while my drawing here shows just two folders, my real-life challenge consisted of hundreds of folders like this.

My original attempt was to create a template folder that had all of the correct permissions assigned to it. I then created a batch file for the end users to run to create a new folder with the correct security permissions. The batch file simply ran Robocopy with the /SEC switch.


ROBOCOPY \\Sourceserver\Share\Template \\Sourceserver\Share\!New /E /SEC

That’s put in a batch file, and the end user, when they start a new job, is supposed to run the batch file and then rename the “!New” folder that is created.

The problem is that relying on the end users to actually follow procedure is kind of pointless. They never do it, as it is much easier to copy and paste the new folder than to double-click a batch file.

So the issue that was presented to me was to apply the correct security consistently through hundreds of folders and multiple companies and various geographical sites and networks.


So my first thought was some sort of batch script, but that quickly became a nightmare due to the differences in file structure on the server.

I then turned to PowerShell. While I had minimal experience with PowerShell, with most of it being in the Exchange version of PowerShell, I knew of the awesome power of it and figured if anything could apply these permissions correctly it would be PowerShell.

Off to Google I went. I found many different solutions on how to assign permissions to a folder, but most of them were in reference to creating a folder and assigning permissions to the newly created folder. More specifically, they were usually talking in reference to user folders in the home directory. I wanted to change permissions on folders that were already existing.

So I broke the problem down into two parts.  The first part was to identify the folders to have their permissions changed and the second part was to actually change the permission.

I decided to create two variables. The first was the sub-folders I wanted to find and the second was the variable containing the path of the folders including the sub-folders. So in my example to the left, the first variable would be a static list of the sub-folders I want to change the permissions on (Drawings and Financials). The second variable would be the entire path of the folder. So, again from the example to the left, our paths would end up being \\Root\Job1\Financials, \\Root\Job1\Drawings, \\Root\Job2\Financials and \\Root\Job2\Drawings. I wanted to do it with two variables in case I need to change the name of the sub-folders later on. And piping the first variable into the second made for a nice clean method of making changes relatively easily.

But I am getting a little ahead of myself.

I started by trying to find all the folders in the location that had the name “Financials” in them.

$Folders = Get-ChildItem -Filter "Financials" -Recurse -Path "\\Root\Job1\"

This would return hundreds of the following:

Directory: \\root\Job96868\Financials
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 10/18/2013 8:59 AM Contract_PO

Not particularly useful, but I was on the right path in isolating the desired directories.

Looking into the Get-ChildItem a bit more I came up with changing the directory and running the following.

$Folders = Get-ChildItem -Recurse -Filter "Financials" | ?{ $_.PSIsContainer } | Select-Object FullName

Using the ?{ $_.PSIsContainer } allowed me to isolate just the folders with the name “Financials.” At the first pass, I thought I had it, but unfortunately the “Select-Object FullName” also returned the header FullName@(\\Root\Job1\Financials) which I could not use to apply ACLs to. Somehow I needed to return only the path name.

Finally I came up with the following:

$Folders = Get-ChildItem -Recurse -Filter "Financials" | ?{ $_.PSIsContainer } | Select -Expand FullName

This finally would fill the $Folders variable with just the full path of the Financials folder. Now on to applying the permissions. This was a matter of creating a loop for each item in the $Folders variable and applying the changes. In the end, here is what the PowerShell script looked like:

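cd \\Root
# Sub-folder names whose ACLs should be changed
$Subfolders = "Financials","Drawings"
$Folders = Get-ChildItem -Recurse -Include $Subfolders | ?{ $_.PSIsContainer } | Select -Expand FullName
$sid = "Group B"
foreach ($i in $Folders) {
    $Acl = Get-Acl $i
    # $False leaves inheritance from the parent folder enabled
    $Acl.SetAccessRuleProtection($False, $True)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($sid,"FullControl","ObjectInherit, ContainerInherit","None","Deny")
    # Add the Deny rule to the ACL object before writing it back
    $Acl.AddAccessRule($rule)
    Set-Acl $i $Acl
}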

So to explain what is happening here:

  1. Change the directory to the correct share
  2. Create a Variable to include the subfolders that you want to apply the ACL to.
  3. Create the $Folders Variable and populate the variable with the correct file Paths. Note that it is including only the folders defined by the $Subfolders variable.
  4. Create a variable for the groups which you want to Apply the permissions for.
  5. Create a loop that applies the ACLs to each “line” in the $Folders variable.
  6. Read the current ACL values into the $Acl variable.
  7. Protect the current ACL values and their inheritance.
  8. Create a $Rule variable to include the permission you want to include for the folder in question
  9. Apply the Permissions/ACL

I then created a ps1 file for this and used task manager to have it run the powershell script every hour so any new folders created will have the correct permissions applied.
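
A report-first variant of the hourly pass, added here as an example and not part of the original post: it lists the Financials and Drawings folders that do not yet carry the Deny entry for Group B (for instance, a job folder copied and pasted since the last run) and writes an ACL only when $ReportOnly is $false. It assumes PowerShell 3.0 or later; $Root, $ReportOnly and Test-DenyPresent are names introduced for this example.

```powershell
# Added example. \\Root, the folder names and "Group B" are the article's placeholders.
$Root       = '\\Root'
$Subfolders = 'Financials', 'Drawings'
$Group      = 'Group B'
$ReportOnly = $true    # assumption: audit by default; set to $false to also repair

$Full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$Deny    = [System.Security.AccessControl.AccessControlType]::Deny
$SidType = [System.Security.Principal.SecurityIdentifier]

# Resolve the group to a SID once, so matching does not depend on whether an
# ACE shows the name as "Group B" or "DOMAIN\Group B".
$GroupSid = (New-Object System.Security.Principal.NTAccount($Group)).Translate($SidType)

function Test-DenyPresent {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $hit = $Acl.GetAccessRules($true, $true, $SidType) | Where-Object {
        $_.IdentityReference.Value -eq $GroupSid.Value -and
        $_.AccessControlType -eq $Deny -and
        ($_.FileSystemRights -band $Full) -eq $Full
    }
    return [bool]$hit
}

$report = Get-ChildItem -Path $Root -Recurse -Directory |
    Where-Object { $Subfolders -contains $_.Name } |
    ForEach-Object {
        $acl    = Get-Acl -LiteralPath $_.FullName
        $denied = Test-DenyPresent $acl
        if (-not $denied -and -not $ReportOnly) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $GroupSid, $Full, 'ContainerInherit, ObjectInherit', 'None', $Deny)
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $_.FullName -AclObject $acl
        }
        [pscustomobject]@{
            Path          = $_.FullName
            DenyWasThere  = $denied
            Repaired      = (-not $denied -and -not $ReportOnly)
            LastWriteTime = $_.LastWriteTime
        }
    }

# Folders that lacked the Deny entry when this pass started.
$report | Where-Object { -not $_.DenyWasThere } | Format-Table -AutoSize
```

Deny entries are evaluated before Allow entries, so a user who belongs to both Group A and Group B is locked out of these folders.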

Hope this helps!


Android vs. Apple….score one for Android.

I’ve been a fan of Apple since, well, about 2006 when I got my first Macbook Pro. I know in the “real world” that might not be all that long, but in the IT world that’s a long time. To put it in perspective, Twitter was still a startup and had yet to exceed 20,000 messages a day on the whole service. All of my computers, both at work and at home, are Apple. My phones are all Apple. All my tablets are Apple. Except two. I have an HP Touchpad that is mostly retired now and a museum piece and a 1st Gen Samsung Galaxy Tab. I recently fired up the Galaxy Tab for the first time since July 2013 and found one thing that Android is doing much better than Apple: supporting older devices.

My first iPad, a first Gen 32 GB iPad, was bought about a week after initial release. But as time has marched on, fewer and fewer apps are available for it. The OS can no longer be updated, and each day, the apps slowly go bye-bye. Eventually it will only be good for surfing the internet and maybe checking mail.

But imagine my surprise when I fired up my Android tablet to find that, not only did the older Apps work, but apps that I couldn’t get on the Android tablet before were now available.  More to the point, apps that would no longer run on my first gen iPad were now available and running on my first gen Galaxy Tab!  Yikes!

So while Apple has abandoned, for the most part, early devices, the Android environment continues to embrace and develop for these golden oldies.

So if longevity is a metric you use to base your decision on which tablet to buy, it looks like Android is the platform for you.


A-ha! A new host!!!

Well, after a long time of really being frustrated by Squarespace and their format and such, I made the leap to a WordPress service hosted by GoDaddy. Thus far, I am really liking the features and such and I really like the price (much, much, much cheaper than Squarespace). I guess the final straw was when Squarespace decided to stop supporting the Squarespace 5 mobile app to force all the end users to version 6. That part I don’t mind so much, but it was the fact that, in order to get the same features and benefits that I had with Squarespace 5, I would have to pay about 20% more. I understand and can appreciate the need for change, but if you are going to force a long time customer to change you should offer the same benefits at the same price.

And honestly, I know prices go up as a standard practice, but this is one area where that does not necessarily hold true. In IT, the prices of storage and bandwidth go down over time.

And the support has really gone downhill recently, so it was time to say goodbye to Squarespace and hello to WordPress. At least now with WordPress I can take my blog almost wherever I want. 🙂