One of our Windows servers that has some user folders on it has some pretty screwed up permissions. What I want is for SYSTEM and Domain Admins to have full control of all folders. I want the users to have read only on the top-level folder (which is their home folder) and modify on all subfolders and files. This can easily be accomplished through the GUI, but I can't figure out how to script it.
I'm calling icacls from my PowerShell script, because get-acl and set-acl are a major PITA. If I have to use them, I'm not opposed to it, but I imagine that calling icacls will be easier. This is the relevant code that I have so far:
# double quotes so $domain and $user expand; braces stop "$user:" being read as a scope qualifier
icacls.exe $folder /grant "${domain}\${user}:(OI)(CI)(M)"
icacls.exe $folder /grant 'SYSTEM:(OI)(CI)(F)'
icacls.exe $folder /grant "${domain}\Domain Admins:(OI)(CI)(F)"
As you can see, I'm giving modify to the user for everything with icacls.exe $folder /grant "${domain}\${user}:(OI)(CI)(M)". I can't figure out how to make that Modify apply only to subfolders and files while granting read-only to the top-level folder.
The desired permission structure would look like this (just for clarity):
-Users
--M
---Marra (read only to me)
----Documents (Modify)
----Scripts (Modify)
----Etc (Modify)
What is the right icacls syntax for this, or how can I do it natively in PS with set-acl?
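The same layout done natively with Get-Acl / Set-Acl, as an added example that is not code from the original post. It assumes a domain CONTOSO and user marra (both made up for the example; the folder path is the one from the tree above) and must be run from an elevated prompt by an account that can change the folder's ACL. The user gets Read & execute on the home folder itself and an inherit-only Modify rule, which is what icacls calls (IO), for everything beneath it.

```powershell
# Added example, not code from the original post: the requested permission layout built
# with Get-Acl / Set-Acl and FileSystemAccessRule instead of icacls.
# Assumed values (replace them): domain CONTOSO, user marra, folder C:\Users\M\Marra.
param(
    [string]$Domain = 'CONTOSO',
    [string]$User   = 'marra',
    [string]$Folder = 'C:\Users\M\Marra'
)

function New-FolderRule {
    # Builds one ACE. $Inheritance is the Set-Acl spelling of icacls (OI)(CI);
    # $Propagation 'InheritOnly' is the spelling of (IO): the ACE is handed to
    # subfolders and files but is not applied to the folder it sits on.
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inheritance = 'None',
        [System.Security.AccessControl.PropagationFlags]$Propagation = 'None',
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inheritance, $Propagation, $Type
}

function Set-HomeFolderAcl {
    param([string]$Path, [string]$Domain, [string]$User)
    $acl = Get-Acl -Path $Path

    # Stop inheriting from the parent ($false = discard the inherited ACEs rather than
    # copying them) and drop every remaining explicit ACE, so nothing broken survives.
    # Safe only because SYSTEM and Domain Admins are re-added right below.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    $both = 'ContainerInherit, ObjectInherit'   # this folder, subfolders and files
    $acl.AddAccessRule((New-FolderRule 'NT AUTHORITY\SYSTEM' FullControl $both))
    $acl.AddAccessRule((New-FolderRule "$Domain\Domain Admins" FullControl $both))
    # Read & execute on the home folder only: no inheritance flags = "this folder only".
    $acl.AddAccessRule((New-FolderRule "$Domain\$User" ReadAndExecute))
    # Modify on subfolders and files only.
    $acl.AddAccessRule((New-FolderRule "$Domain\$User" Modify $both InheritOnly))

    Set-Acl -Path $Path -AclObject $acl
}

function Test-HomeFolderAcl {
    # Reads the ACL back and returns $true when the user holds both intended ACEs.
    # Rights are compared with -band because Windows reports e.g. "Modify, Synchronize".
    param([string]$Path, [string]$Account)
    $fsr   = [System.Security.AccessControl.FileSystemRights]
    $rules = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account }
    $top = $rules | Where-Object {
        $_.InheritanceFlags -eq 'None' -and
        ($_.FileSystemRights -band $fsr::ReadAndExecute) -eq $fsr::ReadAndExecute }
    $kids = $rules | Where-Object {
        $_.PropagationFlags -eq 'InheritOnly' -and
        ($_.FileSystemRights -band $fsr::Modify) -eq $fsr::Modify }
    return ([bool]$top -and [bool]$kids)
}

Set-HomeFolderAcl -Path $Folder -Domain $Domain -User $User
if (-not (Test-HomeFolderAcl -Path $Folder -Account "$Domain\$User")) {
    throw "ACL on $Folder is not as intended"
}
```

Breaking inheritance and purging the explicit ACEs is what makes this safe to re-run on a folder whose permissions are already wrong; if you want to keep whatever the parent hands down, drop the SetAccessRuleProtection call and the removal loop. Existing subfolders keep their own explicit ACEs, so a second pass with Get-ChildItem -Recurse is needed if those are also broken.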
Change the first line of your script to the following to have it apply only to subfolders and files.
Then apply this to the top folder.
Grant inheritable modify permission, and set uninheritable denial to delete the folder itself:
This gives them full rights inside the folder, but they cannot modify the folder itself.
This grants MODIFY access to all files and subdirectories, but not delete access to $folder itself.
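An added example, not code from the original question or any of the answers, showing the icacls syntax the answers describe. The two modes are the inherit-only Modify ACE (OI)(CI)(IO)(M) paired with a folder-only (RX), and the alternative of an inheritable Modify plus a non-inherited Deny of the Delete right. The domain CONTOSO and user marra are made up for the example; the folder path is the one from the question's tree.

```powershell
# Added example, not code from the original question or answers: the requested layout
# applied with icacls from PowerShell, then read back and checked.
# Assumed values (replace them): domain CONTOSO, user marra, folder C:\Users\M\Marra.
param(
    [string]$Domain = 'CONTOSO',
    [string]$User   = 'marra',
    [string]$Folder = 'C:\Users\M\Marra',
    # ReadOnlyTop : RX on the folder itself, Modify on children via an inherit-only ACE.
    # DenyDelete  : inheritable Modify plus a non-inherited Deny of DE on the folder.
    [ValidateSet('ReadOnlyTop', 'DenyDelete')][string]$Mode = 'ReadOnlyTop'
)

# PowerShell gotcha: in "$Domain\$User:(OI)(CI)(M)" the parser reads "$User:" as a
# scope or drive qualifier (like $env:PATH), so nothing useful expands. Braces delimit
# the variable name; single quotes would not expand the variables at all.
$account = "${Domain}\${User}"
$admins  = "${Domain}\Domain Admins"

function Invoke-Icacls {
    # Runs icacls with the given argument list and fails loudly on a non-zero exit code.
    param([string[]]$ArgumentList)
    $out = & icacls.exe @ArgumentList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("icacls {0} failed:`n{1}" -f ($ArgumentList -join ' '), ($out -join "`n"))
    }
    $out
}

# Full control on the folder, subfolders and files:
# OI = object (file) inherit, CI = container (subfolder) inherit.
Invoke-Icacls $Folder, '/grant', 'SYSTEM:(OI)(CI)(F)'
Invoke-Icacls $Folder, '/grant', "${admins}:(OI)(CI)(F)"

# Clean slate for the user: /remove drops every explicit ACE naming them, so an earlier
# (OI)(CI)(M) grant cannot linger next to the new ones.
Invoke-Icacls $Folder, '/remove', $account

switch ($Mode) {
    'ReadOnlyTop' {
        # No inheritance flags = "this folder only": a read-only view of the home folder.
        Invoke-Icacls $Folder, '/grant', "${account}:(RX)"
        # (IO) = inherit only: the ACE is passed to subfolders and files but is not
        # applied to the folder it sits on, which is exactly "Modify on children only".
        Invoke-Icacls $Folder, '/grant', "${account}:(OI)(CI)(IO)(M)"
    }
    'DenyDelete' {
        Invoke-Icacls $Folder, '/grant', "${account}:(OI)(CI)(M)"
        # Non-inherited Deny of the Delete right on the folder itself. Caveat: the user
        # can still create files directly in the folder, because Modify on it allows that.
        Invoke-Icacls $Folder, '/deny', "${account}:(DE)"
    }
}

# Children may carry their own broken explicit ACEs; reset them to plain inheritance
# from the now-correct folder (/T recurses, /C continues on errors, /Q suppresses chatter).
Invoke-Icacls "${Folder}\*", '/reset', '/T', '/C', '/Q'

function Test-HomeFolderAcl {
    # Reads the ACL back with icacls and checks that each expected ACE string is present.
    # Returns $true when all are found and warns about the missing ones otherwise.
    param([string]$Path, [string[]]$ExpectedAces)
    $listing = (Invoke-Icacls $Path) -join "`n"
    $missing = @($ExpectedAces | Where-Object { $listing -notmatch [regex]::Escape($_) })
    if ($missing.Count -gt 0) {
        Write-Warning ("Missing ACEs on {0}: {1}" -f $Path, ($missing -join '; '))
    }
    return ($missing.Count -eq 0)
}

# icacls prints SYSTEM as NT AUTHORITY\SYSTEM and marks deny entries with (DENY).
$expected = @("${admins}:(OI)(CI)(F)", 'NT AUTHORITY\SYSTEM:(OI)(CI)(F)')
if ($Mode -eq 'ReadOnlyTop') {
    $expected += @("${account}:(RX)", "${account}:(OI)(CI)(IO)(M)")
} else {
    $expected += @("${account}:(OI)(CI)(M)", "${account}:(DENY)")
}
if (-not (Test-HomeFolderAcl -Path $Folder -ExpectedAces $expected)) { exit 1 }
```

Run it elevated. The read-back check matters more than it looks: /grant merges into an existing ACE with the same inheritance flags, so without the /remove step a leftover (OI)(CI)(M) would silently stay in force and the "read-only top folder" goal would not actually hold.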