Active Directory: Assign NTFS permissions via Powershell

Many things can be simplified or scripted with Powershell. If you often need to create new folders or shares, you can use Powershell to create the folder, create the corresponding groups for access and also add the groups to the NTFS permissions.

Here is a small example:

# This script creates a folder in the specified path, creates 3 domain local
# groups (full access, change, read) and assigns the corresponding permissions
# to the newly created folder
# Written by Frank Zoechling
# Requires the ActiveDirectory module (RSAT) for new-adgroup
write-host "Specify the name of the new folder"
write-host ""
write-host "Example:"
write-host " - if only a name is specified, the folder is created in the current path"
write-host " - if a path is specified (d:\test\data\), a new 'data' folder is created under d:\test"
write-host ""
$path = read-host "Path"
md $path
# Group name suffixes: LE = read (Lesen), VZ = full access (Vollzugriff), AE = change (Aendern)
$GNlesen = "dl_"+$path+"_LE"
$GNvollzugriff = "dl_"+$path+"_VZ"
$GNaendern = "dl_"+$path+"_AE"
# -groupscope 0 = DomainLocal
new-adgroup $GNlesen -groupscope 0 -Description "Read rights to $path"
new-adgroup $GNvollzugriff -groupscope 0 -Description "Full access to $path"
new-adgroup $GNaendern -groupscope 0 -Description "Change rights to $path"
# Each rule is created without inheritance flags, so it applies to this folder only
$aclLE = get-acl $path
$arLE = new-object system.security.accesscontrol.filesystemaccessrule("$GNlesen", "ReadandExecute", "Allow")
$aclLE.SetAccessRule($arLE)
set-acl $path $aclLE
$aclVZ = get-acl $path
$arVZ = new-object system.security.accesscontrol.filesystemaccessrule("$GNvollzugriff", "FullControl", "Allow")
$aclVZ.SetAccessRule($arVZ)
set-acl $path $aclVZ
$aclAE = get-acl $path
$arAE = new-object system.security.accesscontrol.filesystemaccessrule("$GNaendern", "Modify", "Allow")
$aclAE.SetAccessRule($arAE)
set-acl $path $aclAE

You can now simply copy the text above into a Powershell script file, for example "create-folder.ps1".

The script then does the following: it creates the specified folder and creates 3 domain local groups in the Active Directory (read, change, full access). These 3 groups are then added to the ACL of the folder with the corresponding permissions.

The script can of course be further customized and should only serve as an example.
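The same procedure wrapped in a function, as an added example that is not the script from the post and goes a little beyond it: group names use the folder's leaf name, the ACEs carry inheritance flags, the groups are referenced by SID rather than by name, and the resulting ACL is read back and checked. It assumes the ActiveDirectory module (RSAT) is installed and uses a placeholder OU in $GroupOU.

```powershell
# Added example, not the script from the post. It wraps the same procedure in a
# function (folder, three domain-local groups, one NTFS right each) and goes a
# little beyond it: group names use the folder's leaf name, the ACEs carry
# inheritance flags, groups are referenced by SID, and the ACL is read back.
# Assumes the ActiveDirectory module (RSAT); $GroupOU is a placeholder value.
function New-SecuredFolder {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$GroupPrefix = 'dl_',
        [string]$GroupOU = 'OU=FileServerGroups,DC=example,DC=com'   # placeholder
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $leaf   = Split-Path -Path $Path -Leaf      # "d:\data\Projects" -> "Projects"
    $folder = New-Item -ItemType Directory -Path $Path -ErrorAction Stop
    $acl    = Get-Acl -Path $folder.FullName
    # Same three tiers as the post: LE = read, AE = change, VZ = full access
    $tiers  = [ordered]@{ LE = 'ReadAndExecute'; AE = 'Modify'; VZ = 'FullControl' }

    foreach ($suffix in $tiers.Keys) {
        $groupName = '{0}{1}_{2}' -f $GroupPrefix, $leaf, $suffix
        $group = Get-ADGroup -Filter "Name -eq '$groupName'"
        if (-not $group) {
            $group = New-ADGroup -Name $groupName -GroupScope DomainLocal -Path $GroupOU `
                -Description "$($tiers[$suffix]) on $Path" -PassThru -ErrorAction Stop
        }
        # Reference the group by SID: a group created seconds ago may not resolve
        # by name on every DC yet, and a SID cannot match a same-named local account.
        $sid  = [System.Security.Principal.SecurityIdentifier]$group.SID
        # ContainerInherit,ObjectInherit makes the ACE a normal entry on the
        # Security tab instead of a "special permission" on this folder only.
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $sid, $tiers[$suffix], 'ContainerInherit, ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $folder.FullName -AclObject $acl

    # Read the ACL back; a mismatch means the folder is not in the intended state.
    $applied = (Get-Acl -Path $folder.FullName).Access | Where-Object { -not $_.IsInherited }
    foreach ($suffix in $tiers.Keys) {
        $groupName = '{0}{1}_{2}' -f $GroupPrefix, $leaf, $suffix
        $want = [System.Security.AccessControl.FileSystemRights]$tiers[$suffix]
        $ace  = $applied | Where-Object { $_.IdentityReference.Value -like "*\$groupName" }
        # NTFS reports e.g. "Modify, Synchronize", so test the requested bits, not equality
        if (-not $ace -or (($ace.FileSystemRights -band $want) -ne $want)) {
            Write-Warning "ACE for $groupName missing or wrong: $($ace.FileSystemRights)"
        }
    }
    $applied | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
}
```

Call it as `New-SecuredFolder -Path 'd:\data\Projects' -GroupOU '<your OU DN>'`; the table at the end is what users will see on the folder's Security tab.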

Before you can run PowerShell scripts, you have to run the following command in PowerShell:

set-executionpolicy remotesigned

Further information on permissions and PowerShell can be found here:

http://blogs.technet.com/b/josebda/archive/2010/11/12/how-to-handle-ntfs-folder-permissions-security-descriptors-and-acls-in-powershell.aspx

3 thoughts on “Active Directory: Assign NTFS permissions via Powershell”

  1. Adapted it a bit regarding displaying the permissions and the correct path

    [code]
    $path = read-host "Pfad"
    md $path

    $folder = read-host "Ordner"
    md $path"\"$folder
    $GNlesen = "fileserver_"+$folder+"_LE"
    $GNvollzugriff = "fileserver_"+$folder+"_VZ"
    $GNaendern = "fileserver_"+$folder+"_AE"

    New-ADGroup -Name "$GNlesen" -groupscope Global -Description "Leserechte auf $folder" -path "OU=FILESERVER_GROUPS,OU=test,DC=ad,DC=test,DC=org"
    New-ADGroup -Name "$GNvollzugriff" -groupscope Global -Description "Vollzugriff auf $folder" -path "OU=FILESERVER_GROUPS,OU=test,DC=ad,DC=test,DC=org"
    New-ADGroup -Name "$GNaendern" -groupscope Global -Description "Aendernrechte auf $folder" -path "OU=FILESERVER_GROUPS,OU=test,DC=ad,DC=test,DC=org"
    $aclLE = get-acl $path"\"$folder
    $arLE = new-object system.security.accesscontrol.filesystemaccessrule("$GNlesen","ReadandExecute","ContainerInherit,ObjectInherit", "None", "Allow")
    $aclLE.SetAccessRule($arLE)
    set-acl $path"\"$folder $aclLE
    $aclVZ = get-acl $path"\"$folder
    $arVZ = new-object system.security.accesscontrol.filesystemaccessrule("$GNVollzugriff", "FullControl","ContainerInherit,ObjectInherit", "None", "Allow")
    $aclVZ.SetAccessRule($arVZ)
    set-acl $path"\"$folder $aclVZ
    $aclAE = get-acl $path"\"$folder
    $arAE = new-object system.security.accesscontrol.filesystemaccessrule("$GNaendern","Modify","ContainerInherit,ObjectInherit", "None", "Allow")
    $aclAE.SetAccessRule($arAE)
    set-acl $path"\"$folder $aclAE
    [/code]

  2. How would the script have to be adapted so that I can set a "deny delete" for the "Change" group on the folder itself only?
    Thanks in advance for the tip.

  3. Hi,

    nice script. Exactly what I was looking for. Do you perhaps also know the switch I have to set so that the permissions I have set are also directly visible under Security? At the moment I only see the rights under Special permissions.

    Thanks in advance

    Regards
    Thomas

