internal/functions/New-AccessRule.ps1
|
function New-AccessRule { [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseOutputTypeCorrectly", "")] <# .SYNOPSIS Creates a new FileSystem AccessRule. .DESCRIPTION Creates a new FileSystem AccessRule, which can be added to an Acl. Defaults to: - Modify Permissions - To Object and all children .PARAMETER Name Alias: user, username, samaccountname, alias The name of the user or group that is affected by the rule. .PARAMETER Domain Default: $env:USERDOMAIN The name of the domain that user or group belongs to. .PARAMETER Permission Options: FullControl, ReadOnly, DontTouchMyFolders, Modify Default: Modify ParSet: PreSet The permissions applied to the AccessRule. Choose one of several preconfigured Permission-Sets: - FullControl Allows any action, including changing permissions. - ReadOnly Allows only to read content. - DontTouchMyFolders Allows changing files, but not folders - Modify Allows changing files and folders, but not setting permissions. For more detailed control over permission-levels, see the "Rights" parameter. .PARAMETER Rights ParSet: Custom Alternatively to using a preconfigured permission-set, this parameter allows to freely assign any permission desired. For comfortable use of preconfigured common permissions, see the "Permission" parameter above. .PARAMETER Inheritance Options: None, Files, Folders, All Default: All Defines the kind of objects these permissions are inherited by. .PARAMETER ChildrenOnly Permissions only affect children of the target object, not the object itself. .PARAMETER Deny Creates a deny rule, instead of an allow rule. .EXAMPLE PS C:\> New-AccessRule "Fred" Creates an AccessRule that will allow the user Fred (who is of the same domain as the User executing the command) Modify permissions that are also inherited by all childitems on the item this rule is applied upon. .EXAMPLE PS C:\> Get-Content "C:\Users.txt" | New-AccessRule -Permission ReadOnly For each user in users.txt a new accessrule will be created, each of those will have ReadOnly permissions. .EXAMPLE PS C:\> New-AccessRule "Fred" -Permission "Modify" -ChildrenOnly This will create an AccessRule that will grant modify permissions to Fred, but only to the child items of the folders this rule will be applied to, not to the folders themselves (however, permissions will be granted for the child folders). .NOTES Supported Interfaces: ------------------------ Author: Friedrich Weinmann Company: die netzwerker Computernetze GmbH Created: 18.11.2013 LastChanged: 26.05.2014 Version: 2.0 #> [CmdletBinding( DefaultParameterSetName = "PreSet", SupportsShouldProcess=$True )] [OutputType([System.Security.AccessControl.FileSystemAccessRule])] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [Alias('user', 'username', 'samaccountname', 'alias')] [String[]] $Name, [String] $Domain = $env:USERDOMAIN, [Parameter(ParameterSetName = "PreSet", Position = 1)] [ValidateSet("FullControl", "ReadOnly", "DontTouchMyFolders", "Modify")] [String] $Permission = "Modify", [Parameter(ParameterSetName = "Custom", Position = 1)] [System.Security.AccessControl.FileSystemRights] $Rights = [System.Security.AccessControl.FileSystemRights]::Modify, [ValidateSet("None", "Files", "Folders", "All")] [String] $Inheritance = "All", [switch] $ChildrenOnly, [switch] $Deny ) Begin { # Store the active Parameterset $ParSet = $PSCmdlet.ParameterSetName } Process { foreach ($uname in $Name) { # Set Name $User = $Domain + "\" + $uname # Set Permission Level switch ($ParSet) { "PreSet" { # If one of the preconfigured sets was chosen switch ($Permission.ToLower()) { "fullcontrol" { $FileSystemRights = [System.Security.AccessControl.FileSystemRights]::FullControl } "readonly" { $FileSystemRights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute } "donttouchmyfolders" { $FileSystemRights = @([System.Security.AccessControl.FileSystemRights]::Write) } "modify" { $FileSystemRights = [System.Security.AccessControl.FileSystemRights]::Modify } } } "Custom" { # If custom permissions were entered. $FileSystemRights = $Rights } } # Configure Inheritance switch ($Inheritance.ToLower()) { "none" { $InheritanceFlags = [System.Security.AccessControl.InheritanceFlags]::None } "folders" { $InheritanceFlags = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit } "files" { $InheritanceFlags = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit } "all" { $InheritanceFlags = @([System.Security.AccessControl.InheritanceFlags]::ObjectInherit, [System.Security.AccessControl.InheritanceFlags]::ContainerInherit) } } # Configure Propagation if ($ChildrenOnly) { $PropagationFlags = [System.Security.AccessControl.PropagationFlags]::InheritOnly } else { $PropagationFlags = [System.Security.AccessControl.PropagationFlags]::None } # Switch between allow and deny if ($Deny) { $AccessControlType = [System.Security.AccessControl.AccessControlType]::Deny } else { $AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow } # Erstellt die Regel if($PSCmdlet.ShouldProcess("Creates a FileSystemAccessRule object to be exported")){ $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($User, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType) $Rule } } } End { } } |