2020 | Scott W. Head  |  Sr. Systems Admin | Certified Microsoft Windows Server Administrator

PowerShell Add Group to ACL

        
        #-------------------------------------------------------------------------------------------------------------
        #--------- Designed to add a SYSTEM group with full access to multiple sub-folders SWH---12/9/2014------------
        #-------------------------------------------------------------------------------------------------------------
        # Test 1) Create a folder called C:\Test with default groups.
        # Create three sub folders within C:\Test called A, B, C.
        # Remove inheritance on folder A and set folder ACL to have Users, System, Domain Admins, Administrators
        # Run the script and you will see that the inheritance is not altered on A, B or C.
        # The Domain Admins group is added to folders B and C with full control because it did not exist there.
        
        # Test 2) After step 1 is done remove the Domain Admins Group from Folder A that does not have inheritance.
        # Run the script again and the Domain Admins group is now added to Folder A, and this does not change any
        # previous inheritance settings on A, B or C.
        
        # Can easily change the name of the group to have the script apply a different group to the ACL as needed,
        # e.g. change "Domain Admins" to "System" throughout the script. It has also been tested on UNC paths.
        #--------------------------------------------------------------------------------------------------------
        
        #------------Set Parent Folder Name ----------------
       
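# Parent folder whose immediate sub-folders are checked, and the group to add.
# Both values are defined once here so a different path (UNC paths included)
# or a different group only needs to be changed in one place.
$ParentPath = 'C:\Test'
$GroupName  = 'Domain Admins'

# Only sub-folders are processed: the rule added below carries container
# inheritance flags, so plain files sitting directly under the parent are skipped.
$FolderList = Get-ChildItem -LiteralPath $ParentPath | Where-Object { $_.PSIsContainer }

#------------------------Loop through Each Sub Folder Name---------------------------------
foreach ($Folder in $FolderList) {

    # Use the item's own full path. Interpolating the folder object into a
    # "C:\Test\..." string depends on how the object converts to text, which is
    # not the same in every PowerShell version.
    $FolderPath = $Folder.FullName

    try {
        #------------------Grab ACL on Sub Folder (read once, reused for the update)------------
        $acl = Get-Acl -LiteralPath $FolderPath -ErrorAction Stop

        #--------------See if Account Exists on ACL---------------------
        # Compare the account part of each entry's identity (the text after the
        # last backslash) with the group name, instead of a substring search over
        # the rendered ACL text, so a longer name that merely contains the group
        # name is not mistaken for it.
        # NOTE(review): as before, an entry of ANY type or rights level counts as
        # "present" - a Deny or read-only entry for the group also causes the
        # folder to be skipped. Check the rights explicitly if FullControl must
        # be guaranteed.
        $existing = $acl.Access | Where-Object {
            ($_.IdentityReference.Value -split '\\')[-1] -eq $GroupName
        }

        if (-not $existing) {

            # -----------------If Account Not Found Add to Folder ACL--------------
            # FullControl with ContainerInherit + ObjectInherit also flows down to
            # every child item that still inherits from this folder; confirm the
            # group really needs that scope before running against production data.
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($GroupName, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $FolderPath -AclObject $acl -ErrorAction Stop

            # Reached only when Set-Acl succeeded (-ErrorAction Stop above).
            Write-Host "$GroupName Account was added to $FolderPath and Inheritance was not altered"
        }
    }
    catch {
        # Report the folder that failed and keep going with the remaining folders,
        # rather than printing a success message for a change that did not happen.
        Write-Warning "Could not update the ACL on ${FolderPath}: $($_.Exception.Message)"
    }
}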