FileAclTools.psm1

<#
.Synopsis
   Wrapper for ACLs to allow easy setting or resetting.
.DESCRIPTION
   Wrapper for ACLs to allow easy setting or resetting.
.EXAMPLE
   Reset-FolderPermission -Path "c:\temp\path" -ReplaceOwner $true -ResetInheritance $true
#>

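function Add-FolderAcl
{
    # Applies a fixed set of ACL changes to each directory in -Path and writes the
    # result back with Set-Acl. With the default parameter values this takes
    # ownership for BUILTIN\Administrators and grants FullControl to
    # BUILTIN\Administrators and NT AUTHORITY\SYSTEM, inherited by child folders
    # and files. Run with -Verbose to get a per-directory record of each change,
    # and with -WhatIf to preview without writing.
    #
    # SupportsShouldProcess adds -WhatIf / -Confirm; Set-Acl below honours them,
    # so a dry run builds the ACL in memory but does not persist it.
    # NOTE(review): OutputType declares DirectoryInfo, but nothing is emitted.
    [CmdletBinding(SupportsShouldProcess=$true)]
    [Alias("Reset-FolderPermission")]
    [OutputType([System.IO.DirectoryInfo])]
    Param
    (
        # Directory to perform ACL modification (accepts directoryinfo, a string that resolves to a directory, etc).
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        [System.IO.DirectoryInfo[]]
        $Path,
        # Set the owner of the directory to BUILTIN\Administrators (default: $true).
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$false,
                   Position=1)]
        [Bool]
        $ReplaceOwner=$true,
        # Add an inheritable FullControl allow entry for BUILTIN\Administrators (default: $true).
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$false,
                   Position=2)]
        [Bool]
        $AddAdministrators=$true,
        # Add an inheritable FullControl allow entry for NT AUTHORITY\SYSTEM (default: $true).
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$false,
                   Position=3)]
        [Bool]
        $AddSystem=$true,
        # Re-enable inheritance from the parent without touching explicit entries (default: $false).
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$false,
                   Position=4)]
        [Bool]
        $ResetInheritance=$false,
        # Re-enable inheritance and remove every explicit (non-inherited) entry,
        # allow and deny alike, before the entries above are added (default: $false).
        # Removing an explicit deny entry can widen access; review the ACL first.
        # Position was 4, colliding with -ResetInheritance; 5 keeps positional binding unambiguous.
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$false,
                   Position=5)]
        [Bool]
        $ResetAcl=$false
    )

    Begin
    {
        # Well-known SIDs by SDDL abbreviation: "BA" = BUILTIN\Administrators, "SY" = Local System.
        # $Administrators was referenced by SetOwner() but never assigned, so owner
        # replacement received $null; it is now defined here.
        $Administrators = [System.Security.Principal.SecurityIdentifier]::new("BA")
        $LocalSystem    = [System.Security.Principal.SecurityIdentifier]::new("SY")

        # Entries apply to this folder, subfolders and files.
        $InheritToChildren = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
                             [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

        $AdminsFullControlAce = [System.Security.AccessControl.FileSystemAccessRule]::new(
            [System.Security.Principal.IdentityReference]$Administrators,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            $InheritToChildren,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow
        )
        $SystemFullControlAce = [System.Security.AccessControl.FileSystemAccessRule]::new(
            [System.Security.Principal.IdentityReference]$LocalSystem,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            $InheritToChildren,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow
        )
    }
    Process
    {
        ForEach ($dir in $Path) {
            # Use the full path with -LiteralPath: a bare DirectoryInfo can stringify to a
            # relative name, and -Path would treat [ ] * ? in a folder name as a wildcard,
            # which could read or write the ACL of a different directory than intended.
            $target = $dir.FullName

            $acl = Get-Acl -LiteralPath $target
            If (-not $acl) {
                # Get-Acl already reported the error; never call Set-Acl with a null ACL.
                Write-Warning "Could not read ACL on `"$target`"; skipping."
                continue
            }

            If ($ResetAcl) {
                Write-Verbose "Resetting ACL on `"$target`""
                $acl.SetAccessRuleProtection($false,$false)
                $acl.Access |
                Where-Object { $_.IsInherited -eq $false } |
                ForEach-Object {
                    # RemoveAccessRule returns a Boolean; discard it so it does not leak into the output stream.
                    $null = $acl.RemoveAccessRule($_)
                }
            }
            If ($ReplaceOwner) {
                Write-Verbose "Replacing owner on `"$target`""
                $acl.SetOwner($Administrators)
            }
            If ($AddAdministrators) {
                Write-Verbose "Adding full access for BUILTIN\Administrators on `"$target`""
                $acl.AddAccessRule($AdminsFullControlAce)
            }
            If ($AddSystem) {
                # "SY" resolves to NT AUTHORITY\SYSTEM, not a BUILTIN account.
                Write-Verbose "Adding full access for NT AUTHORITY\SYSTEM on `"$target`""
                $acl.AddAccessRule($SystemFullControlAce)
            }
            If ($ResetInheritance) {
                Write-Verbose "Resetting inheritance on `"$target`""
                $acl.SetAccessRuleProtection($false,$false)
            }

            # Persist the modified descriptor; skipped under -WhatIf, prompts under -Confirm.
            Set-Acl -LiteralPath $target -AclObject $acl
        }
    }
    End
    {
    }
}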