cEPRSFolderPermissions.psm1
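# cEPRSFolderPermissions: class-based DSC resource that ensures one explicit
# (non-inherited) access-control entry for $Account on $Path is Present or Absent.
# The ACE is matched on identity, rights, allow/deny and inheritance flags only;
# other ACEs on the path are never touched.
enum Ensure { Present; Absent }
enum Rights { ReadAndExecute; Modify; FullControl; Read; Write }
enum Access { Allow; Deny }

[DscResource()]
class cEPRSFolderPermissions {
    [DscProperty(Key)] [String] $Path
    [DscProperty(Key)] [String] $Account
    # Kept as [string] so existing configurations keep working. Any
    # FileSystemRights name (or a comma-separated combination) is accepted, so the
    # Rights enum above documents the intended values rather than enforcing them.
    [DscProperty()] [string] $Rights
    [DscProperty()] [Ensure] $Ensure
    # "Allow" or "Deny"; same caveat as Rights - the Access enum is not enforced.
    [DscProperty()] [string] $Access
    # $true: the ACE applies to this folder only. $false: it propagates to
    # child folders and files.
    [DscProperty()] [Bool] $NoInherit = $false

    # Builds the ACE this resource manages from the configured properties.
    # NOTE(review): the resource is named for folders; if $Path is a file and
    # NoInherit is $false the inheritance flags may be rejected when the ACL is
    # written - confirm before pointing this at files.
    hidden [System.Security.AccessControl.FileSystemAccessRule] BuildDesiredRule() {
        $inheritance = if ($this.NoInherit) { 'None' } else { 'ContainerInherit, ObjectInherit' }
        return [System.Security.AccessControl.FileSystemAccessRule]::new(
            $this.Account, $this.Rights, $inheritance, 'None', $this.Access)
    }

    # Reads the DACL of $Path. -LiteralPath keeps wildcard characters in the
    # path from being expanded, and a missing path fails loudly instead of
    # being reported as "Absent" (a typo in a configuration must not look like
    # a compliant system).
    hidden [System.Security.AccessControl.FileSystemSecurity] GetCurrentAcl() {
        $item = Get-Item -LiteralPath $this.Path -ErrorAction Stop
        return $item.GetAccessControl('Access')
    }

    # Explicit (non-inherited) ACEs on $acl equal to $rule in identity, rights,
    # allow/deny and inheritance flags. Identities are compared as SIDs so that
    # "Users" and "BUILTIN\Users" (or a renamed account) match the same ACE;
    # comparing the NTAccount strings made Test() report Absent after a
    # successful Set() and added a duplicate ACE on every run. Inherited ACEs
    # are skipped because RemoveAccessRule cannot remove them anyway.
    hidden [System.Security.AccessControl.FileSystemAccessRule[]] FindMatchingRules([System.Security.AccessControl.FileSystemSecurity] $acl, [System.Security.AccessControl.FileSystemAccessRule] $rule) {
        $sidType = [System.Security.Principal.SecurityIdentifier]
        # Throws for an unknown account; better than silently reporting Absent.
        $wantedSid = $rule.IdentityReference.Translate($sidType)
        $explicitRules = $acl.GetAccessRules($true, $false, $sidType)
        $found = @($explicitRules | Where-Object {
            $_.IdentityReference -eq $wantedSid -and
            $_.FileSystemRights -eq $rule.FileSystemRights -and
            $_.AccessControlType -eq $rule.AccessControlType -and
            $_.InheritanceFlags -eq $rule.InheritanceFlags
        })
        return $found
    }

    # Reports the configured key/values plus the observed Ensure state.
    [cEPRSFolderPermissions] Get() {
        $desired = $this.BuildDesiredRule()
        $found = $this.FindMatchingRules($this.GetCurrentAcl(), $desired)

        $state = [cEPRSFolderPermissions]::new()
        $state.Path = $this.Path
        $state.Account = $this.Account
        $state.Rights = $this.Rights
        $state.Access = $this.Access
        $state.NoInherit = $this.NoInherit
        # The original read $this.Presence, a property that does not exist, so
        # Ensure was always empty; report what is actually on disk.
        $state.Ensure = if ($found.Count -gt 0) { [Ensure]::Present } else { [Ensure]::Absent }
        return $state
    }

    # $true when the observed presence of the ACE equals the configured Ensure.
    [bool] Test() {
        $desired = $this.BuildDesiredRule()
        $found = $this.FindMatchingRules($this.GetCurrentAcl(), $desired)
        $actual = if ($found.Count -gt 0) { [Ensure]::Present } else { [Ensure]::Absent }
        return ($actual -eq $this.Ensure)
    }

    # Adds or removes the ACE and writes the DACL back.
    [void] Set() {
        $desired = $this.BuildDesiredRule()
        $acl = $this.GetCurrentAcl()

        if ($this.Ensure -eq [Ensure]::Present) {
            # Merges the ACE into the DACL. Other explicit ACEs for the same
            # account are left as they are, so a pre-existing broader grant
            # (e.g. FullControl) is NOT narrowed by asking for Read here.
            $acl.AddAccessRule($desired)
        } else {
            # Only exact matches are removed: an explicit ACE with different
            # rights or flags for the same account stays in place. Inherited
            # ACEs are out of scope - they must be broken at the parent.
            foreach ($rule in $this.FindMatchingRules($acl, $desired)) {
                [void] $acl.RemoveAccessRule($rule)
            }
        }

        Set-Acl -LiteralPath $this.Path -AclObject $acl
    }
}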