Fix NTFS Permissions with PowerShell

Do your users have Home Drives or other folders that require special permissions? Has the permission structure on your users' Home Drives ever gotten so out of control that cleaning it up with be an absolute nightmare? Or maybe your organization uses a cloud service such as OneDrive for Business, Google Drive, or something similar that takes care of permissions for you. If your organization hasn't moved to cloud yet, this article is for you. Today we'll discuss how to fix the permission structure of your user's Home Drives in less than a half hour using PowerShell.

Click below to view the full .ps1 on github

FixPermissions.ps1

​There are certainly many ways to go about fixing folder permission structures so feel free to comment if you think we could benefit from knowing another method. This article covers a script that does the following:

• Changing the variables so that the right folders' permissions are edited
• Creating a template folder with the permissions you want
• Applying the permissions of the template folder to all of the folders in a root directory
• Adding an Access Control Rule allowing the user permission to access the folder
• Preventing users from taking ownership of their folder, causing problems later when it's time to archive the folder

To view the whole script in github please click here:
https://github.com/sheridanwendt/powershell/blob/master/HomeDriveCleanup.ps1 

First things first, you'll need to make a template folder that is configured with the desired permissions that should be applied to all of the folders inside the root folder.

Next, we define a function called Set-Permissions and configure it to run on every folder inside of the root folder. We'll go through each step the function performs. 

The first step of the function is to set some variables. The variables are:

$Greeting
Function Set-Permissions{
     $Template = Read-Host "Template Address"
     $TemplateACL = Get-Item "$Template"
     $RootFolder = Read-Host "Root Folder"
     $RootDirectory = Get-ChildItem "$RootFolder" -Directory

The $Greeting is shown to the user each time they run the script to remind them what it does. The $Template variable asks the user of the script for the UNC path of a template folder that has the desired permissions configured that all of the other folders should have. I suggest putting the template folder inside the root folder. The $RootFolder variable is the UNC path to the folder containing all of the folders that you'd like to fix the permissions for, such as your user's Home Drives. Example: If the UNC path to your user folders looks like this: \\FileServer\users\jsmith the UNC path to the root folder is \\FileServer\users. The $Template is the $TemplateACL grabs some detailed properties of the template folder, including the access control list (ACL). The $RootDirectory variable is a list of all of the folders inside of the root folder. 

Now that all of the variables are defined, the next step is a foreach statement. The foreaxh statement in this script performs the following actions on each folder inside of the root folder:

• Gets the path of each folder and assigns it to the $Path variable
• Assigns the current Access Control List (ACL), AKA permissions, of the template folder to the variable $ACL
• Assigns the name of the folder to the variable $Username to be used later
• Creates an Access Rule that grants Modify access to the $Username variable if a user exists with the same username as the name of the folder. If no user exists, an error is given and the script continues. The new Access Rule is assigned to the variable $AR

• The $AR (Access Rule) is added to the $ACL (Access Control List)
• The new ACL is applied to the folder

The code looks like this:

foreach ($SubFolder in $RootDirectory) {
     $Path = $SubFolder.FullName
     $ACL = ($TemplateACL).GetAccessControl('Access')
     $Username = $SubFolder.Name
     $AR = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
     $ACL.AddAccessRule($AR)
     Set-Acl -path $Path -ACLObject $ACL

That’s it! The steps above are competed on every folder in the root folder until they’ve all been updated to your new desired permissions based on the template folder. 

Dependency: The account that runs this script must be able to “change permissions” and “take ownership” for the script to run properly. It may be necessary to grant those permissions to the root folder before running the script if those permissions are not present.