PowerShell – Registry & File System Access Control Lists (ACL) Creation

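#
# File system:
# http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemaccessrule(v=vs.110).aspx
#
# Folder whose ACL is modified. The same path MUST be used for Get-Acl and
# Set-Acl: reading the ACL from one folder and writing it to another replaces
# the target's permissions with the source's, which is almost never intended.
$objPath = "C:\Path\To\Folder"
# Name of the user or group (local account shown; use "DOMAIN\name" for a domain principal):
$objIdentityReference = [System.Security.Principal.NTAccount]("HOSTNAME\username")
# Rights to assign -- grant only what the principal needs.
# List: http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights(v=vs.110).aspx
$objFileSystemRights = [System.Security.AccessControl.FileSystemRights]"Read,Write"
# Permission inheritance: None, ContainerInherit, ObjectInherit.
# None = the ACE applies to this folder only; existing and new files/subfolders do not inherit it.
$objInheritanceFlags = [System.Security.AccessControl.InheritanceFlags]::None
# Propagation of permissions: None, InheritOnly, NoPropagateInherit
$objPropagationFlags = [System.Security.AccessControl.PropagationFlags]::None
# Allow or Deny:
$objAccessControlType = [System.Security.AccessControl.AccessControlType]::Allow
# Create new rule:
$objRule = New-Object System.Security.AccessControl.FileSystemAccessRule ($objIdentityReference, $objFileSystemRights, $objInheritanceFlags, $objPropagationFlags, $objAccessControlType)
# Read the target's current ACL (explicit and inherited entries):
$objACL = Get-Acl -Path $objPath
# Add our new rule; existing entries are kept:
$objACL.AddAccessRule($objRule)
# Write the modified ACL back. The caller needs WRITE_DAC ("Change permissions")
# on the target, or must own it; Set-Acl may also refuse a DACL that is not in
# canonical order.
Set-Acl -Path $objPath -AclObject $objACL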

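# Alternatively, build a complete security descriptor from scratch instead of
# editing the existing one. Nothing below is applied until you run, for example:
#   Set-Acl -Path "C:\Path\To\Folder" -AclObject $AclRuleList
$AclRuleList = New-Object System.Security.AccessControl.DirectorySecurity
$AclRuleList.AddAccessRule($objRule)
# Owner. The explicit BUILTIN\ prefix names the local group unambiguously.
# Applying an owner other than the caller normally needs SeRestorePrivilege
# (members of Administrators have it).
$AclRuleList.SetOwner([System.Security.Principal.NTAccount]"BUILTIN\Administrators")
# http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.objectsecurity.setaccessruleprotection(v=vs.110).aspx
# isProtected=$true blocks inheritance from the parent; preserveInheritance=$false
# DROPS the inherited entries instead of converting them to explicit ones.
# CAUTION: applied as-is this descriptor holds exactly ONE ACE -- the principal
# above keeps Read,Write and everyone else (SYSTEM and Administrators included)
# loses access; the owner retains only the implicit right to read/change
# permissions. Add rules for SYSTEM/Administrators, or pass $true as the second
# argument, unless that lockdown is intended.
$AclRuleList.SetAccessRuleProtection($true,$false) #isProtected,preserveInheritance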

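#
# Registry:
# http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.registryaccessrule(v=vs.110).aspx
#
# Key whose ACL is modified; the same path is read and written back.
$objKeyPath = "HKCU:\TEST"
# Name of the user or group:
$objIdentityReference = [System.Security.Principal.NTAccount]("HOSTNAME\username")
# Rights to assign. FullControl (used here only as an example) includes
# ChangePermissions and TakeOwnership, so the grantee can re-permission the key;
# prefer narrower rights such as ReadKey or SetValue in practice.
# List: http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.registryrights(v=vs.110).aspx
$objRegistryRights = [System.Security.AccessControl.RegistryRights]::FullControl
# Permission inheritance: None, ContainerInherit, ObjectInherit.
# None = the ACE applies to this key only; subkeys do not inherit it.
$objInheritanceFlags = [System.Security.AccessControl.InheritanceFlags]::None
# Propagation of permissions: None, InheritOnly, NoPropagateInherit
$objPropagationFlags = [System.Security.AccessControl.PropagationFlags]::None
# Allow or Deny:
$objAccessControlType = [System.Security.AccessControl.AccessControlType]::Allow

# Create your new rule:
$objRule = New-Object System.Security.AccessControl.RegistryAccessRule ($objIdentityReference, $objRegistryRights, $objInheritanceFlags, $objPropagationFlags, $objAccessControlType)
# Read the key's current ACL (explicit and inherited entries):
$objACL = Get-Acl -Path $objKeyPath
# Add our new rule; existing entries are kept:
$objACL.AddAccessRule($objRule)
# Write the modified ACL back (the caller needs WRITE_DAC on the key, or must own it):
Set-Acl -Path $objKeyPath -AclObject $objACL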

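# Alternatively, build a complete security descriptor from scratch. Nothing
# below is applied until you run, for example:
#   Set-Acl -Path "HKCU:\TEST" -AclObject $AclRuleList
$AclRuleList = New-Object System.Security.AccessControl.RegistrySecurity
$AclRuleList.AddAccessRule($objRule)
# Owner; BUILTIN\ names the local Administrators group unambiguously.
$AclRuleList.SetOwner([System.Security.Principal.NTAccount]"BUILTIN\Administrators")
# isProtected=$true, preserveInheritance=$false: inheritance from the parent key
# is cut off AND the inherited entries are discarded. With the single ACE added
# above, the named principal would be the only one with access to the key once
# this is applied. Add rules for SYSTEM/Administrators, or pass $true as the
# second argument, unless that is intended.
$AclRuleList.SetAccessRuleProtection($true,$false) #isProtected,preserveInheritance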