Setting Folder Permissions
There's been a few instances where setting folder permissions has been required and I've found the following useful.
For instructions on how to deploy from MDT (here)
<#
.Synopsis
Change FOLDER permission for Authenticated User
.Description
.Version
#>
#Declares Inheritance
$inherNone = [System.Security.AccessControl.InheritanceFlags]::None
$propNone = [System.Security.AccessControl.PropagationFlags]::None
$inherCnIn = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propInOn = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$inherObIn = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$propNoPr = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
#Declare Auth User
$user = "Authenticated users"
#Path to Folder
$path = "C:\SomeFolder"
#Return current permissions
(get-acl C:\SomeFolder).Access
#Removes Inheritance
$aclInh = get-acl $path
$aclInh.SetAccessRuleProtection($true,$true)
Set-Acl $path $aclInh
#Remove Permissions
$getAcl = Get-Acl $path
$fileAcc = New-Object System.Security.AccessControl.FileSystemAccessRule("$User","FULL","$inherCnIn ,$inherObIn","None","Allow")
$getAcl.SetAccessRule($fileAcc)
$getAcl.removeAccessRuleAll($fileAcc)
Set-Acl $path $getAcl
#Add Permissions
$getAcl = Get-Acl $path
$fileAcc = New-Object System.Security.AccessControl.FileSystemAccessRule("$user","READ","$inherCnIn,$inherObIn", "None","Allow")
$getAcl.SetAccessRule($fileAcc)
Set-Acl $path $getAcl
#Add a DENY permission
$getAcl = Get-Acl $path
$fileAcc = New-Object System.Security.AccessControl.FileSystemAccessRule("$user","READ","$inherCnIn,$inherObIn","None","deny")
$getAcl.SetAccessRule($fileAcc)
Set-Acl $path $getAcl