Set folder permissions to a folder sub folders and all files inside that

I have a scenario where multiple applications are installing in this same folder *C:\Programs\LMRK*

After installing my application now as a last step I need to give Users --> Full Control permissions to that *C:\Programs\LMKR* folder.

I tested running batch file from out side - NOT WORKED
I tested running this command icacls $myFolder /grant $myADGroup’:(OI)(CI)(F)’ - NOT WORKED

Please let me know what is the best way to give permissions to folders, sub folders and all files underneath it?

Thanks

If you want the permissions to apply to all files and folders withing $myFolder then you should use the /t switch.

icacls reference

You can also change folder permissions using the get-acl/set-acl Powershell commands which I prefer over calling an external tool.

PowerShell – Editing permissions on a file or folder

Thanks for your reply.

I went through the reference links you provided and that was helpful. I decided to go with PowerShell way of setting the permissions.

Is there any PSADT specific function to set folder and file permissions?
If you can give couple of example scripts you created before to set permissions inside the PSADT that helps

Thank you

There aren’t any PSADT specific functions to set file and folder permissions. Here is an example from one of my scripts to set folder permissions:

##If it does not exist create the C:\Program Files\Your Program folder and allow all users.
#Create folder (will continue if folder exists)
$dirYourProgram = "$envProgramFiles\Your Program"
New-Folder -Path $dirYourProgram

#Add User permissions to Epic Games folder.
If (Test-Path $dirYourProgram) {
Write-Log -Message 'Updating ACL for C:\Program Files\Your Program...'
#Define the permission rule we want to add to the File/Folder. In this case add Users and AllowFullControl
$rule=new-object System.Security.AccessControl.FileSystemAccessRule ("BUILTIN\Users","FullControl","ContainerInherit,ObjectInherit","None","Allow")

#Get the existing ACL for the File/Folder we want to change permissions on.
$FolderACL = Get-ACL -Path $dirYourProgram

#Add the new permission rule to the existing File/Folder ACL
$FolderACL.SetAccessRule($rule)

#Set the updated ACL on the File/Folder
Set-ACL -Path $dirYourProgram -AclObject $FolderACL
}

This example will create the folder if it doesnt already exist and add the Users group with full control. If there are existing files/folders in the program folder they will inherit the settings from the parent folder.

Dear gtaylor,

I am looking to log the modify permission applied successfully. Could you please let me know on How to log it once appliced via Set ACL?
On what basis we have to Write-log ? is the below script is correct?

    $folder_to_change = "${env:ProgramFiles(x86)}\ThinkMedia 2.0\"
    If (Test-Path $folder_to_change) {
      Write-Log -Message 'Updating ACL for $folder_to_change...' -Source ${CmdletName} -LogType 'CMTrace'
      $rule=new-object System.Security.AccessControl.FileSystemAccessRule ("BUILTIN\Users","Modify","ContainerInherit,ObjectInherit","None","Allow")
      $FolderACL = Get-ACL -Path $folder_to_change
      $FolderACL.SetAccessRule($rule)
      Set-ACL -Path $folder_to_change -AclObject $FolderACL
      Write-Log -Message 'Updated ACL for $folder_to_change successfully ' -Source ${CmdletName} -LogType 'CMTrace'
    }

I have a specific post on How to Log built-in PowerShell commands (non-PSADT commands)

I don’t have an example for Set-Acl so try the following:

    $folder_to_change = "${env:ProgramFiles(x86)}\ThinkMedia 2.0\"
    If (Test-Path $folder_to_change) {
      Write-Log -Message "Updating ACL for [$folder_to_change]..." -Source ${CmdletName} -LogType 'CMTrace'
      $rule = new-object System.Security.AccessControl.FileSystemAccessRule ("BUILTIN\Users","Modify","ContainerInherit,ObjectInherit","None","Allow")
      $FolderACL = Get-ACL -Path $folder_to_change
      $FolderACL.SetAccessRule($rule)
      Set-ACL -Path $folder_to_change -AclObject $FolderACL -Verbose *>&1 | Out-String | write-log
      Write-Log -Message 'Updated ACL for $folder_to_change successfully ' -Source ${CmdletName} -LogType 'CMTrace'
    }

BTW: PSADT v3.9.x also has a Set-ItemPermission function.

I have tried but couldn’t see permission applied successfully or error message it just says Performing the operation “Set-Acl” on target "C:\Program Files (x86)\ThinkMedia 2.0".* Below PSADT log though the permission were applied successfully upon checking manually

<![LOG[[Post-Installation] :: Updating ACL for [C:\Program Files (x86)\ThinkMedia 2.0]…]LOG]!><time=“09:29:44.831-420” date=“07-05-2023” component=“” context=“NT AUTHORITY\SYSTEM” type=“1” thread=“7352” file=“Deploy-Application.ps1”>
<![LOG[[Post-Installation] :: Performing the operation “Set-Acl” on target "C:\Program Files (x86)\ThinkMedia 2.0".
]LOG]!><time=“09:29:44.893-420” date=“07-05-2023” component=“Deploy-Application” context=“NT AUTHORITY\SYSTEM” type=“1” thread=“7352” file=“Deploy-Application.ps1”>
<![LOG[[Post-Installation] :: Updated ACL for $folder_to_change successfully ]LOG]!><time=“09:29:44.909-420” date=“07-05-2023” component=“” context=“NT AUTHORITY\SYSTEM” type=“1” thread=“7352” file=“Deploy-Application.ps1”>

If you need absolute certainty, you’ll have to use Get-ACL after a small delay, and parse the permissions to see if the change you want is there.

1 Like