
Is there a way to clone a directory's permissions to a file, and then run that file on another server to recreate those permissions on the recreated structure?

I've got a script to create the directories:

New-Item -Path D:\superuser-data -ItemType directory
New-Item -Path D:\superuser-data\documents -ItemType directory
New-Item -Path D:\superuser-data\scripts -ItemType directory

I run that script, then set up the permissions the way I want them with AD accounts on Server A.

Then I want the ability to rerun that script on Server B and then run another script on Server B that sets the permissions to match what I did on Server A.

1 Answer

From here: https://seankilleen.com/2015/01/how-to-copy-ACL-Permissions-To-Folders-With-Powershell/

PowerShell contains the commands get-acl and set-acl, and you can pipe them together:

Get-Acl -Path C:\Folder1 | Set-Acl -Path C:\Folder2

Those paths can be UNC or other appropriate path methods, so they should be able to work across networks.

Update:

Security Descriptors CAN be copied and stored. The following is not the most efficient process; this is the first time I've even tried doing this, but it is functional.

A few iteratively-refined Google searches brought me here: http://community.idera.com/powershell/powertips/b/tips/posts/replacing-ntfs-permissions-with-sddl-information

And here's the process.

  1. Capture the ACL from the source computer:
    $SDout = get-acl -path (source folder)
  2. Store the SDDL in the clipboard:
    $SDout.GetSecurityDescriptorSddlForm('All') | clip.exe
  3. Paste into Notepad and move to the target computer.
  4. Copy ONLY the single-line SDDL to the clipboard.
  5. Store the source SDDL in a parameter:
    $SDsource = '(paste the source SDDL here)'
  6. Capture the target ACL object in a parameter:
    $SDtarget = get-acl -path (target folder)
  7. Overwrite the target's SDDL with the source's SDDL:
    $SDtarget.SetSecurityDescriptorSddlForm($SDsource)
  8. Write the modified ACL back to the target folder:
    set-acl -Path (target folder) -ACLObject $SDtarget

Checking properties now you should see the target folder has the same permissions as the source folder.

  • Can I store the results of Get-Acl into a file that set-acl can read in? `Get-Acl D:\superuser-data\ | Out-File superuser-data.txt` then `cat superuser-data.txt | Set-Acl -Path D:\superuser2-data`
    – Nick
    Commented May 30, 2018 at 19:48
  • The pipe uses PS' object system. Sending get-acl's output to a file loses the object-nature of the information, so you'll have to massage the data either when you export or when you import, or in-between. I tried simply storing the output in a file (out-file) and then importing it into a new variable (get-content) and the syntax was not understood by set-acl.
    Commented May 30, 2018 at 20:52
  • Ok, I think I've figured something out. Give me a few minutes to test.
    Commented May 30, 2018 at 21:03
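
A file-based variant of the SDDL procedure in the answer above, as an added example that is not part of the original answer or its comments. The function names `Export-FolderSddl` and `Import-FolderSddl`, the CSV layout and the CSV file name are assumptions made for illustration; it exports only the DACL (`'Access'`) rather than `'All'`, so owner and group on the target are left alone.

```powershell
# Added example, not from the original answer. Function names and the CSV
# layout (RelativePath, Sddl) are hypothetical, chosen for illustration.

function Export-FolderSddl {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$OutFile
    )
    $rootItem = Get-Item -LiteralPath $Root
    # The root itself plus every subdirectory beneath it.
    $dirs = @($rootItem) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)
    $dirs | ForEach-Object {
        [pscustomobject]@{
            # Relative path, so the root may live at a different location on the target.
            RelativePath = $_.FullName.Substring($rootItem.FullName.Length).TrimStart('\')
            # DACL only; the answer's 'All' would also carry owner and group.
            Sddl         = (Get-Acl -LiteralPath $_.FullName).GetSecurityDescriptorSddlForm('Access')
        }
    } | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8
}

function Import-FolderSddl {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$InFile
    )
    foreach ($row in Import-Csv -LiteralPath $InFile) {
        # The CSV decides which folders get which permissions, so treat it as
        # untrusted input: refuse entries that would climb out of $Root.
        if ($row.RelativePath -match '(^|\\)\.\.(\\|$)') {
            Write-Warning "Skipping path outside root: $($row.RelativePath)"
            continue
        }
        $target = if ($row.RelativePath) { Join-Path $Root $row.RelativePath } else { $Root }
        if (-not (Test-Path -LiteralPath $target -PathType Container)) {
            Write-Warning "Skipping missing directory: $target"
            continue
        }
        $acl = Get-Acl -LiteralPath $target
        $acl.SetSecurityDescriptorSddlForm($row.Sddl, 'Access')   # replace the DACL only
        Set-Acl -LiteralPath $target -AclObject $acl
    }
}

# Server A: Export-FolderSddl -Root D:\superuser-data -OutFile .\superuser-data-acl.csv
# Server B: Import-FolderSddl -Root D:\superuser-data -InFile  .\superuser-data-acl.csv
```

SDDL stores trustees as SIDs, so entries for domain accounts carry over between servers in the same domain, while entries for local accounts on Server A will not resolve on Server B. Keep the CSV somewhere only administrators can write, since whoever edits it controls the permissions that get applied.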
