The cNtfsAccessControl module contains DSC resources for NTFS access control management.
You can also download this module from the PowerShell Gallery.
This project is no longer actively maintained.
The cNtfsPermissionEntry DSC resource provides a mechanism to manage NTFS permissions.
Ensure: Set this property to Present (the default value) to ensure they exactly match what is provided through the AccessControlInformation property. If the AccessControlInformation property is not specified, the default permission entry is used as the reference permission entry. If this property is set to Absent and the AccessControlInformation property is not specified, all explicit permissions associated with the specified principal are removed.
AccessControlType: Allow or Deny access to the target item. The default value is Allow.
FileSystemRights: ReadAndExecute.
Inheritance: None, ThisFolderOnly, ThisFolderSubfoldersAndFiles (the default value), ThisFolderAndSubfolders, ThisFolderAndFiles, SubfoldersAndFilesOnly, SubfoldersOnly, FilesOnly.
NoPropagateInherit: Set this property to $true to ensure inheritance is limited only to those sub-objects that are immediately subordinate to the target item. The default value is $false.

The cNtfsPermissionsInheritance DSC resource provides a mechanism to manage NTFS permissions inheritance.
Enabled: Set this property to $false to ensure it is disabled. The default value is $true.
PreserveInherited: Set this property to $true to convert inherited permissions into explicit permissions. The default value is $false. Note: This property is only valid when the Enabled property is set to $false.

$true (#14). Special thanks to Scott Matthews (@mrhockeymonkey)!
Absent. Added an ability to remove specific permission entries.

This example shows how to use the cNtfsPermissionEntry DSC resource to assign NTFS permissions.
Configuration Sample_cNtfsPermissionEntry
{
    param
    (
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [String]
        $Path = (Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath ([Guid]::NewGuid().Guid))
    )

    Import-DscResource -ModuleName cNtfsAccessControl
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    File TestDirectory
    {
        Ensure = 'Present'
        DestinationPath = $Path
        Type = 'Directory'
    }

    # Ensure that a single permission entry is assigned to the local 'Users' group.
    cNtfsPermissionEntry PermissionSet1
    {
        Ensure = 'Present'
        Path = $Path
        Principal = 'BUILTIN\Users'
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'ReadAndExecute'
                Inheritance = 'ThisFolderSubfoldersAndFiles'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]TestDirectory'
    }

    # Ensure that multiple permission entries are assigned to the local 'Administrators' group.
    cNtfsPermissionEntry PermissionSet2
    {
        Ensure = 'Present'
        Path = $Path
        Principal = 'BUILTIN\Administrators'
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'Modify'
                Inheritance = 'ThisFolderOnly'
                NoPropagateInherit = $false
            }
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'ReadAndExecute'
                Inheritance = 'ThisFolderSubfoldersAndFiles'
                NoPropagateInherit = $false
            }
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'AppendData', 'CreateFiles'
                Inheritance = 'SubfoldersAndFilesOnly'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]TestDirectory'
    }

    # Ensure that all explicit permissions associated with the 'Authenticated Users' group are removed.
    cNtfsPermissionEntry PermissionSet3
    {
        Ensure = 'Absent'
        Path = $Path
        Principal = 'NT AUTHORITY\Authenticated Users'
        DependsOn = '[File]TestDirectory'
    }
}

$OutputPath = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath 'Sample_cNtfsPermissionEntry'
Sample_cNtfsPermissionEntry -OutputPath $OutputPath
Start-DscConfiguration -Path $OutputPath -Force -Verbose -Wait
This example shows how to use the cNtfsPermissionsInheritance DSC resource to disable NTFS permissions inheritance.
Configuration Sample_cNtfsPermissionsInheritance
{
    param
    (
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [String]
        $Path = (Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath ([Guid]::NewGuid().Guid))
    )

    Import-DscResource -ModuleName cNtfsAccessControl
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    File TestDirectory
    {
        Ensure = 'Present'
        DestinationPath = $Path
        Type = 'Directory'
    }

    # Disable NTFS permissions inheritance.
    cNtfsPermissionsInheritance DisableInheritance
    {
        Path = $Path
        Enabled = $false
        PreserveInherited = $true
        DependsOn = '[File]TestDirectory'
    }
}

$OutputPath = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath 'Sample_cNtfsPermissionsInheritance'
Sample_cNtfsPermissionsInheritance -OutputPath $OutputPath
Start-DscConfiguration -Path $OutputPath -Force -Verbose -Wait
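
A combination the two samples above do not show, as an added example that is not part of the cNtfsAccessControl project: removing one specific permission entry by setting Ensure to Absent together with AccessControlInformation, and disabling inheritance without converting the inherited entries. Ensure set to Absent covers explicit permissions only, so inherited access stays in place until inheritance is disabled. The configuration name, the resource instance names and the C:\ExampleData path are assumptions, and the directory is assumed to exist on the target node.

```powershell
# Added example, not part of the cNtfsAccessControl project.
# Assumption: $Path is an existing directory on the target node (constructed default).
Configuration Sample_RestrictDirectory
{
    param ([String] $Path = 'C:\ExampleData')

    Import-DscResource -ModuleName cNtfsAccessControl

    # Grant explicit access first, so the item stays manageable once inheritance is cut.
    cNtfsPermissionEntry AdministratorsFullControl
    {
        Ensure = 'Present'
        Path = $Path
        Principal = 'BUILTIN\Administrators'
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'FullControl'
                Inheritance = 'ThisFolderSubfoldersAndFiles'
            }
        )
    }

    # Ensure = 'Absent' with AccessControlInformation removes only the described entry.
    cNtfsPermissionEntry UsersRemoveModify
    {
        Ensure = 'Absent'
        Path = $Path
        Principal = 'BUILTIN\Users'
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'Modify'
                Inheritance = 'ThisFolderSubfoldersAndFiles'
            }
        )
    }

    # Disable inheritance and discard inherited entries instead of converting them.
    cNtfsPermissionsInheritance DropInherited
    {
        Path = $Path
        Enabled = $false
        PreserveInherited = $false
        DependsOn = '[cNtfsPermissionEntry]AdministratorsFullControl'
    }
}
```

Compile it with an -OutputPath and apply it with Start-DscConfiguration in the same way as the samples above.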