I’m facing a problem at my workplace which I’m unable to resolve on my own. We have a shared folder where all employees can create files. However, we need to configure the folder so that all newly created files, including those in subfolders, become read-only after each day. The folder is hosted on a Windows 10-based machine.
I’ve found a basic Powershell script that can make all files in a folder read-only:
$folderPath = 'C:\TestFolder'
Get-ChildItem -Path $folderPath -Recurse -File | % { $_.IsReadOnly=$True }`
The Powershell script is executed from an admin account, resulting in only the admin being able to modify the files in the shared folder. This also means that users are unable to edit any files once the script is run each day. The cycle repeats every day, with new files created by users being automatically set to read-only on the following day.
I’m seeking suggestions on how to implement these file permissions using Powershell.
Here’s the algorithm I’ve devised for the script:
- Locate all files in a recursive manner.
- Set them to read-only.
- Remove user access to modify any file found.
- Ensure that users still have access to create new files and view existing ones.
Any suggestions or recommendations on how to improve this algorithm are greatly appreciated!
2 Answers
Introduction
In a company, it’s common to have shared folders where multiple users can create and access files. However, in some cases, it’s necessary to restrict access to those files after a certain period of time. In this blog post, we’ll discuss how to change the permissions of created files using PowerShell.
We’ll explore a scenario where a company has a public folder where users can create files, but those files need to be configured in a way that they become read-only after a certain period of time. We’ll provide a PowerShell script that can be used to accomplish this task.
Locating Files Recursively
The first step in our PowerShell script is to locate all files recursively. We can use the Get-ChildItem cmdlet to achieve this. The cmdlet retrieves all items in a specified location, including files and folders. The -Path parameter specifies the location to search for files, and the -Recurse parameter specifies that the search should be conducted recursively.
$folderPath = 'C:TestFolder'
Get-ChildItem -Path $folderPath -Recurse -File
This command will retrieve all files in the C:TestFolder directory and its subdirectories. The next step is to make these files read-only.
Making Files Read-Only
To make the files read-only, we’ll use the IsReadOnly property of the files retrieved by the Get-ChildItem cmdlet. We’ll set this property to $True for each file.
$folderPath = 'C:TestFolder'
Get-ChildItem -Path $folderPath -Recurse -File | % { $_.IsReadOnly=$True }
The % symbol is an alias for the ForEach-Object cmdlet, which applies a command to each object in a collection. In this case, we’re setting the IsReadOnly property of each file to $True.
Removing User Access to Modify Files
The next step is to remove user access to modify any file found. We can use the Set-Acl cmdlet to accomplish this. The cmdlet sets the access control list (ACL) for a file or directory.
$folderPath = 'C:TestFolder'
$acl = Get-Acl $folderPath
$acl.SetAccessRuleProtection($True, $False)
Get-ChildItem -Path $folderPath -Recurse -File | % { $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Users", "ReadAndExecute", "Allow"))) }
Set-Acl $folderPath $acl
The first line retrieves the current ACL for the C:TestFolder directory. The second line sets the ACL to be protected, which prevents any new access rules from being added to the ACL. The third line retrieves all files in the C:TestFolder directory and its subdirectories and sets a new access rule for each file. The access rule allows the Users group to read and execute the file but not modify it. The fourth line sets the new ACL for the C:TestFolder directory.
Keeping Access to Create and View Files
Finally, we want to keep access to users to create new files and view current ones. To do this, we’ll set a new access rule that allows the Users group to create and write files in the C:TestFolder directory.
$folderPath = 'C:TestFolder'
$acl = Get-Acl $folderPath
$acl.SetAccessRuleProtection($True, $False)
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users", "CreateFiles", "Allow")
$acl.SetAccessRule($accessRule)
Set-Acl $folderPath $acl
The first three lines are the same as before. The fourth line creates a new access rule that allows the Users group to create files in the C:TestFolder directory. The fifth line sets the new access rule for the C:TestFolder directory.
Conclusion
In this blog post, we discussed how to change the permissions of created files using PowerShell. We explored a scenario where a company has a public folder where users can create files, but those files need to become read-only after a certain period of time. We provided a PowerShell script that can be used to accomplish this task.
The script locates all files recursively, makes them read-only, removes user access to modify any file found, and keeps access to users to create new files and view current ones. With this script, a company can ensure that sensitive files are protected while still allowing users to create and access them.
In Powershell, it is possible to specify files that are dated before a certain date by using the following syntax:
Get-ChildItem -Path $folderPath -Recurse -File |
Where-Object CreationTime -lt (get-date).AddDays(-1) |
% { $_.IsReadOnly=$True }
It’s important to also modify the file owner property or their permissions, as the owner typically has the ability to revert permissions back to read/write. You can confirm these changes have taken effect either by using the file explorer interface or by running the command Get-Acl \path\to\file.ext
.