KurtDeGreeff · March 7, 2019 12:52
diff --git a/ntfspermissions.ps1 b/ntfspermissions.ps1
 #First, show the script which directory
 $directory = "\\<HOST>\<Dir>\"

 #[Optional!] Inside the directory defined above filter for folders you want to check
 $folders = Get-ChildItem $Directory -Directory | Where-Object { $_.Name -like "XXXX??" }

 #now go through each folder in that directory
 foreach ($folder in $folders)
 {
    Write-Host $folder
    
    #define model AD groups you want to check your folders against
    $test1 = @{ Account = "<domain>\<prefix>_" + $folder + "_read" }
    $test2 = @{ Account = "<domain>\<prefix>_" + $folder + "_write" }
    $test3 = @{ Account = "BUILTIN\Administrators" }
    
    #get that folder's groups
    $groups = Get-NTFSAccess -Path $directory$folder | Select-Object -Property Account
    $counter = 0
        
 	#go through each of the folder's groups and check if they match any of those you have defined above
 	foreach ($group in $groups)
        {
            if ($group.Account -like $test1.Account){
                $counter++}
            elseif ($group.Account -like $test2.Account){
                $counter++}
            elseif ($group.Account -like $test3.Account){
                $counter++}
            else {
                Write-Host "Not a single match"
            }
        }

    #[optional] write to standard output how many groups the folder has   
    Write-Host $counter

    #define what should be done according to each possible scenario
    #scenario 1: the folder has the admin group but is missing his two folder-specific ones
    if ($counter -eq 1) {
    Write-Host "you should add groups!"
    
        #try adding the two missing folder-specific groups
        try {
            Add-NTFSAccess -Path $directory$folder -Account $test1.Account -AccessRights ReadAndExecute -AppliesTo ThisFolderSubfoldersAndFiles
            Add-NTFSAccess -Path $directory$folder -Account $test2.Account -AccessRights Modify -AppliesTo ThisFolderSubfoldersAndFiles
        }
        #in case adding those folder-specific groups doesn't work you want to be notified
 	catch {
            "Oops, something went wrong..."
        }
    }

    #scenario 2: the folder has all three groups, do nothing in that case
    elseif ($counter -eq 3) {
    Write-Host "do nothing"
    }

    #scenario 3: the folder has more or less groups, in that case a closer look is needed
    else {
    Write-Host "Something else should be done here"
    }
 }
	#First, show the script which directory
	$directory = "\\<HOST>\<Dir>\"

	#[Optional!] Inside the directory defined above filter for folders you want to check
	$folders = Get-ChildItem $Directory -Directory \| Where-Object { $_.Name -like "XXXX??" }

	#now go through each folder in that directory
	foreach ($folder in $folders)
	{
	Write-Host $folder

	#define model AD groups you want to check your folders against
	$test1 = @{ Account = "<domain>\<prefix>_" + $folder + "_read" }
	$test2 = @{ Account = "<domain>\<prefix>_" + $folder + "_write" }
	$test3 = @{ Account = "BUILTIN\Administrators" }

	#get that folder's groups
	$groups = Get-NTFSAccess -Path $directory$folder \| Select-Object -Property Account
	$counter = 0

	#go through each of the folder's groups and check if they match any of those you have defined above
	foreach ($group in $groups)
	{
	if ($group.Account -like $test1.Account){
	$counter++}
	elseif ($group.Account -like $test2.Account){
	$counter++}
	elseif ($group.Account -like $test3.Account){
	$counter++}
	else {
	Write-Host "Not a single match"
	}
	}

	#[optional] write to standard output how many groups the folder has
	Write-Host $counter

	#define what should be done according to each possible scenario
	#scenario 1: the folder has the admin group but is missing his two folder-specific ones
	if ($counter -eq 1) {
	Write-Host "you should add groups!"

	#try adding the two missing folder-specific groups
	try {
	Add-NTFSAccess -Path $directory$folder -Account $test1.Account -AccessRights ReadAndExecute -AppliesTo ThisFolderSubfoldersAndFiles
	Add-NTFSAccess -Path $directory$folder -Account $test2.Account -AccessRights Modify -AppliesTo ThisFolderSubfoldersAndFiles
	}
	#in case adding those folder-specific groups doesn't work you want to be notified
	catch {
	"Oops, something went wrong..."
	}
	}

	#scenario 2: the folder has all three groups, do nothing in that case
	elseif ($counter -eq 3) {
	Write-Host "do nothing"
	}

	#scenario 3: the folder has more or less groups, in that case a closer look is needed
	else {
	Write-Host "Something else should be done here"
	}
	}