personal-scripts/Set-AdGroupReadAccessFromCsv.ps1 at main · James-W-Draper/personal-scripts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
<#
.SYNOPSIS
Grants read-only NTFS permissions to a specified AD group across multiple folders listed in a CSV.

.DESCRIPTION
This script reads a list of folder paths from a CSV file and applies "Read and Execute" NTFS permissions
to a specified Active Directory group on each folder. It verifies and logs success or failure for each path.

.PARAMETER csvPath
The path to the input CSV file. The CSV must contain a column named 'Consolidated Server path'.

.PARAMETER outputCsvPath
The path to save the output report detailing success/failure and any errors.

.PARAMETER adGroup
The AD group to which permissions will be granted (DOMAIN\GroupName format).

.NOTES
- Requires administrative privileges
- Requires the folder paths to be accessible and writable
#>

# === CONFIGURATION ===
$csvPath = "C:\Scripts\ProjectFolders.csv"                     # <-- Path to the input CSV file
$outputCsvPath = "C:\Scripts\PermissionValidationReport.csv"   # <-- Path for export results
$adGroup = "DOMAIN\GroupName"                                  # <-- Replace with the AD group

# === BEGIN PROCESSING ===
$foldersList = Import-Csv $csvPath
$results = @()

foreach ($entry in $foldersList) {
    $folderPath = $entry.'Consolidated Server path'

    if (-not (Test-Path $folderPath)) {
        Write-Output "Folder does not exist: $folderPath"
        $results += [pscustomobject]@{
            'Folder Path'     = $folderPath
            'AD Group'        = $adGroup
            'Permission Set'  = "Failed"
            'Error Message'   = "Folder does not exist"
        }
        continue
    }

    try {
        $acl = Get-Acl $folderPath

        $permission = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $adGroup,
            "ReadAndExecute",
            "ContainerInherit,ObjectInherit",
            "None",
            "Allow"
        )

        $acl.AddAccessRule($permission)
        Set-Acl -Path $folderPath -AclObject $acl

        # Confirm permission was applied
        $acl = Get-Acl $folderPath
        $permissionApplied = $false

        foreach ($accessRule in $acl.Access) {
            if (
                $accessRule.IdentityReference -eq $adGroup -and
                ($accessRule.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadAndExecute) -ne 0
            ) {
                $permissionApplied = $true
                break
            }
        }

        $results += [pscustomobject]@{
            'Folder Path'     = $folderPath
            'AD Group'        = $adGroup
            'Permission Set'  = if ($permissionApplied) { "Success" } else { "Failed" }
        }

        Write-Output "[$(Get-Date -Format 'HH:mm:ss')] $($permissionApplied ? '✔️' : '❌') $folderPath"

    } catch {
        $results += [pscustomobject]@{
            'Folder Path'     = $folderPath
            'AD Group'        = $adGroup
            'Permission Set'  = "Error"
            'Error Message'   = $_.Exception.Message
            'Stack Trace'     = $_.Exception.StackTrace
        }

        Write-Warning "Error processing folder: $folderPath - $($_.Exception.Message)"
    }
}

# Export results to CSV
$results | Export-Csv -Path $outputCsvPath -NoTypeInformation
Write-Output "`n✅ Permission validation results exported to:`n$outputCsvPath"