Thanks for reading this wall of text anyways.
My scenario:
I have a mega-folder called Projects. Every subfolder is a different project. So, for example, I have Projects\N123456 - New Coca Cola.
Now, the folder N123456blabla has a set of subfolders, each one (or almost) with specific permissions not inherited from the "mother" N123456blabla folder.
Let's suppose that access to the base folder N123456 is allowed to an AD group called "internal_users" with specific permissions. There are then some subfolders
SUB-A
SUB-B
SUB-C
SUB-D
SUB-E
etc.
Those subfolders have other subfolders that have other subfolders and so on, but let's keep this "clean" in order to better explain the issue. Each SUB folder has specific permissions: for example, SUB-A has the "internal_users" group in read only and the "project_management" group with r/w rights.
Quite a common scenario, I would say. Now the question.
Let's suppose that I have to add a new group in the parent project folder N123456 called "external_users". This group has to be added also in every subfolder where the "internal_users" group is already in (remember, most subfolders don't inherit permissions) and it should have the same permissions that the already existing "internal_users" group has in that specific folder.
In order not to edit every project folder (and subfolders) permissions manually, is there a way to achieve this in a more or less automated way?
In short, the script should query the folder N123456 and subfolders to see if the group "internal_users" is applied somewhere. If it is, it should add to the "affected" folders the "external_users" group with the same permissions that the existing "internal_users" group has in that specific folder. For example, if the N123456 parent has "internal_users" in read only, it should add "external_users" in read only. If SUB-B has "internal_users" in r/w, it should add "external_users" in r/w. If SUB-C has no group called "internal_users" in it, the folder is simply skipped. And so on.
Do you think it can be done somehow?
For new projects this is a non-issue because I changed my template to create the empty structure with an additional "ghost" empty AD group that I then replace with the correct one via icacls editing the SID, but I cannot do this with old projects, because this time I have to add group/groups and not simply replace existing ones.
Edit: one thing I just thought of is to export the folders' permissions structure into a .csv, then edit the .csv to add the group(s) I need and import it back. But I have no idea how, in Excel, to mass duplicate only the rows containing a certain text in one column while changing the text of one column (the column with the name of the group) of the duplicated rows.
Edit 2: since it’s not possible to do it with icacls (there’s just no way to simply add a group to the exported icacls txt file even knowing the SID) I thought about this:
- I export the permissions structure of the folder and subfolders into a .csv file.
- Now, since I have to go in addition and “luckily” enough the new groups I have to add will have the same permissions as the existing ones, I create a copy of the .csv file.
- I edit the copy by finding and replacing the “internal_users” group with the “external_users” group.
- I copy-paste ALL the rows of the copy file into the original file.
- I will then also have a lot of useless duplicate rows, but I will use the N++ function to delete them.
- Now I should have a new .csv file with the original permissions plus the new ones.
- In theory all that is left to do is import back the .csv into the original folder.
This leads to a new question: how do I export the folders' permissions into a .csv and how can I import the file back after editing, OVERWRITING the actual permissions? I found a lot of ways to export the permissions structure but I didn’t understand well how I can import it back after editing.
It’s still a lot of manual work, but WAY less than editing every single project folder and subfolders one by one.
Thanks!
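
The behaviour asked for above (copy every explicit "internal_users" entry to "external_users", folder by folder, and skip folders where the group is absent) can be done directly on the ACLs with Get-Acl and Set-Acl instead of a CSV round trip. This is an added example, not part of the original post; the CONTOSO domain prefix, the D:\ drive letter and the function name Copy-GroupAce are assumptions.

```powershell
# Added example. Assumed names: Copy-GroupAce, CONTOSO, D:\ drive.
function Copy-GroupAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Root,         # project folder to walk
        [Parameter(Mandatory)] [string] $SourceGroup,  # group whose entries are copied
        [Parameter(Mandatory)] [string] $NewGroup      # group that receives the copies
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Resolve both names once; this throws early if either group does not exist.
    $srcSid = ([System.Security.Principal.NTAccount]$SourceGroup).Translate($sidType)
    $newSid = ([System.Security.Principal.NTAccount]$NewGroup).Translate($sidType)

    # The root folder itself plus every subfolder below it.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName
            # Explicit entries only ($true, $false): an inherited entry is covered
            # by the copy made on the folder it is inherited from.
            $rules = @($acl.GetAccessRules($true, $false, $sidType) |
                       Where-Object { $_.IdentityReference.Value -eq $srcSid.Value })
            if ($rules.Count -eq 0) { continue }   # group not set here: skip folder

            foreach ($r in $rules) {
                # Same rights, inheritance, propagation and Allow/Deny type.
                $copy = [System.Security.AccessControl.FileSystemAccessRule]::new(
                    $newSid, $r.FileSystemRights, $r.InheritanceFlags,
                    $r.PropagationFlags, $r.AccessControlType)
                $acl.AddAccessRule($copy)
            }
            if ($PSCmdlet.ShouldProcess($folder.FullName, "Add $NewGroup")) {
                Set-Acl -LiteralPath $folder.FullName -AclObject $acl
            }
        }
        catch {
            # Report folders that could not be read or written and keep going.
            Write-Warning "$($folder.FullName): $_"
        }
    }
}

# Dry run first; remove -WhatIf to apply.
# Copy-GroupAce -Root 'D:\Projects\N123456 - New Coca Cola' `
#     -SourceGroup 'CONTOSO\internal_users' -NewGroup 'CONTOSO\external_users' -WhatIf
```

Existing entries for other groups are left untouched, and running the function a second time does not create duplicate entries, because AddAccessRule merges a rule that is already present.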