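function Set-FileSystemPermission {
    <#
    .SYNOPSIS
        Adds one Allow access rule for an identity to the ACL of a file or folder.
    .DESCRIPTION
        Reads the ACL of $Path, appends an Allow ACE for $Identity with the requested
        $Permission and inheritance flags, and writes the ACL back. With -BreakInheritance
        the object's DACL is first disconnected from its parent and every inherited ACE is
        discarded, so the rule added here is the only explicit entry until further calls add more
        (i.e. the first call on a freshly protected folder should grant an administrative identity).
    .PARAMETER Path
        File or folder whose ACL is modified. Used literally, no wildcard expansion.
    .PARAMETER Identity
        Account the rule is granted to, as an NT account name (for example the value returned by
        Translate-SidToNTAccount).
    .PARAMETER Permission
        FileSystemRights to grant: FullControl, ListDirectory or ReadAndExecute.
    .PARAMETER Inheritance
        InheritanceFlags of the rule. Forced to ContainerInherit when Permission is ListDirectory.
    .PARAMETER BreakInheritance
        Disable inheritance on the object and drop all inherited ACEs before adding the rule.
    .OUTPUTS
        None. Failures are reported with Write-Error and do not throw.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path,

        [Parameter(Mandatory = $true)]
        [string] $Identity,

        [Parameter(Mandatory = $true)]
        [ValidateSet('FullControl', 'ListDirectory', 'ReadAndExecute')]
        [string] $Permission,

        [ValidateSet('ContainerInherit, ObjectInherit', 'ContainerInherit', 'ObjectInherit', 'None')]
        $Inheritance = 'ContainerInherit, ObjectInherit',

        [switch] $BreakInheritance
    )

    # ListDirectory only makes sense on containers, so that rule is never inherited by files.
    $flags = if ($Permission -eq 'ListDirectory') { 'ContainerInherit' } else { $Inheritance }

    try {
        # -LiteralPath: names containing '[' or ']' must not be expanded as wildcards.
        # -ErrorAction Stop: Get-Item/Get-Acl/Set-Acl errors are non-terminating by default and
        # would otherwise bypass the catch blocks below.
        Get-Item -LiteralPath $Path -ErrorAction Stop | ForEach-Object {
            $target = $_.FullName
            $acl = Get-Acl -LiteralPath $target -ErrorAction Stop

            # FileSystemAccessRule(identity, rights, inheritanceFlags, propagationFlags, type):
            #   $Identity   - account the ACE is granted to
            #   $Permission - FileSystemRights to grant
            #   $flags      - which child objects inherit the ACE
            #   'None'      - PropagationFlags: the ACE applies to $Path itself and is inherited
            #                 without InheritOnly/NoPropagateInherit restrictions
            #   'Allow'     - AccessControlType
            $aclRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Permission, $flags, 'None', 'Allow'

            if ($BreakInheritance) {
                # (isProtected = $true, preserveInheritance = $false): cut the link to the
                # parent and discard, rather than copy, the inherited ACEs.
                $acl.SetAccessRuleProtection($true, $false)
            }
            $acl.AddAccessRule($aclRule)

            try {
                Set-Acl -LiteralPath $target -AclObject $acl -ErrorAction Stop
            }
            catch {
                # Inside catch, $_ is the error record, so the file name comes from $target.
                Write-Error "Failed to set permissions for file '$target' with error: $_"
            }
        }
    }
    catch {
        Write-Error "Failed to traverse the path '$Path' with error: $_"
    }
}

function Translate-SidToNTAccount {
    <#
    .SYNOPSIS
        Converts a SID string (for example 'S-1-5-18') to its 'DOMAIN\Name' account name.
    .PARAMETER SID
        Security identifier in string (SDDL) form. Accepted positionally or from the pipeline
        by property name.
    .OUTPUTS
        System.String - the NT account name as resolved on this machine (display names of
        built-in accounts may be localized).
    .NOTES
        Throws System.Security.Principal.IdentityNotMappedException when the SID cannot be
        resolved. List of well-known SIDs:
        https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
    #>
    param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, Position = 0)]
        [string] $SID
    )

    # A process block is needed so every pipeline item is translated, not only the last one.
    process {
        $pSID = [System.Security.Principal.SecurityIdentifier]$SID
        $pSID.Translate([System.Security.Principal.NTAccount]).Value
    }
}

<#
#region folders
$nameOrg = 'Zabbix'
$nameProduct = 'Agent2'
$fOrg = Join-Path $env:ProgramData $nameOrg
$fProduct = Join-Path $fOrg $nameProduct
$fInstaller = Join-Path $fOrg installer

$folder = [ordered]@{
    Org       = $fOrg
    Installer = $fInstaller
    Product   = $fProduct
    Bin       = Join-Path $fProduct 'bin'
    Conf      = Join-Path $fProduct 'conf'
    ConfD     = Join-Path (Join-Path $fProduct 'conf') 'zabbix_agent2.d'
    Tls       = Join-Path $fProduct 'tls'
    Log       = Join-Path $fProduct 'log'
}

Remove-Item -Recurse $fOrg -Force -ErrorAction SilentlyContinue

foreach ($thisFolder in $folder.Values) {
    if (Test-Path $thisFolder) {
        Write-Verbose ('Path {0} already exists' -f $thisFolder)
    }
    else {
        New-Item -Path $thisFolder -ItemType Directory -ErrorAction Stop
    }
}
#endregion

# This is the well-known SID for the administrators group
$admins = (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544').Translate([System.Security.Principal.NTAccount]).Value
# This is a hard-coded string representing the SYSTEM account name
$system = "NT AUTHORITY\SYSTEM"
#users
$users = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-545').Translate([System.Security.Principal.NTAccount]).Value

# The three lookups below supersede the assignments above.
$admins = Translate-SidToNTAccount S-1-5-32-544
$users = Translate-SidToNTAccount S-1-5-32-545
$system = Translate-SidToNTAccount S-1-5-18

# Order matters: -BreakInheritance drops every inherited ACE, so the administrative
# rule is granted first and the remaining identities are added afterwards.
Set-FileSystemPermission -Path $fOrg -Identity $admins -Permission FullControl -BreakInheritance
Set-FileSystemPermission -Path $fOrg -Identity $system -Permission FullControl
Set-FileSystemPermission -Path $fOrg -Identity $users -Permission ListDirectory
Set-FileSystemPermission -Path ($folder['bin']) -Identity $users -Permission ReadAndExecute
#>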