3.

6 Renaming Files
The Rename-Item cmdlet enables you to change the name of an object while leaving its content intact. It’s
not possible to move items with the Rename-Item command; for that functionality, you should use the
Move-Item cmdlet as described above.

The following command renames a file:

Rename-Item -Path "\\fs\Shared\temp.txt" -NewName "new_temp.txt"

To rename multiple files at once, use a script like this:

$files = Get-ChildItem -Path C:\Temp #create list of files

foreach ($file in $files)
{
$newFileName=$file.Name.Replace("A","B") #replace "A" with "B"
Rename-Item $file $newFileName
}

3.7 Setting File and Folder Permissions

In order to implement a least-privilege model, which is a best practice for system security, IT security
specialists and system administrators configure NTFS access control lists (ACLs) by adding access control
entries (ACEs) on NTFS file servers. There are both basic and advanced NTFS permissions. You can set each
of the permissions to “Allow” or “Deny”. You can find all these user permissions by running the following
PowerShell script:

[system.enum]::getnames([System.Security.AccessControl.FileSystemRights])

If you’re not familiar with NTFS permissions management, check out this NTFS Permissions
Management Best Practice guide.

The PowerShell set-acl cmdlet is used to change the security descriptor of a specified item, such as a file,
folder or a registry key; in other words, it is used to modify file or folder permissions. The following script sets
the “FullControl” permission to “Allow” for the user “ENTERPRISE\T.Simpson” to the folder “Sales”:

33
 $acl = Get-Acl \\fs1\shared\sales
$AccessRule = New-Object
System.Security.AccessControl.FileSystemAccessRule("ENTERPRISE\T.Simpson","FullControl","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl \\fs1\shared\sales

Note that the SetAccessRule parameter completely overwrites the permissions for a user or group, so you
can change folder permissions using this parameter. If you just want to add permissions, use the
AddAccessRule parameter instead. For instance, the following script adds the “FullControl” permission for
the “ENTERPRISE\J.Carter” user account to the “Accounting” folder:

$acl = Get-Acl \\fs1\shared\Accounting

$AccessRule = New-Object
System.Security.AccessControl.FileSystemAccessRule("ENTERPRISE\J.Carter","FullControl","Allow")
$acl.AddAccessRule($AccessRule)
$acl | Set-Acl \\fs1\shared\Accounting

Here are the other permissions you can assign to users or security groups:

Access Right Access Right’s Name in PowerShell

Full Control FullControl

Traverse Folder / Execute File ExecuteFile

List Folder / Read Data ReadData

Read Attributes ReadAttributes

Read Extended Attributes ReadExtendedAttributes

Create Files / Write Data CreateFiles

Create Folders / Append Data AppendData

Write Attributes WriteAttributes

Write Extended Attributes WriteExtendedAttributes

Delete Subfolders and Files DeleteSubdirectoriesAndFiles

Delete Delete

Read Permissions ReadPermissions

Change Permissions ChangePermissions

Take Ownership TakeOwnership

34
There are also sets of basic access rights that can be applied:

Access Rights Set Rights Included in the Set Name of the Set in PowerShell

Read List Folder / Read Data Read

Read Attributes

Read Extended Attributes

Read Permissions

Write Create Files / Write Data Write

Create Folders / Append Data

Write Attributes

Write Extended Attributes

Read and Execute Traverse folder / Execute File ReadAndExecute

List Folder / Read Data

Read Attributes

Read Extended Attributes

Read Permissions

Modify Traverse folder / Execute File Modify

List Folder / Read Data

Read Attributes

Read Extended Attributes

Create Files / Write Data

Create Folders / Append Data

Write Attributes

Write Extended Attributes

Delete

Read Permissions

35
To copy permissions, a user must own both the source and target folders. The following command will copy
the permissions from the “Accounting” folder to the “Sales” folder:

get-acl \\fs1\shared\accounting | Set-Acl \\fs1\shared\sales

If you want to get a list of NTFS permissions via PowerShell, you can follow this easy how-to about
exporting NTFS permissions to CSV.

3.8 Removing User Permissions

To remove permissions, use the RemoveAccessRule parameter. Let’s delete the “Allow FullControl”
permission for T.Simpson to the “Sales” folder:

$acl = Get-Acl \\fs1\shared\sales

$AccessRule = New-Object
System.Security.AccessControl.FileSystemAccessRule("ENTERPRISE\T.Simpson","FullControl","Allow")
$acl.RemoveAccessRule($AccessRule)
$acl | Set-Acl \\fs1\shared\sales

Note that RemoveAccessRule deletes only specific permissions. To completely wipe T.Simpson’s
permissions to the “Sales” folder, use the PurgeAccessRules command:

$acl = Get-Acl \\fs1\shared\sales

$usersid = New-Object System.Security.Principal.Ntaccount ("ENTERPRISE\T.Simpson")
$acl.PurgeAccessRules($usersid)
$acl | Set-Acl \\fs1\shared\sales

Note that PurgeAccessRules doesn’t work with a string user name; it works only with SIDs. Therefore, we
used the “Ntaccount” class to convert the user account name from a string into a SID. Also note that
PurgeAccessRules works only with explicit permissions; it does not purge inherited ones.

36
3.9 Enabling and Disabling Permissions Inheritance
NTFS permissions can be either explicit or inherited. Explicit permissions are permissions that are
configured individually, while inherited permissions are inherited from the parent folder. The hierarchy for
permissions is as follows:

Explicit Deny

Explicit Allow

Inherited Deny

Inherited Allow

To manage inheritance, we use the SetAccessRuleProtection method. It has two parameters:

The first parameter is responsible for blocking inheritance from the parent folder. It has two states:
“$true” and “$false”.

The second parameter determines whether the current inherited permissions are retained or removed.
It has the same two states: “$true” and “$false”.

Let’s disable inheritance for the “Sales” folder and delete all inherited permissions as well:

$acl = Get-Acl \\fs1\shared\sales

$acl.SetAccessRuleProtection($true,$false)
$acl | Set-Acl \\fs1\shared\sales

All inherited permissions were removed; only access permissions added explicitly are left.

Let’s revert this change and re-enable inheritance for the “Sales” folder:

$acl = Get-Acl \\fs1\shared\sales

$acl.SetAccessRuleProtection($false,$true)
$acl | Set-Acl \\fs1\shared\sales

37
3.10 Changing File and Folder Ownership
If you want to set an owner for a folder, you need to run the SetOwner method. Let’s make
“ENTERPRISE\J.Carter” the owner of the “Sales” folder:

$acl = Get-Acl \\fs1\shared\sales

$object = New-Object System.Security.Principal.Ntaccount("ENTERPRISE\J.Carter")
$acl.SetOwner($object)
$acl | Set-Acl \\fs1\shared\sales

Notice that we again used the Ntaccount class to convert the user account name from a string into a SID.

Note that the SetOwner method does not enable you to change the owner to any account you want; the
account must have the “Take Ownership”, “Read” and “Change Permissions” rights.

38
4. Automating PowerShell Scripts
Now let’s explore you how to create scheduled tasks using PowerShell scripts and Microsoft Windows Task
Scheduler.

4.1 Creating Scheduled Tasks with PowerShell Scripts

Suppose that each day at 10 AM, we want to execute a PowerShell script that monitors changes to group
membership in an Active Directory site.

In Windows Powershell 2.0 (Windows 7 or Windows Server 2008 R2), to create a scheduled job, you must use
the Task Scheduler module. Install the module by running the Import-Module TaskScheduler command,
and then use the following script to create a task that will execute the PowerShell script named
“GroupMembershipChanges.ps1” daily at 10 AM:

Import-Module TaskScheduler $task = New-Task

$task.Settings.Hidden = $true
Add-TaskAction -Task $task -Path C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
–Arguments “-File C:\Scripts\GroupMembershipChanges.ps1”
Add-TaskTrigger -Task $task -Daily -At “10:00”
Register-ScheduledJob –Name ”Monitor Group Management” -Task $task

Windows PowerShell 3.0 and 4.0 (Windows Server 2012 R2 and above) don’t include the Task Scheduler
module, so this script will not work. Instead, PowerShell 3.0 and 4.0 include new cmdlets for creating
scheduled tasks, New-ScheduledTaskTrigger and Register-ScheduledTask, which make creating a
scheduled task much easier and more convenient. So let’s create a task that will execute our script daily at
10 AM using the system account (SYSTEM), which has elevated privileges:

$Trigger= New-ScheduledTaskTrigger -At 10:00am –Daily # Specify the trigger settings

$User= "NT AUTHORITY\SYSTEM" # Specify the account to run the script
$Action= New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "C:\PS\StartupScript.ps1"
# Specify what program to run and its parameters
Register-ScheduledTask -TaskName "MonitorGroupMembership" -Trigger $Trigger -User $User
-Action $Action -RunLevel Highest –Force # Specify the name of the task

39
Other trigger options that could be useful in creating new tasks include:

-AtStartup — Triggers the task at Windows startup.

-AtLogon — Triggers the task when the user signs in.

-Once — Triggers the task once. You can set a repetition interval using the –RepetitionInterval parameter.

-Weekly — Triggers the task once a week.

Note that, it is not possible to trigger execution “on an event” using these cmdlets; PowerShell scripts with
“on an event” triggers are much more complicated. However, it is possible to do so with the Task Scheduler
tool, so this is a real disadvantage of using PowerShell rather than Task Scheduler.

4.2 Running PowerShell Scripts with Task Scheduler

Task Scheduler can help you automatically launch a program or PowerShell script at a certain time or when
certain conditions are met. You can also schedule sending emails and even displaying certain messages.

To create a task, open Task Scheduler by pressing “Windows+R” and typing taskschd.msc in the window that
opens. Then take the following steps:

1. Click Create a task and enter a name and description for the new task. To run the program with
administrator privileges, check the Run with the highest privileges box. In our example, we’ll assign a
service account to run the task and run it regardless of whether the user is logged on.

40