Contact us on: +44 (0)1432 617 006

The Site Doctor Blog

Footprints in the snow of a warped mind

< Back to Blog

How To: Quickly Set Umbraco File and Folder Permissions with PowerShell

In 2010 I blogged about how to set Umbraco folder permissions using PowerShell. This has been a really handy snippet -but it's always been a bit of a pain when dealing with new servers, remembering where SetFolderPermission.ps1 is, creating missing (old) folders and not setting the permissions on the web.config correctly.

So today I bring you an updated script which is pretty much copy/paste -and it also sets the permissions on the web.config correctly!

The permissions set are as per the current Umbraco File and folder permissions documentation.

All you need to do is replace "## PATH TO YOUR INSTALL HERE##" with the full path to your Umbraco install i.e. "c:\inetpub\wwwroot". I would recommend setting the permissions on the user to the app pool's username or IIS_IUSRS but if you must, use NETWORK SERVICE as a last resort. Enjoy!

Copy/Paste One Line Snippet To Set Umbraco 7 File/Folder Permissions

$Websitefolder="## PATH TO YOUR INSTALL HERE##"; $GrantAccessTo="IIS_IUSRS"; Get-ChildItem -path $Websitefolder | Where { $_.name -eq "App_Code" -or $_.name -eq "App_Data" -or $_.name -eq "Bin" -or $_.name -eq "Config" -or $_.name -eq "Css" -or $_.name -eq "MacroScripts" -or $_.name -eq "Masterpages" -or $_.name -eq "Media" -or $_.name -eq "Scripts" -or $_.name -eq "Umbraco" -or $_.name -eq "Umbraco_client" -or $_.name -eq "UserControls" -or $_.name -eq "Views" -or $_.name -eq "Xslt" -or $_.name -eq "web.config" } | ForEach {$Path = $_.Fullname; $Permission = "Modify"; $GetACL = Get-Acl $Path; if ($_.PSIsContainer){; Write-Host "Is folder, setting InheritanceFlags: $Path" -ForegroundColor Cyan		; $Allinherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"; $Allpropagation = [system.security.accesscontrol.PropagationFlags]"None"; $AccessRule = New-Object system.security.AccessControl.FileSystemAccessRule($GrantAccessTo, $Permission, $AllInherit, $Allpropagation, "Allow"); }else{; $AccessRule = New-Object system.security.AccessControl.FileSystemAccessRule($GrantAccessTo, $Permission, "Allow"); }; if ($GetACL.Access | Where { $_.IdentityReference -eq $GrantAccessTo}) {; Write-Host "Modifying Permissions For: $GrantAccessTo On: $Path" -ForegroundColor Yellow; $AccessModification = New-Object system.security.AccessControl.AccessControlModification; $AccessModification.value__ = 2; $Modification = $False; $GetACL.ModifyAccessRule($AccessModification, $AccessRule, [ref]$Modification) | Out-Null; } else {; Write-Host "Adding Permission: $Permission For: $GrantAccessTo On: $Path"; $GetACL.AddAccessRule($AccessRule); }; Set-Acl -aclobject $GetACL -Path $Path; Write-Host "Permission: $Permission Set For: $GrantAccessTo" -ForegroundColor Green; }

Complete Script

In case you want to see what's going on (or recommend improvements -I'm all ears!) here's a slightly more formatted script

$Websitefolder="## PATH TO YOUR INSTALL HERE##";
$GrantAccessTo="IIS_IUSRS";
Get-ChildItem -path $Websitefolder 
| Where { 
	    $_.name -eq "App_Code" 
	-or $_.name -eq "App_Data" 
	-or $_.name -eq "Bin" 
	-or $_.name -eq "Config" 
	-or $_.name -eq "Css" 
	-or $_.name -eq "MacroScripts" 
	-or $_.name -eq "Masterpages" 
	-or $_.name -eq "Media" 
	-or $_.name -eq "Scripts" 
	-or $_.name -eq "Umbraco" 
	-or $_.name -eq "Umbraco_client" 
	-or $_.name -eq "UserControls" 
	-or $_.name -eq "Views" 
	-or $_.name -eq "Xslt" 
	-or $_.name -eq "web.config" 
} 
| ForEach {
	$Path = $_.Fullname
	$Permission = "Modify"
	$GetACL = Get-Acl $Path

	if ($_.PSIsContainer){
		Write-Host "Is folder, setting InheritanceFlags: $Path" -ForegroundColor Cyan
		
		$Allinherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
		$Allpropagation = [system.security.accesscontrol.PropagationFlags]"None"
		$AccessRule = New-Object system.security.AccessControl.FileSystemAccessRule($GrantAccessTo, $Permission, $AllInherit, $Allpropagation, "Allow")
	}else{
		$AccessRule = New-Object system.security.AccessControl.FileSystemAccessRule($GrantAccessTo, $Permission, "Allow")
	}	

	if ($GetACL.Access | Where { $_.IdentityReference -eq $GrantAccessTo}) {
		Write-Host "Modifying Permissions For: $GrantAccessTo On: $Path" -ForegroundColor Yellow

		$AccessModification = New-Object system.security.AccessControl.AccessControlModification
		$AccessModification.value__ = 2
		$Modification = $False
		$GetACL.ModifyAccessRule($AccessModification, $AccessRule, [ref]$Modification) | Out-Null
	} else {
		Write-Host "Adding Permission: $Permission For: $GrantAccessTo On: $Path"

		$GetACL.AddAccessRule($AccessRule)
	}

	Set-Acl -aclobject $GetACL -Path $Path

	Write-Host "Permission: $Permission Set For: $GrantAccessTo" -ForegroundColor Green
}

Liked this post? Got a suggestion? Leave a comment