authorHans-Joachim Kliemeck <git@kliemeck.de>2015-10-21 22:43:42 +0200
committerHans-Joachim Kliemeck <git@kliemeck.de>2015-10-21 22:43:42 +0200
commitb03c7ebfa12c8b2b4877745e20aa286c9e4aa126 (patch)
tree43210aed99e2633bf61b20a95df3288cc050098a /windows/win_acl_inheritance.ps1
parent8de49a5deaa2827407183e8680007e922c19b5d6 (diff)
introduced state to differentiate between enabled/disabled inheritance. renamed copy to reorganize, since the meaning for inheritance=enabled is different
Diffstat (limited to 'windows/win_acl_inheritance.ps1')
-rw-r--r--windows/win_acl_inheritance.ps144
1 files changed, 35 insertions, 9 deletions
diff --git a/windows/win_acl_inheritance.ps1 b/windows/win_acl_inheritance.ps1
index 674180e3..35b6809d 100644
--- a/windows/win_acl_inheritance.ps1
+++ b/windows/win_acl_inheritance.ps1
@@ -26,7 +26,8 @@ $result = New-Object PSObject;
Set-Attr $result "changed" $false;
$path = Get-Attr $params "path" -failifempty $true
-$copy = Get-Attr $params "copy" "no" -validateSet "no","yes" -resultobj $result | ConvertTo-Bool
+$state = Get-Attr $params "state" "absent" -validateSet "present","absent" -resultobj $result
+$reorganize = Get-Attr $params "reorganize" "no" -validateSet "no","yes" -resultobj $result | ConvertTo-Bool
If (-Not (Test-Path -Path $path)) {
Fail-Json $result "$path file or directory does not exist on the host"
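Review bot: Renaming the `copy` option to `reorganize` without keeping the old name means an existing play that still passes `copy: yes` would fall back to the default `reorganize = no`, unless unknown options are rejected somewhere outside this hunk. For a module that rewrites ACLs, silently switching from "keep the inherited entries as explicit ones" to "drop them" changes who can reach the path. Consider failing loudly when the old name is supplied, for example `If ($params.copy) { Fail-Json $result "copy has been renamed to reorganize" }`, or reading `copy` as a fallback for one release.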
@@ -34,19 +35,44 @@ If (-Not (Test-Path -Path $path)) {
Try {
$objACL = Get-ACL $path
- $alreadyDisabled = !$objACL.AreAccessRulesProtected
+ $inheritanceEnabled = !$objACL.AreAccessRulesProtected
- If ($copy) {
- $objACL.SetAccessRuleProtection($True, $True)
- } Else {
- $objACL.SetAccessRuleProtection($True, $False)
- }
+ If (($state -eq "present") -And !$inheritanceEnabled) {
+ If ($reorganize) {
+ $objACL.SetAccessRuleProtection($True, $True)
+ } Else {
+ $objACL.SetAccessRuleProtection($True, $False)
+ }
- If ($alreadyDisabled) {
+ Set-ACL $path $objACL
Set-Attr $result "changed" $true;
}
+ Elseif (($state -eq "absent") -And $inheritanceEnabled) {
+ # second parameter is ignored if first=$False
+ $objACL.SetAccessRuleProtection($False, $False)
+
+ If ($reorganize) {
+ # convert explicit ACE to inherited ACE
+ ForEach($inheritedRule in $objACL.Access) {
+ If (!$inheritedRule.IsInherited) {
+ Continue
+ }
+
+ ForEach($explicitRrule in $objACL.Access) {
+ If ($inheritedRule.IsInherited) {
+ Continue
+ }
- Set-ACL $path $objACL
+ If (($inheritedRule.FileSystemRights -eq $explicitRrule.FileSystemRights) -And ($inheritedRule.AccessControlType -eq $explicitRrule.AccessControlType) -And ($inheritedRule.IdentityReference -eq $explicitRrule.IdentityReference) -And ($inheritedRule.InheritanceFlags -eq $explicitRrule.InheritanceFlags) -And ($inheritedRule.PropagationFlags -eq $explicitRrule.PropagationFlags)) {
+ $objACL.RemoveAccessRule($explicitRrule)
+ }
+ }
+ }
+ }
+
+ Set-ACL $path $objACL
+ Set-Attr $result "changed" $true;
+ }
}
Catch {
Fail-Json $result "an error occured when attempting to disable inheritance"
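Review bot: The two branch conditions look swapped relative to the calls they guard, assuming `state=present` means inheritance is enabled, as the commit message suggests. `SetAccessRuleProtection($True, …)` blocks inheritance but runs only when the ACL is already protected, and `SetAccessRuleProtection($False, $False)` runs only when inheritance is already on. Neither branch therefore changes the protection state, yet both set `changed`, so a play meant to cut a path off from its parent's permissions leaves it inheriting while reporting success. The conditions should read `If (($state -eq "absent") -And $inheritanceEnabled) {` and `Elseif (($state -eq "present") -And !$inheritanceEnabled) {`. Separately, the inner loop's guard re-tests `$inheritedRule.IsInherited`, which is always true there, so `RemoveAccessRule` is never reached; it should be `If ($explicitRrule.IsInherited) {`, and it is worth confirming that `$objACL.Access` lists inherited entries before `Set-ACL` is applied and the ACL re-read.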