<#====================================================================

Copyright © 2015, September. Michael Pomfret

Creates the Machine Translation Service

The following updates the local system file permissions.

====================================================================#>

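# All quotes and banner punctuation below are plain ASCII. Typographic quotes
# and dashes only parse correctly when the file is decoded with the encoding it
# was saved in, which is not guaranteed for a script copied from a web page.
#
# NOTE(review): changing ACLs under %windir% and %COMMONPROGRAMFILES% normally
# needs an elevated session - confirm how this script is launched.

Write-Host ''
Write-Host '==================================================================='
Write-Host 'SharePoint 2013 - Updating file permissions for the local system...'
Write-Host '==================================================================='
Write-Host ''

# Base locations taken from the environment. $ProgramFiles and $Systemdrive are
# not referenced below; they are kept in case code outside this listing uses them.
$ProgramFiles = ${env:ProgramFiles}
$CommonProgramFiles = ${env:COMMONPROGRAMFILES}
$Windir = ${env:windir}
$Systemdrive = ${env:systemdrive}
$AllUsersProfile = ${env:AllUsersProfile}

<#
.SYNOPSIS
Sets an explicit "Allow FullControl" rule for the System account on a directory.

.DESCRIPTION
Reads only the access (DACL) section of the directory's security descriptor,
sets one FileSystemAccessRule for "System" with inheritance flags
ContainerInherit,ObjectInherit, and writes the ACL back with Set-Acl.

SetAccessRule replaces any explicit Allow rules the same account already has in
that ACL. Rules for other accounts and inherited rules are left as they are.

Inheritance on the directory is NOT changed. Earlier revisions of this script
carried a "disable inheritance and clear permissions" step, but it was applied
to an ACL object that was thrown away before Set-Acl ran, so it never took
effect. Do not treat this script as a lock-down: after it runs, every other
principal keeps the access it had before.
NOTE(review): if real lock-down is wanted, SetAccessRuleProtection($True, $False)
would have to be called on the same object that is passed to Set-Acl. That drops
all inherited rules from the directory, so test it on a non-production farm first.

.PARAMETER FolderPath
Directory whose ACL is updated. A missing directory is skipped with a warning.

.PARAMETER PropagationFlags
Propagation flags for the rule. 'None' applies the rule to the directory and
its children. 'InheritOnly' applies it to children only, so the directory itself
gets no explicit System rule from this call.

.NOTES
Check the result with: (Get-Acl <path>).Access
NOTE(review): the account is resolved by the name "System"; confirm that this
resolves on localized Windows builds, or switch to the well-known SID.
#>
function Grant-SystemFullControl {
    param(
        [Parameter(Mandatory = $true)]
        [string] $FolderPath,

        [System.Security.AccessControl.PropagationFlags] $PropagationFlags = 'None'
    )

    # Skip cleanly instead of cascading null-reference errors when a directory
    # is absent on this server.
    if (-not (Test-Path -LiteralPath $FolderPath -PathType Container)) {
        Write-Warning "Skipping '$FolderPath': directory not found."
        return
    }

    # Fetch only the access rules; this is the object that is modified and
    # then written back.
    $Acl = (Get-Item -LiteralPath $FolderPath).GetAccessControl('Access')

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('System', 'FullControl', 'ContainerInherit,ObjectInherit', $PropagationFlags, 'Allow')

    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
}

# Each section below keeps the author's "Full control Yes/No" line. In this
# script "Yes" sections use PropagationFlags InheritOnly and "No" sections use
# None; the inheritance flags are ContainerInherit,ObjectInherit in both cases.
# NOTE(review): with InheritOnly the existing explicit System Allow rule on the
# directory itself is replaced by one that covers children only. Confirm that is
# the intended reading of "Yes", especially for %windir%\Temp.

# %AllUsersProfile%\Microsoft\SharePoint
# Full control No
# This directory contains the file-system-backed cache of the farm
# configuration. Processes might fail to start and administrative actions might
# fail if this directory is altered or deleted.
$FolderPath = $AllUsersProfile + '\Microsoft\SharePoint'
Grant-SystemFullControl -FolderPath $FolderPath -PropagationFlags 'None'

# C:\Inetpub\wwwroot\wss
# Full control No
# This directory (or the corresponding directory under the Inetpub root on the
# server) is used as the default location for IIS Web sites. SharePoint sites
# will be unavailable and administrative actions might fail if this directory is
# altered or deleted, unless custom IIS Web site paths are provided for all IIS
# Web sites extended with SharePoint 2013.
# NOTE(review): the drive letter is hard-coded; adjust if the Inetpub root is
# located elsewhere on this server.
$FolderPath = 'C:\Inetpub\wwwroot\wss'
Grant-SystemFullControl -FolderPath $FolderPath -PropagationFlags 'None'

# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\ADMISAPI
# Full control Yes
# This directory contains the SOAP services for Central Administration. If this
# directory is altered, remote site creation and other methods exposed in the
# service will not function correctly.
$FolderPath = $CommonProgramFiles + '\microsoft shared\Web Server Extensions\15\ADMISAPI'
Grant-SystemFullControl -FolderPath $FolderPath -PropagationFlags 'InheritOnly'

# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\CONFIG
# Full control Yes
# If this directory or its contents are altered, Web Application provisioning
# will not function correctly.
$FolderPath = $CommonProgramFiles + '\microsoft shared\Web Server Extensions\15\CONFIG'
Grant-SystemFullControl -FolderPath $FolderPath -PropagationFlags 'InheritOnly'

# %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\LOGS
# Full control No
# This directory contains setup and run-time tracing logs. If the directory is
# altered, diagnostic logging will not function correctly.
$FolderPath = $CommonProgramFiles + '\microsoft shared\Web Server Extensions\15\LOGS'
Grant-SystemFullControl -FolderPath $FolderPath -PropagationFlags 'None'

# %windir%\temp
# Full control Yes
# This directory is used by platform components on which SharePoint 2013
# depends. If the access control list is modified, Web Part rendering, and other
# deserialization operations might fail.
$FolderPath = $Windir + '\Temp'
Grant-SystemFullControl -FolderPath $FolderPath -PropagationFlags 'InheritOnly'

# %windir%\System32\logfiles\SharePoint
# Full control No
# This directory is used by SharePoint Server for usage logging. If this
# directory is modified, usage logging will not function correctly.
# Applies only to SharePoint Server.
# The directory is created first (-Force makes this a no-op when it exists).
mkdir ($Windir + '\System32\logfiles\SharePoint') -Force
$FolderPath = $Windir + '\System32\logfiles\SharePoint'
Grant-SystemFullControl -FolderPath $FolderPath -PropagationFlags 'None'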