<#====================================================================

Copyright © 2015, September. Michael Pomfret

The following updates the WSS_WPG file permissions.

====================================================================#>

# Print the start-up banner: a blank line, a rule, the title, a rule, a blank line.
$BannerRule = '=============================================================================='
$BannerLines = @(
    '',
    $BannerRule,
    'SharePoint 2013 – Updating file permissions for the WSS_WPG group…',
    $BannerRule,
    ''
)
foreach ($BannerLine in $BannerLines) {
    Write-Host $BannerLine
}

# Cache the environment locations that the folder paths further down are built from.
# The variable names are referenced by the sections below and must not change.
$ProgramFiles       = $env:ProgramFiles
$CommonProgramFiles = $env:COMMONPROGRAMFILES
$Windir             = $env:windir
$Systemdrive        = $env:systemdrive
$AllUsersProfile    = $env:AllUsersProfile

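#%AllUsersProfile%\Microsoft\SharePoint
#Read No
#This directory contains the file-system-backed cache of the farm configuration. Processes might fail to start and the administrative actions might fail if this directory is altered or deleted.

$FolderPath = $AllUsersProfile + '\Microsoft\SharePoint'

if (Test-Path -LiteralPath $FolderPath -PathType Container) {
    # Load only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: SetAccessRuleProtection($True, $False) would drop
    # every inherited entry from the folder, not just those that concern WSS_WPG.
    $Acl = (Get-Item -LiteralPath $FolderPath).GetAccessControl('Access')

    # Read for WSS_WPG on this folder, its subfolders and files. SetAccessRule replaces
    # any explicit Allow entries WSS_WPG already has here; other principals are untouched.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
}
else {
    # Report a missing folder once instead of failing on every ACL call.
    Write-Warning "WSS_WPG permissions not applied, folder not found: $FolderPath"
}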

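#C:\Inetpub\wwwroot\wss
#Read, execute No
#This directory (or the corresponding directory under the Inetpub root on the server) is used as the default location for IIS Web sites. SharePoint sites will be unavailable and administrative actions might fail if this directory is altered or deleted, unless custom IIS Web site paths are provided for all IIS Web sites extended with SharePoint 2013.

# The path is fixed to drive C:; on a server whose Inetpub root is elsewhere the
# folder check below reports it as missing and nothing is changed.
$FolderPath = 'C:\Inetpub\wwwroot\wss'

if (Test-Path -LiteralPath $FolderPath -PathType Container) {
    # Load only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: SetAccessRuleProtection($True, $False) would drop
    # every inherited entry from the folder, not just those that concern WSS_WPG.
    $Acl = (Get-Item -LiteralPath $FolderPath).GetAccessControl('Access')

    # Read and execute for WSS_WPG on this folder, its subfolders and files. SetAccessRule
    # replaces any explicit Allow entries WSS_WPG already has here; other principals are untouched.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'ReadAndExecute, Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
}
else {
    # Report a missing folder once instead of failing on every ACL call.
    Write-Warning "WSS_WPG permissions not applied, folder not found: $FolderPath"
}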

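#%ProgramFiles%\Microsoft Office Servers\15.0
#Read, execute No
#This directory is the installation location for the SharePoint 2013 binaries and data. It can be changed during installation. All SharePoint 2013 functionality will fail if this directory is removed, altered, or moved after installation. WSS_WPG read and execute permissions are required to enable IIS sites to load SharePoint 2013 binaries.

$FolderPath = $ProgramFiles + '\Microsoft Office Servers\15.0'

if (Test-Path -LiteralPath $FolderPath -PathType Container) {
    # Load only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: SetAccessRuleProtection($True, $False) would drop
    # every inherited entry from the folder, not just those that concern WSS_WPG.
    $Acl = (Get-Item -LiteralPath $FolderPath).GetAccessControl('Access')

    # Read and execute for WSS_WPG on this folder, its subfolders and files. SetAccessRule
    # replaces any explicit Allow entries WSS_WPG already has here; other principals are untouched.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'ReadAndExecute, Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
}
else {
    # Report a missing folder once instead of failing on every ACL call.
    Write-Warning "WSS_WPG permissions not applied, folder not found: $FolderPath"
}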

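#%ProgramFiles%\Microsoft Office Servers\15.0\WebServices
# Read No
#This directory is the root directory where back-end Web services are hosted, for example, Excel and Search. The SharePoint 2013 features that depend on these services will fail if this directory is removed or altered.

$FolderPath = $ProgramFiles + '\Microsoft Office Servers\15.0\WebServices'

if (Test-Path -LiteralPath $FolderPath -PathType Container) {
    # Load only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: SetAccessRuleProtection($True, $False) would drop
    # every inherited entry from the folder, not just those that concern WSS_WPG.
    $Acl = (Get-Item -LiteralPath $FolderPath).GetAccessControl('Access')

    # Read for WSS_WPG on this folder, its subfolders and files. SetAccessRule replaces
    # any explicit Allow entries WSS_WPG already has here; other principals are untouched.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
}
else {
    # Report a missing folder once instead of failing on every ACL call.
    Write-Warning "WSS_WPG permissions not applied, folder not found: $FolderPath"
}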

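#%ProgramFiles%\Microsoft Office Servers\15.0\Logs
#Read, write Yes
#This directory is the location where the runtime diagnostic logging is generated. Logging functionality will not function properly if this directory is removed or altered.

$FolderPath = $ProgramFiles + '\Microsoft Office Servers\15.0\Logs'

if (Test-Path -LiteralPath $FolderPath -PathType Container) {
    # Load only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: SetAccessRuleProtection($True, $False) would drop
    # every inherited entry from the folder, not just those that concern WSS_WPG.
    $Acl = (Get-Item -LiteralPath $FolderPath).GetAccessControl('Access')

    # Read and write for WSS_WPG on the subfolders and files of this folder. SetAccessRule
    # replaces any explicit Allow entries WSS_WPG already has here; other principals are untouched.
    # NOTE(review): 'InheritOnly' makes the entry apply to child items only, not to the
    # Logs folder itself - confirm that is what the 'Yes' in the table above calls for.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'Read, Write', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
}
else {
    # Report a missing folder once instead of failing on every ACL call.
    Write-Warning "WSS_WPG permissions not applied, folder not found: $FolderPath"
}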

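#%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\ADMISAPI
#Read Yes
#This directory contains the SOAP services for Central Administration. If this directory is altered, remote site creation and other methods exposed in the service will not function correctly.

$FolderPath = $COMMONPROGRAMFILES + '\Microsoft Shared\Web Server Extensions\15\ADMISAPI'

if (Test-Path -LiteralPath $FolderPath -PathType Container) {
    # Load only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: SetAccessRuleProtection($True, $False) would drop
    # every inherited entry from the folder, not just those that concern WSS_WPG.
    $Acl = (Get-Item -LiteralPath $FolderPath).GetAccessControl('Access')

    # Read for WSS_WPG on the subfolders and files of this folder. SetAccessRule replaces
    # any explicit Allow entries WSS_WPG already has here; other principals are untouched.
    # NOTE(review): 'InheritOnly' makes the entry apply to child items only, not to the
    # folder itself - confirm that is what the 'Yes' in the table above calls for.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'Read', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
}
else {
    # Report a missing folder once instead of failing on every ACL call.
    Write-Warning "WSS_WPG permissions not applied, folder not found: $FolderPath"
}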

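#%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\CONFIG
#Read Yes
#This directory contains files used to extend IIS Web sites with SharePoint 2013. If this directory or its contents are altered, web application provisioning will not function correctly.

$FolderPath = $COMMONPROGRAMFILES + '\Microsoft Shared\Web Server Extensions\15\CONFIG'

if (Test-Path -LiteralPath $FolderPath -PathType Container) {
    # Load only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: SetAccessRuleProtection($True, $False) would drop
    # every inherited entry from the folder, not just those that concern WSS_WPG.
    $Acl = (Get-Item -LiteralPath $FolderPath).GetAccessControl('Access')

    # Read for WSS_WPG on the subfolders and files of this folder. SetAccessRule replaces
    # any explicit Allow entries WSS_WPG already has here; other principals are untouched.
    # NOTE(review): 'InheritOnly' makes the entry apply to child items only, not to the
    # folder itself - confirm that is what the 'Yes' in the table above calls for.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'Read', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
}
else {
    # Report a missing folder once instead of failing on every ACL call.
    Write-Warning "WSS_WPG permissions not applied, folder not found: $FolderPath"
}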

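#%COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\LOGS
#Modify No
#This directory contains setup and runtime tracing logs. If the directory is altered, diagnostic logging will not function correctly.

$FolderPath = $COMMONPROGRAMFILES + '\microsoft shared\Web Server Extensions\15\LOGS'

if (Test-Path -LiteralPath $FolderPath -PathType Container) {
    # Load only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: SetAccessRuleProtection($True, $False) would drop
    # every inherited entry from the folder, not just those that concern WSS_WPG.
    $Acl = (Get-Item -LiteralPath $FolderPath).GetAccessControl('Access')

    # Modify for WSS_WPG on this folder, its subfolders and files; this is the widest
    # grant in the script. SetAccessRule replaces any explicit Allow entries WSS_WPG
    # already has here; other principals are untouched.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
}
else {
    # Report a missing folder once instead of failing on every ACL call.
    Write-Warning "WSS_WPG permissions not applied, folder not found: $FolderPath"
}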

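#%windir%\temp
#Read Yes
#This directory is used by platform components on which SharePoint 2013 depends. If the access control list is modified, Web Part rendering, and other deserialization operations may fail.

$FolderPath = $windir + '\Temp'

if (Test-Path -LiteralPath $FolderPath -PathType Container) {
    # Load only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: SetAccessRuleProtection($True, $False) would drop
    # every inherited entry from the folder, not just those that concern WSS_WPG.
    $Acl = (Get-Item -LiteralPath $FolderPath).GetAccessControl('Access')

    # Read for WSS_WPG on the subfolders and files of this folder. SetAccessRule replaces
    # any explicit Allow entries WSS_WPG already has here; other principals are untouched.
    # NOTE(review): 'InheritOnly' makes the entry apply to child items only, not to the
    # folder itself - confirm that is what the 'Yes' in the table above calls for.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'Read', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
}
else {
    # Report a missing folder once instead of failing on every ACL call.
    Write-Warning "WSS_WPG permissions not applied, folder not found: $FolderPath"
}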

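#%windir%\System32\logfiles\SharePoint
#Read No
#This directory is used by SharePoint Server usage logging. If this directory is modified, usage logging will not function correctly.
#The registry key applies only to SharePoint Server.

$FolderPath = $windir + '\System32\logfiles\SharePoint'

# Create the folder when it is absent; -Force makes this a no-op for an existing folder.
mkdir $FolderPath -Force

if (Test-Path -LiteralPath $FolderPath -PathType Container) {
    # Load only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: SetAccessRuleProtection($True, $False) would drop
    # every inherited entry from the folder, not just those that concern WSS_WPG.
    $Acl = (Get-Item -LiteralPath $FolderPath).GetAccessControl('Access')

    # Read for WSS_WPG on this folder, its subfolders and files. SetAccessRule replaces
    # any explicit Allow entries WSS_WPG already has here; other principals are untouched.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
}
else {
    # Reached only when the folder could not be created above.
    Write-Warning "WSS_WPG permissions not applied, folder not found: $FolderPath"
}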

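#%systemdrive%\program files\Microsoft Office Servers\15.0
#Read, execute Not Applicable
#The permission is granted for %systemdrive%\program files\Microsoft Office Servers\15 folder on Index servers.

$FolderPath = $systemdrive + '\Program Files\Microsoft Office Servers\15.0'

if (Test-Path -LiteralPath $FolderPath -PathType Container) {
    # Load only the access-rule (DACL) section of the folder's security descriptor.
    # Inheritance is left as it is: SetAccessRuleProtection($True, $False) would drop
    # every inherited entry from the folder, not just those that concern WSS_WPG.
    $Acl = (Get-Item -LiteralPath $FolderPath).GetAccessControl('Access')

    # Read and execute, as the 'Read, execute' requirement above states. When %ProgramFiles%
    # is on the system drive this is the same folder that the
    # %ProgramFiles%\Microsoft Office Servers\15.0 section configures, and SetAccessRule
    # replaces WSS_WPG's existing explicit Allow entry, so granting only 'Read' here
    # would leave the group without execute on the SharePoint binaries.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('WSS_WPG', 'ReadAndExecute, Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.SetAccessRule($rule)

    Set-Acl -Path $FolderPath -AclObject $Acl
}
else {
    # Report a missing folder once instead of failing on every ACL call.
    Write-Warning "WSS_WPG permissions not applied, folder not found: $FolderPath"
}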