I am trying to modify a folder ACL through PowerShell with the following code. First I want to clear the ACL and stop inheritance, and then add only specific users to it.
This seems to work fine, but if I try to open that folder it gives the following error.
What is wrong with the script?
$acl = Get-ACL -Path "c:\mydata"
$acl.SetAccessRuleProtection($True, $False)
$acl | Set-Acl -Path "c:\mydata"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DBUSER","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("ADMIN","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$acl | Set-Acl -Path "c:\mydata"
You are setting an empty ACL, then trying to make changes when you no longer have permissions. Normally, you should be getting an error on the second Set-Acl:
$acl | Set-Acl $path
Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
Instead, try setting the ACL only once:
$path = 'c:\mydata'
$acl = Get-ACL $path
$rule1 = [System.Security.AccessControl.FileSystemAccessRule]::new(
"DBUSER","FullControl","ContainerInherit,ObjectInherit","None","Allow" )
$rule2 = [System.Security.AccessControl.FileSystemAccessRule]::new(
"ADMIN","FullControl","ContainerInherit,ObjectInherit","None","Allow" )
$acl.AddAccessRule($rule1)
$acl.AddAccessRule($rule2)
# Flush the inherited permissions, and protect your new rules from overwriting by inheritance
$acl.SetAccessRuleProtection($True, $False)
# Output what the new access rules actually look like:
$acl.Access | ft
$acl | Set-Acl $path
If you need to keep the existing permissions, then use $acl.SetAccessRuleProtection($True, $True) instead.
Finally, make sure you're actually logged in as either DBUSER or ADMIN when testing access to the folder.
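The single-Set-Acl approach above, as an added example that is not part of the original answer: the function refuses to commit an allow-list that drops a safety principal (the lockout the question ran into), applies protection and the new rules in one call, then reads the ACL back and verifies what was actually stored. The path and the DOMAIN\DBUSER / DOMAIN\ADMIN names are placeholders; identities must be domain- or machine-qualified so the read-back comparison matches.

```powershell
function Set-ExplicitFolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Identity,          # qualified names, e.g. 'DOMAIN\DBUSER'
        [string]$SafetyIdentity = 'BUILTIN\Administrators'  # must survive in the allow-list
    )
    # Lockout guard: an allow-list without the safety principal is not applied at all.
    if ($Identity -notcontains $SafetyIdentity) {
        throw "Refusing to apply ACL on '$Path': '$SafetyIdentity' is not in the allow-list"
    }
    $acl = Get-Acl -Path $Path
    # Drop existing explicit ACEs; @() snapshots the list because RemoveAccessRule mutates it.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    # Break inheritance and discard the inherited ACEs ($false = do not copy them).
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in $Identity) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    if (-not $PSCmdlet.ShouldProcess($Path, "Replace ACL with FullControl for: $($Identity -join ', ')")) {
        return
    }
    # One Set-Acl carries protection and the new rules together, so there is no window
    # in which the folder sits with an empty ACL.
    Set-Acl -Path $Path -AclObject $acl
    # Read back and verify what the OS actually stored.
    $applied = Get-Acl -Path $Path
    $present = @($applied.Access | ForEach-Object { $_.IdentityReference.Value })
    $missing = @($Identity | Where-Object { $present -notcontains $_ })
    if (-not $applied.AreAccessRulesProtected -or $missing.Count -gt 0) {
        throw "ACL verification failed on '$Path' (protected=$($applied.AreAccessRulesProtected); missing: $($missing -join ', '))"
    }
    $applied.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}

# Dry run first (-WhatIf), then run again without it to apply. Names and path are placeholders.
Set-ExplicitFolderAcl -Path 'C:\mydata' -Identity 'DOMAIN\DBUSER', 'DOMAIN\ADMIN', 'BUILTIN\Administrators' -WhatIf
```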
Sorry, everyone, for bothering you. Currently I have a command line that enforces user permissions, already working on the specified directory, but I need your help on how to be able to see the higher-level directory when the user accesses it. Because now, when the user accesses it normally, he will not see a higher-level directory to access; he must access the available path, so it is very inconvenient. I just need to see the folders to access, without editing or seeing another subfolder inside.
$acl = Get-Acl 'D:\TEST'
$path = "D:\TEST"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("test.ktdv","write","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("test.ktnb","read","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
Get-ChildItem -Path "$Path" -Recurse -Force |
Where-Object { ($_.Name -eq 'New Folder' -or $_.Name -eq 'B') } |
Set-Acl -Aclobject $acl -Verbose
I need to set special permissions for all logged-in users, using each user's SID, on
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice.
I tried the below code snippet but it doesn't seem to work.
$path = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice"
$Acl = Get-ACL $path
$AccessRule= New-Object System.Security.AccessControl.RegistryAccessRule("user","SpecialPermissions","Allow") -SID $UserProfile.SID
$Acl.SetAccessRule($AccessRule)
Set-Acl $path $Acl
How can we achieve this permission change for all users?
So this might be a little complicated.... I have created a script which generates lists of all the people that have security permissions on a share. The issue is that the share permissions on a share will be different than the security permissions. I want to remove all share permissions and set the share permissions to the same people with the same full control as the security permissions.
I need to run this on four different servers, so I need a script that will change that. Any ideas or resources?
Edit: After discussion with my colleagues the objective has slightly changed. Now I want to use Set-Acl to basically remove full control from all users EXCEPT one specific group. This shouldn't be too difficult, right? I would simply throw in a for-each share, for-each user: if the user is not in the specific group, then Set-Acl to remove full control.
How does one remove permissions? I see commands for setting FC but not for removing it.
As per your reply, this way removes all the bugs from Get-Acl and Set-Acl, so it can be used in earlier versions of PowerShell. Once it's removed, you can change this (reference $perm) to add back the group you want to retain access. Let me know if you need it tweaking.
$folderpath = "Somefolderpath"
Write-Output "Removing inheritance"
$acl = Get-Acl $folderpath
# Protect the ACL from inheritance, keeping copies of the inherited rules as explicit ones
$acl.SetAccessRuleProtection($True, $True)
$acl | Set-Acl -Path $folderpath
$acl = Get-Acl $folderpath
# Now that the rules are explicit, the ones for Authenticated Users can be removed
$acl.Access | Where-Object { $_.IdentityReference.Value -eq "NT AUTHORITY\Authenticated Users" } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$acl | Set-Acl -Path $folderpath
If ($?) {
    Write-Output "Inheritance Removed"
}
Write-Output "Set permissions"
$acl = Get-Acl $folderpath
$perm = "AddGroupHere", "FullControl", "Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm
$acl.AddAccessRule($accessRule)
$acl | Set-Acl -Path $folderpath
If ($?) {
    Write-Output "ACL set"
}
I have a PowerShell problem:
My script gives modify permissions to "user2" on a folder with Get-Acl and Set-Acl.
When I run Set-Acl, I want the standard output to be piped into the logfile. But when I look, the logfile is just empty.
My code:
$permissions = Get-Acl D:\home\user1\Folder
$accessrule = New-Object System.Security.AccessControl.FileSystemAccessRule ("domain\user2","Modify","Allow")
$permissions.SetAccessRule($accessrule)
Set-Acl -AclObject $permissions -Path "D:\home\user1\Folder" -Verbose | Out-File -FilePath $logfile -Append
I also tried
Set-Acl -AclObject $permissions -Path "D:\home\user1\Folder" -Verbose >>$logfile
But neither is working.
Add the -PassThru parameter to the Set-Acl cmdlet.
By default, Set-Acl does not generate any output. However, if you use the PassThru parameter, it generates a security object. The type of the security object depends on the type of the item.
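As an added example (not the original poster's script or the answer's code), here is the grant wrapped in a function that produces a real audit record: -PassThru returns the applied security object, the verbose stream is merged into the pipeline with 4>&1 so the "Performing the operation" message reaches the file, and the before/after ACE sets are diffed so the log shows what actually changed. The path, account name and log file location are placeholders.

```powershell
function Grant-FolderAccessLogged {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,        # e.g. 'domain\user2'
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
        [Parameter(Mandatory)][string]$LogFile
    )
    # Render each ACE as one line so the before/after sets can be compared as strings.
    $describe = { "$($_.IdentityReference) | $($_.FileSystemRights) | $($_.AccessControlType) | inherited=$($_.IsInherited)" }
    $before = @((Get-Acl -Path $Path).Access | ForEach-Object $describe)

    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)   # SetAccessRule replaces an existing Allow ACE for the same identity

    # Set-Acl writes nothing to the success stream, which is why "| Out-File" logged nothing.
    # -PassThru emits the applied security object; 4>&1 folds the verbose stream into the output.
    $output  = Set-Acl -Path $Path -AclObject $acl -PassThru -Verbose 4>&1
    $applied = $output | Where-Object { $_ -is [System.Security.AccessControl.FileSystemSecurity] }
    $verbose = $output | Where-Object { $_ -is [System.Management.Automation.VerboseRecord] }

    $after = @($applied.Access | ForEach-Object $describe)
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $lines = @("$stamp $env:USERNAME set ACL on $Path")
    $lines += $verbose | ForEach-Object { "$stamp   verbose: $($_.Message)" }
    $lines += $after  | Where-Object { $before -notcontains $_ } | ForEach-Object { "$stamp   + $_" }
    $lines += $before | Where-Object { $after  -notcontains $_ } | ForEach-Object { "$stamp   - $_" }
    $lines | Out-File -FilePath $LogFile -Append -Encoding utf8
    $applied
}

# Placeholder path, account and log file.
Grant-FolderAccessLogged -Path 'D:\home\user1\Folder' -Identity 'domain\user2' -LogFile 'C:\logs\acl.log'
```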
I am attempting to run Set-Acl on a computer object in AD. First I get the ACL using:
$acl = (Get-Acl AD:\'CN=Tester1,OU=Ou1,OU=OU2,OU=OU3,DC=Contoso,DC=com').Access
which gives me all the ACEs for that computer object. I then use:
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Computername","FullControl")))
Any pointers in the right direction would be helpful. My aim is to add a computer object to the computer object 'Tester1' and give it Full Access permissions.
Active Directory isn't a filesystem. You must create a new ACE for an AD object as an ActiveDirectoryAccessRule.
$path = "AD:\CN=Tester1,OU=Ou1,OU=OU2,OU=OU3,DC=Contoso,DC=com"
$acl = Get-Acl -Path $path
# The AD rule type lives in System.DirectoryServices and takes an IdentityReference, not a bare
# string. Computer accounts are named with a trailing $, and GenericAll is AD's full-control right.
$identity = [System.Security.Principal.NTAccount]'DOMAIN\Computername$'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity, 'GenericAll', 'Allow')
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl
ACEs for AD objects must be created with a System.DirectoryServices.ActiveDirectoryAccessRule object instead of System.Security.AccessControl.FileSystemAccessRule.
A good description and example is here: Add Object Specific ACEs using Active Directory Powershell
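An added example, not code from either answer, that goes a step beyond them: the ActiveDirectoryAccessRule is built with the five-argument constructor, so the same function can grant full control (GenericAll, the case asked about) or be narrowed to a single attribute or extended right by its GUID, and the ACE is read back and verified after Set-Acl. The distinguished name, the CONTOSO\Computername$ account and the attribute GUID are placeholders.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl / Set-Acl
Add-Type -AssemblyName System.DirectoryServices

function Add-AdObjectAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Identity,       # 'DOMAIN\name'; computer accounts end in $
        [System.DirectoryServices.ActiveDirectoryRights]$Rights = 'GenericAll',
        [guid]$ObjectType = [guid]::Empty,             # schemaIDGUID / rightsGuid to scope the ACE
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None'
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    # AD ACEs take an IdentityReference rather than a plain string.
    $who  = [System.Security.Principal.NTAccount]$Identity
    # With Guid.Empty the rights cover the whole object; a real GUID limits them to one
    # attribute or extended right, which is the least-privilege form.
    $ace  = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $who, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $ObjectType, $Inheritance)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl

    # Read back and confirm an Allow ACE for this identity with the requested rights and scope.
    $applied = Get-Acl -Path $path
    $match = @($applied.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        $_.ObjectType -eq $ObjectType -and
        $_.ActiveDirectoryRights.HasFlag($Rights)
    })
    if ($match.Count -eq 0) {
        throw "No matching ACE for '$Identity' found on $DistinguishedName after Set-Acl"
    }
    $match
}

# Full control for a computer account, as in the question (placeholders throughout).
Add-AdObjectAce -DistinguishedName 'CN=Tester1,OU=Ou1,OU=OU2,OU=OU3,DC=Contoso,DC=com' -Identity 'CONTOSO\Computername$'
# Narrower alternative: read/write a single attribute, identified by its schemaIDGUID.
# Add-AdObjectAce -DistinguishedName 'CN=Tester1,...' -Identity 'CONTOSO\Computername$' `
#     -Rights 'ReadProperty,WriteProperty' -ObjectType '<attribute schemaIDGUID placeholder>'
```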