PowerShell add multiple users/groups NTFS permissions?

I'm trying to add Full Control for a few users to a folder in PowerShell. I have the following, which runs with no errors but only adds the last "rule" to the folder. What am I doing wrong?
$acl = Get-Acl E:\MyFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\john.smith","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\Domain Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\Folder-Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
(Get-Item E:\MyFolder).SetAccessControl($acl)

I tried running the exact same code as you, like so:
$acl = Get-Acl C:\temp
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("some_user","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("other_user","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
(Get-Item C:\Temp).SetAccessControl($acl)
And it added both to my folder, so it doesn't seem to be an issue with the code itself. Have you checked whether the domain and names are correct and that you are authorized to assign such permissions to that user/group?
For reference, I'm using PowerShell version 5.1.17763.771, and I ran those lines with local accounts and not domain accounts as I don't have access to a domain right now.

You might try the NTFS PowerShell module; it makes things much easier and is quite capable.
A command to add full access would look something like:
Add-NTFSAccess -Path <path> -Account <Account> -AccessRights FullControl -AccessType Allow

Related

Cannot access folder after modifying ACL with Powershell

I am trying to modify a folder ACL through PowerShell with the following code. First I want to clear the ACL and stop inheritance, and then add only specific users to it.
This seems to work fine, but if I try to open that folder it gives the following error.
What is wrong with the script?
$acl = Get-ACL -Path "c:\mydata"
$acl.SetAccessRuleProtection($True, $False)
$acl | Set-Acl -Path "c:\mydata"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DBUSER","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("ADMIN","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$acl | Set-Acl -Path "c:\mydata"
You are setting an empty ACL, then trying to make changes when you no longer have permissions. Normally, you should be getting an error on the second Set-ACL:
$acl | Set-Acl $path
Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
Instead, try setting the ACL only once:
$path = 'c:\mydata'
$acl = Get-ACL $path
$rule1 = [System.Security.AccessControl.FileSystemAccessRule]::new(
"DBUSER","FullControl","ContainerInherit,ObjectInherit","None","Allow" )
$rule2 = [System.Security.AccessControl.FileSystemAccessRule]::new(
"ADMIN","FullControl","ContainerInherit,ObjectInherit","None","Allow" )
$acl.AddAccessRule($rule1)
$acl.AddAccessRule($rule2)
# Flush the inherited permissions, and protect your new rules from overwriting by inheritance
$acl.SetAccessRuleProtection($True, $False)
# Output what the new access rules actually look like:
$acl.Access | ft
$acl | Set-Acl $path
If you need to keep the existing permissions, then use $acl.SetAccessRuleProtection($True, $True) instead.
Finally, make sure you're actually logged in as either DBUSER or ADMIN when testing access to the folder.
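
A pre-flight check for the lockout described in this answer, as an added example that is not part of the original answer: it inspects a prepared ACL in memory and reports whether the current account would still hold a given right before Set-Acl is called. `Test-AclGrantsCaller` and the second SID are made up for illustration, and the check is a simplification that does not evaluate Deny entries or ownership.

```powershell
# Added example (not from the original answer). Works on in-memory ACL objects only.
function Test-AclGrantsCaller {
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.FileSystemSecurity]$Acl,
        [System.Security.AccessControl.FileSystemRights]$Needed = 'ChangePermissions'
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # SIDs the caller can match: its own SID plus the groups in its token.
    $mine    = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    foreach ($r in $Acl.GetAccessRules($true, $true, $sidType)) {
        # Inherit-only entries apply to children, not to the folder itself.
        $inheritOnly = $r.PropagationFlags.HasFlag(
            [System.Security.AccessControl.PropagationFlags]::InheritOnly)
        if ($r.AccessControlType -eq 'Allow' -and -not $inheritOnly -and
            $mine -contains $r.IdentityReference.Value -and
            ($r.FileSystemRights -band $Needed) -eq $Needed) {
            return $true
        }
    }
    return $false   # simplification: Deny entries and ownership are not evaluated
}

# Constructed demo: a protected ACL that only names an unrelated, made-up account.
$acl   = [System.Security.AccessControl.DirectorySecurity]::new()
$other = [System.Security.Principal.SecurityIdentifier]::new(
    'S-1-5-21-1111111111-2222222222-3333333333-1001')
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $other, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
Test-AclGrantsCaller -Acl $acl     # the caller is not named anywhere in this ACL

# Add the caller, then check again before any Set-Acl.
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User,
    'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
Test-AclGrantsCaller -Acl $acl
```

In a real script, call the function on the ACL object right before `Set-Acl` and stop if it returns `$false`.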

Powershell Help: Add "Domain Admins" to NTFS Full Control Permission to all File Shares?

I am trying to add the Domain Admins group to all the file shares on our server with Full Control NTFS permissions, but it seems to lock up and can't proceed at the "$Acl.SetAccessRule($Ar)" line.
This is the code that I have so far:
$shares = Get-SmbShare
foreach($share in $shares) {
    $Acl = get-acl $share.Path
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Domain Admins", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
    $Acl.SetAccessRule($Ar)
    Set-Acl $share.Path $Acl
}
Does anyone have any ideas why this isn't working? I was able to add Domain Admins to File Share Permissions but can't seem to do the same with NTFS permissions following the same algorithm.
Thanks!

How do I add a user to a share in powershell without removing who is already there?

I use PDQ Deploy for deployments, and part of an install requires a share and permissions to be set for the engineering team. I made a script successfully; however, it overwrites what is currently there. I'd like to add the group. I can't seem to find any real way of doing this.
$acl = get-acl "c:\program files (x86)\Test\"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("manftest", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.setaccessrule($ar)
set-acl "c:\program files (x86)\Test\" $acl
New-SmbShare -Name "Test" -Path "C:\Program Files (x86)\Test" -FullAccess "DOMAIN\manftest"
Have you tried AddAccessRule instead of SetAccessRule?
https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemsecurity.addaccessrule?view=netframework-4.7.2
If I were you, I would try to use icacls.exe:
icacls.exe $path /grant "<domain\account>:(OI)(CI)(M)"
I have had a lot of challenges with PowerShell and setting access control lists in the past, and so I resort to using icacls in my PowerShell scripts.
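
The difference the first reply points at, as an added example that is not part of the original thread: SetAccessRule replaces every explicit rule of the same type (Allow or Deny) for that identity, AddAccessRule merges with what is already there, and PurgeAccessRules removes the identity entirely. It runs against an in-memory ACL built from well-known SIDs, so no folder is modified; `New-Rule`, `New-StartAcl` and `Show-Acl` are helper names made up for the example.

```powershell
# Added example (not from the thread). Nothing on disk is touched.
$sidType = [System.Security.Principal.SecurityIdentifier]
$users   = $sidType::new('S-1-5-32-545')    # BUILTIN\Users (well-known SID)
$admins  = $sidType::new('S-1-5-32-544')    # BUILTIN\Administrators (well-known SID)

function New-Rule($Sid, $Rights) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Sid, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

# Starting point: Administrators have FullControl, Users already have Modify.
function New-StartAcl {
    $acl = [System.Security.AccessControl.DirectorySecurity]::new()
    $acl.AddAccessRule((New-Rule $admins 'FullControl'))
    $acl.AddAccessRule((New-Rule $users  'Modify'))
    $acl
}

# One line per access rule: SID followed by its rights.
function Show-Acl($Acl) {
    $Acl.GetAccessRules($true, $true, $sidType) | ForEach-Object {
        '{0,-14} {1}' -f $_.IdentityReference.Value, $_.FileSystemRights
    }
}

# AddAccessRule: the new rights are OR-ed into the existing entry for Users.
$a = New-StartAcl
$a.AddAccessRule((New-Rule $users 'Read'))
'AddAccessRule:'
Show-Acl $a

# SetAccessRule: existing Allow entries for Users are dropped, then Read is added.
$s = New-StartAcl
$s.SetAccessRule((New-Rule $users 'Read'))
'SetAccessRule:'
Show-Acl $s

# PurgeAccessRules: every entry for Users is removed; Administrators stay.
$p = New-StartAcl
$p.PurgeAccessRules($users)
'PurgeAccessRules:'
Show-Acl $p
```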

Applying ACL Permissions using PowerShell Set-Acl

New-Item -Type Directory -Path "C:\MyFolder"
$Acl = Get-Acl "C:\MyFolder"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("username", "FullControl", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl -Path "C:\MyFolder" -AclObject $Acl
Hi, when I got the above code and applied it using my own settings, the user account entries are added for the folder, but no permissions are applied (none ticked).
Can anyone help with why this might be?
Thanks
Your comment describes the following behaviour:
Your PowerShell script succeeds, but if you check the permissions with Explorer's properties dialog, you will see the following:
This is pretty confusing as a PowerShell query will confirm:
PS> Get-Acl .|fl
Path   : Microsoft.PowerShell.Core\FileSystem::D:\temp\myfolder
Owner  : clijsters\clijsters
Group  : clijsters\Kein
Access : clijsters\NEWUSER Allow FullControl
         VORDEFINIERT\Administratoren Allow FullControl
         VORDEFINIERT\Administratoren Allow 268435456
         NT-AUTORITÄT\SYSTEM Allow FullControl
         [...]
Your ACL changed. If you scroll down the list of checkboxes, you will notice that "Special permissions" is checked, and if you click on "Advanced" you will notice your permissions are set.
EDIT:
As mentioned by @AnsgarWiechers, I missed a part describing why the permissions added with New-Object System.Security.AccessControl.FileSystemAccessRule("username", "FullControl", "Allow") are listed as Special permissions.
As described on MSDN, FileSystemAccessRule has 4 constructors, where some accept InheritanceFlags and PropagationFlags (e.g. this one fits your needs). If you use them and define inheritance behaviour, the permissions will show up as normal ones.
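
What the two constructor forms produce, as an added example that is not part of the original answer: the three-argument form leaves InheritanceFlags at None, so the entry covers the folder itself and nothing below it. `Get-RuleScope` and `Get-FolderOnlyRule` are names made up here; the audit helper only reads ACLs.

```powershell
# Added example (not from the original answer).
function Get-RuleScope {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $inh = [System.Security.AccessControl.InheritanceFlags]
    $pro = [System.Security.AccessControl.PropagationFlags]
    [pscustomobject]@{
        Identity   = $Rule.IdentityReference.Value
        Rights     = $Rule.FileSystemRights
        ThisFolder = -not $Rule.PropagationFlags.HasFlag($pro::InheritOnly)
        Subfolders = $Rule.InheritanceFlags.HasFlag($inh::ContainerInherit)
        Files      = $Rule.InheritanceFlags.HasFlag($inh::ObjectInherit)
    }
}

# BUILTIN\Users by well-known SID, so no account lookup is needed.
$sid   = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-545')
# Three-argument form, as used in the question.
$rule3 = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid, 'FullControl', 'Allow')
# Five-argument form with explicit inheritance, as the answer recommends.
$rule5 = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$rule3, $rule5 | ForEach-Object { Get-RuleScope $_ } | Format-Table -AutoSize

# Audit helper: explicit entries on a folder that do not reach its children.
function Get-FolderOnlyRule {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { -not $_.IsInherited -and $_.InheritanceFlags -eq 'None' } |
        ForEach-Object { Get-RuleScope $_ }
}

# Read-only query; any existing folder can be passed instead of $env:TEMP.
Get-FolderOnlyRule -Path $env:TEMP | Format-Table -AutoSize
```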
Today I was trying to compile ILSpy and encountered AL1078: Error signing assembly, which is a permissions issue. An amalgamation of answers is shown.
This PowerShell script assigns $CurUsr to the token for the currently logged in user and $CurTgt as the folder whose permissions are being altered. Change them as required.
Add permission:
$CurTgt = "C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($CurUsr,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $CurTgt
Remove permission:
$CurTgt = "C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$usersid = New-Object System.Security.Principal.Ntaccount ($CurUsr)
$acl.PurgeAccessRules($usersid)
$acl | Set-Acl $CurTgt

Using PowerShell to grant security rights to multiple folders.

We have an in-house application that creates a folder, with 8 sub-folders, whenever a new project is started (keeping the same file structure in every folder). Our fileserver sets the security to the top level folder, breaking any specific sub-folder rights.
I'm looking at using a System.IO.FileSystemWatcher to automate the PowerShell, once the folders have been created.
The PowerShell I'm looking at using is:
# Paths that contain spaces must be quoted
New-Item 'F:\Engineering Projects\TPS\Documents\' -Type Directory
Get-Acl 'F:\Engineering Projects\TPS\Documents\' | Format-List
$acl = Get-Acl 'F:\Engineering Projects\TPS\Documents\'
# Stop inheriting from the parent and drop the inherited entries
$acl.SetAccessRuleProtection($True, $False)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl F:\Folder $acl
Get-Acl F:\Folder | Format-List
I'm not very experienced with PowerShell, Exchange things being the main area where I've experienced it. Obviously that script is more of a generic starting point for me; my question is, would I run this script multiple times (for each folder requiring specific permissions), or can I incorporate multiple folder permissions within one script?