Hey guys, I'm trying to rename ActionCenter.dll via our software deployment software. In order to do that I have to take ownership of the file. By default it's owned by TrustedInstaller.
The software runs the scripts as a local user "baraInstLocal". The user seems to be deactivated when an installation is not running.
# take ownership first (TrustedInstaller owns the file by default), then grant the install account full control
takeown.exe /F "C:\Windows\System32\ActionCenter.dll"
$Acl = Get-Acl "C:\Windows\System32\ActionCenter.dll"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("baraInstLocal", "FullControl", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "C:\Windows\System32\ActionCenter.dll" $Acl
# Rename-Item expects the new name only, not a second full path
Rename-Item "C:\Windows\System32\ActionCenter.dll" "ActionCenter.dll.backup"
When I run this I either get permission denied or file not found. It seems to be a problem because it is in the Windows folder. Running PowerShell as admin didn't help.
Is there a way to do it?
I click the right mouse button on my site in the IIS manager and choose 'Edit permissions' and then I click the security tab. There I have the user IUSR with the following permissions: Read & execute, List folder contents, Read. I can also verify this in PowerShell using the command Get-Acl <path> | fl, which displays:
Access : NT AUTHORITY\IUSR Allow ReadAndExecute, Synchronize
Now I delete the ACL entry for IUSR completely. I want to set it with a PowerShell script, using the following lines:
$path=<path to directory>
$acl = Get-Acl "$path"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\IUSR","ReadAndExecute","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl "$path"
Again verifying with Get-Acl <path> | fl, it shows exactly the same information, as expected. But in the IIS manager, the previously checked rights are not set. Instead 'Special permissions' is checked. When I click on 'Advanced' and pick IUSR from the list, it shows the same permissions have been granted: Read & execute, List folder contents, Read.
But my website does not work (the browser throws the error HTTP Error 401.3 - Unauthorized). It works only if I grant these permissions in the permissions window manually. How can I set the required permissions correctly in a PowerShell script?
Turning my comment into an answer: this sounds like you need to also specify the inheritance and propagation flags for the access rule, so child objects of the folder inherit the permission.
$AccessRule = [System.Security.AccessControl.FileSystemAccessRule]::new("NT AUTHORITY\IUSR", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
I'm writing a script to automate the deployment of my platform, but I can't figure out how to set an app pool to have the permissions. With the code I have below, it just inserts the text below with the app pool name. I assume this is because this is a friendly name and when you click "Check Names" normally it will fetch the correct user, but I can't figure out how to do this in PowerShell.
function Set_iis_perms {
    param (
        [parameter(position=0)]
        $AppPoolName,
        [parameter(position=1)]
        $FileName
    )
    $acl = Get-Acl $FileName
    # use the parameter declared above ($Apppool_Name was never assigned, so the identity became "iis apppool\")
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(("iis apppool\$AppPoolName"), "Modify", "Allow")))
    $acl | Set-Acl $FileName
}
Even if someone can point me in the right direction I would be most thankful.
Kind Regards
Dom
Setting ACLs via Get-Acl/Set-Acl and icacls is a really common thing and covered in many resources. Example(s):
Setting ACL on folder or file using PowerShell
This script will set folder permission on a folder (c:\1 and C:2) and its sub folder. If the folder does not exist, it will create the folder, set as shared and add the groups to the folder. Group_Name has to be replaced with Actual Group.
Application Pool Identities
Setting permissions for ASP.NET application on IIS with PowerShell
As per this StackOverflow Q&A
How can I add ACL permissions for IIS APPPOOL* accounts via Powershell?
Set-Acl $directory $acl
$user = New-Object System.Security.Principal.NTAccount("$domain\\$username")
UPDATE: Seems that it won't accept the "IIS APPPOOL\AppPoolName" as an NTAccount identifier. Now, there are two ways to accomplish what you are trying to do:
Create a new SID object with the AppPoolIdentities SID and translate it into an NTAccount, like this: http://iformattable.blogspot.com/2007/12/convert-sid-to-ntaccount-with.html, and you should be able to treat it like any other NTAccount object. If you still want to be able to pass domain/usernames for real accounts, build in some simple logic that defaults to the AppPool SID if username is "AweSomeAppPool" and domain is empty, just as an example.
Use PowerShell to invoke icacls.exe, and use it to grant/revoke whatever permissions you want, like this (first the normal icacls form from the command prompt, then PowerShell; notice the difference):
icacls.exe test.txt /grant "IIS AppPool\DefaultAppPool":(OI)(CI)M
cmd /c icacls test.txt /grant "IIS AppPool\DefaultAppPool:(OI)(CI)M"
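As an added example (not the asker's code and not from the answers or links quoted above), the following combines the two points raised on this page: building the ACE with inheritance flags so child objects are covered, and addressing an application pool identity by its SID instead of by name lookup. Get-AppPoolSid, Grant-AppPoolAccess and Test-InheritedAppPoolAccess are hypothetical names and the path is a placeholder; the SID derivation (S-1-5-82 plus the SHA-1 of the upper-cased UTF-16LE pool name) is how IIS builds these identities, and the script cross-checks it on the host by translating the SID back to an account name before granting anything.

```powershell
function Get-AppPoolSid {
    param([Parameter(Mandatory)][string]$AppPoolName)
    # IIS derives the identity SID from the SHA-1 of the upper-cased, UTF-16LE pool name:
    # the 20 hash bytes become five little-endian 32-bit sub-authorities under S-1-5-82.
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha1.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($AppPoolName.ToUpper()))
    $subs  = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    [System.Security.Principal.SecurityIdentifier]::new('S-1-5-82-' + ($subs -join '-'))
}

function Grant-AppPoolAccess {
    param(
        [Parameter(Mandatory)][string]$AppPoolName,
        [Parameter(Mandatory)][string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    $sid = Get-AppPoolSid $AppPoolName
    # Cross-check on the host: the derived SID must resolve to IIS APPPOOL\<name>;
    # if it does not, stop rather than grant rights to an unrelated principal.
    $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
    if ($resolved -ne "IIS APPPOOL\$AppPoolName") { throw "'$AppPoolName' resolved to '$resolved'" }
    # The ACE is built from the SID object, so no account-name lookup is involved.
    # ContainerInherit + ObjectInherit make subfolders and files inherit it;
    # PropagationFlags None keeps it effective on the folder itself as well.
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $sid, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($ace)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-InheritedAppPoolAccess {
    # Create a file inside the folder and return the ACEs it inherited for the pool identity.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$AppPoolName)
    $sid   = Get-AppPoolSid $AppPoolName
    $probe = New-Item -Path (Join-Path $Path 'acl-probe.tmp') -ItemType File -Force
    try {
        (Get-Acl -LiteralPath $probe.FullName).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference -eq $sid -and $_.IsInherited }
    } finally {
        Remove-Item -LiteralPath $probe.FullName -Force
    }
}

Grant-AppPoolAccess -AppPoolName 'DefaultAppPool' -Path 'C:\inetpub\wwwroot\MyApp'
Test-InheritedAppPoolAccess -Path 'C:\inetpub\wwwroot\MyApp' -AppPoolName 'DefaultAppPool'
```

If the last call returns nothing, the ACE was written without inheritance flags and the IIS manager will show it as 'Special permissions'.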
I currently have to change permissions for all local users on cmd.exe.
So far I have taken ownership of the file and changed the permissions the way I need them.
My problem is that I can't figure out how to give the ownership back to TrustedInstaller.
Below you can see the code I worked out so far. It changes the permissions and throws no errors, but after the script ran the owner is still set to System.
I am using the PowerShell App Deployment Toolkit and the script was executed as the SYSTEM user.
Any help is appreciated. If there are other (better) ways of changing permissions in the Windows folder, please let me know as well.
$acl_old = Get-Acl "$envSystem32Directory\cmd.exe"
$owner_old = $acl_old.Owner   # remember the original owner so it can be restored afterwards
Execute-Process -Path "takeown.exe" -Parameters "/f C:\windows\system32\cmd.exe"
# *S-1-2-0 is the well-known LOCAL SID; /grant:r replaces any existing explicit rights for it
Execute-Process -Path "icacls.exe" -Parameters "$envSystem32Directory\cmd.exe /grant:r *S-1-2-0:(RX)"
$new_permission = Get-Acl "$envSystem32Directory\cmd.exe"
$new_owner_object = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "$owner_old"
$new_permission.SetOwner($new_owner_object)
# the original passed $new_permissions (never assigned) here, so nothing was written back
Set-Acl -Path "$envSystem32Directory\cmd.exe" -AclObject $new_permission
I found a solution. Mine and boxdog's code are working, but they weren't complete. In order to be able to restore TrustedInstaller as the owner, some DLL and privileges have to be loaded.
If anyone else is having this issue, here is a solution. After adding the DLL load and privileges to my script, it is working.
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/87679d43-04d5-4894-b35b-f37a6f5558cb/solved-how-to-take-ownership-and-change-permissions-for-blocked-files-and-folders-in-powershell
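Added example, not the asker's code and not the code from the linked thread: Set-Acl can only assign an owner other than the caller when SeRestorePrivilege is enabled in the process token, and an elevated or SYSTEM process holds that privilege but does not have it enabled, which is why the owner silently stayed at System. TokenPrivilege and Restore-FileOwner are hypothetical names; the advapi32 functions are the documented Win32 token API, and the target path is only an illustration.

```powershell
if (-not ('TokenPrivilege' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPrivilege {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    // Enable one privilege (e.g. SeRestorePrivilege) in the current process token.
    public static void Enable(string name) {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0028, out token)) // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
            throw new System.ComponentModel.Win32Exception();
        try {
            var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Attributes = 0x2 }; // SE_PRIVILEGE_ENABLED
            if (!LookupPrivilegeValue(null, name, out tp.Luid)) throw new System.ComponentModel.Win32Exception();
            // AdjustTokenPrivileges succeeds even when the privilege is not held; ERROR_NOT_ALL_ASSIGNED (1300) reveals that.
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero) || Marshal.GetLastWin32Error() != 0)
                throw new System.ComponentModel.Win32Exception();
        } finally { CloseHandle(token); }
    }
}
'@
}

function Restore-FileOwner {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Owner = 'NT SERVICE\TrustedInstaller'
    )
    # Without this, SetOwner() to anyone but ourselves is ignored or rejected.
    [TokenPrivilege]::Enable('SeRestorePrivilege')
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetOwner([System.Security.Principal.NTAccount]$Owner)
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Read the owner back instead of trusting the absence of an error.
    $result = (Get-Acl -LiteralPath $Path).Owner
    if ($result -ne $Owner) { throw "Owner of '$Path' is '$result', expected '$Owner'" }
    $result
}

Restore-FileOwner -Path "$env:SystemRoot\System32\cmd.exe"
```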
I want to set up a network share granting READ only permissions to the root, but READ/WRITE permissions to a sub directory within it.
I can do this manually, but I want to be able to do it using PowerShell.
\\myserver\MyShare (READ access here for user TESTUSER)
\\myserver\MyShare\subfolder (READ/WRITE access here for user TESTUSER)
Manual steps in Windows Explorer - open folder properties dialog, "Sharing" tab, "Share..." button, I can then add my user and set the permissions. I can do this to BOTH the root of the network share and the "subfolder".
The closest thing I have managed in PowerShell is the following, which sets up the root only:
New-SmbShare –Name MyShare –Path e:\MyShare -ReadAccess "Domain\TESTUSER"
However, this seems to do the equivalent of the "Advanced sharing" options that appear on the folder properties dialog, which only apply when setting up a NEW network share, and not to folders WITHIN an existing network share. When I run this script, the TESTUSER isn't added to the list of users in the simple "Share..." dialog so there must be another way of setting up the permissions.
My question: How do I set up permissions using PowerShell in the same way Windows does from the "Share..." button on the folder properties?
I'm using Windows Server 2012 R2.
Share permissions apply to shares as a whole, meaning they affect the shared folder and everything it contains. It's not possible to apply different share permissions to a subfolder without publishing that subfolder as a different share, and even then the modified permissions would only become effective when accessing the subfolder through the new share, not when accessing it as a subfolder of the original share.
For fine-grained access control you MUST use filesystem ACLs. However, if the share is defined as read-only via share permissions, the user will be denied write access even if the filesystem ACLs would allow it.
Because of these limitations it's common practice to set share permissions to full control for everyone and do the entire permission handling on the filesystem level. The simplest way of setting file ACLs is still the icacls command:
icacls C:\path\to\shared_folder /grant "DOMAIN\testuser:(CI)(OI)RX"
icacls C:\path\to\shared_folder\subfolder /grant "DOMAIN\testuser:(CI)(OI)M"
You could also use Set-Acl to the same end, but it'd require more code:
function New-Ace($user, $permission) {
    New-Object Security.AccessControl.FileSystemAccessRule $user, $permission, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
}

$acl = Get-Acl -LiteralPath 'C:\path\to\shared_folder'
$acl.AddAccessRule((New-Ace 'DOMAIN\testuser' 'ReadAndExecute'))   # FileSystemRights has no 'ReadOrExecute' member
Set-Acl -AclObject $acl -LiteralPath 'C:\path\to\shared_folder'

$acl = Get-Acl -LiteralPath 'C:\path\to\shared_folder\subfolder'
$acl.AddAccessRule((New-Ace 'DOMAIN\testuser' 'Modify'))
Set-Acl -AclObject $acl -LiteralPath 'C:\path\to\shared_folder\subfolder'
By enabling access-based enumeration you can make sure users will only see those folders and files they actually have access to (avoiding confusion from trying to access an object only to get an "access denied" error).
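The complete setup this answer recommends, as an added example that is not the answer's own code: share permissions opened to Everyone with access-based enumeration turned on, the real restriction done with inheriting NTFS ACEs, and a check of what each path actually grants the user. The share name, paths and DOMAIN\testuser are placeholders, and New-InheritingAce, Grant-Ntfs and Get-UserRights are hypothetical helper names.

```powershell
$root = 'E:\MyShare'
$sub  = Join-Path $root 'subfolder'
$user = 'DOMAIN\testuser'

function New-InheritingAce([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights) {
    # ContainerInherit/ObjectInherit so new subfolders and files pick the ACE up automatically
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
}

function Grant-Ntfs([string]$Path, [System.Security.AccessControl.FileSystemAccessRule]$Ace) {
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($Ace)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-UserRights([string]$Path, [string]$Identity) {
    # Allow ACEs for the user at this path, explicit and inherited alike
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { "$($_.FileSystemRights)$(if ($_.IsInherited) { ' (inherited)' })" }
}

New-Item -ItemType Directory -Path $sub -Force | Out-Null

# Share level: Everyone gets Full Control so the share never blocks what NTFS allows;
# access-based enumeration hides entries the connecting user cannot read.
if (-not (Get-SmbShare -Name 'MyShare' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'MyShare' -Path $root -FullAccess 'Everyone' -FolderEnumerationMode AccessBased | Out-Null
}

# NTFS level: read/execute from the root downwards, modify from the subfolder downwards.
Grant-Ntfs $root (New-InheritingAce $user 'ReadAndExecute')
Grant-Ntfs $sub  (New-InheritingAce $user 'Modify')

# The subfolder shows both the inherited ReadAndExecute ACE and its own Modify ACE.
"Root:      " + ((Get-UserRights $root $user) -join '; ')
"Subfolder: " + ((Get-UserRights $sub  $user) -join '; ')
```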
I am trying to share a folder with everyone and using the below command but it is not working.
NET SHARE Movies=C:\foldername "/GRANT:Everyone,FULL"
After running this command the message 'Movies Shared Successfully' appears, but when I check the folder permissions they do not show the same.
Can anyone tell me the correct command?
Your net share works just fine. To set the folder permissions you need to set the ACL permissions:
$SharePath = "C:\foldername"
$Acl = Get-Acl $SharePath
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.AddAccessRule($AccessRule)
Set-Acl $SharePath $Acl
You will notice that "Everyone" will show up with full access permissions on the security tab of the folder.