Applying ACL Permissions using PowerShell Set-Acl

New-Item -Type Directory -Path "C:\MyFolder"
$Acl = Get-Acl "C:\MyFolder"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("username", "FullControl", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl -Path "C:\MyFolder" -AclObject $Acl
Hi, when I got the above code and applied it using my own settings, the user account entries are added for the folder, but no permissions are applied (none ticked).
Can anyone help with why this might be?
Thanks

Your comment describes the following behaviour:
Your PowerShell script succeeds, but if you check the permissions with Explorer's properties dialog, you will see the following:
This is pretty confusing as a PowerShell query will confirm:
PS> Get-Acl .|fl
Path : Microsoft.PowerShell.Core\FileSystem::D:\temp\myfolder
Owner : clijsters\clijsters
Group : clijsters\Kein
Access : clijsters\NEWUSER Allow FullControl
VORDEFINIERT\Administratoren Allow FullControl
VORDEFINIERT\Administratoren Allow 268435456
NT-AUTORITÄT\SYSTEM Allow FullControl
[...]
Your ACL changed. If you scroll down the list of checkboxes, you will notice that "Special permissions" is checked, and if you click on "Advanced" you will notice that your permissions are set.
EDIT:
As mentioned by @AnsgarWiechers, I missed a part describing why the permissions added with New-Object System.Security.AccessControl.FileSystemAccessRule("username", "FullControl", "Allow") are listed as Special permissions.
As described on MSDN, FileSystemAccessRule has 4 constructors, some of which accept InheritanceFlags and PropagationFlags (e.g. this one fits your needs). If you use them and define inheritance behaviour, the permissions will show up as normal ones.

Today I was trying to compile ILSpy and encountered AL1078: Error signing assembly which is a permissions issue. An amalgamation of answers is shown.
This PowerShell script assigns $CurUsr to the token for the currently logged in user and $CurTgt as the folder whose permissions are being altered. Change them as required.
Add permission:
$CurTgt = "C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($CurUsr,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $CurTgt
Remove permission:
$CurTgt = "C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$usersid = New-Object System.Security.Principal.Ntaccount ($CurUsr)
$acl.PurgeAccessRules($usersid)
$acl | Set-Acl $CurTgt

Related

Powershell add multiple users/groups NTFS permissions?

Trying to add Full Control for a few users to a folder in PowerShell. I have the following, which runs with no errors but only adds the last "rule" to the folder. What am I doing wrong?
$acl = Get-Acl E:\MyFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\john.smith","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\Domain Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\Folder-Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
(Get-Item E:\MyFolder).SetAccessControl($acl)
I tried running the exact same code as you, like so:
$acl = Get-Acl C:\temp
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("some_user","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("other_user","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
(Get-Item C:\Temp).SetAccessControl($acl)
And it added both to my folder, so it doesn't seem to be an issue with the code itself. Have you checked whether the domain and names were correct and that you are authorized to assign such permissions to that user/group?
For reference, I'm using PowerShell version 5.1.17763.771, and I ran those lines with local accounts and not domain accounts, as I don't have access to a domain right now.
You might try the NTFS PowerShell module, it makes things much easier and is quite capable.
A command to add full access would look something like:
Add-NTFSAccess -Path <path> -Account <Account> -AccessRights FullControl -AccessType Allow
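Following the suggestion above to check that the names are correct, this added example (not from the original posts) resolves every account to a SID before building its rule, writes the ACL once, and reads it back to confirm each explicit entry. The path and account names are the placeholders from the question.

```powershell
# Added example, not code from the posts above. Path and accounts are placeholders.
$path     = 'E:\MyFolder'
$accounts = 'DOMAIN\john.smith', 'DOMAIN\Domain Admins', 'DOMAIN\Folder-Admins'
$sidType  = [System.Security.Principal.SecurityIdentifier]

$acl    = Get-Acl -Path $path
$wanted = [ordered]@{}          # account name -> SID string, for the read-back check
foreach ($name in $accounts) {
    # Resolve the name first: a typo or an unreachable domain fails here, naming
    # the account, instead of showing up later as a "missing" entry.
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate($sidType)
    } catch {
        Write-Warning "Skipping '$name': account could not be resolved."
        continue
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    # AddAccessRule merges with what is already there; SetAccessRule would replace
    # every existing Allow entry for the same identity.
    $acl.AddAccessRule($rule)
    $wanted[$name] = $sid.Value
}
Set-Acl -Path $path -AclObject $acl

# Read the ACL back from disk and report which accounts now hold an explicit entry.
$present = (Get-Acl -Path $path).GetAccessRules($true, $false, $sidType) |
    ForEach-Object { $_.IdentityReference.Value }
$wanted.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Account     = $_.Key
        Sid         = $_.Value
        ExplicitAce = $present -contains $_.Value
    }
}
```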

Powershell Help: Add "Domain Admins" to NTFS Full Control Permission to all File Shares?

I am trying to add the Domain Admins group to all the file shares on our server with Full Control NTFS permissions, but it seems to lock up and can't proceed at the "$Acl.SetAccessRule($Ar)" line.
This is the code that I have so far:
$shares = Get-SmbShare
foreach($share in $shares) {
$Acl = get-acl $share.Path
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Domain Admins", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $share.Path $Acl
}
Does anyone have any ideas why this isn't working? I was able to add Domain Admins to File Share Permissions but can't seem to do the same with NTFS permissions following the same algorithm.
Thanks!

To set special permission for registry key of HKCU for SID user in powershell

I need to set special permissions for all logged in users using SID.user of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\Userchoice.
I tried the below code snippet but it doesn't seem to work
$path = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice"
$Acl = Get-ACL $path
$AccessRule= New-Object System.Security.AccessControl.RegistryAccessRule("user","SpecialPermissions","Allow") -SID $UserProfile.SID
$Acl.SetAccessRule($AccessRule)
Set-Acl $path $Acl
How can we achieve the permission issue to all users?

Set Share Permissions of all folders in a share based on Security Permissions

So this might be a little complicated.... I have created a script which generates lists of all the people that have Security permissions on a share. The issue is that the share permission to a share will be different than the security permissions. I want to remove all share permissions and set the share permissions to the same people with the same full control as the security permissions.
I need to run this on four different servers so I need a script that will change that. Any ideas or resources?
Edit: After discussion with my colleagues the objective has slightly changed. Now I want to use Set-Acl to basically remove full control from all users EXCEPT one specific group. This shouldn't be too difficult right? I would simply throw a for each share - for each user- if user not in specific group then set acl to remove full control.
How does one remove permissions? I see commands for setting FC but not for removing.
As per your reply, this way removes all the bugs from GET-ACL and SET-ACL so can be used in earlier versions of PowerShell. Once it's removed, you can change this (reference $PERM) to add back on the group you want to retain access. Let me know if you need it tweaking.
$folderpath = "Somefolderpath"
write-Output "Removing inheritance "
$acl = Get-Acl $Folderpath
$acl.SetAccessRuleProtection($True, $True)
$acl | Set-Acl
$acl = Get-Acl $Folderpath
$acl.Access |where {$_.IdentityReference -eq "NT AUTHORITY\Authenticated Users"} |%{$acl.RemoveAccessRule($_)}
$acl | Set-Acl
If ($?){
Write-Output "Inheritance Removed"
}
write-Output "Set permissions"
$acl = Get-Acl $Folderpath
$perm = "AddGroupHere","FullControl","Allow"
$accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $perm
$acl.AddAccessRule($accessRule)
$acl | Set-Acl
If ($?){
Write-Output "ACL set"
}
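For the edited goal in the question (strip Full Control from everyone except one group), this added example, which is not from the original posts, first reports the matching entries and only rewrites the ACL when $apply is set. $folderPath and $keepGroup are hypothetical placeholders; entries are matched by SID so localized names such as those in the German output earlier on the page do not matter.

```powershell
# Added example, not code from the posts above. Placeholders: $folderPath, $keepGroup.
$folderPath = 'D:\Shares\Example'
$keepGroup  = 'DOMAIN\Share-Admins'
$apply      = $false                 # report only; set to $true to write the ACL

$sidType = [System.Security.Principal.SecurityIdentifier]
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
# Always keep SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544) so the
# folder stays manageable, plus the one group that should retain Full Control.
$keep = @('S-1-5-18', 'S-1-5-32-544',
    (New-Object System.Security.Principal.NTAccount($keepGroup)).Translate($sidType).Value)

function Get-FullControlAce {
    # Allow entries granting Full Control to an identity outside $keep. The raw
    # value 268435456 (GENERIC_ALL) is how inherit-only full-control ACEs read back.
    param($Acl)
    $Acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $keep -notcontains $_.IdentityReference.Value -and
        ((($_.FileSystemRights -band $full) -eq $full) -or ([int]$_.FileSystemRights -eq 268435456))
    }
}

# Report what would be removed, including entries that are currently inherited.
Get-FullControlAce (Get-Acl -Path $folderPath) |
    Select-Object @{ n = 'Sid'; e = { $_.IdentityReference.Value } }, FileSystemRights, IsInherited

if ($apply) {
    # Inherited entries cannot be removed on the child: protect the folder and
    # keep copies, persist, then re-read so the copies appear as explicit ACEs.
    $acl = Get-Acl -Path $folderPath
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $folderPath -AclObject $acl

    $acl = Get-Acl -Path $folderPath
    foreach ($ace in @(Get-FullControlAce $acl)) { $acl.RemoveAccessRuleSpecific($ace) }
    Set-Acl -Path $folderPath -AclObject $acl
}
```

The kept group is not granted anything by this script: if it has no entry yet, add one before applying, and run from an account covered by $keep so the change does not lock out the operator.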

Apply folder permissions to folder contents with PowerShell

I'm applying "Read" permissions to a folder for a certain user. I want them to be able to read notepad files inside.
$Acl = Get-Acl "C:\Test"
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("MyUser","Read","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "C:\Test" $Acl
My code properly applies the read permissions to the folder (I can manually check the "Security" tab to see this), but does not grant access to the files inside. Access is denied when "MyUser" tries to open a notepad file.
You need to use another constructor so you can set InheritanceFlags for containers and leaf objects. Try:
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("MyUser","Read","ContainerInherit,ObjectInherit", "None", "Allow")
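The difference between the two constructors, which is behind both the "Special permissions" display in the first answer on this page and the denied file access here, can be checked directly. This added example (not from the original posts) applies each rule to a throwaway folder under $env:TEMP and inspects the resulting ACE on the folder and on a file created inside it. It uses the LOCAL SERVICE SID (S-1-5-19) as a stand-in identity and assumes that identity has no existing entry on the TEMP folder.

```powershell
# Added example, not code from the posts above. Uses a throwaway folder in %TEMP%.
# Assumption: LOCAL SERVICE (S-1-5-19) has no existing entry on the TEMP folder.
$sid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-19')
$root = New-Item -ItemType Directory -Path (Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N')))

function Get-AceFor {
    # ACEs for $sid on $Path, read back with SID identities so localized names do not matter.
    param([string]$Path)
    (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value }
}

function Test-Rule {
    param([string]$Name, [System.Security.AccessControl.FileSystemAccessRule]$Rule)

    $dir = New-Item -ItemType Directory -Path (Join-Path $root.FullName $Name)
    $acl = Get-Acl -Path $dir.FullName
    $acl.AddAccessRule($Rule)
    Set-Acl -Path $dir.FullName -AclObject $acl

    # A file created after the rule is in place receives only the inheritable ACEs.
    $file      = New-Item -ItemType File -Path (Join-Path $dir.FullName 'note.txt')
    $folderAce = Get-AceFor $dir.FullName
    $fileAce   = Get-AceFor $file.FullName

    [pscustomobject]@{
        Constructor      = $Name
        InheritanceFlags = $folderAce.InheritanceFlags
        PropagationFlags = $folderAce.PropagationFlags
        FileHasAce       = [bool]$fileAce
        FileAceInherited = if ($fileAce) { $fileAce.IsInherited } else { $null }
    }
}

$threeArg = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Read', 'Allow')
$fiveArg  = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

$results = @(
    Test-Rule -Name 'three-arg' -Rule $threeArg
    Test-Rule -Name 'five-arg'  -Rule $fiveArg
)
$results | Format-Table -AutoSize

Remove-Item -Path $root.FullName -Recurse -Force   # clean up the demo folder
```

The three-argument rule reads back with InheritanceFlags None, so it applies to the folder only and the file gets no entry; the five-argument rule reads back with ContainerInherit, ObjectInherit and the file carries an inherited entry.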