I have a new starter script which works fine in Powershell 2.0 but I have had to upgrade to Powershell 3.0 to get some SQL stuff working. However this breaks all the parts of my script that use Set-Acl. Using powershell 2.0 is not an option. Has anyone found a way around this:
My code:
#Set home directory permissions
$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$acl = Get-Acl $newfolder
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("$username", "FullControl", $inherit, $propagation, "Allow")
$acl.AddAccessRule($accessrule)
set-acl -aclobject $acl $newfolder
write-host permissions set
#Set home folder owner
$acl = Get-Acl $newfolder;
$domain = "mydomain"
$sid = New-Object System.Security.Principal.NTAccount("$domain\$username");
$acl.SetOwner($sid);
Set-Acl $newfolder $acl;
write-host owner set
Try binding the parameters with a colon.
Example:
Before: set-acl -aclobject $acl $newfolder
After: set-acl -aclobject:$acl -Path:$newfolder
Note:
Use the full path of $newfolder.
set-acl -aclobject:$acl -path:$newfolder.FullName
Explanation: PowerShell cmdlets have ordered binding and positioning; using a colon ensures that your value is assigned to the correct parameter, no matter what order or type of object. The .FullName property will prevent a SetSecurityDescriptor error.
In case anyone else stumbles upon this as I did...
I was getting the following error:
Set-Acl : Cannot find path 'C:\WINDOWS\system32\System.Security.AccessControl.DirectorySecurity' because it does not exist.
I had to actually specify the Path and AclObject parameters:
Set-Acl -Path C:\mydir -AclObject $acl
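As an added example, not code from the question or the answers above, the following function does the two things the original script does (grant an account FullControl with inheritance, then set the owner) with every Set-Acl parameter bound by name and the path resolved to an absolute filesystem path, which removes both failure modes discussed in this thread, and verifies the result by reading the ACL back. Assumed: the account is given in NT account form ("DOMAIN\user"), and the caller has WRITE_DAC on the folder (setting the owner to someone other than yourself additionally needs an elevated session). The demo at the bottom targets a throwaway folder under $env:TEMP and uses the current user as the account.

```powershell
function Grant-FolderFullControl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Account,   # assumed 'DOMAIN\user' form
        [switch]$SetOwner
    )

    # Resolve to the provider (filesystem) path. A relative path, or a DirectoryInfo
    # converted to a string, is a common cause of "Cannot find path ..." from Set-Acl.
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Fail early with a clear message if the account does not resolve to a SID.
    $identity = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $identity.Translate([System.Security.Principal.SecurityIdentifier])

    $acl = Get-Acl -LiteralPath $fullPath
    $ruleArgs = @(
        $identity
        [System.Security.AccessControl.FileSystemRights]::FullControl
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        [System.Security.AccessControl.PropagationFlags]::None
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    if ($SetOwner) {
        # Giving ownership to another principal needs SeRestorePrivilege (elevated admin);
        # setting it to yourself only needs WRITE_OWNER on the folder.
        $acl.SetOwner($identity)
    }

    # Named parameters: no positional binding, no ambiguity about which value is the path.
    Set-Acl -LiteralPath $fullPath -AclObject $acl

    # Never trust the in-memory object: read the ACL back and look for the entry by SID.
    $after = Get-Acl -LiteralPath $fullPath
    $found = @($after.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl
        })

    [pscustomobject]@{
        Path        = $fullPath
        Account     = $Account
        RuleApplied = ($found.Count -gt 0)
        AppliesWith = ($found | ForEach-Object { "$($_.InheritanceFlags)" }) -join '; '
        Owner       = $after.Owner
    }
}

# Demo on a throwaway folder, granting the current user and making them owner.
$demo = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
try {
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Grant-FolderFullControl -Path $demo -Account $me -SetOwner | Format-List
}
finally {
    Remove-Item -LiteralPath $demo -Recurse -Force
}
```

The read-back at the end is the part worth keeping in any provisioning script: Set-Acl does not return anything useful, and an ACE that silently landed with InheritanceFlags None (or on the wrong object) is exactly the kind of thing you only notice when a user complains.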
I am trying to use the "default" options in applying folder permissions; by that, I mean using the "Full Control, Write, Read, etc." options in the 'Properties' for a folder.
The following script works to add the user in, but it applies "Special Permissions" - not the ones with the tick boxes for the ones visible in the properties menu of the folder:
$Acl = Get-Acl "\\R9N2WRN\Share"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule ("user","FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "\\R9N2WRN\Share" $Acl
What am I doing wrong please?
Specifying inheritance in the FileSystemAccessRule() constructor fixes this, as demonstrated by the modified code below (notice the two new constructor parameters inserted between "FullControl" and "Allow").
$Acl = Get-Acl "\\R9N2WRN\Share"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("user", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "\\R9N2WRN\Share" $Acl
According to this topic:
"when you create a FileSystemAccessRule the way you have, the InheritanceFlags property is set to None. In the GUI, this corresponds to an ACE with the Apply To box set to "This Folder Only", and that type of entry has to be viewed through the Advanced settings."
I have tested the modification and it works, but of course credit is due to the MVP posting the answer in that topic.
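As an added example (my own code, not from the question or the answer above), the following decodes an ACE's InheritanceFlags and PropagationFlags into the "Applies to" wording that the Advanced Security dialog shows, and lists a folder's entries with that wording, so you can see which entries the basic Security tab will only summarize as "Special permissions". The demo creates a throwaway folder under $env:TEMP and adds two entries: one built with the 3-argument constructor (no inheritance flags, exactly the shape from the question) for the current user, and one with ContainerInherit, ObjectInherit for BUILTIN\Users, addressed by its well-known SID so the demo does not depend on the display language.

```powershell
function Get-AceAppliesTo {
    param([Parameter(Mandatory = $true)][System.Security.AccessControl.FileSystemAccessRule]$Rule)

    $ci = $Rule.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $oi = $Rule.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $inheritOnly = $Rule.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
    $noPropagate = $Rule.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::NoPropagateInherit)

    # Key is "<applies to this folder>,<applies to subfolders>,<applies to files>"
    $key = '{0},{1},{2}' -f (-not $inheritOnly), $ci, $oi
    $text = switch ($key) {
        'True,False,False'  { 'This folder only' }
        'True,True,True'    { 'This folder, subfolders and files' }
        'True,True,False'   { 'This folder and subfolders' }
        'True,False,True'   { 'This folder and files' }
        'False,True,True'   { 'Subfolders and files only' }
        'False,True,False'  { 'Subfolders only' }
        'False,False,True'  { 'Files only' }
        default             { "Invalid combination: $($Rule.InheritanceFlags) / $($Rule.PropagationFlags)" }
    }
    if ($noPropagate) { $text += ' (direct children only)' }
    $text
}

function Show-FolderAces {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -LiteralPath (Resolve-Path -LiteralPath $Path).ProviderPath
    $acl.Access | ForEach-Object {
        $appliesTo = Get-AceAppliesTo -Rule $_
        # Only an entry that reaches the folder, its subfolders and its files shows up as
        # plain tick boxes on the basic tab; anything else is rolled into "Special permissions".
        $basicTab = if ($appliesTo -eq 'This folder, subfolders and files') { 'tick boxes' } else { 'Special permissions' }
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
            AppliesTo = $appliesTo
            BasicTab  = $basicTab
        }
    }
}

# Demo: one "This folder only" entry and one fully inheritable entry on a throwaway folder.
$demo = Join-Path $env:TEMP ('ace-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
try {
    $me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $users = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')   # BUILTIN\Users
    $acl = Get-Acl -LiteralPath $demo
    # 3-argument constructor: InheritanceFlags None, lands as "This folder only".
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'Modify', 'Allow')))
    # With inheritance flags: lands as "This folder, subfolders and files".
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($users, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
    Set-Acl -LiteralPath $demo -AclObject $acl
    Show-FolderAces -Path $demo | Format-Table -AutoSize
}
finally {
    Remove-Item -LiteralPath $demo -Recurse -Force
}
```

Running Show-FolderAces on a share before and after a permissions script is a cheap way to catch the "This folder only" mistake from the question without opening the Advanced dialog on every folder.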
Referring to Gamaliel's answer: $args is an array of the arguments that are passed into a script at runtime, so it cannot be used the way Gamaliel is using it.
This is actually working:
$myPath = 'C:\whatever.file'
# get actual Acl entry
$myAcl = Get-Acl "$myPath"
$myAclEntry = "Domain\User","FullControl","Allow"
$myAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($myAclEntry)
# prepare new Acl
$myAcl.SetAccessRule($myAccessRule)
$myAcl | Set-Acl "$MyPath"
# check if added entry present
Get-Acl "$myPath" | fl
Another example using PowerShell to set permissions (file / directory):
Verify permissions
Get-Acl "C:\file.txt" | fl *
Apply full permissions for everyone
$acl = Get-Acl "C:\file.txt"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("everyone","FullControl","Allow")
$acl.SetAccessRule($accessRule)
$acl | Set-Acl "C:\file.txt"
Hope this helps
In case you need to deal with a lot of folders containing subfolders and other recursive stuff, a small improvement on Mike L'Angelo's answer:
$mypath = "path_to_folder"
$myacl = Get-Acl $mypath
$myaclentry = "username","FullControl","Allow"
$myaccessrule = New-Object System.Security.AccessControl.FileSystemAccessRule($myaclentry)
$myacl.SetAccessRule($myaccessrule)
# Writes the parent's complete ACL object onto every child, replacing each child's own entries
Get-ChildItem -Path "$mypath" -Recurse -Force | Set-Acl -AclObject $myacl -Verbose
Verbosity is optional in the last line
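As an added example (my own code, not from the answer above), the following takes a different approach to the recursive case: instead of writing the parent's whole DACL onto every child, it adds one inheritable entry at the root, then walks the tree and adds the entry only on items whose DACL has inheritance disabled (AreAccessRulesProtected), since those are the only ones the root entry will not reach. Files get a rule without container/object inherit flags, which are only valid on directories. The demo builds a throwaway tree under $env:TEMP with one protected subfolder and grants BUILTIN\Users (by well-known SID) ReadAndExecute; the names and layout of that tree are invented for the demo.

```powershell
function Add-AccessRuleRecursive {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Pass a SecurityIdentifier, or New-Object System.Security.Principal.NTAccount('DOMAIN\user')
        [Parameter(Mandatory = $true)][System.Security.Principal.IdentityReference]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl'
    )
    $root     = (Resolve-Path -LiteralPath $Path).ProviderPath
    $dirArgs  = @($Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $fileArgs = @($Identity, $Rights, 'Allow')
    $touched  = New-Object System.Collections.Generic.List[string]

    # 1. One inheritable entry on the root covers every descendant that still inherits;
    #    Windows propagates it when the DACL is written.
    $acl = Get-Acl -LiteralPath $root
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $dirArgs))
    Set-Acl -LiteralPath $root -AclObject $acl
    $touched.Add($root)

    # 2. Descendants with a protected DACL need their own entry, built for their item type.
    Get-ChildItem -LiteralPath $root -Recurse -Force | ForEach-Object {
        $itemAcl = Get-Acl -LiteralPath $_.FullName
        if (-not $itemAcl.AreAccessRulesProtected) { return }   # still inherits: nothing to do
        $ctorArgs = if ($_.PSIsContainer) { $dirArgs } else { $fileArgs }
        $itemAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs))
        Set-Acl -LiteralPath $_.FullName -AclObject $itemAcl
        $touched.Add($_.FullName)
    }
    return $touched
}

# Demo tree (constructed): root\open\deeper inherits; root\protected has inheritance disabled.
$demo = Join-Path $env:TEMP ('rec-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
try {
    $null = New-Item -ItemType Directory -Path (Join-Path $demo 'open\deeper')
    $protected = New-Item -ItemType Directory -Path (Join-Path $demo 'protected')
    $null = New-Item -ItemType File -Path (Join-Path $protected.FullName 'secret.txt')

    # Disable inheritance on 'protected', keeping copies of the inherited entries.
    $p = Get-Acl -LiteralPath $protected.FullName
    $p.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $protected.FullName -AclObject $p

    $users = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')   # BUILTIN\Users
    # Expected output: the root and '...\protected' only; 'open\deeper' and 'secret.txt' inherit.
    Add-AccessRuleRecursive -Path $demo -Identity $users -Rights ReadAndExecute
}
finally {
    Remove-Item -LiteralPath $demo -Recurse -Force
}
```

Piping every child into Set-Acl with the same ACL object also works, but it overwrites whatever explicit entries those children had; touching only the protected items keeps the rest of the tree exactly as it was.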
This one works for me:
$path = "C:\test"
$name = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl "C:\test"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($name,"FullControl","Allow")
$acl.SetAccessRule($accessRule)
$acl | Set-Acl "C:\test"
Get-ChildItem -Path "$path" -Recurse -Force | Set-Acl -aclObject $acl -Verbose
$path = "C:\DemoFolder"
$acl = Get-Acl $path
$username = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$Attribs = $username, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Attribs)
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $path
Get-ChildItem -Path "$path" -Recurse -Force | Set-Acl -aclObject $acl -Verbose
I'm a newbie in PowerShell and trying to figure out a way to set folder permissions for Authenticated Users. I want to remove all permissions for this user except Read&Execute.
I've tried the code below but it doesn't quite give the result I want:
$folder = 'C:\folder'
#remove inheritance
$acl = Get-ACL -Path $folder
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $folder -AclObject $acl
#set folder permissions to Read&Execute
$user = New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' -ArgumentList @([System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($user, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl
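As an added example (my own code, not from the question), the following performs the same two steps in an order that holds up: break inheritance while keeping copies, persist, then re-read the ACL from disk so that the copied entries come back as ordinary explicit entries, purge every Authenticated Users entry (Allow and Deny) and add a single inheritable ReadAndExecute entry. The re-read matters: the object on which SetAccessRuleProtection was just called still carries the old entries flagged as inherited, and the rule-removal methods leave inherited entries alone. The demo runs on a throwaway folder under $env:TEMP after seeding an explicit Modify entry for Authenticated Users that must disappear; the well-known SID is used rather than the name so it works on any display language.

```powershell
function Limit-AuthenticatedUsersAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute'
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $authUsers = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList @([System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)

    # Step 1: stop inheriting from the parent, keeping copies of the inherited entries, and persist.
    $acl = Get-Acl -LiteralPath $full
    if (-not $acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $full -AclObject $acl
    }

    # Step 2: re-read. The former inherited entries now come back with IsInherited = False,
    # so PurgeAccessRules removes them; it also removes explicit Deny entries for the identity.
    $acl = Get-Acl -LiteralPath $full
    $acl.PurgeAccessRules($authUsers)
    $ruleArgs = @($authUsers, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs))
    Set-Acl -LiteralPath $full -AclObject $acl

    # Verify from disk: exactly one entry for Authenticated Users, Allow, with the requested rights.
    $after = Get-Acl -LiteralPath $full
    $entries = @($after.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $authUsers.Value })
    [pscustomobject]@{
        Path       = $full
        Protected  = $after.AreAccessRulesProtected
        EntryCount = $entries.Count
        Entries    = ($entries | ForEach-Object { "$($_.AccessControlType) $($_.FileSystemRights) [$($_.InheritanceFlags)]" }) -join '; '
        AsExpected = ($entries.Count -eq 1 -and
                      $entries[0].AccessControlType -eq 'Allow' -and
                      $entries[0].FileSystemRights -eq $Rights)
    }
}

# Demo on a throwaway folder, seeded with an explicit Modify entry that must be removed.
$demo = Join-Path $env:TEMP ('au-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
try {
    $authUsers = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList @([System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
    $seed = Get-Acl -LiteralPath $demo
    $seed.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($authUsers, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
    Set-Acl -LiteralPath $demo -AclObject $seed

    Limit-AuthenticatedUsersAccess -Path $demo | Format-List   # AsExpected should be True
}
finally {
    Remove-Item -LiteralPath $demo -Recurse -Force
}
```

The AsExpected field is the check to keep: after a script like this runs against a real share, one Allow ReadAndExecute entry for Authenticated Users, and nothing else for that identity, is the whole requirement, and it is far quicker to assert than to eyeball in the Advanced dialog.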
I have a PowerShell script to set up a user's folders with NTFS, Sharing and DFS. All of it works, however I get this message when setting the NTFS rights.
Exception calling "SetAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot be modified."
At C:\Users\Public\Documents\Scripts\Add-UserFolders.ps1:53 char:1
Code looks like this:
# NTFS Rights
$Acl = (Get-Item $UserFolder).GetAccessControl('Access')
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.SetAccessRule($Ar)
Set-Acl -path $UserFolder -AclObject $Acl
$Acl = (Get-Item $ScanFolder).GetAccessControl('Access')
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.SetAccessRule($Ar)
Set-Acl -path $ScanFolder -AclObject $Acl
My issue is that the first code block throws the error but the second code block does not, even though the format is the same. Running icacls Path\to\folder -verify shows no error, and the ACL is not modified to add the user object.
This error probably means the ACL is incorrectly ordered, and to repair that you can use my function Repair-DirectoryPermissions.
Next I would advise using Get-Acl.
Try:
# create the new access rule
# see: https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemaccessrule
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl = Get-Acl -LiteralPath $UserFolder
$Acl.SetAccessRule($rule)
$Acl | Set-Acl -LiteralPath $UserFolder
$Acl = Get-Acl -LiteralPath $ScanFolder
$Acl.SetAccessRule($rule)
$Acl | Set-Acl -LiteralPath $ScanFolder
Get-Acl was the correct way to go, but I did not use the scripts shown above. By running get-acl, I noticed that one object appeared in the wrong place. Looking into the object, I determined that it was not needed and deleted it from the acl, and now everything works just fine.
A VERY good explanation of canonical order is here. Using that showed me where the problem was.
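As an added example (my own code, not the Repair-DirectoryPermissions function mentioned earlier in this thread), the following gives the diagnosis the answer above did by hand. Test-AclOrder lists the DACL in its stored order, with the rank each entry should sort by (explicit Deny, then explicit Allow, then inherited Deny, then inherited Allow), and reports the index of the first entry that breaks that order next to .NET's own AreAccessRulesCanonical verdict. Repair-AclOrder rebuilds the DACL on a fresh security object through AddAccessRule, which inserts each entry in canonical position, keeps the protection state, leaves inherited entries to the parent, and writes only the DACL section. The demo runs both on a throwaway folder under $env:TEMP, which is expected to report canonical already.

```powershell
function Test-AclOrder {
    param([Parameter(Mandatory = $true)][string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $acl   = Get-Acl -LiteralPath $full
    $rules = @($acl.Access)      # .Access enumerates the DACL in stored order
    $maxSoFar = -1
    $firstBad = $null
    $listing = for ($i = 0; $i -lt $rules.Count; $i++) {
        $r = $rules[$i]
        # Canonical order: 0 = explicit Deny, 1 = explicit Allow, 2 = inherited Deny, 3 = inherited Allow
        $rank = $(if ($r.IsInherited) { 2 } else { 0 }) + $(if ($r.AccessControlType -eq 'Deny') { 0 } else { 1 })
        if ($rank -lt $maxSoFar -and $null -eq $firstBad) { $firstBad = $i }
        if ($rank -gt $maxSoFar) { $maxSoFar = $rank }
        [pscustomobject]@{
            Index = $i; Rank = $rank; Identity = $r.IdentityReference.Value
            Type = $r.AccessControlType; Inherited = $r.IsInherited; Rights = $r.FileSystemRights
        }
    }
    [pscustomobject]@{
        Path            = $full
        IsCanonical     = $acl.AreAccessRulesCanonical
        FirstOutOfOrder = $firstBad
        Entries         = @($listing)
    }
}

function Repair-AclOrder {
    param([Parameter(Mandatory = $true)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    $acl  = Get-Acl -LiteralPath $item.FullName
    if ($acl.AreAccessRulesCanonical) { return "Already canonical: $($item.FullName)" }

    # A fresh object of the right kind: only sections we modify (the DACL) get written.
    $fixed = if ($item.PSIsContainer) {
        New-Object System.Security.AccessControl.DirectorySecurity
    } else {
        New-Object System.Security.AccessControl.FileSecurity
    }
    # Keep the protection state; inherited entries are not copied, the parent supplies them.
    $fixed.SetAccessRuleProtection($acl.AreAccessRulesProtected, $false)
    foreach ($r in $acl.Access) {
        if (-not $r.IsInherited) { $fixed.AddAccessRule($r) }   # AddAccessRule places each ACE canonically
    }
    Set-Acl -LiteralPath $item.FullName -AclObject $fixed
    return "Rewrote DACL in canonical order: $($item.FullName)"
}

# Demo on a throwaway folder (a fresh folder should already be canonical).
$demo = Join-Path $env:TEMP ('canon-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
try {
    $report = Test-AclOrder -Path $demo
    $report | Select-Object Path, IsCanonical, FirstOutOfOrder | Format-List
    $report.Entries | Format-Table -AutoSize
    Repair-AclOrder -Path $demo
}
finally {
    Remove-Item -LiteralPath $demo -Recurse -Force
}
```

Run Test-AclOrder first and look at the entry it flags before running Repair-AclOrder: a misplaced explicit Deny is usually something a tool wrote deliberately, and rebuilding the DACL moves it rather than removes it, so the effective access can change.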
Using the following powershell I have set the NTFS Permissions for a folder for full control. For some reason this is only applying to the folder and not its contents. I followed the instructions located here
$username = "exampleuser"
$permissionArgs = "domain\$username", "FullControl", "allow"
$permissionRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permissionArgs
$acl = Get-Acl 'C:\Users\username1\Desktop\TESTING2'
$acl.SetAccessRule($permissionRule)
Set-ACL -Path 'C:\Users\username1\Desktop\TESTING2' -AclObject $acl
When I use CACLS to see the permissions I get the following output. (usernames+domain blurred)
Can anyone advise how to make the first user listed have the same permissions as the last?
You need to include the inheritance parameters while defining the ACL rule, like the one below.
$Folderpath='Destination Folder'
$user_account='User Account'
$Acl = Get-Acl $Folderpath
$Ar = New-Object system.Security.AccessControl.FileSystemAccessRule($user_account, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$Acl.Setaccessrule($Ar)
Set-Acl $Folderpath $Acl
Hope this helps.
I'm trying to add permissions to an existing share. The share has the 4 default permissions on a Windows Server 2012 (creator owner, System...).
When I run the script from my Win7 client it deletes all NTFS permissions and adds only the account from the script. Any ideas???
$folder = Get-Acl "\\win-gv2fnajsqvu\a-og"
$newACL = New-Object System.Security.AccessControl.FileSystemAccessRule("test\user2","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$folder.AddAccessRule($newACL)
Set-Acl "\\win-gv2fnajsqvu\a-og" -aclobject $Folder
It looks like these are inherited properties that are being removed. Try forcing SetAccessRuleProtection to $true for "preserveInheritance" on the $folder object:
$folder = Get-Acl "\\win-gv2fnajsqvu\a-og"
$folder.SetAccessRuleProtection($true, $true)
$newACL = New-Object System.Security.AccessControl.FileSystemAccessRule("test\user2","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$folder.AddAccessRule($newACL)
Set-Acl "\\win-gv2fnajsqvu\a-og" -aclobject $folder