Im trying to add modify right to bob user from domain, but it is giving only permission and no rights at all and even not inheriting to subfolder to path D:\test, from the script as below:
$Right = [System.Security.AccessControl.FileSystemRights]"Modify"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("domain\bob")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $Right, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-ACL "D:\Test"
$objACL.AddAccessRule($objACE)
Set-ACL "D:\Test" -aclobject $objACL
Where is my mistake ?
Not sure what you mean by "only permission and no rights at all", but the following line is what prevents your ACL from being inherited:
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
Change that line to
$InheritanceFlag = ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit, [System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
and the ACL should be inherited by the child objects.
Related
I found the following which seems to work for what it is, but I need 2 things changed, and can't figure it out.
$acl = Get-Acl D:\New
$permission = "Everyone","Read","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
$acl | Set-Acl D:\New
I need to be able to give "HomeGroup" permission, not "Everyone".
I need this to recurse all folders.
When in doubt, read the documentation. You need to change the identity from "Everyone" to "$env:COMPUTERNAME\HomeGroup" and set the appropriate inheritance and propagation flags.
$identity = "$env:COMPUTERNAME\HomeGroup"
$accessRight = 'Read'
$inheritance = 'ContainerInherit, ObjectInherit'
$propagation = 'None'
$type = 'Allow'
$accessRule = New-Object Security.AccessControl.FileSystemAccessRule (
$identity, $accessRight, $inheritance, $propagation, $type
)
Im trying to create a script to set specific (advanced)access rights to a folder. However i keep running into the same error. And i cannot seem to figure it out, im hoping you guys have a solution for me.
This is the error i get:
New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "5". At line:14 char:17
And this is the powershell code that i have:
$folder = "\\netwerk\data\tablet\Test2"
$ReadGroup = "netwerk\ACR_Test2_R"
$WriteGroup = "netwerk\ACR_Test2_RW"
$acl = Get-Acl $folder
$ReadallowString = 'ExecuteFile','ListDirectory','Read','ReadData','ReadAndExecute','ReadExtendedAttributes','ReadPermissions'
$WriteallowString = 'AppendData','CreateDirectories','CreateFiles','DeleteSubdirectoriesAndFiles','ExecuteFile','ListDirectory','Modify','Read','ReadAndExecute','ReadExtendedAttributes','ReadPermissions','Traverse','Write','WriteAttributes','WriteData','WriteExtendedAttributes'
$ReaddenyString = 'Delete','TakeOwnership','ChangePermissions'
$WritedenyString = 'Delete','TakeOwnership','ChangePermissions'
$AllowVar =[System.Security.AccessControl.AccessControlType]::Allow
$DenyVar =[System.Security.AccessControl.AccessControlType]::Deny
$AceAllowRead = New-Object Security.AccessControl.FileSystemAccessRule($ReadGroup, $ReadallowString, $inherit, $propagation, $AllowVar)
$AceAllowWrite = New-Object Security.AccessControl.FileSystemAccessRule($WriteGroup, $WriteallowString, $inherit, $propagation, $AllowVar)
$AceDenyRead = New-Object Security.AccessControl.FileSystemAccessRule($ReadGroup, $ReaddenyString, $inherit, $propagation, $DenyVar)
$AceDenyWrite = New-Object Security.AccessControl.FileSystemAccessRule($WriteGroup, $WritedenyString, $inherit, $propagation, $DenyVar)
$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$acl.AddAccessRule($AceAllowRead)
$acl.AddAccessRule($AceDenyRead)
$acl.AddAccessRule($AceAllowWrite)
$acl.AddAccessRule($AceDenyWrite)
Set-Acl $folder $acl
Seems like it trips at the part where i am Creating the FileSystemAccessRule's
I think your issue is with the position of your variable $inherit and $propagation in your script. They should be declared before that you call them.
Try this :
$folder = "\\netwerk\data\tablet\Test2"
$ReadGroup = "netwerk\ACR_Test2_R"
$WriteGroup = "netwerk\ACR_Test2_RW"
$acl = Get-Acl $folder
$ReadallowString = 'ExecuteFile','ListDirectory','Read','ReadData','ReadAndExecute','ReadExtendedAttributes','ReadPermissions'
$WriteallowString = 'AppendData','CreateDirectories','CreateFiles','DeleteSubdirectoriesAndFiles','ExecuteFile','ListDirectory','Modify','Read','ReadAndExecute','ReadExtendedAttributes','ReadPermissions','Traverse','Write','WriteAttributes','WriteData','WriteExtendedAttributes'
$ReaddenyString = 'Delete','TakeOwnership','ChangePermissions'
$WritedenyString = 'Delete','TakeOwnership','ChangePermissions'
$AllowVar =[System.Security.AccessControl.AccessControlType]::Allow
$DenyVar =[System.Security.AccessControl.AccessControlType]::Deny
$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$AceAllowRead = New-Object Security.AccessControl.FileSystemAccessRule($ReadGroup, $ReadallowString, $inherit, $propagation, $AllowVar)
$AceAllowWrite = New-Object Security.AccessControl.FileSystemAccessRule($WriteGroup, $WriteallowString, $inherit, $propagation, $AllowVar)
$AceDenyRead = New-Object Security.AccessControl.FileSystemAccessRule($ReadGroup, $ReaddenyString, $inherit, $propagation, $DenyVar)
$AceDenyWrite = New-Object Security.AccessControl.FileSystemAccessRule($WriteGroup, $WritedenyString, $inherit, $propagation, $DenyVar)
$acl.AddAccessRule($AceAllowRead)
$acl.AddAccessRule($AceDenyRead)
$acl.AddAccessRule($AceAllowWrite)
$acl.AddAccessRule($AceDenyWrite)
Set-Acl $folder $acl
I have a CSV file that containts a Folder Name (first 6 characters) and a User Name (rest of characters).
I have to give Full Control Access to each User in His Folder. So I wrote the:
$Doc = import-csv "C:\Temp\ListOfUsers.csv"
foreach ($x in $Doc)
{
$x = ""+ $x
$CPayID = $x.SubString(10,6)
$UserName = $x.SubString(17, $x.Length-18)
$UserPath = "C:\XPAY_FTP_CUST\"+$CPayID
$Acl = Get-Acl $UserPath
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$Username","FullControl","ContainerInherit, ObjectInherit","None","Allow")
$Acl.SetAccessRule($Rule)
Set-Acl $UserPath $Acl
}
But I received the following Error for Each User:
Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
The Users exist and are locals, I am local administrator, and when I ask for echo the $Username, the $UserPath, and the $Acl I receive correct data.
Please, I need any help.
You might have to specify the username as DOMAIN\user. In case of local users, DOMAIN will be the computer name:
$UserReference = New-Object System.Security.Principal.NTAccount $env:ComputerName,$Username
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($UserReference,"FullControl","ContainerInherit, ObjectInherit","None","Allow")
Mathias is much, much smarter than I am at this, but I noticed this in your code:
($UserReference,"FullControl","ContainerInherit, ObjectInherit","None","Allow")
Should "ContainerInherit, ObjectInherit" instead be "ContainerInherit", "ObjectInherit"?
I would like this powershell script to create a new directory, and add/assign permissions with a group.
The group is adding, but the permissions are not showing under Properties on the Security tab. If going to Advances security the permissions do show there.
Also, the parent folder permissions are not being removed from the new child folder as desired.
$groups = "DOMAIN\GROUP"
$Perm = "MODIFY"
$Permission = [System.Security.AccessControl.FileSystemRights] $Perm
$AllInherit = [System.Security.AccessControl.InheritanceFlags] "None"
$AllPropagation = [System.Security.AccessControl.PropagationFlags] "InheritOnly"
$path = "c:\temp\test"
new-item -path $path -itemtype directory -force
$group = $groups
$GetACL = Get-Acl $Path
$Access = New-Object System.Security.Principal.NTAccount ($group)
$AccessRule = New-Object system.security.AccessControl.FileSystemAccessRule($Access, $perm, $AllInherit, $Allpropagation, "Allow")
$GetACL.SetAccessRule($AccessRule)
SET-ACL -PATH $path $getacl
Here's a function I wrote for a similar purpose:
function Add-AclEntry {
# Adds a new entry to the specified file system object ACL. For
# folders the new permissions are applied recursively.
# Returns: null.
param(
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[String]$sPath,
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]
# Access group (full notation).
[String]$sGroup,
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]
# List of access rights, comma separated.
[String]$sRights,
[Parameter(Mandatory=$false)]
[ValidateSet("Allow", "Deny")]
[String]$sType = "Allow"
)
$cRights = [System.Security.AccessControl.FileSystemRights]$sRights
$oType = [System.Security.AccessControl.AccessControlType]::$sType
$oGroup = New-Object -TypeName System.Security.Principal.NTAccount($sGroup)
# Inheritance flags: full inheritance.
if ((Get-Item $sPath).PSIsContainer) {
$oInheritanceFlags = (`
[System.Security.AccessControl.InheritanceFlags]::ObjectInherit `
-bor [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
} else {
$oInheritanceFlags = `
[System.Security.AccessControl.InheritanceFlags]::None
}
$oPropagationFlags = [System.Security.AccessControl.PropagationFlags]::None
# Creating access control entry and adding it to the ACL.
$oAce = New-Object `
-TypeName System.Security.AccessControl.FileSystemAccessRule `
($oGroup, $cRights, $oInheritanceFlags, $oPropagationFlags, $oType)
$oAcl = Get-Acl -Path $sPath
$oAcl.AddAccessRule($oAce)
Set-Acl -Path $sPath -AclObject $oAcl
return $null
}
Example usage (adding Modify permissions for Authenticated Users group):
$sGroup = "NT AUTHORITY\Authenticated Users"
$sRights = "Delete, Read, Traverse, Write"
Add-AclEntry -sPath $sFolder -sGroup $sGroup -sRights $sRights
Hope that helps.
Trying my hand at Powershell and I'm trying to figure out how to add specific permissions to our user account. The code below will add the service account to the folders Security tab, however it will not adjust the permissions. Any idea why?
#variables
$okeeffename = "WCFService"
$domain = "InsideServices.dev.com"
$okeeffedirectory = "d:\webcontent\$domain\$okeeffename"
#create webcontent and application folders
Write-Host "Creating directories" -ForegroundColor Yellow
New-Item -Path $okeeffedirectory -type directory -ErrorAction Stop
#adjust security for folders
$okeefferights = Get-Acl $okeeffedirectory
$read = New-Object system.security.accesscontrol.filesystemaccessrule($useraccount, "Read", "Allow")
$list = New-Object system.security.accesscontrol.filesystemaccessrule($useraccount, "ListDirectory", "Allow")
$readexecute = New-Object system.security.accesscontrol.filesystemaccessrule($useraccount, "ReadAndExecute", "Allow")
$okeefferights.SetAccessRule($read)
$okeefferights.SetAccessRule($list)
$okeefferights.SetAccessRule($readexecute)
Set-Acl -Path $okeeffedirectory -AclObject $okeefferights
Second question: I'm trying to add the following permissions for the service account to the folder. Can someone point out the keyword Powershell uses for the List Folder Contents permission?
EDIT
By toggling the Allow/Deny value for the FileSystemRights I found that each of the specs are only changing the Special Permissions Permission on the folder. Quick screen shot:
This is fairly easy to find out when you know what exactly you are looking for. What you need is a [System.Security.AccessControl.FileSystemRights]. We can find the available rights list by using [enum] as such:
PS C:\windows\system32> [enum]::GetNames([System.Security.AccessControl.FileSystemRights])
ListDirectory
ReadData
WriteData
CreateFiles
CreateDirectories
AppendData
ReadExtendedAttributes
WriteExtendedAttributes
Traverse
ExecuteFile
DeleteSubdirectoriesAndFiles
ReadAttributes
WriteAttributes
Write
Delete
ReadPermissions
Read
ReadAndExecute
Modify
ChangePermissions
TakeOwnership
Synchronize
FullControl
You can create several rights in one object like (this should allow a user read/execute only access to a folder and its' contents):
$Rights = [System.Security.AccessControl.FileSystemRights]"ListDirectory,ReadData,Traverse,ExecuteFile,ReadAttributes,ReadPermissions,Read,ReadAndExecute"
My usual template for setting ACLs is this:
$Rights = [System.Security.AccessControl.FileSystemRights]"FullControl"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit"
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("Domain\User")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $Rights, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-ACL "C:\Temp"
$objACL.AddAccessRule($objACE)
Set-ACL "C:\Temp" $objACL
From that you should be able to manipulate the code to accomplish what you want.
To build an ACE that shows up as "list folder contents" in the "Security" tab you need to combine 5 file system rights:
ListDirectory
ReadAttributes
ReadExtendedAttributes
ReadPermissions
Traverse
and set inheritance to ContainerInherit.
$list = New-Object Security.AccessControl.FileSystemAccessRule($useraccount, 'Traverse,ListDirectory,ReadAttributes,ReadExtendedAttributes,ReadPermissions', 'ContainerInherit', 'None', 'Allow')
the most straightforward way to find out the specific combination of file system rights and inheritance flags for a particular ACE is to create it manually and inspect the result in the Advanced Security Settings: