Solved

Modify ACL Folder,SubFolders,ACL

Posted on 2011-03-15
Last Modified: 2012-05-11
Hi there,

I want to add an ACE to an ACL and propagate the new ACE into each ACL of subobjects. Here is my code:

$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$directory = "$ProgramFiles\Test"
$acl = Get-ACL $directory
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("$SetUserName", "Modify", $inherit, $propagation, "Allow")
$acl.AddAccessRule($accessrule)
$acl.SetAccessRuleProtection($False,$True)
set-acl -aclobject $acl $directory

Sadly the new ACE is not set into all ACLs - somebody know why? It's not a permissions issue as I am running the script within the security context of an ADM-Account which has FullControl onto the folder, subfolder, files ....

Thx
Question by:ptea
LVL 16

Expert Comment

by:Dale Harris
ID: 35143163
Not sure if this will work, but since it's now been tagged as "Neglected", I thought I would try this:

$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$directories = gci "$ProgramFiles\Test" -recurse
foreach ($directory in $directories){
    $acl = Get-ACL $directory
    $accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("$SetUserName", "Modify", $inherit, $propagation, "Allow")
    $acl.AddAccessRule($accessrule)
    $acl.SetAccessRuleProtection($False,$True)
    set-acl -aclobject $acl $directory
}


I don't think we have the entire script here, but this shouldn't be too hard to adapt.

HTH,

Dale Harris

Author Comment

by:ptea
ID: 35146710
thx for the input - I tried this already and got this error message:

Set-Acl : The security identifier is not allowed to be the owner of this object.


Author Comment

by:ptea
ID: 35146731
Sorry, the code you provided me doesn't work at all - but I already tried to do this with a foreach loop and got the error message above. I also tried a piece of code from Chris Dent:

Get-ChildItem "C:\Program Files\Splunk" -recurse | %{
    $ACL = Get-ACL $_.FullName
    # un-protect the ACL and remove explicit rules (replacing with parent ACL)
    $ACL.SetAccessRuleProtection($False, $False)
    Set-ACL $_.FullName -AclObject $ACL
}

Got the same error....

Accepted Solution

by:
ptea earned 0 total points
ID: 35147454
..I got it:

First set the ownership to the local Administrator, after that it's possible to work with a foreach-loop. Sadly I can't set the ownership to an alternate identity using PowerShell (not good if you have an issue with quotas...)...
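
The approach from the accepted solution as an added example (not code from the original thread): set an owner the caller is allowed to assign, add the ACE, and touch child objects explicitly only where inheritance is blocked. Assumptions: an elevated session whose account is a member of BUILTIN\Administrators (used here as the new owner), PowerShell 3.0 or later for -LiteralPath, and placeholder values for $Root and $Identity.

```powershell
# Added example; $Root and $Identity are placeholder values, not from the thread.
$Root     = 'C:\Program Files\Test'
$Identity = 'CONTOSO\svc-app'    # constructed sample account name
$Admins   = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'  # assumed owner

function New-ModifyRule([bool]$IsContainer) {
    # Inheritance flags are only valid on containers; a file ACL rejects them.
    $inherit = if ($IsContainer) {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        [System.Security.AccessControl.InheritanceFlags]::None
    }
    $propagation = [System.Security.AccessControl.PropagationFlags]::None
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, 'Modify', $inherit, $propagation, 'Allow'
}

function Add-ModifyAce($Item) {
    $acl = Get-Acl -LiteralPath $Item.FullName
    # Set-Acl writes the owner back together with the DACL, so first make it an
    # owner the caller may assign (the accepted answer's first step).
    $acl.SetOwner($Admins)
    $acl.AddAccessRule((New-ModifyRule $Item.PSIsContainer))
    Set-Acl -LiteralPath $Item.FullName -AclObject $acl
}

# 1. Root folder: the inheritable ACE flows to every child that still inherits.
Add-ModifyAce (Get-Item -LiteralPath $Root)

# 2. Children with inheritance blocked never receive it; handle them explicitly
#    and report them so the exceptions are visible afterwards.
Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
    $childAcl = Get-Acl -LiteralPath $_.FullName
    if ($childAcl.AreAccessRulesProtected) {
        Add-ModifyAce $_
        Write-Output "explicit ACE added (inheritance blocked): $($_.FullName)"
    }
}
```

Changing the owner also changes which account the files are charged to under disk quotas, which is the drawback noted in the accepted solution.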
LVL 71

Expert Comment

by:Chris Dent
ID: 35687977
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.