Solved

Modify ACL Folder,SubFolders,ACL

Posted on 2011-03-15
6
2,220 Views
Last Modified: 2012-05-11
Hi there,

I want to add an ACE to an ACL and propagate the new ACE into each ACL of subobjects. Here is my code:

$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$directory = "$ProgramFiles\Test"
$acl = Get-ACL $directory
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("$SetUserName", "Modify", $inherit, $propagation, "Allow")
$acl.AddAccessRule($accessrule)
$acl.SetAccessRuleProtection($False,$True)
set-acl -aclobject $acl $directory

Sadly the new ACE is not set into all ACLs - someboday know why? Its not a permissions issue as I am running teh Script within the security context of an ADM-Account which has FullControl onto the folder, subfolder, files ....

Thx
0
Comment
Question by:ptea
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
6 Comments
 
LVL 16

Expert Comment

by:Dale Harris
ID: 35143163
Not sure if this will work, but since it's now been tagged as "Neglected", I thought I would try this:

$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$directories = gci "$ProgramFiles\Test" -recurse
foreach ($directory in $directories){
$acl = Get-ACL $directory
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("$SetUserName", "Modify", $inherit, $propagation, "Allow")
$acl.AddAccessRule($accessrule)
$acl.SetAccessRuleProtection($False,$True)
set-acl -aclobject $acl $directory
}


I don't think we have the entire script here, but this shouldn't be too hard to adapt.

HTH,

Dale Harris
0
 

Author Comment

by:ptea
ID: 35146710
thx for the input - I tried this already and got this error message:

Set-Acl : The security identifier is not allowed to be the owner of this object.

0
 

Author Comment

by:ptea
ID: 35146731
sorry the code you provided me doesn't work at all - but I already tried to do this with an foreach loop and got the error message above. I also tried a piece of code from Chris Dent:

Get-ChildItem "C:\Program Files\Splunk" -recurse | %{
$ACL = Get-ACL $_.FullName
  # un-protect the ACL and remove explicit rules (replacing with parent ACL)
$ACL.SetAccessRuleProtection($False, $False)
Set-ACL $_.FullName -AclObject $ACL
}

Got the same error....
0
 

Accepted Solution

by:
ptea earned 0 total points
ID: 35147454
..I got it:

First set the ownership to the local Administrator, after that it's possible to work with a foreach-loop. Sadly i can't set the ownership to an alternate identity using powershell (not good if you have an issue with quotas...)...
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 35687977
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
A procedure for exporting installed hotfix details of remote computers using powershell
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question