Solved

Modify ACL Folder,SubFolders,ACL

Posted on 2011-03-15
6
2,207 Views
Last Modified: 2012-05-11
Hi there,

I want to add an ACE to an ACL and propagate the new ACE into each ACL of subobjects. Here is my code:

$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$directory = "$ProgramFiles\Test"
$acl = Get-ACL $directory
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("$SetUserName", "Modify", $inherit, $propagation, "Allow")
$acl.AddAccessRule($accessrule)
$acl.SetAccessRuleProtection($False,$True)
set-acl -aclobject $acl $directory

Sadly the new ACE is not set into all ACLs - someboday know why? Its not a permissions issue as I am running teh Script within the security context of an ADM-Account which has FullControl onto the folder, subfolder, files ....

Thx
0
Comment
Question by:ptea
  • 3
6 Comments
 
LVL 16

Expert Comment

by:Dale Harris
ID: 35143163
Not sure if this will work, but since it's now been tagged as "Neglected", I thought I would try this:

$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$directories = gci "$ProgramFiles\Test" -recurse
foreach ($directory in $directories){
$acl = Get-ACL $directory
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("$SetUserName", "Modify", $inherit, $propagation, "Allow")
$acl.AddAccessRule($accessrule)
$acl.SetAccessRuleProtection($False,$True)
set-acl -aclobject $acl $directory
}


I don't think we have the entire script here, but this shouldn't be too hard to adapt.

HTH,

Dale Harris
0
 

Author Comment

by:ptea
ID: 35146710
thx for the input - I tried this already and got this error message:

Set-Acl : The security identifier is not allowed to be the owner of this object.

0
 

Author Comment

by:ptea
ID: 35146731
sorry the code you provided me doesn't work at all - but I already tried to do this with an foreach loop and got the error message above. I also tried a piece of code from Chris Dent:

Get-ChildItem "C:\Program Files\Splunk" -recurse | %{
$ACL = Get-ACL $_.FullName
  # un-protect the ACL and remove explicit rules (replacing with parent ACL)
$ACL.SetAccessRuleProtection($False, $False)
Set-ACL $_.FullName -AclObject $ACL
}

Got the same error....
0
 

Accepted Solution

by:
ptea earned 0 total points
ID: 35147454
..I got it:

First set the ownership to the local Administrator, after that it's possible to work with a foreach-loop. Sadly i can't set the ownership to an alternate identity using powershell (not good if you have an issue with quotas...)...
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 35687977
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
Microsoft Windows Server Update Service (WSUS) is free for everyone, but it lacks of some desirable features like send an e-mail to the administrator with the status of all computers on the WSUS server. This article is based on my PowerShell script …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question