Solved

Modify ACL Folder,SubFolders,ACL

Posted on 2011-03-15
6
2,219 Views
Last Modified: 2012-05-11
Hi there,

I want to add an ACE to an ACL and propagate the new ACE into each ACL of subobjects. Here is my code:

$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$directory = "$ProgramFiles\Test"
$acl = Get-ACL $directory
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("$SetUserName", "Modify", $inherit, $propagation, "Allow")
$acl.AddAccessRule($accessrule)
$acl.SetAccessRuleProtection($False,$True)
set-acl -aclobject $acl $directory

Sadly the new ACE is not set into all ACLs - someboday know why? Its not a permissions issue as I am running teh Script within the security context of an ADM-Account which has FullControl onto the folder, subfolder, files ....

Thx
0
Comment
Question by:ptea
  • 3
6 Comments
 
LVL 16

Expert Comment

by:Dale Harris
ID: 35143163
Not sure if this will work, but since it's now been tagged as "Neglected", I thought I would try this:

$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$directories = gci "$ProgramFiles\Test" -recurse
foreach ($directory in $directories){
$acl = Get-ACL $directory
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("$SetUserName", "Modify", $inherit, $propagation, "Allow")
$acl.AddAccessRule($accessrule)
$acl.SetAccessRuleProtection($False,$True)
set-acl -aclobject $acl $directory
}


I don't think we have the entire script here, but this shouldn't be too hard to adapt.

HTH,

Dale Harris
0
 

Author Comment

by:ptea
ID: 35146710
thx for the input - I tried this already and got this error message:

Set-Acl : The security identifier is not allowed to be the owner of this object.

0
 

Author Comment

by:ptea
ID: 35146731
sorry the code you provided me doesn't work at all - but I already tried to do this with an foreach loop and got the error message above. I also tried a piece of code from Chris Dent:

Get-ChildItem "C:\Program Files\Splunk" -recurse | %{
$ACL = Get-ACL $_.FullName
  # un-protect the ACL and remove explicit rules (replacing with parent ACL)
$ACL.SetAccessRuleProtection($False, $False)
Set-ACL $_.FullName -AclObject $ACL
}

Got the same error....
0
 

Accepted Solution

by:
ptea earned 0 total points
ID: 35147454
..I got it:

First set the ownership to the local Administrator, after that it's possible to work with a foreach-loop. Sadly i can't set the ownership to an alternate identity using powershell (not good if you have an issue with quotas...)...
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 35687977
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Secure Your Active Directory - April 20, 2017

Active Directory plays a critical role in your company’s IT infrastructure and keeping it secure in today’s hacker-infested world is a must.
Microsoft published 300+ pages of guidance, but who has the time, money, and resources to implement? Register now to find an easier way.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article will help you understand what HashTables are and how to use them in PowerShell.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question