Solved

Modify ACL Folder,SubFolders,ACL

Posted on 2011-03-15
6
2,196 Views
Last Modified: 2012-05-11
Hi there,

I want to add an ACE to an ACL and propagate the new ACE into each ACL of subobjects. Here is my code:

$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$directory = "$ProgramFiles\Test"
$acl = Get-ACL $directory
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("$SetUserName", "Modify", $inherit, $propagation, "Allow")
$acl.AddAccessRule($accessrule)
$acl.SetAccessRuleProtection($False,$True)
set-acl -aclobject $acl $directory

Sadly the new ACE is not set into all ACLs - someboday know why? Its not a permissions issue as I am running teh Script within the security context of an ADM-Account which has FullControl onto the folder, subfolder, files ....

Thx
0
Comment
Question by:ptea
  • 3
6 Comments
 
LVL 16

Expert Comment

by:Dale Harris
ID: 35143163
Not sure if this will work, but since it's now been tagged as "Neglected", I thought I would try this:

$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$directories = gci "$ProgramFiles\Test" -recurse
foreach ($directory in $directories){
$acl = Get-ACL $directory
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("$SetUserName", "Modify", $inherit, $propagation, "Allow")
$acl.AddAccessRule($accessrule)
$acl.SetAccessRuleProtection($False,$True)
set-acl -aclobject $acl $directory
}


I don't think we have the entire script here, but this shouldn't be too hard to adapt.

HTH,

Dale Harris
0
 

Author Comment

by:ptea
ID: 35146710
thx for the input - I tried this already and got this error message:

Set-Acl : The security identifier is not allowed to be the owner of this object.

0
 

Author Comment

by:ptea
ID: 35146731
sorry the code you provided me doesn't work at all - but I already tried to do this with an foreach loop and got the error message above. I also tried a piece of code from Chris Dent:

Get-ChildItem "C:\Program Files\Splunk" -recurse | %{
$ACL = Get-ACL $_.FullName
  # un-protect the ACL and remove explicit rules (replacing with parent ACL)
$ACL.SetAccessRuleProtection($False, $False)
Set-ACL $_.FullName -AclObject $ACL
}

Got the same error....
0
 

Accepted Solution

by:
ptea earned 0 total points
ID: 35147454
..I got it:

First set the ownership to the local Administrator, after that it's possible to work with a foreach-loop. Sadly i can't set the ownership to an alternate identity using powershell (not good if you have an issue with quotas...)...
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 35687977
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

This script checks a path to see if a folder exists. If the folder does exist you will get output "The folder has previously been created. No action taken" If not it will create the folder. Then adds one user modify permission to the folder. It …
This article will help you understand what HashTables are and how to use them in PowerShell.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now