powershell: set-acl to UNC path removes existing permissions

Posted on 2011-10-03
Medium Priority
Last Modified: 2012-05-12

When I try and set "ReadPermissions" for a security group to a UNC path - eg \\computer\test, the group is added with the required permissions. However the existing permissions are all removed.

If I run the script against the local drive, eg c:\test, the permissions are not deleted.

How do I keep the existing permissions when applying the script to a UNC path?

Please note that I have to use UNC path and can not do local drive or use C$


$folder = "\\computer\test"
$ADgroup = "AD_GROUP"

$ACL = get-acl $folder
$accessLevel = "ReadPermissions"
$inheritanceFlags = "None"
$propagationFlags = "none"
$accessControlType = "Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($ADgroup,$accessLevel,$inheritanceFlags,$propagationFlags,$accessControlType)
Set-Acl $folder $Acl

Open in new window

Question by:staino1983
  • 2
LVL 18

Expert Comment

ID: 36908803
this will add the new FileSystemAccessRule to the colection retrieved from the folder:

$ACL = $ACL.Access + $accessRule
LVL 71

Expert Comment

ID: 36909270
All examples I've seen talk about using $acl.SetAccessRule, not .AddAccessRule, to add ACLs. Try that.

Accepted Solution

staino1983 earned 0 total points
ID: 36913582
Thanks for the help

The problem was that I was testing the UNC path against my own computer which had UAC enabled. For whatever reason, UAC was causing this issue. If I turned UAC off, the script would work. If I run against a remote server with the UNC path, it also works fine.


Author Closing Comment

ID: 36938203
resolved myself

Featured Post

Restore individual SQL databases with ease

Veeam Explorer for Microsoft SQL Server delivers an easy-to-use, wizard-driven interface for restoring your databases from a backup. No expert SQL background required. Web interface provides a complete view of all available SQL databases to simplify the recovery of lost database

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
Loops Section Overview
Screencast - Getting to Know the Pipeline

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question