Solved

Cannot change inherit permissions to Shared Folder in Powershell

Posted on 2015-02-02
Last Modified: 2015-02-05
I have the below script to create shared folders; however, no matter what I do to change the " $HomeFolderACL.SetAccessRuleProtection($true,$false) " it still inherits the parent/previous folder's permissions. Is someone able to help?

$Users=@()
$Results=@()
Import-Module ActiveDirectory
if (-not (Test-Path $Path))
{
      write-error      -Message "Cannot find path '$Path' because it does not exist."
      return
}
if (-not (Test-Path $UserList))
{
      write-error      -Message "Cannot find  '$UserList' because it does not exist."
      return
}
else
{
      $Users=Get-Content $UserList
}
#Check whether the input AD member is correct
if ($FullControlMember)
{
      $FullControlMember|ForEach-Object {
            if (-not(Get-ADObject -Filter 'Name -Like $_')){
                  $FullControlMember= $FullControlMember -notmatch $_; Write-Error -Message "Cannot find an object with name:'$_'"
            }
      }
}
$FullControlMember+="NT AUTHORITY\SYSTEM","BUILTIN\Administrators"

foreach($User in $Users)
{      
      $HomeFolderACL=Get-Acl $Path
      $HomeFolderACL.SetAccessRuleProtection($true,$false)
      $Result=New-Object PSObject
      $Result|Add-Member -MemberType NoteProperty -Name "Username" -Value $User
      if (Get-ADUser -Filter 'samaccountname -eq $User')
      {
            New-Item -ItemType directory -Path "$Path\$User"|Out-Null
            #set acl to folder
            $FCList=$FullControlMember+$User
            $FCList|ForEach-Object {
                  $ACL=New-Object System.Security.AccessControl.FileSystemAccessRule($_,"Modify","ContainerInherit,ObjectInherit","None","Allow")
                  $HomeFolderACL.AddAccessRule($ACL)
            }
            $FCList=$FullControlMember
            $FCList|ForEach-Object {
                  $ACL=New-Object System.Security.AccessControl.FileSystemAccessRule($_,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
                  $HomeFolderACL.AddAccessRule($ACL)
            }
            Set-Acl -Path "$Path\$User" $HomeFolderACL
            $Result|Add-Member -MemberType NoteProperty -Name "IsCreated" -Value "Yes"
            $Result|Add-Member -MemberType NoteProperty -Name "Remark" -Value "N/A"
      }
      else
      {
            $Result|Add-Member -MemberType NoteProperty -Name "IsCreated" -Value "No"
            $Result|Add-Member -MemberType NoteProperty -Name "Remark" -Value "Cannot find an object with name:'$User'"
      }
      $Results+=$Result
}
#Generate a report
$Results|Export-Csv -NoTypeInformation -Path "$Path\Report.csv"
if ($?) {Write-Host "Please check the report for detail: '$Path\Report.csv'"}
Question by:N00b2015
29 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 40583773
Try.. $HomeFolderACL.SetAccessRuleProtection(1,0) and see if it works..
0
 

Author Comment

by:N00b2015
ID: 40583778
Hi SubSun, sorry, I should have mentioned the methods I've already tried. I have done that but it still doesn't work.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40583782
Both $HomeFolderACL.SetAccessRuleProtection(1,0) & $HomeFolderACL.SetAccessRuleProtection($true,$false) work well for me to block inheritance, I am on PowerShell 3.0. Which version of PowerShell are you using?
0
 

Author Comment

by:N00b2015
ID: 40583801
Hmm, must be something I'm doing then. I'm also using version 3.0. I don't know if this would interfere, however I'm running PowerShell as a "run as other user" using my network admin credentials on my local machine. As I need to create folders onto a file server and not using the local PowerShell on that server. As it requires AD modules and such.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40584021
You may try to assign permission on a test folder for a single user and see if you get same issue.
0
 

Author Comment

by:N00b2015
ID: 40584188
Hi Subsun, I just did that and it did the same thing. Folders still inheriting permissions. I'm surprised that it's working for you. Any ideas as I'm still stuck!

Thanks for your help so far.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40584217
Following is the piece of code which I tested. Expected result is to have permission for SYSTEM, Administrators & TestUser on \\ServerA\Temp\Test\TestUser folder..

$Path = "\\ServerA\Temp\Test"

$FullControlMember+="NT AUTHORITY\SYSTEM","BUILTIN\Administrators"

foreach($User in "TestUser")
{
    $HomeFolderACL=Get-Acl $Path
    $HomeFolderACL.SetAccessRuleProtection($true,$false)
    $Result=New-Object PSObject
    $Result|Add-Member -MemberType NoteProperty -Name "Username" -Value $User
    if (Get-ADUser -Filter 'samaccountname -eq $User')
    {
        New-Item -ItemType directory -Path "$Path\$User"|Out-Null
        #set acl to folder
        $FCList=$FullControlMember+$User
        $FCList|ForEach-Object {
            $ACL=New-Object System.Security.AccessControl.FileSystemAccessRule($_,"Modify","ContainerInherit,ObjectInherit","None","Allow")
            $HomeFolderACL.AddAccessRule($ACL)
        }
        $FCList=$FullControlMember
        $FCList|ForEach-Object {
            $ACL=New-Object System.Security.AccessControl.FileSystemAccessRule($_,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
            $HomeFolderACL.AddAccessRule($ACL)
        }
        Set-Acl -Path "$Path\$User" $HomeFolderACL
    }
}


0
 

Author Comment

by:N00b2015
ID: 40584248
I've noticed you used ($User in "TestUser") instead of $Users as the default script?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40584360
That's just for testing..  There is no loop in this case as it's a single user, but I just wanted to put it with less modification.. :-)
0
 

Author Comment

by:N00b2015
ID: 40584426
Ahh ok, good work ha :)  .. Hmm. It's strange that it's working for you and not for me. I've tried many methods.  Looking at your example path..  \\ServerA\Temp\Test\TestUser folder

You see the "Test"  path folder. Did you add specific permissions on that folder then checked to see if it inherited on the "TestUser"  folder?  As mine did.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40586133
In my case \\ServerA\Temp\Test folder already exists, and the script created TestUser folder inside the Test. It won't inherit the permissions even if I make any changes to the root folder.

Are you getting any error for the script?
0
 

Author Comment

by:N00b2015
ID: 40586146
Hi, I don't get any errors which is strange. It just appears to work although permissions are inherited. It is strange it's working for you as both my tests did not.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40586350
Sorry, I am not able to reproduce the issue in any way.. :-(.. Are you getting the same result for other servers or on your local computer?

Following is the simple code to disable the inheritance for a folder..
$Folder = "C:\Temp\folder"
# Will remove the inheritance from parent
$ACL = get-acl $Folder
$ACL.SetAccessRuleProtection($true,$false)
Set-acl $Folder -aclobject $ACL

0
 

Author Comment

by:N00b2015
ID: 40586501
It's ok, thanks for helping. I'm getting the same issue on the server AND my local machine.
0

 
LVL 40

Expert Comment

by:Subsun
ID: 40586524
Hmm.. that's really strange.. What is the OS?
0
 

Author Comment

by:N00b2015
ID: 40586531
Windows 7 64bit
0
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 500 total points
ID: 40587031
I don't have any Win 7 64 bit systems to test.. but I tested in one Win 7 32 bit with PowerShell 4.0 and it works. So I can confirm no issue with the method.

$ACL.SetAccessRuleProtection($true,$false)
0
 

Author Comment

by:N00b2015
ID: 40588168
Thank you for your help! I will see what others might say.
0
 

Author Comment

by:N00b2015
ID: 40590961
Hi Subsun,

Just a thought.. Could it be copying the permissions to the newly created folder? Normally when you disable inheritance from a folder you get an option to convert existing permissions or delete all (image below). Could this be possible? If so, is there a script I could add NOT to copy the permissions?

Inhertiance.jpg
Thanks for your help as usual! :)
0
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 500 total points
ID: 40590988
Following does not preserve the permissions while removing the inheritance. Means only the new permissions you set will be available.
$ACL.SetAccessRuleProtection($true,$false) 


Following does preserve the existing permissions and removes the inheritance. Means you will have the existing permissions on the folder + the newly added permissions.
$ACL.SetAccessRuleProtection($true,$true) 



Please find the article for reference..
Ref : https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.objectsecurity.setaccessruleprotection(v=vs.110).aspx
0
 

Author Comment

by:N00b2015
ID: 40591032
Thanks.. Then I truly am stuck! I have no ideas why it's doing it!
0
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 500 total points
ID: 40591091
Hope you are running exact same code in your machine for testing..
$Folder = "C:\Temp\folder"
$ACL = get-acl $Folder
$ACL.SetAccessRuleProtection($true,$false)
Set-acl $Folder -aclobject $ACL


0
 

Author Comment

by:N00b2015
ID: 40591179
Hi SubSun! I tested that code and it works.
0
 

Author Comment

by:N00b2015
ID: 40591437
Got it!!

I removed the "$Path" from $HomeFolderACL=Get-Acl $Path (from the original script in this post) and all is working as it should!!!!
0
 

Author Comment

by:N00b2015
ID: 40591838
I've requested that this question be closed as follows:

Accepted answer: 0 points for N00b2015's comment #a40591437

for the following reason:

Issue Resolved
0
 
LVL 40

Accepted Solution

by:Subsun
Subsun earned 500 total points
ID: 40591727
Initially you said the code was not working for you.. :-)..  


I removed the "$Path" from $HomeFolderACL=Get-Acl $Path (from the original script in this post) and all is working as it should!!!!

That means you were not using the $Path variable in script.., So ideally it could have given an error.

With $HomeFolderACL=Get-Acl now you are getting the ACL of the current folder which runs the script..

BTW, don't you think I should be given some credit for helping you identify this issue??
0
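Added example (not code from the thread or from either poster): the SetAccessRuleProtection($true,$false) behaviour discussed above, applied to a per-user folder by reading the ACL from the newly created folder itself and then re-reading it to confirm what was written. The function name `New-ProtectedHomeFolder`, its parameters and the sample path are hypothetical.

```powershell
# Added example; function name, parameters and sample path are hypothetical.
function New-ProtectedHomeFolder {
    param(
        [Parameter(Mandatory)] [string] $Root,   # existing parent folder
        [Parameter(Mandatory)] [string] $User,   # account that gets Modify
        [string[]] $FullControl = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    $folder = Join-Path $Root $User
    New-Item -ItemType Directory -Path $folder -ErrorAction Stop | Out-Null

    # Read the descriptor of the NEW folder. A descriptor read from the parent
    # still holds the parent's explicit ACEs, and Set-Acl would write those to
    # the child as explicit entries.
    $acl = Get-Acl -Path $folder

    # $true  = protect the DACL from inheritance
    # $false = drop the ACEs inherited so far instead of converting them
    $acl.SetAccessRuleProtection($true, $false)

    $type    = 'System.Security.AccessControl.FileSystemAccessRule'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    foreach ($id in $FullControl) {
        $rule = New-Object $type -ArgumentList $id, 'FullControl', $inherit, $none, $allow
        $acl.AddAccessRule($rule)
    }
    $rule = New-Object $type -ArgumentList $User, 'Modify', $inherit, $none, $allow
    $acl.AddAccessRule($rule)

    Set-Acl -Path $folder -AclObject $acl

    # Re-read from disk and report what was actually applied.
    $check = Get-Acl -Path $folder
    [pscustomobject]@{
        Folder         = $folder
        Protected      = $check.AreAccessRulesProtected
        InheritedRules = @($check.Access | Where-Object { $_.IsInherited }).Count
        Identities     = @($check.Access | ForEach-Object { $_.IdentityReference.Value })
    }
}

# Constructed sample call against a local test folder that must already exist.
New-ProtectedHomeFolder -Root 'C:\Temp\Test' -User $env:USERNAME
```

On a successful run the returned object shows Protected as True and InheritedRules as 0; any other result means the DACL on disk is not the one built in the script.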
 

Author Closing Comment

by:N00b2015
ID: 40591839
SubSun helped resolve the issue.
0
 

Author Comment

by:N00b2015
ID: 40591844
Lol,  yes you do.  I'm new to this website, sorry about that.  Thank you for helping me resolve.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40591851
no problem.. have a nice day!
0
