  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 352
  • Last Modified:

Cannot change inherit permissions to Shared Folder in Powershell

I have the below script to create shared folders; however, no matter what I do to change the " $HomeFolderACL.SetAccessRuleProtection($true,$false) " it still inherits the parent/previous folder's permissions. Is someone able to help?

$Users=@()
$Results=@()
Import-Module ActiveDirectory
if (-not (Test-Path $Path))
{
      write-error      -Message "Cannot find path '$Path' because it does not exist."
      return
}
if (-not (Test-Path $UserList))
{
      write-error      -Message "Cannot find  '$UserList' because it does not exist."
      return
}
else
{
      $Users=Get-Content $UserList
}
#Check whether the input AD member is correct
if ($FullControlMember)
{
      $FullControlMember|ForEach-Object {
            if (-not(Get-ADObject -Filter 'Name -Like $_')){
                  $FullControlMember= $FullControlMember -notmatch $_; Write-Error -Message "Cannot find an object with name:'$_'"
            }
      }
}
$FullControlMember+="NT AUTHORITY\SYSTEM","BUILTIN\Administrators"

foreach($User in $Users)
{
    $HomeFolderACL=Get-Acl $Path
    $HomeFolderACL.SetAccessRuleProtection($true,$false)
    $Result=New-Object PSObject
    $Result|Add-Member -MemberType NoteProperty -Name "Username" -Value $User
    if (Get-ADUser -Filter 'samaccountname -eq $User')
    {
        New-Item -ItemType directory -Path "$Path\$User"|Out-Null
        #set acl to folder
        $FCList=$FullControlMember+$User
        $FCList|ForEach-Object {
            $ACL=New-Object System.Security.AccessControl.FileSystemAccessRule($_,"Modify","ContainerInherit,ObjectInherit","None","Allow")
            $HomeFolderACL.AddAccessRule($ACL)
        }
        $FCList=$FullControlMember
        $FCList|ForEach-Object {
            $ACL=New-Object System.Security.AccessControl.FileSystemAccessRule($_,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
            $HomeFolderACL.AddAccessRule($ACL)
        }
        Set-Acl -Path "$Path\$User" $HomeFolderACL
        $Result|Add-Member -MemberType NoteProperty -Name "IsCreated" -Value "Yes"
        $Result|Add-Member -MemberType NoteProperty -Name "Remark" -Value "N/A"
    }
    else
    {
        $Result|Add-Member -MemberType NoteProperty -Name "IsCreated" -Value "No"
        $Result|Add-Member -MemberType NoteProperty -Name "Remark" -Value "Cannot find an object with name:'$User'"
    }
    $Results+=$Result
}
#Generate a report
$Results|Export-Csv -NoTypeInformation -Path "$Path\Report.csv"
if ($?) {Write-Host "Please check the report for detail: '$Path\Report.csv'"}
0
N00b2015
Asked:
 
SubsunCommented:
Try.. $HomeFolderACL.SetAccessRuleProtection(1,0) and see if it works..
0
 
N00b2015Author Commented:
Hi SubSun, sorry, I should have mentioned the methods I've already tried. I have done that but it still doesn't work.
0
 
SubsunCommented:
Both $HomeFolderACL.SetAccessRuleProtection(1,0) and $HomeFolderACL.SetAccessRuleProtection($true,$false) work well for me to block inheritance. I am on PowerShell 3.0. Which version of PowerShell are you using?
0
 
N00b2015Author Commented:
Hmm, must be something I'm doing then. I'm also using version 3.0. I don't know if this would interfere; however, I am running PowerShell as a "run as other user" using my network admin credentials on my local machine. I need to create folders on a file server and am not using the local PowerShell on that server, as it requires AD modules and such.
0
 
SubsunCommented:
You may try to assign permission on a test folder for a single user and see if you get same issue.
0
 
N00b2015Author Commented:
Hi Subsun, I just did that and it did the same thing. Folders still inheriting permissions. I'm surprised that it's working for you. Any ideas, as I'm still stuck!

Thanks for your help so far.
0
 
SubsunCommented:
Following is the piece of code which I tested. Expected result is to have permission for SYSTEM, Administrators & TestUser on \\ServerA\Temp\Test\TestUser folder..

$Path = "\\ServerA\Temp\Test"

$FullControlMember+="NT AUTHORITY\SYSTEM","BUILTIN\Administrators"

foreach($User in "TestUser")
{
    $HomeFolderACL=Get-Acl $Path
    $HomeFolderACL.SetAccessRuleProtection($true,$false)
    $Result=New-Object PSObject
    $Result|Add-Member -MemberType NoteProperty -Name "Username" -Value $User
    if (Get-ADUser -Filter 'samaccountname -eq $User')
    {
        New-Item -ItemType directory -Path "$Path\$User"|Out-Null
        #set acl to folder
        $FCList=$FullControlMember+$User
        $FCList|ForEach-Object {
            $ACL=New-Object System.Security.AccessControl.FileSystemAccessRule($_,"Modify","ContainerInherit,ObjectInherit","None","Allow")
            $HomeFolderACL.AddAccessRule($ACL)
        }
        $FCList=$FullControlMember
        $FCList|ForEach-Object {
            $ACL=New-Object System.Security.AccessControl.FileSystemAccessRule($_,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
            $HomeFolderACL.AddAccessRule($ACL)
        }
        Set-Acl -Path "$Path\$User" $HomeFolderACL
    }
}

0
 
N00b2015Author Commented:
I've noticed you used ($User in "TestUser") instead of $Users as the default script?
0
 
SubsunCommented:
That's just for testing..  There is no loop in this case as it's a single user, but I just wanted to put it with less modification.. :-)
0
 
N00b2015Author Commented:
Ahh ok, good work ha :)  .. Hmm. It's strange that it's working for you and not for me. I've tried many methods.  Looking at your example path..  \\ServerA\Temp\Test\TestUser folder

You see the "Test" path folder. Did you add specific permissions on that folder and then check to see if it inherited on the "TestUser" folder? As mine did.
0
 
SubsunCommented:
In my case \\ServerA\Temp\Test folder already exists, and the script created TestUser folder inside the Test. It won't inherit the permissions even if I make any changes to the root folder.

Are you getting any error for the script?
0
 
N00b2015Author Commented:
Hi, I don't get any errors which is strange. It just appears to work although permissions are inherited. It is strange it's working for you as both my tests did not.
0
 
SubsunCommented:
Sorry, I am not able to reproduce the issue in any way.. :-(.. Are you getting the same result for other servers or on your local computer?

Following is the simple code to disable the inheritance for a folder..
$Folder = "C:\Temp\folder"
# Will remove the inheritance from parent
$ACL = get-acl $Folder
$ACL.SetAccessRuleProtection($true,$false)
Set-acl $Folder -aclobject $ACL

0
 
N00b2015Author Commented:
It's ok, thanks for helping. I'm getting the same issue on the server AND my local machine.
0
 
SubsunCommented:
Hmm.. that's really strange.. What is the OS?
0
 
N00b2015Author Commented:
Windows 7 64bit
0
 
SubsunCommented:
I don't have any Win 7 64 bit systems to test.. but I tested in one Win 7 32 bit with PowerShell 4.0 and it works. So I can confirm no issue with the method.

$ACL.SetAccessRuleProtection($true,$false)
0
 
N00b2015Author Commented:
Thank you for your help! I will see what others might say.
0
 
N00b2015Author Commented:
Hi Subsun,

Just a thought.. Could it be copying the permissions to the newly created folder? Normally when you disable inheritance from a folder you get an option to convert existing permissions or delete all (image below). Could this be possible? If so, is there a script I could add NOT to copy the permissions?

Inhertiance.jpg
Thanks for your help as usual! :)
0
 
SubsunCommented:
Following does not preserve the permissions while removing the inheritance. Means only the new permissions you set will be available.
$ACL.SetAccessRuleProtection($true,$false) 

Following does  preserve the existing permissions and removes the inheritance. Means you will have the existing permissions on the folder + the newly added permissions.
$ACL.SetAccessRuleProtection($true,$true) 

Please find the article for reference..
Ref : https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.objectsecurity.setaccessruleprotection(v=vs.110).aspx
0
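The two SetAccessRuleProtection arguments described above, as an added example that is not part of the original thread: it reads the ACL from the new folder itself rather than from its parent, so no explicit entries from another folder's descriptor are carried over, then re-reads the result to confirm the folder is protected and holds no inherited entries. The function names, the temp folder and the use of the current account in place of an AD user are assumptions made for the demonstration.

```powershell
# Added example; function names and the demo folder are hypothetical.
function Set-ProtectedFolderAcl {
    param([string]$Folder, [string[]]$FullControl, [string[]]$Modify)
    # Start from the target folder's own descriptor, not the parent's.
    $acl = Get-Acl -Path $Folder
    # Arg 1 ($true): block inheritance from the parent.
    # Arg 2 ($false): drop the inherited entries instead of keeping copies.
    $acl.SetAccessRuleProtection($true, $false)
    $grants = @{ FullControl = $FullControl; Modify = $Modify }
    foreach ($right in $grants.Keys) {
        foreach ($id in $grants[$right]) {
            $ruleArgs = $id, $right, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
            $acl.AddAccessRule($rule)
        }
    }
    Set-Acl -Path $Folder -AclObject $acl
}

function Test-ProtectedFolderAcl {
    param([string]$Folder)
    # Re-read from disk so the check reflects what was actually applied.
    $acl = Get-Acl -Path $Folder
    $inherited = @($acl.Access | Where-Object { $_.IsInherited })
    New-Object PSObject -Property @{
        Folder         = $Folder
        Protected      = $acl.AreAccessRulesProtected
        InheritedCount = $inherited.Count
        Entries        = @($acl.Access | ForEach-Object {
                             "$($_.IdentityReference): $($_.FileSystemRights)" })
    }
}

# Constructed demo: a throwaway folder under the temp directory, with the
# current account standing in for the home-folder user.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("acl-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

Set-ProtectedFolderAcl -Folder $demo `
    -FullControl 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators' -Modify $me
Test-ProtectedFolderAcl -Folder $demo | Format-List
Remove-Item -Path $demo -Recurse
```

A correctly protected folder reports Protected as True and InheritedCount as 0, and Entries lists only the principals that were granted explicitly.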
 
N00b2015Author Commented:
Thanks.. Then I truly am stuck! I have no ideas why it's doing it!
0
 
SubsunCommented:
Hope you are running exact same code in your machine for testing..
$Folder = "C:\Temp\folder"
$ACL = get-acl $Folder
$ACL.SetAccessRuleProtection($true,$false)
Set-acl $Folder -aclobject $ACL

0
 
N00b2015Author Commented:
Hi SubSun! I tested that code and it works.
0
 
N00b2015Author Commented:
Got it!!

I removed the "$Path" from $HomeFolderACL=Get-Acl $Path (from the original script in this post) and all is working as it should!!!!
0
 
N00b2015Author Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for N00b2015's comment #a40591437

for the following reason:

Issue Resolved
0
 
SubsunCommented:
Initially you said the code was not working for you.. :-)..  


I removed the "$Path" from $HomeFolderACL=Get-Acl $Path (from the original script in this post) and all is working as it should!!!!

That means you were not using the $Path variable in script.., So ideally it could have given an error.

With $HomeFolderACL=Get-Acl, now you are getting the ACL of the current folder which runs the script..

BTW, don't you think I should be given some credit to help you in identifying this issue??
0
 
N00b2015Author Commented:
SubSun helped resolve the issue.
0
 
N00b2015Author Commented:
Lol,  yes you do.  I'm new to this website, sorry about that.  Thank you for helping me resolve.
0
 
SubsunCommented:
no problem.. have a nice day!
0
