Unable to access mapped folder directory that was created with PowerShell script

ryanmaves used Ask the Experts™
Hello, I recently got help from EE creating a script that will configure NTFS permissions on a directory.

Here is the link to that previous topic, http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_28687233.html.

My script creates a new directory on the network share and then assigns NTFS Modify permissions for the end user.

The problem is that after the folder is created and NTFS Modify permissions assigned, the user is unable to access the mapped directory. When trying to access the mapped directory, the following message is seen:

Unable to access user directory mapped to letter 'I'
Work Around
After the script creates the directory and assigns NTFS Modify permissions to the end user, it won't open. However, if I then go into the directory properties, 'toggle' the Modify check box (uncheck it, then check it back again) and hit Apply, voilà! The end user can now access the mapped directory.

I need help figuring out how to get my script to work the first time with creating the directory and permissions to Modify for an end user and it not requiring me to go toggle the permissions. Why doesn't the directory recognize the location until I toggle the permissions?

function Set-Permission {
<#
.Synopsis
   Manage NTFS permissions on a directory and its child items.
.DESCRIPTION
   Long description
.EXAMPLE
   Set-Permission -dirPath '\\my-server\user-share\joe.user' -samAccountName joe.user -accessLevel Modify -Verbose

   This will apply Modify permissions for samAccountName joe.user to a network share directory called 'joe.user' and its child items
.EXAMPLE
   Another example of how to use this cmdlet
.INPUTS
   Inputs to this cmdlet (if any)
.OUTPUTS
   Output from this cmdlet (if any)
.NOTES
   General notes
.COMPONENT
   The component this cmdlet belongs to
.ROLE
   The role this cmdlet belongs to
.FUNCTIONALITY
   The functionality that best describes this cmdlet
#>
    Param (
        # Param1 help description
        $dirPath,

        # Param2 help description
        $samAccountName,

        # Param3 help description
        [Parameter(Mandatory=$true, Position=2)]
        $accessLevel,

        # Param4 help description
        $domain = 'My_Domain'
    )
    Begin {
        $domainAccount = $domain + "\" + $samAccountName
        $inheritanceFlags = "ContainerInherit, ObjectInherit"
        $propagationFlags = "None"
        $accessControlType = "Allow"

        # Build the access rule from the values defined above
        $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $domainAccount, $accessLevel, $inheritanceFlags, $propagationFlags, $accessControlType)
        Write-Verbose 'Print New Access Rule object'

        # Saving parent folder directory into variable
        $Parent = gi $dirPath | where {$_.psIsContainer -eq $true}
        $pFN = $Parent.FullName

        Write-Verbose 'Access Control List of parent folder before applying new rules'
        $oldacl = Get-Acl $Parent
        $oldacl | select accesstostring | fl
    } # \Begin
    Process {
        Write-Verbose "Applying $samAccountName $accessLevel permissions to parent $pFN"
        Add-Access -Path $Parent -Account $domainaccount -AccessRights $accesslevel

        # Log every child item that will receive the permission through inheritance
        Get-ChildItem -path $dirPath -Recurse |
            ForEach-Object {
                $fnDir = $_.FullName
                Write-Verbose "Applying $samAccountName $accessLevel permissions to child $fnDir"
            }# \ForEach
        # Re-enable inheritance on any child item that has it switched off
        Get-ChildItem -path $dirPath -Recurse | Get-NTFSAccessInheritance |
        Where-Object { -not $_.InheritanceEnabled } | Enable-NTFSAccessInheritance -PassThru
    } # \Process
    End {
        Write-Verbose 'New permissions have been set'
        get-childitem -Path $dirPath -Recurse | get-acl | out-gridview
    }# \End
}

Robin CM, Senior Security and Infrastructure Engineer
Honestly, just use icacls. PowerShell is great, but re-inventing the wheel as above is not worth the hassle. You could have moved on and done other more productive things. Let the PowerShell team at MS write a better way to do this for you in a future version :-)

...from a PowerShell guy who has spent too long trying to make up for the inadequacies of PowerShell vs the built-in Windows commands :-) Now I just take the path of least resistance - unless I'm trying to prove a point (usually to myself!) and have LOTS of spare time.
Top Expert 2004
First thing: robincm has the right of it.  The icacls utility is designed to do exactly this.  You could have been done already.

In other news, it looks like you're only applying the "Modify" permission.  You probably need to add "Read", as well as whatever permission allows directory traversal (slips my mind ATM).
Well, I guess the verdict is to not use PS to manage permissions.

I played with the icacls and had some success. I was able to create a script using PS around the icacls for anyone interested in going this route, also.

Thanks for the input EE.

# The script below grants a user Modify rights (which includes everything up to Modify, i.e. Read/Write) with (oi) object inherit and (ci) container inherit, meaning all subfolders and files receive the same Modify rights for the user.

$DirectoryPath = 'C:\myfolder\folder1'
$Domain = 'mydomain'
$samAccountName = 'user domain samAccountName'

icacls $DirectoryPath /grant "$Domain\${samAccountName}:(oi)(ci)(m)"


My own comment is the actual solution because I already knew about icacls. My previous question (documented in this question) and also this question pertain to using PS to accomplish permissions.

My comment is the solution because I actually described a script that incorporates icacls within PS.
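
The icacls approach from this thread with a verification step, as an added example that is not part of any post above: it creates the folder, applies the same `(OI)(CI)(M)` grant, then reads the ACL back and confirms an explicit Allow ACE for the user actually exists. The function name `New-UserFolder` and the values in the usage comment are hypothetical.

```powershell
# Added example (not from the thread): grant Modify with icacls, then verify the ACE.
# New-UserFolder and the sample values in the usage line are hypothetical.
function New-UserFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$DirectoryPath,
        [Parameter(Mandatory)] [string]$Domain,
        [Parameter(Mandatory)] [string]$SamAccountName
    )
    $account = "$Domain\$SamAccountName"

    # Resolve the account to a SID first, so a mistyped name fails before anything is created.
    $sid = ([System.Security.Principal.NTAccount]$account).Translate(
        [System.Security.Principal.SecurityIdentifier])

    if (-not (Test-Path -LiteralPath $DirectoryPath)) {
        New-Item -ItemType Directory -Path $DirectoryPath | Out-Null
    }

    # Same grant as in the post: Modify, inherited by subfolders (CI) and files (OI).
    $out = icacls $DirectoryPath /grant "${account}:(OI)(CI)(M)" 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE): $out" }

    # Read the ACL back as SIDs and look for an explicit (non-inherited) Allow ACE.
    $modify  = [System.Security.AccessControl.FileSystemRights]::Modify
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rules = (Get-Acl -LiteralPath $DirectoryPath).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify -and
        ($_.InheritanceFlags -band $inherit) -eq $inherit
    }
    if (-not $match) { throw "Expected Modify ACE for $account not found on $DirectoryPath" }

    # Return what was found so the caller can log it.
    $match | Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
}

# Usage (constructed values):
# New-UserFolder -DirectoryPath 'C:\myfolder\folder1' -Domain 'mydomain' -SamAccountName 'joe.user' -Verbose
```

Comparing SIDs rather than display names avoids false mismatches when the ACL shows the domain in a different form than the one passed in.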
