Oscar Powers
asked on
I need to add full rights to the users home folder for the "administrators" group in fileserver1
Here is my script:
function CreateHomeFolder
{
    Param
    (
        $HomeFolder,
        $SamAccountName
    )
    #Create Home Folder and permission
    #Create home Folder
    New-Item -ItemType Directory -Path $HomeFolder
    #Enable inheritance
    # First boolean is "isProtected"; set to false allows inheritance
    # Second boolean is "preserveInheritance"; set to false removes inherited access rules
    $Acl = Get-Acl $HomeFolder
    $Acl.SetAccessRuleProtection($false, $false)
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM","FullControl","ContainerInherit, ObjectInherit","None","Allow")
    $Acl.SetAccessRule($Ar)
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Fileserver1\administrators","FullControl","ContainerInherit, ObjectInherit","None","Allow")
    $Acl.SetAccessRule($Ar)
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("mydomain\$SamAccountName","FullControl","ContainerInherit, ObjectInherit","None","Allow")
    $Acl.SetAccessRule($Ar)
    $Acl | Set-Acl $HomeFolder
}
But I get this error
Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At C:\Program Files\WindowsPowerShell\Modules\OPAdToolbox\OPAdToolbox.psm1:24 char:1
+ $Acl.SetAccessRule($Ar)
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : IdentityNotMappedException
Line 23 $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Fileserver1\administrators","FullControl","ContainerInherit, ObjectInherit","None","Allow")
Line 24 $Acl.SetAccessRule($Ar)
Any suggestions?
ASKER
Thank you, but do you know a way to do this natively in PowerShell? This is a part of the script to create a new AD user.
PowerShell can easily call it.
The same way that I call NETSH in
https://www.experts-exchange.com/articles/31687/Windows-Firewall-as-Code.html
and Robocopy in
https://www.experts-exchange.com/articles/32531/File-Share-Archiving-Solution.html
Your $Acl needs to be used as an input to set-ACL.
See if the following helps, https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-6
Oh, test first on small scale to make sure you are modifying the existing ACL by addition, versus a total replacement.
ASKER
Good point. This is part of a script that creates and modifies AD accounts, so the scope is one account at a time. Thanks!
Regarding the $ACL, it is being piped into Set-Acl, and it is working since the folder shows the user and SYSTEM in the permissions with full rights. We also intend on having the server's administrators group be added explicitly, but unfortunately, that part is not working.
ASKER
Here is the problem broken down step by step:
PS H:\> $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Fileserver1\administrators","FullControl","ContainerInherit, ObjectInherit","None","Allow")
PS H:\> $Ar
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : Fileserver1\administrators
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None
PS H:\> $Acl.SetAccessRule($Ar)
Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At line:1 char:1
+ $Acl.SetAccessRule($Ar)
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : IdentityNotMappedException
To fix the problem I changed fileserver1\administrators to only "administrators":
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("administrators","FullControl","ContainerInherit, ObjectInherit","None","Allow")
$Acl.SetAccessRule($Ar)
$Acl | Set-Acl $HomeFolder
Thanks for your help.
https://helgeklein.com/setacl/examples/managing-file-system-permissions-with-setacl-exe/
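One way to avoid the name translation that fails in the thread above, as an added example that is not part of the original posts: build the rules from well-known SIDs instead of names such as Fileserver1\administrators, and use AddAccessRule so existing entries are added to rather than replaced. The function name Grant-HomeFolderAccess and its parameters are hypothetical, and the `::new()` syntax assumes PowerShell 5 or later.

```powershell
# Added example (not the asker's code). Grant-HomeFolderAccess and its
# parameter names are hypothetical.
function Grant-HomeFolderAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HomeFolder,
        [Parameter(Mandatory)] [string] $UserAccount   # e.g. 'mydomain\jdoe'
    )

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Well-known SIDs need no name lookup: S-1-5-32-544 (BUILTIN\Administrators)
    # and S-1-5-18 (SYSTEM) have the same value on every Windows machine.
    $identities = @(
        [System.Security.Principal.SecurityIdentifier]::new(
            [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null),
        [System.Security.Principal.SecurityIdentifier]::new(
            [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
    )

    # Resolve the user name to a SID before touching the ACL, so a bad name
    # fails here with a clear message instead of inside the ACL call.
    try {
        $identities += ([System.Security.Principal.NTAccount]$UserAccount).Translate(
            [System.Security.Principal.SecurityIdentifier])
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Cannot resolve '$UserAccount' to a SID; ACL on '$HomeFolder' left unchanged."
    }

    $acl = Get-Acl -LiteralPath $HomeFolder
    foreach ($id in $identities) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, $full, $inherit, $noProp, $allow)
        $acl.AddAccessRule($rule)   # merges with existing rules for this identity
    }
    Set-Acl -LiteralPath $HomeFolder -AclObject $acl

    # Return the explicit (non-inherited) entries as SIDs so the caller can verify them.
    (Get-Acl -LiteralPath $HomeFolder).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
}
```

When the folder lives on the file server, S-1-5-32-544 in its ACL refers to that server's own local Administrators group.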