Setting ACLs


Mike Leone

unread,
May 7, 2024, 9:22:13 AM5/7/24
to NTPowershell Mailing List
So I need to create a bunch of directories, one for each member of an AD group. I need these users to have FULL CONTROL of the directory, and any sub-folders. I have my script creating the folder, and setting the ACLs, but when I examine the security, it shows as "Special Permission". If I look at it in Advanced view, I see it has FULL CONTROL, but not for any sub-folders. 

What step am I missing, to allow this user rights for this folder, and all sub-folders? 

$ACL_list = Get-ACL -Path "\\$Server\$UserPath\$UserLogin"
# Set new ACL properties
$Identity = "<Domain>\<SamAccountName>"
$FileSystemRights = "FullControl"
$type = "Allow"

# Create new ACL rule
$FileSystemAccessRuleArgumentList = $Identity, $FileSystemRights, $type
$FileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $FileSystemAccessRuleArgumentList
# Apply new ACL rule
$ACL_List.SetAccessRule($FileSystemAccessRule)

Set-ACL -Path "\\$Server\$UserPath\$UserLogin" -ACLObject $ACL_list

If I do a Get-ACL after the above code, I get this. So I think I am most of the way there ...

Path   : Microsoft.PowerShell.Core\FileSystem::<FilePatch>
Owner  : BUILTIN\Administrators
Group  : <Domain>\Domain Users
Access : BUILTIN\Administrators Allow  FullControl
         <DOMAIN\SamAccountName> Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         CREATOR OWNER Allow  268435456
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         BUILTIN\Users Allow  AppendData
         BUILTIN\Users Allow  CreateFiles
Audit  :
Sddl   : O:BAG:DUD:AI(A;;FA;;;BA)(A;;FA;;;S-1-5-21-173682997-1056865346-324618207-10432)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;
         ;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)

Also, I don't really want the user to have FULL CONTROL (meaning they can change the access rights), I want them to have READ,WRITE,MODIFY. But can I do that all in 1 statement, or do I need to set that as 3 statements?

The more important aspect is that the security is set for "This folder, and all sub-folders". How do I specify that?

Thanks

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Wright, John M

unread,
May 7, 2024, 9:43:09 AM5/7/24
to ntpowe...@googlegroups.com

For Modify rights, you should be able to simply specify Modify where you have FullControl.

 

For inheritance, see the section “Disable/enable permissions inheritance” here: How to Use PowerShell to Manage Folder Permissions - Petri IT Knowledgebase

 

--

John Wright

IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215

502.708.9953

Please submit IT requests to Hazelwoo...@bluegrass.org

24 Hour Helpline 1.800.928.8000


--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2Bij3_8OMvyF_FJQFCdxCPWzFHKXnwiVfFOmVY_r_HoyRA%40mail.gmail.com.


Michael B. Smith

unread,
May 7, 2024, 9:46:59 AM5/7/24
to ntpowe...@googlegroups.com

Honestly, I still (most often, not always) use icacls.exe. It’s much easier to use.

Mike Leone

unread,
May 7, 2024, 10:09:05 AM5/7/24
to ntpowe...@googlegroups.com
On Tue, May 7, 2024 at 9:43 AM Wright, John M <John....@newvista.org> wrote:

For Modify rights, you should be able to simply specify Modify where you have FullControl.

 

For inheritance, see the section “Disable/enable permissions inheritance” here:  How to Use PowerShell to Manage Folder Permissions - Petri IT Knowledgebase


Yes, I've read that page, and no, the examples aren't doing what I want. The ID I am adding a rule for is always limited to "This Folder Only", regardless of how I configure

# Enable inheritance
$ACL_List.SetAccessRuleProtection($TRUE, $TRUE)

($TRUE, $TRUE), ($TRUE, $FALSE), ($FALSE, $TRUE), ($FALSE, $FALSE)

None change the setting to "This folder, and all sub-folders".

I'm currently investigating this:

$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.SetAccessRule($Ar)


Andrea 'ML' Suatoni

unread,
May 7, 2024, 4:45:09 PM5/7/24
to ntpowe...@googlegroups.com
I've always found the ACL cmdlets very uncomfortable to use (Microsoft could have come out with something better, IMHO), so notwithstanding the fact I've tried again and again to get acquainted with them, I've always ended up using external utilities. icacls.exe for sure, but if you don't mind the convoluted syntax I think setacl.exe is a much better (and much more powerful) option.

SetACL is available here, and BTW its author has also made freeware the GUI based version.

Andrea

Kurt Buff

unread,
May 7, 2024, 4:51:49 PM5/7/24
to ntpowe...@googlegroups.com
+1 for setacl. A very fine and useful utility.

Kurt


Mike Leone

unread,
May 7, 2024, 4:54:07 PM5/7/24
to NTPowershell Mailing List
Thanks. I've created what I need with icacls, but I'll look at the other utility.


--

gmes...@gmail.com

unread,
May 7, 2024, 7:31:51 PM5/7/24
to ntpowershell
I need something similar to your request. At the end did you use  icacls within a PowerShell script? If so, can you share that?

Mike Leone

unread,
May 7, 2024, 7:48:20 PM5/7/24
to ntpowe...@googlegroups.com
On Tue, May 7, 2024 at 7:31 PM gmes...@gmail.com <gmes...@gmail.com> wrote:
I need something similar to your request. At the end did you use  icacls within a PowerShell script? If so, can you share that?

Yes, I did. I will post the code when I go back to work tomorrow. But I used the Invoke-Expression command. I stored all the icacls parameters in PowerShell variables.

Aakash Shah

unread,
May 7, 2024, 8:46:34 PM5/7/24
to ntpowe...@googlegroups.com

The inheritance flag can help with this. Here is one way to approach this to apply Modify permissions to this folder, subfolders and files. Playing with the InheritanceFlag and PropagationFlag lets you do most of the custom ACL stuff you can do through the GUI:

 

$FolderPath = 'C:\Temp\FolderPermsTest'

$ACE = @{
    GroupName       = 'NT AUTHORITY\INTERACTIVE'
    Rights          = 'Modify'
    InheritanceFlag = 'ContainerInherit, ObjectInherit'   # subfolders AND files receive the ACE
    PropagationFlag = 'None'                              # the ACE also applies to this folder itself
    AllowOrDeny     = 'Allow'
}

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    ($ACE.GroupName, $ACE.Rights, $ACE.InheritanceFlag, $ACE.PropagationFlag, $ACE.AllowOrDeny)

# -Audit also reads the SACL, which needs SeSecurityPrivilege; drop it if you only change the DACL
$FolderAcl = Get-Acl $FolderPath -Audit

Write-Verbose 'Add the new ACL to the list (it is NOT committed yet though)'
$FolderAcl.AddAccessRule($AccessRule)

Write-Verbose 'Commit the ACL change'
Set-ACL $FolderPath -AclObject $FolderAcl

 

-Aakash Shah

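As an added example (not Aakash's code and not from the original thread): the same grant wrapped in a function, with the inheritance choice made explicit, plus a second function that reads the ACL back and labels each ACE the way the Advanced Security dialog does, so you can see "This folder only" versus "This folder, subfolders and files" without opening the GUI. The path C:\Temp\FolderPermsTest and the identity CONTOSO\jdoe are placeholders.

```powershell
# Added example, not code from the thread. Path and identity below are placeholders.
function Grant-ModifyWithInheritance {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,   # e.g. 'CONTOSO\jdoe' (placeholder)
        [switch] $ThisFolderOnly                      # reproduces the symptom asked about in the thread
    )

    # InheritanceFlags decide which children receive the ACE:
    #   ContainerInherit -> subfolders, ObjectInherit -> files, None -> this folder only.
    # PropagationFlags None means the ACE also applies to the folder itself
    # (InheritOnly would apply it to children but not to this folder).
    $inherit = if ($ThisFolderOnly) {
        [System.Security.AccessControl.InheritanceFlags]::None
    } else {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    }
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    # Modify = read + write + execute + delete. It does NOT include ChangePermissions
    # or TakeOwnership, so the user cannot re-ACL the folder; that is the least-privilege
    # answer to "I don't really want the user to have FULL CONTROL".
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        $inherit,
        $propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $Path
    # SetAccessRule replaces any existing explicit Allow ACE for this identity;
    # AddAccessRule would merge with it instead.
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AceScope {
    # Reports each ACE on the folder with the scope wording the Advanced dialog uses.
    param([Parameter(Mandatory)] [string] $Path)

    (Get-Acl -Path $Path).Access | ForEach-Object {
        $scope = switch ("$($_.InheritanceFlags)") {
            'None'                            { 'This folder only' }
            'ContainerInherit'                { 'This folder and subfolders' }
            'ObjectInherit'                   { 'This folder and files' }
            'ContainerInherit, ObjectInherit' { 'This folder, subfolders and files' }
        }
        if ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) {
            $scope += ' (inherit only: not this folder)'
        }
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Rights    = "$($_.FileSystemRights)"
            Type      = "$($_.AccessControlType)"
            Scope     = $scope
            Inherited = $_.IsInherited   # True = came from the parent, not set here
        }
    }
}

# Usage (placeholders; run as an account that may change the folder's DACL):
#   Grant-ModifyWithInheritance -Path 'C:\Temp\FolderPermsTest' -Identity 'CONTOSO\jdoe'
#   Get-AceScope -Path 'C:\Temp\FolderPermsTest' | Format-Table -AutoSize
```

Running Get-AceScope before and after the grant shows the difference the thread is about: an ACE created with the three-argument FileSystemAccessRule constructor comes back as "This folder only", while the five-argument form with ContainerInherit and ObjectInherit comes back as "This folder, subfolders and files".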

Mike Leone

unread,
May 8, 2024, 9:11:08 AM5/8/24
to ntpowe...@googlegroups.com
On Tue, May 7, 2024 at 7:31 PM gmes...@gmail.com <gmes...@gmail.com> wrote:
I need something similar to your request. At the end did you use  icacls within a PowerShell script? If so, can you share that?

I did this:

ForEach ($WCC_User in $All_WCC_Users) {
    $LoginID = Get-ADUser -Filter {DisplayName -like $WCC_User} -Properties * | Select -ExpandProperty SAMaccountName
    $FolderExists = Test-Path "\\$Server\$UserPath\$LoginID"
    IF (-Not $FolderExists) {
        New-Item -Path "\\$Server\$UserPath\$LoginID" -ItemType Directory | Out-Null
        $ACL_list = Get-ACL -Path "\\$Server\$UserPath\$LoginID"

        # Set PS variables for each of the icacls options
        $Path = "\\$Server\$UserPath\$LoginID"   # The path must be the first thing passed to icacls
        $Grant = "/grant /t"
        # Set user to have FULL CONTROL of this directory; (OI)(CI) makes it inherit to files and sub-folders
        $Permission1 = ":(OI)(CI)(F)"
        $UserAccount1 = $Domain + "\" + $LoginID
        $UserPerms = $UserAccount1 + $Permission1

        # Single quotes are fine here: Invoke-Expression expands the variables when it evaluates the string
        Invoke-Expression -Command ('icacls $Path $Grant $UserPerms')

        $Cnt++
    } ELSE {
        Write-Error "ERROR! Folder named $LoginID already exists!"
    }
}
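As an added example (not Mike's script and not from the thread): the same icacls grant done from PowerShell without building a command string for Invoke-Expression. The arguments go to icacls.exe as an array through the call operator, so a login ID is never re-parsed as PowerShell, the exit code is checked, and the result is read back with Get-Acl to confirm the ACE really is "This folder, subfolders and files". $Server, $UserPath, $Domain and the account name are placeholders.

```powershell
# Added example, not code from the thread. Server, share and account names are placeholders.
function Grant-FolderWithIcacls {
    param(
        [Parameter(Mandatory)] [string] $Path,      # e.g. "\\$Server\$UserPath\$LoginID" (placeholder)
        [Parameter(Mandatory)] [string] $Account,   # 'DOMAIN\sam' (placeholder)
        [ValidateSet('F', 'M', 'RX', 'R', 'W')] [string] $Right = 'M'   # M = Modify; F = Full Control
    )

    # (OI)(CI) = object inherit + container inherit: this folder, subfolders and files.
    # /t walks children that already exist so they get the ACE as well.
    # /c continues past per-file errors instead of aborting the whole run.
    # ${Account} is braced because "$Account:" would otherwise parse as a scope qualifier.
    $icaclsArgs = @($Path, '/grant', "${Account}:(OI)(CI)($Right)", '/t', '/c')

    # Call operator + array splat: every element is one argument, nothing is re-evaluated.
    $output = & icacls.exe @icaclsArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed (exit $LASTEXITCODE) on '$Path': $output"
    }

    # Read the DACL back with the native cmdlet and verify the scope that was requested.
    $ace = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited }
    if (-not $ace -or "$($ace.InheritanceFlags)" -ne 'ContainerInherit, ObjectInherit') {
        throw "ACE for $Account on '$Path' is not 'This folder, subfolders and files'"
    }
    $ace
}

# Usage inside the per-user loop from the thread (placeholders):
#   $Path = "\\$Server\$UserPath\$LoginID"
#   New-Item -Path $Path -ItemType Directory | Out-Null
#   Grant-FolderWithIcacls -Path $Path -Account "$Domain\$LoginID" -Right 'M'
```

Using -Right 'M' gives the user Modify rather than Full Control, so they can create, change and delete content under their folder but cannot rewrite its permissions, which matches the follow-up concern in the original question.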


 