ICACLS and PowerShell permissions


Glen Johnson

Jun 8, 2022, 11:08:03 AM
to 'Jim Kennedy' via ntsysadmin

Any suggestion on this appreciated and sorry in advance for the long post.

We have a windows server 2019 file share that contains sub folders for each instructor to place course records.

I have created instructions for the assistant to use when creating new folders for each semester and instructor, but they haven’t been following them correctly.

So the structure is D:\Shares\Public\Course Records\Division\Semester\Instructor

My instructions say to remove inheritance from the instructor folder, converting permissions… and then adding the individual instructor account to the folder.

 

So now I'm trying to clean up at least the inheritance part using either icacls or PowerShell, and I get permission denied on both.

I’ve tried logging on to the actual server as domain admin and local server admin.

And run both cmd and PowerShell as administrator.

 

For icacls I ran:

icacls "D:\Shares\Public\Course Records\Division\Instructor" /inheritance:d

 

I run icacls with just the folder name and it returns this.

 

After fixing a folder using file manager, icacls returns this.

 

For PowerShell I ran:

$Folder = "D:\Shares\Public\Course Records\Division\Semester\Instructor"
$SourceACL = Get-Acl -Path $Folder
$SourceACL.SetAccessRuleProtection($True, $True)
Set-Acl -Path $Folder -AclObject $SourceACL

The Set-Acl line is where I get the error.

 

Using file manager I have no problem disabling inheritance and then removing “Domain Users” from the access list.

 

 

 

Tony Burrows

Jun 8, 2022, 3:09:40 PM
to ntsys...@googlegroups.com


Orlebeck, Geoffrey

Jun 8, 2022, 5:52:34 PM
to ntsys...@googlegroups.com

Normally I try to stick with the standard cmdlets, but for NTFS ACLs I prefer to use the NTFSSecurity module. To remove inherited permissions you could do this (note: if you remove the "-RemoveInheritedAccessRules" parameter, it converts the inherited permissions to explicitly defined permissions on the directory while still disabling inheritance):

 

$Folder = "D:\Shares\Public\Course Records\Division\Semester\Instructor"

Disable-NTFSAccessInheritance $Folder -RemoveInheritedAccessRules

 

As an aside, adding permissions is also much more user friendly (IMO) compared to Get/Set-ACL commands:

Add-NTFSAccess $Folder -Account 'CORP\user1' -AccessRights Modify -AppliesTo ThisFolderSubfoldersAndFiles

 

 

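Geoffrey's two cmdlets above, put together into a complete provisioning script for one instructor folder, as an added example that is not from the thread or from the NTFSSecurity project. It keeps the inherited entries as explicit ones (so Administrators and SYSTEM survive the change), removes only the broad group, grants the instructor Modify rather than Full Control, and then prints the explicit ACEs and the effective access so the result can be checked without opening the GUI. The parameter names, the #Requires line and the account names are assumptions.

```powershell
#Requires -Modules NTFSSecurity
# Added example, not from the thread. Provisions one instructor folder with the
# NTFSSecurity module and verifies the result. Account names are placeholders.
param(
    [Parameter(Mandatory)] [string] $Division,
    [Parameter(Mandatory)] [string] $Semester,
    [Parameter(Mandatory)] [string] $Instructor,          # folder name
    [Parameter(Mandatory)] [string] $InstructorAccount,   # e.g. 'CORP\jdoe' (placeholder)
    [string] $Root       = 'D:\Shares\Public\Course Records',
    [string] $BroadGroup = 'CORP\Domain Users'            # group that must not see the folder
)

$Folder = [IO.Path]::Combine($Root, $Division, $Semester, $Instructor)
if (-not (Test-Path -LiteralPath $Folder)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}

# 1. Stop inheriting but keep the inherited entries as explicit ones, so that
#    Administrators and SYSTEM are not dropped together with the broad group.
Disable-NTFSAccessInheritance -Path $Folder

# 2. Remove only the broad group's entries; every other explicit ACE stays.
Get-NTFSAccess -Path $Folder -Account $BroadGroup | Remove-NTFSAccess

# 3. Modify, not FullControl: the instructor can work in the folder but cannot
#    re-ACL it and lock other people out.
Add-NTFSAccess -Path $Folder -Account $InstructorAccount -AccessRights Modify `
               -AppliesTo ThisFolderSubfoldersAndFiles

# 4. Verify before trusting it: the explicit ACEs, then effective access per account.
Get-NTFSAccess -Path $Folder |
    Format-Table Account, AccessRights, AppliesTo, AccessControlType, IsInherited -AutoSize
foreach ($acct in @($InstructorAccount, $BroadGroup)) {
    $effective = Get-NTFSEffectiveAccess -Path $Folder -Account $acct
    '{0,-28} effective rights: {1}' -f $acct, $effective.AccessRights
}
```

The effective-access readout at the end is the part worth keeping in any version of this: after step 2 the instructor account is still a member of the broad group, so the only way to confirm that the group's removal did not take their access away (and that the group really lost it) is to evaluate effective access for both identities.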

Kurt Buff

Jun 8, 2022, 6:28:11 PM
to ntsys...@googlegroups.com
It's a sin to remove inheritance, either in a file structure or in AD, and you've just run into a problem which highlights that.

For directories, using the advanced security settings such as "Traverse directory/execute file" and "List folder/read data", along with other granular permissions, plus limitations such as "This folder only"/"This folder, subfolders and files", etc., is much better.

I haven't implemented access-based enumeration, but that would probably help as well.

Kurt


Glen Johnson

Jun 9, 2022, 8:41:46 AM
to ntsys...@googlegroups.com

Kurt.

Thanks for the info, I think.

So I can't use Deny on domain users, as the dean, assistant and instructor are also in domain users, so all of them would lose access to the instructor folder.

 

So then I tested re-enabling inheritance on one instructor folder, added Domain Users while unchecking "read & execute" and read, set for this folder, subfolders and files.

That appears to work, but after the setting is added, it doesn’t show up anywhere in the gui that domain users has been denied access.

Is that expected?  I know I could run the effective access and view it.

Also this way is much more complicated to setup, especially for the Dean’s assistant.

Maybe I need to re-think this whole setup.

And last, why is it bad to remove inheritance?  I did a quick search and nothing obvious popped up.

 


Michael B. Smith

Jun 9, 2022, 9:03:48 AM
to ntsys...@googlegroups.com

It’s possible – although unlikely – for a malicious user to lock out administrators if inheritance is removed.

Glen Johnson

Jun 9, 2022, 11:06:32 AM
to ntsys...@googlegroups.com

If that is the most serious side effect of disabling inheritance, I consider that very unlikely to happen here, so I’ll continue to use it as it works to provide the functionality we need.

And I did get all the folders fixed, using the GUI.

Thanks.

Glen.

Glen Johnson

Jun 9, 2022, 1:21:48 PM
to ntsys...@googlegroups.com

Thanks for the advice.  I’ll try that if/when it is needed in the future.

Another PS question, if anyone knows.

I need a script that will copy files from source to destination, only if the source file's last write time is newer than the last time the script was run.

So basically, set a script to run on a schedule and copy any new files since previous script run-time.

Here is what I have, and it almost works. Looks like the date or time must be larger than some unknown value.

I have 2 files in the In folder, one dated yesterday and one dated today.

The script always copies the one dated today, and does successfully update the last write time of the log file, but on another run of the script the same file is copied again even though the LastWriteTime is no older than the log file.

 

$SourcePath = "C:\In"
$DestPath = "C:\Out\"
$LogFile = "C:\PS-Scripts\Run-Date-Time.txt"

# Get last date-time script was run from $LogFile
$LastRun = Get-Item $LogFile

# Get files at $SourcePath newer than $LastRun and copy to $DestPath
$FilesToCopy = Get-ChildItem -Path $SourcePath | Where-Object { $_.LastWriteTime -gt $LastRun.LastAccessTime.DateTime }
ForEach ($FileToCopy in $FilesToCopy)
{
    Copy-Item ($SourcePath + "\" + $FileToCopy) ($DestPath + "\" + $FileToCopy)
    # Echo files being copied for debugging
    $FilesToCopy
}

# Update LastWriteTime of the log file to the current date and time.
$LastRun.LastWriteTime = (Get-Date)

 

 


Orlebeck, Geoffrey

Jun 9, 2022, 1:25:43 PM
to ntsys...@googlegroups.com

Robocopy has a switch to exclude older files. I think it's /XD, but you can check "robocopy /?".

 


Glen Johnson

Jun 9, 2022, 2:03:50 PM
to ntsys...@googlegroups.com

Doesn't look like that will work, or at least I can't see from the docs how to pass a date/time parameter to robocopy to only copy files newer than the most recent runtime.

After the files are copied, a process on the dest will pickup the files, process them and delete them.

So the dest only exists for a short time.  And unfortunately I don’t have write access to the source location or I could simply move them.

Another process on the source server removes the files after a certain age, I think 7 days.

Kurt Buff

Jun 9, 2022, 2:56:22 PM
to ntsys...@googlegroups.com
Using Deny ACEs is problematic as well, in part because they can be hard to troubleshoot if something goes wrong.

It's been a long time since I had to configure permissions on directory structures - if I have time this weekend I'll try to gather my thoughts.

But the basic approach was to remove User and Domain Users from the permissions at the root of the (non-OS) drive, and set up a share on a directory at the root of the drive giving everyone Full Control on the share. Then I'd use NTFS permissions on the directory in the manner I noted.

Kurt
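Kurt's layered approach, as an added example that is not from the thread: the built-in Get-Acl/Set-Acl cmdlets grant traverse and list as "this folder only" at each intermediate level and Modify on the leaf, so inheritance is never disabled and no Deny entry is needed. The group and account names, the helper function, and the assumption that Users/Domain Users were already removed from the drive root are mine, not the thread's.

```powershell
# Added example, not from the thread. Layered NTFS permissions with the built-in
# cmdlets: no inheritance removal, no Deny ACEs. Assumes Users/Domain Users were
# already removed at the drive root, as Kurt describes. Names are placeholders.
$Root       = 'D:\Shares\Public\Course Records'
$Division   = 'Division'
$Semester   = 'Semester'
$Leaf       = 'Instructor'
$Staff      = 'CORP\CourseRecords-Staff'   # placeholder: dean, assistants, all instructors
$Reviewers  = 'CORP\CourseRecords-Deans'   # placeholder: people who read every instructor folder
$Instructor = 'CORP\jdoe'                  # placeholder: the owner of this leaf folder

function Grant-FolderAccess {
    param(
        [string] $Path,
        [string] $Account,
        [System.Security.AccessControl.FileSystemRights] $Rights,
        [switch] $ThisFolderOnly      # no ContainerInherit/ObjectInherit flags
    )
    $inherit = if ($ThisFolderOnly) {
        [System.Security.AccessControl.InheritanceFlags]::None
    } else {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Intermediate levels: staff may pass through and list names, at that level only,
# so nothing at Division or Semester level ever flows down into a leaf folder.
$path = $Root
foreach ($level in @($Division, $Semester)) {
    $path = Join-Path $path $level
    if (-not (Test-Path -LiteralPath $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    Grant-FolderAccess -Path $path -Account $Staff `
        -Rights 'Traverse, ListDirectory, ReadAttributes' -ThisFolderOnly
}

# Leaf: the instructor gets Modify, reviewers get read-only, both inherited downward.
$leafPath = Join-Path $path $Leaf
if (-not (Test-Path -LiteralPath $leafPath)) { New-Item -ItemType Directory -Path $leafPath | Out-Null }
Grant-FolderAccess -Path $leafPath -Account $Instructor -Rights Modify
Grant-FolderAccess -Path $leafPath -Account $Reviewers  -Rights ReadAndExecute

# Verify what actually reached the leaf, and which entries were inherited.
(Get-Acl -LiteralPath $leafPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags |
    Format-Table -AutoSize
```

Because the intermediate grants carry no inheritance flags, an instructor who is in the staff group can reach their own folder but sees nothing inside any sibling folder, which is the effect the thread was trying to get from removing inheritance. The final listing shows IsInherited for each entry, which is the quickest way to spot a stray inherited grant coming from above.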

Orlebeck, Geoffrey

Jun 9, 2022, 5:40:01 PM
to ntsys...@googlegroups.com

In that case, I think it might be some of your code logic. What about something like this?

 

$SourcePath = "C:\In"
$DestPath = "C:\Out\"
$LogFile = "C:\PS-Scripts\Run-Date-Time.txt"

# Get last date-time script was run from $LogFile
[DateTime]$LastRun = (Get-Item $LogFile).LastWriteTime

# Get files at $SourcePath newer than $LastRun and copy to $DestPath
# (-File leaves subdirectories out of the comparison)
$FilesToCopy = Get-ChildItem -Path $SourcePath -File | Where-Object { $_.LastWriteTime -gt $LastRun }
ForEach ($FileToCopy in $FilesToCopy) {
    Copy-Item $FileToCopy.FullName $DestPath -Force
    # Echo the file being copied for debugging
    $FileToCopy.Name # Or FullName or whatever property you want
}

# Update the log file's LastWriteTime to the current date and time.
# $LastRun is now a DateTime, so the timestamp has to be set on the file object itself.
(Get-Item $LogFile).LastWriteTime = (Get-Date)
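The same incremental copy, as an added example that is neither Geoffrey's nor Glen's code, with the watermark stored inside a small state file as an ISO 8601 UTC string instead of on the file's own LastWriteTime. It also handles two cases the shorter version does not: the watermark is taken before enumeration starts, so a file that arrives while the copy is running is picked up on the next run instead of being skipped, and a failed Copy-Item stops the script before the watermark advances. The state-file path is a placeholder.

```powershell
# Added example, not from the thread. Incremental copy keyed on a UTC watermark
# kept as text in a state file. Paths from the thread; state-file path is a placeholder.
$ErrorActionPreference = 'Stop'     # a failed copy must not advance the watermark

$SourcePath = 'C:\In'
$DestPath   = 'C:\Out'
$StateFile  = 'C:\PS-Scripts\LastRun-Utc.txt'   # placeholder location

function Get-LastRunUtc {
    param([string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "No state file at $Path; every file counts as new."
        return [DateTime]::MinValue
    }
    $text = (Get-Content -LiteralPath $Path -Raw).Trim()
    try {
        # RoundtripKind keeps the 'Z' suffix meaning UTC instead of silently
        # reinterpreting the value in the machine's local time zone.
        return [DateTime]::Parse($text, [Globalization.CultureInfo]::InvariantCulture,
                                 [Globalization.DateTimeStyles]::RoundtripKind).ToUniversalTime()
    } catch {
        Write-Warning "State file holds '$text', not a timestamp; every file counts as new."
        return [DateTime]::MinValue
    }
}

$lastRunUtc = Get-LastRunUtc -Path $StateFile
$startedUtc = [DateTime]::UtcNow    # watermark for the NEXT run, taken before enumerating

# Compare UTC with UTC. DateTime comparison is on raw ticks and ignores Kind, so a
# local LastWriteTime against a UTC watermark would be off by the zone offset.
$copied = @(Get-ChildItem -LiteralPath $SourcePath -File |
    Where-Object { $_.LastWriteTimeUtc -gt $lastRunUtc } |
    Sort-Object LastWriteTimeUtc |
    ForEach-Object {
        Copy-Item -LiteralPath $_.FullName -Destination (Join-Path $DestPath $_.Name) -Force
        $_      # pass the FileInfo through so the run can be reported below
    })

'{0} file(s) newer than {1:u} copied to {2}' -f $copied.Count, $lastRunUtc, $DestPath
$copied | Format-Table Name, LastWriteTime -AutoSize

# Reached only if every Copy-Item succeeded (see $ErrorActionPreference above).
$startedUtc.ToString('o') | Set-Content -LiteralPath $StateFile -Encoding ASCII
```

Keeping the watermark as file content rather than as a file timestamp also means a backup restore, an antivirus scan or a stray Touch on the state file cannot silently move it; only this script writes the value, and the value is human-readable when something needs to be investigated.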

 

Robert ECEO Townley

Jun 9, 2022, 5:59:52 PM
to ntsys...@googlegroups.com