Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Appending folder permissions 1

Status
Not open for further replies.
JPJeffery

JPJeffery

Technical User
May 26, 2006
600
0
0
GB
Hello, Tek-Tips Chums

LTNS

I need to script the ADDITION of permissions to a folder, for a new hire's home drive. Not too difficult, I thought, and yes I suppose I COULD use iCacls, and I COULD import a module to do this, but I want to stick with built-in cmdlets.

I've gleaned this script from this Spiceworks thread but I've found that it replaces the default permissions (essentially the local Administrators group) with the new user's Modify permissions, rather than adding the new user's Modify permissions while leaving the existing permissions in place:
Code: 
$identity = $env:USERDNSDOMAIN + "\" + $SamAccountName

$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule -argumentlist ($identity,"Modify","ContainerInherit, ObjectInherit","None","Allow")

# Get the current ACL from newly created folder
$homeDriveACL = Get-ACL $FullUNCPath

# Add the new Access Rule to the Current Rule
$homeDriveACL.AddAccessRule($accessRule)

# Set the new access rule on the new folder
Set-ACL -Path $FullUNCPath -ACLObject $homeDriveACL

What are your thoughts?

JJ
[small][purple]Variables won't. Constants aren't[/purple]
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)[/small]
 
Sort by date Sort by votes
Does this work?

Code: 
$identity = $env:USERDNSDOMAIN + "\" + $SamAccountName
$homeDriveACL = Get-ACL $FullUNCPath
$rule = [System.Security.AccessControl.FileSystemRights]"CreateFiles, WriteExtendedAttributes, WriteAttributes, ReadAndExecute, Synchronize"
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rule, "ObjectInherit", "InheritOnly", "Allow")
$objACL.AddAccessRule($objACE)
Set-ACL $homeDriveACL $objACL



Light travels faster than sound. That's why some people appear bright until you hear them speak.
 
Upvote 0 Downvote
Most kind, thank you. I'll let you know on Monday.

JJ
[small][purple]Variables won't. Constants aren't[/purple]
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)[/small]
 
Upvote 0 Downvote
No. :-(
Code: 
Set-ACL : Cannot bind parameter 'AclObject'. Cannot convert the "System.Security.AccessControl.FileSystemAccessRule" value of type "System.Security.AccessControl.FileSystemAccess
Rule" to type "System.Security.AccessControl.ObjectSecurity".
At line:1 char:40
+ Set-ACL -path:$objACL -aclobject: <<<< $objACL
    + CategoryInfo          : InvalidArgument: (:) [Set-Acl], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.SetAclCommand

JJ
[small][purple]Variables won't. Constants aren't[/purple]
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)[/small]
 
Upvote 0 Downvote
Did you just run my code or did you try to put in into yours? If you tried to put it in yours, what does your script look like, now?


Light travels faster than sound. That's why some people appear bright until you hear them speak.
 
Upvote 0 Downvote
I think I missed a replacement or two from my variables to yours. Try this:

Code: 
$identity = $env:USERDNSDOMAIN + "\" + $SamAccountName
$homeDriveACL = Get-ACL $FullUNCPath
$rule = [System.Security.AccessControl.FileSystemRights]"CreateFiles, WriteExtendedAttributes, WriteAttributes, ReadAndExecute, Synchronize"
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rule, "ObjectInherit", "InheritOnly", "Allow")
$homeDriveACL.AddAccessRule($objACE)
Set-ACL $FullUNCPath $homeDriveACL


Light travels faster than sound. That's why some people appear bright until you hear them speak.
 
Upvote 0 Downvote
Thank you.

Well, no errors this time, but still not the desired effect.

BEFORE:
Code: 
PS C:\>  $homeDriveACL|fl


Path   : Microsoft.PowerShell.Core\FileSystem::\\SERVER\linter_u
Owner  : BUILTIN\Administrators
Group  : DOMAIN\Domain Users
Access : DOMAIN\SPsearch Allow  ReadAndExecute, Synchronize
         DOMAIN\Domain Admins Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Backup Operators Allow  FullControl
Audit  :
Sddl   : O:BAG:DUD:AI(A;OICIID;0x1200a9;;;S-1-5-21-2723378225-4245055115-2045769514-10212)(A;OICIID;FA;;;DA)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;BO)

$HOMEDRIVEACL VALUE AFTER '$homeDriveACL.AddAccessRule($objACE)':
Code: 
PS C:\> $homeDriveACL|fl


Path   : Microsoft.PowerShell.Core\FileSystem::\\SERVER\linter_u
Owner  : BUILTIN\Administrators
Group  : DOMAIN\Domain Users
Access : DOMAIN\linter_u Allow  CreateFiles, WriteExtendedAttributes, WriteAttributes, ReadAndExecute, Synchronize
         DOMAIN\SPsearch Allow  ReadAndExecute, Synchronize
         DOMAIN\Domain Admins Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Backup Operators Allow  FullControl
Audit  :
Sddl   : O:BAG:DUD:AI(A;OIIO;0x1201bb;;;S-1-5-21-2723378225-4245055115-2045769514-23496)(A;OICIID;0x1200a9;;;S-1-5-21-2723378225-4245055115-2045769514-10212)(A;OICIID;FA;;;DA)(A;
         OICIID;FA;;;BA)(A;OICIID;FA;;;BO)

AFTER RUNNING SET-ACL:
Code: 
PS C:\> $homeDriveACL | fl


Path   : Microsoft.PowerShell.Core\FileSystem::\\SERVER\linter_u
Owner  : BUILTIN\Administrators
Group  : DOMAIN\Domain Users
Access : DOMAIN\linter_u Allow  CreateFiles, WriteExtendedAttributes, WriteAttributes, ReadAndExecute, Synchronize
Audit  :
Sddl   : O:BAG:DUD:AI(A;OICI;FA;;;BA)(A;OIIO;0x1201bb;;;S-1-5-21-2723378225-4245055115-2045769514-23496)

Downer.

JJ
[small][purple]Variables won't. Constants aren't[/purple]
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)[/small]
 
Upvote 0 Downvote
Does this work? (Remove the user permissions from the folder, first.)

Code: 
$identity = $env:USERDNSDOMAIN + "\" + $SamAccountName
$homeDriveACL = Get-ACL $FullUNCPath
$rule = [System.Security.AccessControl.FileSystemRights]"Modify, Synchronize"
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rule, "ContainerInherit, ObjectInherit", "None", "Allow")
$homeDriveACL.AddAccessRule($objACE)
Set-ACL $FullUNCPath $homeDriveACL





Light travels faster than sound. That's why some people appear bright until you hear them speak.
 
Upvote 0 Downvote
Alas no...its still replaces.

JJ
[small][purple]Variables won't. Constants aren't[/purple]
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)[/small]
 
Upvote 0 Downvote
That doesn't sound right. What do you get when you do:

Code: 
$homeDriveACL = Get-ACL $FullUNCPath
$homeDriveACL.access

before and after you run the script?


Light travels faster than sound. That's why some people appear bright until you hear them speak.
 
Upvote 0 Downvote
OK.

BEFORE
Code: 
PS C:\WINDOWS\system32> $homeDriveACL = Get-ACL $FullUNCPath
PS C:\WINDOWS\system32> $homeDriveACL.access


FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : DOMAIN\SPsearch
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : DOMAIN\Domain Admins
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Backup Operators
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

AFTER
Code: 
PS C:\WINDOWS\system32> $homeDriveACL = Get-ACL $FullUNCPath
PS C:\WINDOWS\system32> $homeDriveACL.access


FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : DOMAIN\linter_u
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

JJ
[small][purple]Variables won't. Constants aren't[/purple]
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)[/small]
 
Upvote 0 Downvote
Can you post your current script, or at least the part dealing with the permissions?


Light travels faster than sound. That's why some people appear bright until you hear them speak.
 
Upvote 0 Downvote
I've not incorporated any of your suggestions in to my script, I've only tested them from a Powershell console. So most recently as per your suggestions of 14 Feb 17 15:22.

JJ
[small][purple]Variables won't. Constants aren't[/purple]
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)[/small]
 
Upvote 0 Downvote
I just ran it and I got what I expected; the rights are identical except for the addition of the new user.

Here is my session:
Code: 
PS U:\Exchange_Scripts> $FullUNCPath = "C:\Temp\Test\"
PS U:\Exchange_Scripts> $SamAccountName = "Justin1234567890"
PS U:\Exchange_Scripts> $identity = $env:USERDNSDOMAIN + "\" + $SamAccountName

PS U:\Exchange_Scripts> $identity
<MyDomain>\Justin1234567890


############# Before rights are applied #############
PS U:\Exchange_Scripts> $homeDriveACL = Get-ACL $FullUNCPath
PS U:\Exchange_Scripts> $homeDriveACL.access

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : True
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : -536805376
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly



PS U:\Exchange_Scripts> $rule = [System.Security.AccessControl.FileSystemRights]"Modify, Synchronize"
PS U:\Exchange_Scripts> $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rule, "ContainerInherit, ObjectInherit", "None", "Allow")
PS U:\Exchange_Scripts> $homeDriveACL.AddAccessRule($objACE)
PS U:\Exchange_Scripts> Set-ACL $FullUNCPath $homeDriveACL


############# After rights are applied #############
PS U:\Exchange_Scripts> $homeDriveACL = Get-ACL $FullUNCPath
PS U:\Exchange_Scripts> $homeDriveACL.access

FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : <MyDomain>\Justin1234567890
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : True
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : -536805376
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly




Light travels faster than sound. That's why some people appear bright until you hear them speak.
 
Upvote 0 Downvote
It is bizarre.

Because I've had to make progress I've had to lowered my puritanical approach to PS script coding and have worked out how to achieve the same thing using icacls calls from Powershell, so this isn't a show stopper.

It really does seem to just be a problem here though, which is a mystery that I don't much like!

Still, thanks for your time. I appreciate it.

JJ
[small][purple]Variables won't. Constants aren't[/purple]
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)[/small]
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

sugram
  • Locked
  • Question
Script to copy new Files and create Folder
Replies
0
Views
76
sugram
sugram
mikedazzle99
  • Locked
  • Question
Create a folders based on username and set permissions to them
Replies
1
Views
194
blister911
blister911
5H4F33
  • Locked
  • Question
Creating permissions report on Devops
Replies
0
Views
64
5H4F33
5H4F33
Trob70
  • Locked
  • Question
Alter a character in all files in a directory and sub folders
Replies
0
Views
58
Trob70
Trob70
abenitez77
  • Locked
  • Question
Monitor a folder and send email and check SQL Server
Replies
1
Views
47
fredericofonseca
fredericofonseca

Part and Inventory Search

Sponsor

Back
Top