Appending folder permissions

(OP)
Hello, Tek-Tips Chums

LTNS

I need to script the ADDITION of permissions to a folder, for a new hire's home drive. Not too difficult, I thought, and yes I suppose I COULD use iCacls, and I COULD import a module to do this, but I want to stick with built-in cmdlets.

I've gleaned this script from this Spiceworks thread but I've found that it replaces the default permissions (essentially the local Administrators group) with the new user's Modify permissions, rather than adding the new user's Modify permissions while leaving the existing permissions in place:

CODE --> Powershell

$identity = $env:USERDNSDOMAIN + "\" + $SamAccountName

$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule -argumentlist ($identity,"Modify","ContainerInherit, ObjectInherit","None","Allow")

# Get the current ACL from newly created folder
$homeDriveACL = Get-ACL $FullUNCPath

# Add the new Access Rule to the Current Rule
$homeDriveACL.AddAccessRule($accessRule)

# Set the new access rule on the new folder
Set-ACL -Path $FullUNCPath -ACLObject $homeDriveACL 

What are your thoughts?

JJ
Variables won't. Constants aren't
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)

RE: Appending folder permissions

Does this work?

CODE -->

$identity = $env:USERDNSDOMAIN + "\" + $SamAccountName
$homeDriveACL = Get-ACL $FullUNCPath
$rule = [System.Security.AccessControl.FileSystemRights]"CreateFiles, WriteExtendedAttributes, WriteAttributes, ReadAndExecute, Synchronize"
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rule, "ObjectInherit", "InheritOnly", "Allow")
$objACL.AddAccessRule($objACE)
Set-ACL $homeDriveACL $objACL 


Light travels faster than sound. That's why some people appear bright until you hear them speak.

RE: Appending folder permissions

(OP)
Most kind, thank you. I'll let you know on Monday.

JJ
Variables won't. Constants aren't
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)

RE: Appending folder permissions

(OP)
No. :(

CODE --> powershell

Set-ACL : Cannot bind parameter 'AclObject'. Cannot convert the "System.Security.AccessControl.FileSystemAccessRule" value of type "System.Security.AccessControl.FileSystemAccess
Rule" to type "System.Security.AccessControl.ObjectSecurity".
At line:1 char:40
+ Set-ACL -path:$objACL -aclobject: <<<< $objACL
    + CategoryInfo          : InvalidArgument: (:) [Set-Acl], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.SetAclCommand 

JJ
Variables won't. Constants aren't
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)

RE: Appending folder permissions

Did you just run my code or did you try to put it into yours? If you tried to put it in yours, what does your script look like, now?


Light travels faster than sound. That's why some people appear bright until you hear them speak.

RE: Appending folder permissions

I think I missed a replacement or two from my variables to yours. Try this:

CODE -->

$identity = $env:USERDNSDOMAIN + "\" + $SamAccountName
$homeDriveACL = Get-ACL $FullUNCPath
$rule = [System.Security.AccessControl.FileSystemRights]"CreateFiles, WriteExtendedAttributes, WriteAttributes, ReadAndExecute, Synchronize"
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rule, "ObjectInherit", "InheritOnly", "Allow")
$homeDriveACL.AddAccessRule($objACE)
Set-ACL $FullUNCPath $homeDriveACL 


Light travels faster than sound. That's why some people appear bright until you hear them speak.

RE: Appending folder permissions

(OP)
Thank you.

Well, no errors this time, but still not the desired effect.

BEFORE:

CODE --> Powershell

PS C:\>  $homeDriveACL|fl


Path   : Microsoft.PowerShell.Core\FileSystem::\\SERVER\linter_u
Owner  : BUILTIN\Administrators
Group  : DOMAIN\Domain Users
Access : DOMAIN\SPsearch Allow  ReadAndExecute, Synchronize
         DOMAIN\Domain Admins Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Backup Operators Allow  FullControl
Audit  :
Sddl   : O:BAG:DUD:AI(A;OICIID;0x1200a9;;;S-1-5-21-2723378225-4245055115-2045769514-10212)(A;OICIID;FA;;;DA)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;BO) 

$HOMEDRIVEACL VALUE AFTER '$homeDriveACL.AddAccessRule($objACE)':

CODE --> POWERSHELL

PS C:\> $homeDriveACL|fl


Path   : Microsoft.PowerShell.Core\FileSystem::\\SERVER\linter_u
Owner  : BUILTIN\Administrators
Group  : DOMAIN\Domain Users
Access : DOMAIN\linter_u Allow  CreateFiles, WriteExtendedAttributes, WriteAttributes, ReadAndExecute, Synchronize
         DOMAIN\SPsearch Allow  ReadAndExecute, Synchronize
         DOMAIN\Domain Admins Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Backup Operators Allow  FullControl
Audit  :
Sddl   : O:BAG:DUD:AI(A;OIIO;0x1201bb;;;S-1-5-21-2723378225-4245055115-2045769514-23496)(A;OICIID;0x1200a9;;;S-1-5-21-2723378225-4245055115-2045769514-10212)(A;OICIID;FA;;;DA)(A;
         OICIID;FA;;;BA)(A;OICIID;FA;;;BO) 


AFTER RUNNING SET-ACL:

CODE --> Powershell

PS C:\> $homeDriveACL | fl


Path   : Microsoft.PowerShell.Core\FileSystem::\\SERVER\linter_u
Owner  : BUILTIN\Administrators
Group  : DOMAIN\Domain Users
Access : DOMAIN\linter_u Allow  CreateFiles, WriteExtendedAttributes, WriteAttributes, ReadAndExecute, Synchronize
Audit  :
Sddl   : O:BAG:DUD:AI(A;OICI;FA;;;BA)(A;OIIO;0x1201bb;;;S-1-5-21-2723378225-4245055115-2045769514-23496) 

Downer.

JJ
Variables won't. Constants aren't
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)
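
Added example, not part of the original thread: the two SDDL strings in the post above can be compared ACE by ACE using only built-in .NET regex calls. `Get-SddlDaclAce` and `Compare-SddlDacl` are hypothetical helper names; the strings are copied from the BEFORE and AFTER RUNNING SET-ACL output.

```powershell
# SDDL strings copied from the BEFORE and AFTER RUNNING SET-ACL output in the post above.
$beforeSddl = 'O:BAG:DUD:AI(A;OICIID;0x1200a9;;;S-1-5-21-2723378225-4245055115-2045769514-10212)(A;OICIID;FA;;;DA)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;BO)'
$afterSddl  = 'O:BAG:DUD:AI(A;OICI;FA;;;BA)(A;OIIO;0x1201bb;;;S-1-5-21-2723378225-4245055115-2045769514-23496)'

# Hypothetical helper: split the DACL part of an SDDL string into one object per ACE.
function Get-SddlDaclAce {
    param([Parameter(Mandatory = $true)][string]$Sddl)
    # DACL section: "D:", optional control flags such as AI, then one or more "(...)" ACEs.
    $dacl = [regex]::Match($Sddl, 'D:(?<ctl>[A-Z]*)(?<aces>(?:\([^)]*\))+)')
    if (-not $dacl.Success) { return }
    foreach ($m in [regex]::Matches($dacl.Groups['aces'].Value, '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        $f = $m.Groups[1].Value.Split(';')
        # Flags are two-letter tokens: OI, CI, IO (inherit only), ID (inherited from parent).
        $flags = @([regex]::Matches($f[1], '..') | ForEach-Object { $_.Value })
        New-Object PSObject -Property @{
            Type = $f[0]; Flags = ($flags -join ','); Rights = $f[2]
            Trustee = $f[5]; Inherited = ($flags -contains 'ID')
        }
    }
}

# Hypothetical helper: summarise what changed between two DACLs.
function Compare-SddlDacl {
    param([string]$Before, [string]$After)
    $b = @(Get-SddlDaclAce $Before)
    $a = @(Get-SddlDaclAce $After)
    $afterTrustees = @($a | ForEach-Object { $_.Trustee })
    New-Object PSObject -Property @{
        InheritedBefore = @($b | Where-Object { $_.Inherited }).Count
        InheritedAfter  = @($a | Where-Object { $_.Inherited }).Count
        TrusteesLost    = @($b | ForEach-Object { $_.Trustee } |
                            Where-Object { $afterTrustees -notcontains $_ })
    }
}

Get-SddlDaclAce $afterSddl | Format-Table Trustee, Rights, Flags, Inherited -AutoSize
Compare-SddlDacl -Before $beforeSddl -After $afterSddl | Format-List
```

In these two strings every ACE in the BEFORE DACL carries the `ID` (inherited) flag and none in the AFTER DACL does, and `BA` is the only trustee that appears in both.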

RE: Appending folder permissions

Does this work? (Remove the user permissions from the folder, first.)

CODE -->

$identity = $env:USERDNSDOMAIN + "\" + $SamAccountName
$homeDriveACL = Get-ACL $FullUNCPath
$rule = [System.Security.AccessControl.FileSystemRights]"Modify, Synchronize"
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rule, "ContainerInherit, ObjectInherit", "None", "Allow")
$homeDriveACL.AddAccessRule($objACE)
Set-ACL $FullUNCPath $homeDriveACL 



Light travels faster than sound. That's why some people appear bright until you hear them speak.

RE: Appending folder permissions

(OP)
Alas no... it still replaces.

JJ
Variables won't. Constants aren't
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)

RE: Appending folder permissions

That doesn't sound right. What do you get when you do:

CODE -->

$homeDriveACL = Get-ACL $FullUNCPath
$homeDriveACL.access 

before and after you run the script?


Light travels faster than sound. That's why some people appear bright until you hear them speak.

RE: Appending folder permissions

(OP)
OK.

BEFORE

CODE --> Powershell

PS C:\WINDOWS\system32> $homeDriveACL = Get-ACL $FullUNCPath
PS C:\WINDOWS\system32> $homeDriveACL.access


FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : DOMAIN\SPsearch
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : DOMAIN\Domain Admins
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Backup Operators
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None 

AFTER

CODE --> Powershell

PS C:\WINDOWS\system32> $homeDriveACL = Get-ACL $FullUNCPath
PS C:\WINDOWS\system32> $homeDriveACL.access


FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : DOMAIN\linter_u
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None 

JJ
Variables won't. Constants aren't
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)

RE: Appending folder permissions

Can you post your current script, or at least the part dealing with the permissions?


Light travels faster than sound. That's why some people appear bright until you hear them speak.

RE: Appending folder permissions

(OP)
I've not incorporated any of your suggestions into my script, I've only tested them from a PowerShell console. So most recently as per your suggestions of 14 Feb 17 15:22.

JJ
Variables won't. Constants aren't
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)

RE: Appending folder permissions

I just ran it and I got what I expected; the rights are identical except for the addition of the new user.

Here is my session:

CODE -->

PS U:\Exchange_Scripts> $FullUNCPath = "C:\Temp\Test\"
PS U:\Exchange_Scripts> $SamAccountName = "Justin1234567890"
PS U:\Exchange_Scripts> $identity = $env:USERDNSDOMAIN + "\" + $SamAccountName

PS U:\Exchange_Scripts> $identity
<MyDomain>\Justin1234567890


############# Before rights are applied #############
PS U:\Exchange_Scripts> $homeDriveACL = Get-ACL $FullUNCPath
PS U:\Exchange_Scripts> $homeDriveACL.access

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : True
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : -536805376
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly



PS U:\Exchange_Scripts> $rule = [System.Security.AccessControl.FileSystemRights]"Modify, Synchronize"
PS U:\Exchange_Scripts> $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rule, "ContainerInherit, ObjectInherit", "None", "Allow")
PS U:\Exchange_Scripts> $homeDriveACL.AddAccessRule($objACE)
PS U:\Exchange_Scripts> Set-ACL $FullUNCPath $homeDriveACL


############# After rights are applied #############
PS U:\Exchange_Scripts> $homeDriveACL = Get-ACL $FullUNCPath
PS U:\Exchange_Scripts> $homeDriveACL.access

FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : <MyDomain>\Justin1234567890
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : True
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : -536805376
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly 


Light travels faster than sound. That's why some people appear bright until you hear them speak.

RE: Appending folder permissions

(OP)
It is bizarre.

Because I've had to make progress I've had to lower my puritanical approach to PS script coding and have worked out how to achieve the same thing using icacls calls from PowerShell, so this isn't a show stopper.

It really does seem to just be a problem here though, which is a mystery that I don't much like!

Still, thanks for your time. I appreciate it.

JJ
Variables won't. Constants aren't
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, or photo, or breakfast...and so on)
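
Added example, not part of the original thread: one way to wrap the `Get-Acl` / `AddAccessRule` / `Set-Acl` sequence discussed above so that a replaced ACL is detected when it happens rather than found later. `Add-FolderAccessRule` is a hypothetical name, and the scratch folder and current user in the demo are constructed stand-ins for `$FullUNCPath` and the new hire.

```powershell
# Hypothetical helper (not from the thread): add one Allow ACE, then check nothing else changed.
function Add-FolderAccessRule {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity,
        [string]$Rights = 'Modify, Synchronize'
    )
    # One comparable string per ACE. An existing explicit ACE for $Identity is merged
    # by AddAccessRule, so its key changes and it is reported below as well.
    $key = { '{0}|{1}|{2}|{3}|{4}|{5}' -f $_.IdentityReference, $_.AccessControlType,
             $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags, $_.IsInherited }

    $acl        = Get-Acl -Path $Path
    $beforeKeys = @($acl.Access | ForEach-Object $key)
    $beforeSddl = $acl.Sddl
    $protected  = $acl.AreAccessRulesProtected

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Re-read from disk: the in-memory $acl only shows what was requested.
    $after     = Get-Acl -Path $Path
    $afterKeys = @($after.Access | ForEach-Object $key)
    $lost      = @($beforeKeys | Where-Object { $afterKeys -notcontains $_ })

    if ($lost.Count -gt 0 -or $after.AreAccessRulesProtected -ne $protected) {
        $detail = "Before: $beforeSddl`nAfter:  $($after.Sddl)`nLost:`n" + ($lost -join "`n")
        throw ("ACL on {0} lost {1} existing ACE(s); inheritance protected: {2} -> {3}.`n{4}" -f
            $Path, $lost.Count, $protected, $after.AreAccessRulesProtected, $detail)
    }
    $after
}

# Constructed demo: a scratch folder and the current user stand in for the share and the new hire.
$demo = Join-Path $env:TEMP 'acl-append-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
(Add-FolderAccessRule -Path $demo -Identity $me).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The function throws with the before and after SDDL when any pre-existing ACE is missing or the inheritance-protection state flips; it does not roll the change back.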
