Applying ACL Permissions using PowerShell Set-Acl

New-Item -Type Directory -Path "C:\MyFolder"
$Acl = Get-Acl "C:\MyFolder"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("username", "FullControl", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl -Path "C:\MyFolder" -AclObject $Acl

Hi, when I took the above code and applied it using my own settings, the user account entries are added for the folder, but no permissions are applied (none ticked).

Can anyone help with why this might be?

Thanks

Parsimony answered 24/3, 2017 at 10:43 Comment(4)
Your snippet works for me. Do you have any error message? An UnauthorizedAccessException? - Luxury
No errors - the accounts get added to the sec perms in the folder - you can see them there but no perms ticked. Only diff between what I'm actually running is I reference a variable with the user account stored in - but that works as - otherwise, the account wouldn't show up in there. - Parsimony
It's hard to understand your question. Hope I got the point. Please consider reviewing your question and add some additional information and screenshots to it so others understand what you mean. (I'd personally see this question better placed on superuser) - Luxury
If my answer solved your question, please mark it as the accepted answer. Thanks! - Luxury

Your comment describes the following behaviour:

Your PowerShell script succeeds, but if you check the permissions with Explorer's properties dialog, you will see the following:

[Image: permissions with unfilled checkboxes]

This is pretty confusing as a PowerShell query will confirm:

PS> Get-Acl .|fl


Path   : Microsoft.PowerShell.Core\FileSystem::D:\temp\myfolder
Owner  : clijsters\clijsters
Group  : clijsters\Kein
Access : clijsters\NEWUSER Allow  FullControl
        VORDEFINIERT\Administratoren Allow  FullControl
        VORDEFINIERT\Administratoren Allow  268435456
        NT-AUTORITÄT\SYSTEM Allow  FullControl
        [...]

Your ACL changed. If you scroll down the list of checkboxes, you will notice that "Special permissions" is checked, and if you click on "Advanced" you will see that your permissions are set.

EDIT:
As mentioned by @AnsgarWiechers, I missed a part describing why the permissions added with New-Object System.Security.AccessControl.FileSystemAccessRule("username", "FullControl", "Allow") are listed as Special permissions.

As described on MSDN, FileSystemAccessRule has 4 constructors, some of which accept InheritanceFlags and PropagationFlags (e.g. this one fits your needs). If you use them and define inheritance behaviour, the permissions will show up as normal ones.

Luxury answered 24/3, 2017 at 11:46 Comment(5)
Thanks! What a totally cool way of adding folder permissions as part of a wider scripted solution. - Parsimony
The reason why the permissions are displayed as "special permissions" is because you don't define inheritance, so the permissions are applied to "this folder only". Add container and object inheritance to the ACE and the permissions will show up as "regular" full control. - Purslane
I don't get why this answer is unaccepted. Just saw it coincidentally on my profile. @Royston: Would you explain, so that I can improve my answer? - Luxury
@Luxury classed as an answer now. Thank you - Parsimony
@noabody's answer [https://mcmap.net/q/1191095/-applying-acl-permissions-using-powershell-set-acl] has a nice copy-paste example. I HAD to use this 5-term constructor, with the inheritance and the flags, on a directory I created in PowerShell to allow me to create a new file in that directory, also with PowerShell, non-admin. - Lipski

Today I was trying to compile ILSpy and encountered AL1078: Error signing assembly, which is a permissions issue. An amalgamation of answers is shown.

This PowerShell script assigns $CurUsr to the token for the currently logged in user and $CurTgt as the folder whose permissions are being altered. Change them as required.

Add permission:

$CurTgt = "C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($CurUsr,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $CurTgt

Remove permission:

$CurTgt = "C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$usersid = New-Object System.Security.Principal.Ntaccount ($CurUsr)
$acl.PurgeAccessRules($usersid)
$acl | Set-Acl $CurTgt

References:

Manage ACLs Inheritance Current User

Alfeus answered 18/5, 2019 at 14:56 Comment(0)
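
The difference between the 3-argument constructor in the question and the 5-argument constructor in the last answer can be checked without opening Explorer. The script below is an added example, not code from any poster in this thread: it applies each rule to its own scratch folder, re-reads the explicit ACEs and reports the scope each one covers. The folder names, the function names Get-AppliesTo and Test-Rule, and the use of the current user's SID instead of an account name are assumptions made for the illustration.

```powershell
# Added example, not from the original thread. Folder names are constructed.
$sid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User  # SID avoids localized names
$root = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid().ToString("N"))
$type = 'System.Security.AccessControl.FileSystemAccessRule'

# 3-argument form from the question: no inheritance flags
$folderOnly = New-Object -TypeName $type -ArgumentList $sid, 'FullControl', 'Allow'
# 5-argument form from the later answer: inherit to subfolders and files
$inheriting = New-Object -TypeName $type -ArgumentList $sid, 'FullControl',
    'ContainerInherit,ObjectInherit', 'None', 'Allow'

function Get-AppliesTo {
    param($Ace)   # maps ACE flags to the "Applies to" text of Explorer's Advanced dialog
    if ($Ace.PropagationFlags -ne 'None') {
        return "$($Ace.InheritanceFlags) / $($Ace.PropagationFlags)"   # raw flags for other cases
    }
    switch ([string]$Ace.InheritanceFlags) {
        'None'                            { 'This folder only' }
        'ContainerInherit'                { 'This folder and subfolders' }
        'ObjectInherit'                   { 'This folder and files' }
        'ContainerInherit, ObjectInherit' { 'This folder, subfolders and files' }
    }
}

function Test-Rule {
    param([string]$Name, $Rule)
    $path = (New-Item -ItemType Directory -Path (Join-Path $root $Name) -Force).FullName
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRule($Rule)
    Set-Acl -Path $path -AclObject $acl
    # Re-read from disk: explicit ACEs only (no inherited ones), identities as SIDs
    (Get-Acl -Path $path).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
        ForEach-Object {
            [pscustomobject]@{
                Folder    = $Name
                Rights    = $_.FileSystemRights
                AppliesTo = Get-AppliesTo $_
            }
        }
}

try {
    Test-Rule -Name 'three-arg' -Rule $folderOnly
    Test-Rule -Name 'five-arg'  -Rule $inheriting
} finally {
    Remove-Item -Path $root -Recurse -Force -ErrorAction SilentlyContinue   # remove scratch folders
}
```

The row whose scope is "This folder only" corresponds to the entry Explorer files under "Special permissions", as described in the comments above.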
