Powershell: Multiple ACE entries for the same Identity Reference in an ACL
-
Friday, November 16, 2012 4:22 PM
I'm using PowerShell to write a script which will give a security group List Folder Contents to a directory and Write Access. Basically I want the users to be able to see which files are in the folder, and write files to the folder, but not read or open any files. I modeled and tested the permissions using the Windows GUI, and Windows does it by assigning the same group two entries on the ACL, one with ReadAndExecute that is only ContainerInherit and one with Write that is ContainerInherit and ObjectInherit.
These are the relevant entries from $acl.access:
FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : MyDomain\MyGroup
IsInherited       : False
InheritanceFlags  : ContainerInherit
PropagationFlags  : None

FileSystemRights  : Write, Synchronize
AccessControlType : Allow
IdentityReference : MyDomain\MyGroup
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None
When I try to apply these rules via script, I find that I cannot keep both ACE entries on the object. Whatever rule I apply second replaces the first rule. Here is the script block I am using to try and duplicate the above entries:
$acl = Get-Acl ($SectionFolderFullPath + "\Submissions")

# Add Read&Execute for Section Group on the folder and subfolders only (ContainerInherit)
$colRights       = [System.Security.AccessControl.FileSystemRights]"ReadAndExecute,Synchronize"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType         = [System.Security.AccessControl.AccessControlType]::Allow
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($GroupName, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
$acl.SetAccessRule($AccessRule)

# Add Write only for Section Group, inherited by subfolders and files
$colRights       = [System.Security.AccessControl.FileSystemRights]"Write,Synchronize"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit"
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType         = [System.Security.AccessControl.AccessControlType]::Allow
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($GroupName, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
$acl.SetAccessRule($AccessRule)

# Apply the modified ACL back to the folder
$acl | Set-Acl

If I switch the order of the rules, I see only the ReadAndExecute ACE and not the Write ACE on the folder.
If I try to Set-Acl and then Get-Acl in between the two entries, the behavior is the same: the 2nd ACE replaces the 1st ACE instead of being added alongside it.
Can anyone help me understand how to get two ACE entries into an ACL with the same IdentityReference? It seems that this is the proper way to write these rules, since this is what the GUI interface comes up with, as verified by the original $Acl.Access.
- Edited by LPSMMB Friday, November 16, 2012 4:24 PM
All Replies
-
Monday, November 19, 2012 4:02 PM
I'm still having no joy with this. Does anyone know how to programmatically give a group List Folder Contents and Write permissions to an object?
-
Monday, November 19, 2012 5:02 PM
Moderator
Hi,
Sorry that I don't have time to reproduce your scenario, but it seems to me you might consider using the AddAccessRule method instead of (or in addition to) the SetAccessRule method.
Bill
- Marked As Answer by LPSMMB Tuesday, November 20, 2012 5:19 PM
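As an added example (not code from the thread), this is the AddAccessRule approach Bill suggests, followed by a read-back check that both explicit ACEs for the group actually survived. $FolderPath and $GroupName are placeholder values to be replaced.

```powershell
# Added example: grant List Folder Contents + Write via two ACEs for one identity.
# $FolderPath and $GroupName are placeholders, not values from the thread.
$FolderPath = 'C:\Data\Submissions'
$GroupName  = 'MyDomain\MyGroup'

$acl = Get-Acl -Path $FolderPath

# ACE 1: ReadAndExecute on the folder and subfolders only (ContainerInherit).
# Members can list the directory but the right is not inherited by files.
$listRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $GroupName,
    [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# ACE 2: Write on the folder, subfolders and files (ContainerInherit + ObjectInherit).
$writeRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $GroupName,
    [System.Security.AccessControl.FileSystemRights]'Write, Synchronize',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# SetAccessRule removes the identity's existing ACEs of the same type (Allow)
# before adding the new one, which is why the second call wiped the first.
# AddAccessRule merges with the existing entries instead, keeping both.
$acl.AddAccessRule($listRule)
$acl.AddAccessRule($writeRule)
Set-Acl -Path $FolderPath -AclObject $acl

# Verify by reading the ACL back: exactly two explicit (non-inherited) ACEs
# for the group should now be present, matching what the GUI produces.
$applied = @((Get-Acl -Path $FolderPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $GroupName -and -not $_.IsInherited })

if ($applied.Count -ne 2) {
    throw "Expected 2 explicit ACEs for $GroupName, found $($applied.Count)"
}
$applied | Format-Table FileSystemRights, InheritanceFlags, AccessControlType -AutoSize
```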
-
Tuesday, November 20, 2012 5:20 PM
Thanks, that appears to do the trick!