Problems applying ACL

  • Question

  • Let me first say thank you in advance for your help.

    We have stood up a new forest, we will say ABC.

    We also have our original forest, we will say MSC.

    There is an intrinsic trust between the domains, and all Users and Groups have been migrated from MSC to ABC.

    We have an EMC File Server which has home folders and department shares.  I created a PowerShell Script to read each folder and perform a Get-ACL which created a CSV file with the Users/Groups names, Filesystem Rights, Inheritance, Propagation flags, Access Control Type.

    What I am trying to do is add the same users/groups from the new domain ABC with the same ACL security as the corresponding security from domain MSC. This will then dual-ACL the file server with both domains.

    The CSV file I created has most of the information I need.

    This is the error I am getting when running the script:

    Set-acl : AclObject
    At \\rtihomenas\Public\MIS\Network-Telecomm\citrix\Scripts\scripts\IsilonACLApply.ps1:51 char:29
    + ...                           Set-acl $FilePath $ACLRule
    +                               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (System.Security...ystemAccessRule:FileSystemAccessRule) [Set-Acl], ArgumentException
        + FullyQualifiedErrorId : SetAcl_AclObject,Microsoft.PowerShell.Commands.SetAclCommand

    Below is my script:

    Connect-QADService -service DomCtrl.ABC.US -proxy -credential ABC\adm.AdminUser1

    $InFile = "C:\Shares\Folders.csv"
    $file = import-csv $InFile
    foreach($Sec in $file) {
        $FilePath = $Sec.Folder_Path
        $IDRef = $Sec.IdentityReference
        $ACCType = $Sec.AccessControlType
        $FSType = $Sec.FileSystemRights
        $IsInhert = $IsInherit
        $InhertFlg = $Sec.InheritanceFlags
        $PFlags = $Sec.PropagationFlags
        $ObjInheritFlg = $Sec.ObjectInhert

        #This line will get the account/group from Domain ABC.
        $objGroup = Get-QADGroup -Identity $IDRef | Select-Object -ExpandProperty SamAccountName
        $objADGroup = $objGroup
        Write-Host "Name is: " $objADGroup
        $Matches = $objADGroup -match $IDRef.trimstart("ABC\")
        If ($Matches -eq $True) {

            $objGrp = New-Object System.Security.Principal.NTAccount "$objGroup"
            Write-Host "Name is " $objGrp

            $colRights = [System.Security.AccessControl.FileSystemRights]::$FSType
            Write-Host "FileSystem Type: " $colRights

            $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.InheritanceFlags]::ObjectInherit
            Write-Host "Inheritence: " $InheritanceFlag

            $PropagationFlag = [system.security.accesscontrol.PropagationFlags]::None
            Write-Host "Propagation Flag: " $PropagationFlag

            $objType = [System.Security.AccessControl.AccessControlType]::$ACCType
            Write-Host "Account Type: "$objType

            #$ACLRule = New-Object System.Security.AccessControl.FileSystemAccessRule($objGroup,$colRights,$InheritanceFlag,"None",$objType)

            #Add this line to explicitly add the Rights
            $ACLRule = New-Object System.Security.AccessControl.FileSystemAccessRule("ABC-File Administrators","FullControl","ContainerInherit,ObjectInherit","None","Allow")

            #($objGrp,$colRights,$InheritanceFlag,"None",$objType)

            $Fldracl = get-acl $FilePath
            $Fldracl.AddAccessRule($ACLrule)
            Set-acl -Path $FilePath -aclObject $ACLRule
        }
    }

    Any help that you can provide will be greatly appreciated.

    Wednesday, June 10, 2020 6:12 PM

Answers

All replies

  • I suspect that your problem is this line.

    $ACLRule = New-Object System.Security.AccessControl.FileSystemAccessRule("ABC-File Administrators","FullControl","ContainerInherit,ObjectInherit","None","Allow")

    If "ABC-File Administrators" is a domain group then I believe that you need to specify that as "ABC\ABC-File Administrators".

    Wednesday, June 10, 2020 11:11 PM
  • I tried using the fully qualified name, ABC\ABC-File Administrators and received the same error.

                                 Set-acl $FilePath $ACLRule
    +                             ~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (System.Security...ystemAccessRule:FileSystemAccessRule) [Set-Acl], ArgumentException
        + FullyQualifiedErrorId : SetAcl_AclObject,Microsoft.PowerShell.Commands.SetAclCommand

    Is it possible that the System.Security.AccessControl.FileSystemAccessRule is not being interpreted properly? I did manually specify each item and it still failed.

    So frustrating

    Thursday, June 11, 2020 1:53 PM
  • If you posted your code correctly then people might be able to see your mistakes.  As posted it is mostly unreadable which forces people to guess.

    Please read the following links and fix your original post.

    \_(ツ)_/

    • Marked as answer by DougHK Friday, June 12, 2020 12:50 PM
    Thursday, June 11, 2020 5:52 PM
  • You are using the wrong variable. Use the folder acl, not the acl rule. 

    Set-acl -Path $FilePath -aclObject $Fldracl 

    Thursday, June 11, 2020 11:36 PM
  • Thanks jrv, I did not see that. That fixed that issue, but now I have an Identity Reference issue, but I think I am on the track of that problem.
    Friday, June 12, 2020 12:52 PM
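The two problems raised in this thread, committing the modified folder ACL (not the rule) with Set-Acl, and the Identity Reference failure when an exported MSC principal is mirrored into ABC, combined into one added example. This is not the poster's script; it assumes a CSV written by Get-Acl with columns Folder_Path, IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType and IsInherited, and domain names MSC (old) and ABC (new).

```powershell
# Added example, not the original post's script. Assumed CSV columns: Folder_Path,
# IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags,
# AccessControlType, IsInherited. Assumed domains: MSC (old), ABC (new).
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function Resolve-NewDomainIdentity {
    param([string]$IdentityReference, [string]$OldDomain = 'MSC', [string]$NewDomain = 'ABC')
    # Only rewrite principals from the old domain; BUILTIN/NT AUTHORITY entries are left alone.
    if ($IdentityReference -notlike "$OldDomain\*") { return $null }
    $account = [NTAccount]::new($NewDomain, $IdentityReference.Split('\')[1])
    try {
        # Translate() throws IdentityNotMappedException when the account does not exist
        # in the new forest; checking here surfaces the problem before AddAccessRule does.
        $null = $account.Translate([SecurityIdentifier])
        return $account
    } catch [IdentityNotMappedException] {
        Write-Warning "No account '$account' found in $NewDomain; skipping"
        return $null
    }
}

function Add-MirroredAce {
    param([string]$CsvPath, [switch]$WhatIf)
    foreach ($row in Import-Csv -Path $CsvPath) {
        # Inherited ACEs are skipped: they will flow down once the explicit parent ACE exists.
        if ($row.IsInherited -eq 'True') { continue }
        $identity = Resolve-NewDomainIdentity -IdentityReference $row.IdentityReference
        if (-not $identity) { continue }
        # Casting the exported strings to the enums accepts comma-separated flag sets such as
        # "Modify, Synchronize", which the [FileSystemRights]::$name form does not.
        $rule = [FileSystemAccessRule]::new(
            $identity,
            [FileSystemRights]$row.FileSystemRights,
            [InheritanceFlags]$row.InheritanceFlags,
            [PropagationFlags]$row.PropagationFlags,
            [AccessControlType]$row.AccessControlType)
        $acl = Get-Acl -Path $row.Folder_Path
        $acl.AddAccessRule($rule)
        if ($WhatIf) { Write-Host "Would add $($rule.IdentityReference) to $($row.Folder_Path)"; continue }
        # Commit the modified ACL object back to the folder; passing $rule here is the
        # "Set-acl : AclObject" error from the original post.
        Set-Acl -Path $row.Folder_Path -AclObject $acl
    }
}

Add-MirroredAce -CsvPath 'C:\Shares\Folders.csv' -WhatIf
```

Run once with -WhatIf to confirm every old-domain principal resolves in ABC, then drop the switch to write the ACLs.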