What is the best way to use PowerShell to apply NTFS Permissions

  • Question

  • Folks,

    I have a script that now can create folders and shares. I would like to add NTFS permissions to the list of operations applied. The NTFS permissions for one folder, C:\Test0, are given by the following expression.

    $NTFS_permissions
    "Nash\UTLPLN-NAS-PROD-RW","Traverse,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,Delete,ReadPermissions,Synchronize","ContainerInherit, ObjectInherit","None","Allow"
    "Nash\UTLPLN-NAS-PROD-RO","Traverse,Executefile,ListDirectory,ReadData,ReadPermissions,Synchronize","ContainerInherit, ObjectInherit","None","Allow"

    When I try to apply the permissions to the folder using a ForEach loop the process throws errors.

    PS C:\> ForEach($NTFS in $NTFS_Permissions)
            {
                $Perm = $NTFS
                $ACL = Get-ACL $ShareLocation
                $Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Perm
                $ACL.SetAccessRule($Rule)
                $ACL | Set-Acl $ShareLocation
            }
    New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "1".
    At line:6 char:28
    + ...     $Rule = New-Object -TypeName System.Security.AccessControl.FileSy ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
        + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
     
    New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "1".
    At line:6 char:28
    + ...     $Rule = New-Object -TypeName System.Security.AccessControl.FileSy ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
        + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

    However, if I put in the permissions one at a time there is no error.

    PS C:\> {
                $Perm = "Nash\UTLPLN-NAS-PROD-RW","Traverse,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,Delete,ReadPermissions,Synchronize","ContainerInherit, ObjectInherit","None","Allow"
                $ACL = Get-ACL $ShareLocation
                $Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Perm
                $ACL.SetAccessRule($Rule)
                $ACL | Set-Acl $ShareLocation
            }

                $Perm = "Nash\UTLPLN-NAS-PROD-RW","Traverse,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,Delete,ReadPermissions,Synchronize","ContainerInherit, ObjectInherit","None","Allow"
                $ACL = Get-ACL $ShareLocation
                $Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Perm
                $ACL.SetAccessRule($Rule)
                $ACL | Set-Acl $ShareLocation

    PS C:\> {
                $Perm = "Nash\UTLPLN-NAS-PROD-RO","Traverse,Executefile,ListDirectory,ReadData,ReadPermissions,Synchronize","ContainerInherit, ObjectInherit","None","Allow"
                $ACL = Get-ACL $ShareLocation
                $Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Perm
                $ACL.SetAccessRule($Rule)
                $ACL | Set-Acl $ShareLocation
            }

                $Perm = "Nash\UTLPLN-NAS-PROD-RO","Traverse,Executefile,ListDirectory,ReadData,ReadPermissions,Synchronize","ContainerInherit, ObjectInherit","None","Allow"
                $ACL = Get-ACL $ShareLocation
                $Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Perm
                $ACL.SetAccessRule($Rule)
                $ACL | Set-Acl $ShareLocation

    I just don't understand why I get the error. Thanks in advance for your assistance.

    Monday, August 5, 2019 7:42 PM

Answers

  • I would do it like this:

    $p = @{
        Account = 'Nash\UTLPLN-NAS-PROD-RW'
        Permissions = 'Traverse,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,Delete,ReadPermissions,Synchronize'
        Inheritance = 'ContainerInherit, ObjectInherit'
        Propagation = 'None'
        Type = 'Allow'
    }
    $acl = [System.Security.AccessControl.FileSystemAccessRule]::New($p.Account,$p.Permissions,$p.Inheritance,$p.Propagation,$p.Type)
    


    \_(ツ)_/

    • Marked as answer by jrv Wednesday, August 7, 2019 10:52 PM
    Tuesday, August 6, 2019 4:15 AM

All replies

  • The error is because your code is wrong.

    If you search you will find numerous blogs and documents that will show how to change permissions in NTFS.

    First you cannot use an array to initialize an object.  You must use a full specification.

    If you do it this way you will not have that problem.

    New-Object  System.Security.AccessControl.FileSystemAccessRule(
        'Nash\UTLPLN-NAS-PROD-RW',
        'Traverse,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,Delete,ReadPermissions,Synchronize',
        'ContainerInherit, ObjectInherit',
        'None',
        'Allow'
    )


    \_(ツ)_/

    Tuesday, August 6, 2019 4:07 AM
  • You can batch them like this:

    $rules = @(
        @{
            Account = 'Nash\UTLPLN-NAS-PROD-RW'
            Permissions = 'Traverse,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,Delete,ReadPermissions,Synchronize'
            Inheritance = 'ContainerInherit, ObjectInherit'
            Propagation = 'None'
            Type = 'Allow'
        }
        # add more rules
    )
    
    foreach($p in $rules){
        $acl = Get-ACL $ShareLocation
        $ace = [System.Security.AccessControl.FileSystemAccessRule]::New($p.Account,$p.Permissions,$p.Inheritance,$p.Propagation,$p.Type)
        $acl.AddAccessRule($ace)
        $acl | Set-Acl $ShareLocation
    }


    \_(ツ)_/


    • Edited by jrv Tuesday, August 6, 2019 4:25 AM
    Tuesday, August 6, 2019 4:20 AM
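    The following is an added example, my own code rather than anything posted in this thread, that ties together the question's loop and the batched reply above. The error in the question says New-Object received an argument count of 1: that is what happens when each element of $NTFS_Permissions is one CSV-style string, whereas the hand-typed $Perm = "a","b","c","d","e" is a five-element array that New-Object unpacks into the constructor. Defining each rule as a hashtable keyed by the five FileSystemAccessRule constructor arguments removes that ambiguity, and reading the ACL back afterwards lets an automation job confirm that the RO group really ended up read-only. It assumes a Windows host, the folder C:\Test0 and the group names from the question; the function names New-NtfsAccessRule, Set-NtfsRules and Test-NtfsRules are my own.

```powershell
# Added example, not code from the thread. Assumes a Windows host, the folder
# C:\Test0 and the group names from the question; the function names are mine.
using namespace System.Security.AccessControl

# One hashtable per rule, keyed by the five FileSystemAccessRule constructor
# arguments. A flat string array only works if PowerShell sees five separate
# elements; a single CSV-style string produces the "argument count: 1" error.
$NtfsRules = @(
    @{
        Account     = 'Nash\UTLPLN-NAS-PROD-RW'
        Rights      = 'Traverse,ExecuteFile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,Delete,ReadPermissions,Synchronize'
        Inheritance = 'ContainerInherit, ObjectInherit'
        Propagation = 'None'
        Type        = 'Allow'
    }
    @{
        Account     = 'Nash\UTLPLN-NAS-PROD-RO'
        Rights      = 'Traverse,ExecuteFile,ListDirectory,ReadData,ReadPermissions,Synchronize'
        Inheritance = 'ContainerInherit, ObjectInherit'
        Propagation = 'None'
        Type        = 'Allow'
    }
)

function New-NtfsAccessRule {
    param([Parameter(Mandatory)][hashtable]$Spec)
    # Cast each string to its enum first: a misspelled right or flag fails here
    # with a clear message instead of inside New-Object's overload resolution.
    [FileSystemAccessRule]::new(
        [string]$Spec.Account,
        [FileSystemRights]$Spec.Rights,
        [InheritanceFlags]$Spec.Inheritance,
        [PropagationFlags]$Spec.Propagation,
        [AccessControlType]$Spec.Type)
}

function Set-NtfsRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable[]]$Rules
    )
    $acl = Get-Acl -Path $Path
    foreach ($spec in $Rules) {
        $ace = New-NtfsAccessRule -Spec $spec
        # SetAccessRule replaces any existing explicit rule for the same identity
        # and Allow/Deny type, so re-running the script does not stack duplicates;
        # AddAccessRule (as in the batched reply) keeps earlier entries as well.
        $acl.SetAccessRule($ace)
    }
    if ($PSCmdlet.ShouldProcess($Path, "Apply $($Rules.Count) NTFS rule(s)")) {
        # One Set-Acl per folder, after all rules are staged on the in-memory ACL.
        Set-Acl -Path $Path -AclObject $acl
    }
}

function Test-NtfsRules {
    # Reads the ACL back and reports, per rule, whether an explicit entry for the
    # account exists and whether its rights and flags match what was requested.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable[]]$Rules
    )
    $acl = Get-Acl -Path $Path
    foreach ($spec in $Rules) {
        $want = New-NtfsAccessRule -Spec $spec
        $have = @($acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Value -eq $spec.Account -and
            $_.AccessControlType -eq $want.AccessControlType
        })
        [pscustomobject]@{
            Account = $spec.Account
            Present = ($have.Count -gt 0)
            Matches = ($have.Count -eq 1 -and
                       $have[0].FileSystemRights -eq $want.FileSystemRights -and
                       $have[0].InheritanceFlags -eq $want.InheritanceFlags -and
                       $have[0].PropagationFlags -eq $want.PropagationFlags)
        }
    }
}

# Usage: preview, apply, then verify.
# Set-NtfsRules -Path 'C:\Test0' -Rules $NtfsRules -WhatIf
# Set-NtfsRules -Path 'C:\Test0' -Rules $NtfsRules
# Test-NtfsRules -Path 'C:\Test0' -Rules $NtfsRules | Format-Table
```

    The -WhatIf pass shows which folder would be touched without writing anything, and Test-NtfsRules run after the apply step gives a row per account with Present and Matches flags, so a deployment that silently granted wider rights than intended shows up as Matches = False rather than going unnoticed.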
  • JRV,

    I appreciate the time you took to correct me and this is how I can learn to be better with PowerShell.

    -John Strode

    • Marked as answer by John Strode Wednesday, August 7, 2019 10:49 PM
    • Unmarked as answer by jrv Wednesday, August 7, 2019 10:51 PM
    Wednesday, August 7, 2019 1:18 AM