Problem enabling inheritance

  • Question

  • Hi there!

    I've been coding for 8 hours on a little script to change the audit rules of a folder tree, and I still don't understand how SetAuditRuleProtection works. This snippet is pretty simple:

    $Acl = Get-Acl $Object.FullName -Audit

    $Acl.SetAuditRuleProtection($false, $false)

    $Acl | Set-Acl # Or $Acl | Set-Acl $Object.FullName, same behavior

    This doesn't enable inheritance on the object $Object. Why? What am I doing wrong? I'm very frustrated with this :(

    Even when I have the "Disable inheritance" button in the Auditing tab of the object (which means that inheritance is enabled, I think), the audit rules from the parent don't appear until I modify this (create a rule, delete the rule [no changes at all], apply; that should work).

    It's annoying :(

    Sorry for my bad English



    Thursday, February 12, 2015 10:30 AM

Answers

  • I'm pretty sure you're not doing anything wrong. It looks like there's a bug in the underlying .NET security classes when you have a null or empty SACL (audit ACE list). When the SACL is empty, trying to set the security descriptor doesn't appear to honor the inheritance setting.

    To work around the issue, you can add a dummy ACE if the SACL is empty, change the inheritance setting, and then remove the dummy ACE if it was added. Something like this should work:
    $path = "C:\path_to_object"

    # Get the ACL including the SACL (audit rules); reading/writing the SACL needs SeSecurityPrivilege
    $acl = Get-Acl $path -Audit

    # If the SACL is empty, add a rule to it...
    $dummyAce = $null  # Need to know later if this was used
    if ($acl.Audit.Count -eq 0) {
        # It doesn't matter what this rule is; it only has to make the SACL non-empty
        $dummyAce = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone", "TakeOwnership", "Success")
        $acl.AddAuditRule($dummyAce)
    }
    # First $false: stop protecting the SACL, i.e. inherit audit rules from the parent
    $acl.SetAuditRuleProtection($false, $false)
    $acl | Set-Acl

    # Cleanup if $dummyAce was used earlier (re-read so the object reflects the inherited ACEs)
    if ($dummyAce) {
        $acl = Get-Acl $path -Audit
        $acl.RemoveAuditRuleSpecific($dummyAce)
        $acl | Set-Acl
    }
    You can make that into a function that just takes a path if you'd like the part of your script that uses this to look cleaner.
    Friday, February 13, 2015 2:02 AM
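The workaround above turned into a reusable, pipeline-friendly function, as an added example that is not code from the original thread. The function name Enable-AuditInheritance, its parameters and the result object it emits are my own additions; the core sequence (add a placeholder ACE when the SACL is empty, SetAuditRuleProtection($false, $false), Set-Acl, then remove the placeholder) is the one the answer describes. It adds the check a practitioner wants: after the workaround it re-reads the SACL and reports whether AreAuditRulesProtected really cleared, instead of assuming Set-Acl did what was asked. Reading or writing a SACL requires the "Manage auditing and security log" privilege (SeSecurityPrivilege), so run this from an elevated session.

```powershell
# Added example, not code from the original thread. Turns the workaround into a
# function that can be fed a whole folder tree. Names (Enable-AuditInheritance and
# the fields of the result object) are my own. Get-Acl -Audit and Set-Acl touch the
# SACL, so this needs SeSecurityPrivilege (an elevated session).
function Enable-AuditInheritance {
    [CmdletBinding()]
    param(
        # Accepts plain path strings or FileInfo/DirectoryInfo objects (binds FullName).
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [Alias('FullName')]
        [string]$Path
    )

    process {
        $acl = Get-Acl -LiteralPath $Path -Audit

        # Nothing to do if the SACL already inherits from the parent.
        if (-not $acl.AreAuditRulesProtected) {
            Write-Verbose "$Path already inherits audit rules"
            return [pscustomobject]@{ Path = $Path; Changed = $false; DummyUsed = $false; NowInherits = $true }
        }

        # The workaround: an empty SACL does not pick up the protection change, so make
        # sure there is at least one explicit audit ACE before clearing the flag.
        $dummyAce = $null
        if ($acl.Audit.Count -eq 0) {
            $dummyAce = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                -ArgumentList 'Everyone', 'TakeOwnership', 'Success'
            $acl.AddAuditRule($dummyAce)
        }

        # First $false: stop protecting the SACL (inherit from the parent).
        # The second argument only matters when protecting, so it is irrelevant here.
        $acl.SetAuditRuleProtection($false, $false)
        Set-Acl -LiteralPath $Path -AclObject $acl

        # Remove the placeholder again. Re-read first so the object carries the
        # inherited ACEs that now exist; RemoveAuditRuleSpecific only matches the
        # explicit ACE we added.
        if ($dummyAce) {
            $acl = Get-Acl -LiteralPath $Path -Audit
            $acl.RemoveAuditRuleSpecific($dummyAce)
            Set-Acl -LiteralPath $Path -AclObject $acl
        }

        # Verify rather than trust: re-read and check that the flag actually cleared.
        $after = Get-Acl -LiteralPath $Path -Audit
        if ($after.AreAuditRulesProtected) {
            Write-Warning "$Path still has a protected SACL after the workaround"
        }
        [pscustomobject]@{
            Path        = $Path
            Changed     = $true
            DummyUsed   = [bool]$dummyAce
            NowInherits = -not $after.AreAuditRulesProtected
        }
    }
}

# Usage (elevated PowerShell): walk a tree, apply to every file and folder, and
# list anything that still does not inherit. 'C:\path_to_tree' is a placeholder.
#   Get-ChildItem -LiteralPath 'C:\path_to_tree' -Recurse -Force |
#       Enable-AuditInheritance -Verbose |
#       Where-Object { -not $_.NowInherits }
```

The placeholder ACE is a Success audit for Everyone on TakeOwnership; it exists on the object only between the two Set-Acl calls, and the verification step reports any object where it could not be removed or where inheritance still did not take effect, so a run over a large tree leaves an auditable list of exceptions rather than silent partial results.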

All replies

  • $f = Get-Item C:\test
    $acl = $f.GetAccessControl('Audit')   # read the SACL section of the security descriptor
    # Note: SetAccessRuleProtection toggles protection of the DACL (access rules);
    # the SACL counterpart is SetAuditRuleProtection
    $acl.SetAccessRuleProtection($false, $false)
    $f.SetAccessControl($acl)


    ¯\_(ツ)_/¯

    Thursday, February 12, 2015 3:47 PM
  • @jrv, thanks for the reply, but it doesn't work.

    @Rohn, just yesterday, late, I modified the function that activates the inheritance, and it works, but I don't know why. Your reply answers my doubts perfectly: a damn bug!

    # Dummy rule used only to make the SACL non-empty
    $DummyRule = New-Object System.Security.AccessControl.FileSystemAuditRule("Administrators", "Write, Read", "None", "None", "Success")
    # 1. Enable inheritance on the (possibly empty) SACL
    $Acl = Get-Acl $Object.FullName -Audit
    $Acl.SetAuditRuleProtection($false, $false)
    $Acl | Set-Acl
    # 2. Add the dummy rule and enable inheritance again
    $Acl = Get-Acl $Object.FullName -Audit
    $Acl.AddAuditRule($DummyRule)
    $Acl.SetAuditRuleProtection($false, $false)
    $Acl | Set-Acl
    # 3. Remove the dummy rule and set inheritance once more
    $Acl = Get-Acl $Object.FullName -Audit
    $Acl.RemoveAuditRule($DummyRule) | Out-Null
    $Acl.SetAuditRuleProtection($false, $false)
    $Acl | Set-Acl

    I executed three Set-Acl calls just to be sure :D

    thank you very much

    Friday, February 13, 2015 8:09 AM