PS $ACL Error

  • Question

  • Hello,

    I am attempting to create a basic PowerShell command to reset permissions on all subfolders within a project directory.  So far I have the following.  So any folder/files under the "12000" folder Domain Users will have Modify permissions set.

    $directory = "Q:\Projects\GRP\12\12000"
    $acl = Get-childitem $directory | get-acl
    $permission = "Domain_Name\Domain Users", "Modify", "Allow"
    $accessRule = new-object system.security.AccessControl.FileSystemAccessRule $permission
    $acl.AddAccessRule($accessRule)
    set-acl -aclobject $acl $directory

    When I attempt to run the powershell I receive the following errors:

    Method invocation failed because [System.Object[]] doesn't contain a method named 'AddAccessRule'.

    then...

    Set-Acl: Cannot convert 'System.Object[]' to the type 'System.Security.AccessControl.ObjectSecurity' required by parameter 'AclObject'. Specified method is not supported.

    Thank you for any support provided.

    Tuesday, August 28, 2012 2:13 PM

Answers

  • Start by using the help system to see how Set-Acl works.

    help set-acl -full

    Next, explore the repository and look at how the code works.  There are some scripts that can do what you are trying to do.

    http://gallery.technet.microsoft.com/scriptcenter/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=security&f%5B0%5D.Text=Security&f%5B1%5D.Type=SubCategory&f%5B1%5D.Value=dacls&f%5B1%5D.Text=DACLs

    You need to also learn how file system security works in Windows.  You are trying to replace all security with a single ACE which is not likely to work.  You need to account for inheritance and for ownership.  What you are trying to do will likely make the whole folder set unusable.  What you want to do is to set the access at the root and propagate it.  When you set it you want it to be added to the root and not have it replace the root security.

    We cannot know how to alter the security on your files because we do not know how it is set. I recommend just using the GUI to add Domain Users to the root folder and select to apply to all files and folders.  This can be done in one step with the GUI and will work as long as inheritance has not been blocked.  If it has then you need to discover why.  It is either a mistake because you have previously and poorly altered the security or it is because someone or some process requires exclusive access.  Only you or your system admins can determine what the case is.

    Here is one set of utilities with some explanation:

    http://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85

    Here are some basics of file system security. Without this you cannot know how to alter the file system security:

    http://msdn.microsoft.com/en-us/library/windows/hardware/ff556612(v=vs.85).aspx

    File System Security is a very tricky business in Windows.  You should not alter it without a clear understanding of what can happen.  Scripting a bad change across all folders can make a system unusable.

    All of that said, try adding the rule in a correct order:

    # build a rule
    $permission = "Domain_Name\Domain Users", "Modify", "Allow"
    $ace = new-object system.security.AccessControl.FileSystemAccessRule $permission
    # select a folder ACL
    $directory = "Q:\Projects\GRP\12\12000"
    $acl=get-acl $directory
    # Add the new rule
    $acl.AddAccessRule($ace)
    # set the rule on the folder
    set-acl -aclobject $acl -Path $directory

    If this fails it is because the ACL already has an incompatibility with what you are trying to do.  The error message will be very explicit as to what the issue is.  Only the AddAccessRule or the Set-Acl will cause an error.  This will tell you what to do next.


    ¯\_(ツ)_/¯


    • Edited by jrv Tuesday, August 28, 2012 2:56 PM
    • Marked as answer by IT_Vision Tuesday, August 28, 2012 4:53 PM
    Tuesday, August 28, 2012 2:54 PM

All replies

  • Your problem is that $acl is an array of acl's, and so doesn't have this method.  Any one of the members does, though.

    Change this line:

    $acl.AddAccessRule($accessRule)

    to:

    $acl | % { $_.AddAccessRule($accessRule) }


    Grant Ward, a.k.a. Bigteddy


    • Edited by Bigteddy Tuesday, August 28, 2012 2:46 PM
    Tuesday, August 28, 2012 2:46 PM
  • Here is the preferred method for building an ace and setting the values.  It accounts for the flags and handles the arguments correctly.

    # build a rule
    $directory = "Q:\Projects\GRP\12\12000"
    # resolve the group name to an NTAccount object
    $ntaccount=New-Object System.Security.Principal.NTAccount("Domain_Name\Domain Users")
    $rights='Modify'
    $inherit=[System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $propagate=[System.Security.AccessControl.PropagationFlags]::InheritOnly
    $type='Allow'
    $ace=New-Object System.Security.AccessControl.FileSystemAccessRule($ntaccount, $rights, $inherit, $propagate, $type)
    # select a folder ACL
    $acl=get-acl $directory
    # Add the new rule
    $acl.AddAccessRule($ace)
    # set the rule on the folder
    set-acl -aclobject $acl -Path $directory


    ¯\_(ツ)_/¯

    • Proposed as answer by Bigteddy Tuesday, August 28, 2012 3:15 PM
    Tuesday, August 28, 2012 3:12 PM
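
The approach the answers above describe (add one inheritable ACE to the root's existing DACL, then find children where inheritance is blocked), as an added example that is not code from any poster in this thread. It uses ContainerInherit and ObjectInherit with no propagation flags so the rule covers the root, subfolders and files, which is a different flag choice from the reply above; the path and group name are the thread's placeholders.

```powershell
# Added example. $Root and $Identity are the placeholder values used in the thread.
$Root     = 'Q:\Projects\GRP\12\12000'
$Identity = 'Domain_Name\Domain Users'

# ContainerInherit + ObjectInherit with PropagationFlags None:
# the ACE applies to the root itself and is inherited by subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$modify    = [System.Security.AccessControl.FileSystemRights]::Modify
$account   = New-Object System.Security.Principal.NTAccount($Identity)
$sid       = $account.Translate([System.Security.Principal.SecurityIdentifier])
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, $modify, $inherit, $propagate, 'Allow')

# Add to the existing DACL of the root only; the ACEs already there are kept.
$acl = Get-Acl -Path $Root
$acl.AddAccessRule($ace)
Set-Acl -Path $Root -AclObject $acl

# No Set-Acl call is made on children. Report the ones the rule does not reach:
# inheritance is blocked, or no Allow entry grants Modify to the group.
Get-ChildItem -Path $Root -Recurse -Force | ForEach-Object {
    $childAcl = Get-Acl -LiteralPath $_.FullName
    # Compare by SID so the result does not depend on how the name is displayed.
    $rules = $childAcl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $hasRule = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify
    }
    if ($childAcl.AreAccessRulesProtected -or -not $hasRule) {
        [pscustomobject]@{
            Path               = $_.FullName
            InheritanceBlocked = $childAcl.AreAccessRulesProtected
            HasModifyForGroup  = [bool]$hasRule
        }
    }
}
```

Any path this reports is one where inheritance was deliberately or accidentally blocked, which is the case the accepted answer says needs investigation before changing anything.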
  • Excellent, thank you jrv.  This gives me great information to work with.  Much appreciated.
    • Marked as answer by IT_Vision Tuesday, August 28, 2012 4:53 PM
    • Unmarked as answer by IT_Vision Tuesday, August 28, 2012 4:53 PM
    Tuesday, August 28, 2012 4:53 PM