locked
Set-Acl fails in V3 RRS feed

  • Question

  • I have a script that was working in V2 but fails in V3 when calling Set-Acl:

    Set-Acl : Cannot set the ACL because the method that it needs to invoke, SetSecurityDescriptor, does not exist

    Is there a different way to set file permissions in V3?

    Friday, April 26, 2013 1:49 PM

Answers

All replies

  • I just tested:

    $acl = get-acl c:\file.txt

    set-acl -path C:\file2.txt -aclobject $acl

    and it was fine. Are you doing a similar thing?


    G. Samuel Hays

    Friday, April 26, 2013 2:02 PM
  • Pretty much. Here's the snippet:

        $acl = Get-Acl $binDir
        $rights = [System.Security.AccessControl.FileSystemRights] "ReadAndExecute"
        $rightType = [System.Security.AccessControl.AccessControlType]::Allow
        $user = New-Object System.Security.Principal.NTAccount($username)
        $inheritFlags = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit,ObjectInherit"
        $propagationFlags = [System.Security.AccessControl.PropagationFlags]::None
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule ($user, $rights, $inheritFlags, $propagationFlags, $rightType)
        $acl.AddAccessRule($ace)
        Set-Acl $binDir $acl

    Friday, April 26, 2013 2:10 PM
  • Actually, this fails for me (my original script is also doing the work in a separate shell, and using Resolve-Path - if I eliminate either one of those the script works in V3):

    powershell -command {
      $path = "c:\temp"
      $path = Resolve-Path $path
      $acl = Get-Acl $path
      Set-Acl $path $acl
    }

    Friday, April 26, 2013 2:59 PM
  • Adding -version 2.0 also works for this simple script, but causes other problems in my original script (which I won't go into here):

    powershell -version 2.0 -command {
      $path = "c:\temp"
      $path = Resolve-Path $path
      $acl = Get-Acl $path
      Set-Acl $path $acl
    }

    Friday, April 26, 2013 3:29 PM
  • Get-acl and Set-ACL are pretty rough regardless of the version, check out the module from Raimund Andree here:

    http://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85


    Hope that helps! Jason

    • Marked as answer by Yan Li_ Monday, May 6, 2013 2:58 AM
    Friday, April 26, 2013 3:39 PM
  • Hi,

    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.

     

    If you have any feedback on our support, please click here .

     


    Cataleya Li
    TechNet Community Support

    Monday, April 29, 2013 6:01 AM
  • It doesn't inspire confidence in the Powershell platform when the answer is essentially "The built in commands are flaky - go get a community-provided module".

    Thanks anyway.

    Monday, May 6, 2013 1:45 PM
  • This issue(?) is still around on Server 2012 R2..

    You cannot use this command without specifying the properties;

    set-acl $bindir $acl

    the following worked for me;

    set-acl -Path $bindir -AclObject $acl

    Monday, March 10, 2014 2:43 AM
  • This fixed this script for me, and saved my day: http://community.spiceworks.com/scripts/show/2048-change-permissions-to-ntfs-folders-using-the-folder-name
    Friday, April 4, 2014 7:18 PM
  • This seems to have done the trick for me too - many thanks!
    Friday, April 4, 2014 7:22 PM
  • It wasn't specifically called out in this thread, but I assume that $binDir is a DirectoryInfo object that you obtained via Get-Item or something like that.  When you call Set-Acl with positional parameters and pass a DirectoryInfo object (or basically any non-string object), it binds to the -InputObject parameter instead of -Path.

    As has been pointed out, you can avoid this binding hiccup by specifying the -Path parameter by name (or by casting your $binDir variable to a string, or passing in $binDir.FullName to Set-Acl), instead of passing the DirectoryInfo object by position. You can also call $acl | Set-Acl in all versions, if you obtained $acl from the Get-Acl cmdlet (the Path parameter will bind by property name, and AclObject will bind by value.)

    Friday, April 4, 2014 7:44 PM
  • Makes perfect sense. I guess a better error message in this case would help diagnose potential argument binding problems. Thanks
    Friday, April 4, 2014 9:05 PM