GET-ACL, SET-ACL

Post by IT STAF » Tue, 29 Jul 2008 17:56:52


Usually I would do a $permission = Get-ACL -Path "d:\xxx", and then apply a
Set-Acl $dir -AclObject $permission

However, I would like it to be more granular.

E.g. can I do a get-acl -path "d:\xxx" Administrators only? Then I do a
set-acl $dir -aclobject administrators full control?

Can the above be done?
 
 
 

Post by Marco Shaw » Tue, 29 Jul 2008 21:19:37


An example of creating your own rule object, then applying it:

PS>$permission=new-object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl","Allow")
PS>set-acl $dir -acl $permission

Or, you can just do something like this:
PS>$acl=get-acl .
PS>$permission=$acl.access[0] <-- You just need to determine if element 0
is the one you're looking for by displaying it or "inspecting" it if the
element can be dynamic.

Dynamic element #:
PS>$acl.access|where{$_.IdentityReference -eq "BUILTIN\Administrators"}

Marco

--
*Microsoft MVP - Windows Server - Admin Frameworks
https://mvp.support.microsoft.com/profile/Marco.Shaw
*PowerShell Co-Community Director - http://www.yqcomputer.com/
*Blog - http://www.yqcomputer.com/

 
 
 

Post by IT STAF » Wed, 30 Jul 2008 17:56:38


Marco

Don't quite understand.


$dir = d:\test (I've made this folder not inherit from the d:\ drive, and
made the default administrators have modify permission only)

' Now I wish to apply administrators fullcontrol onto d:\test

PS>$permission=new-object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl","Allow")
PS>set-acl $dir -acl $permission

Set-Acl : Cannot bind parameter 'AclObject'. Cannot convert "System.Security.AccessControl.FileSystemAccessRule" to "System.Security.AccessControl.ObjectSecurity".
At line:1 char:21
+ set-acl d:\test -acl <<<< $permission
 
 
 

Post by x0 » Fri, 01 Aug 2008 05:26:10


Hi,

I think Marco dropped a step by accident; you need to add the new rule
to the old ACL before assigning it back:

ps >> $acl = get-acl c:\temp
ps >> $rule = new-object security.accesscontrol.filesystemaccessrule "guest","fullcontrol","deny"
ps >> $acl.addaccessrule($rule)
ps >> $acl | set-acl c:\temp

Step 4 could be replaced with:

ps >> set-acl -path c:\temp -aclobject $acl

Hope this helps,

- Oisin
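
Added example, not part of any post in this thread: the read-modify-write sequence above applied to the original question, changing only the Administrators entry and checking that every other entry is left alone. The sandbox folder under $env:TEMP and the helper name Get-SidAce are assumptions made for the example.

```powershell
# Constructed sandbox folder (assumption) so no real data is touched.
$dir = Join-Path $env:TEMP 'acl-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Well-known SID of BUILTIN\Administrators; avoids localized group names.
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

# Hypothetical helper: all ACEs on a path (explicit and inherited), trustees as SIDs.
function Get-SidAce($path) {
    (Get-Acl -Path $path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
}
function Format-Ace($ace) {
    '{0} {1} {2} inherited={3}' -f $ace.IdentityReference.Value,
        $ace.AccessControlType, $ace.FileSystemRights, $ace.IsInherited
}

# Snapshot of every entry that does NOT belong to Administrators.
$othersBefore = @(Get-SidAce $dir |
    Where-Object { $_.IdentityReference.Value -ne $admins.Value } |
    ForEach-Object { Format-Ace $_ })

# Set-Acl takes the whole security descriptor (ObjectSecurity), never a bare rule:
# read the descriptor, change one entry in it, write the descriptor back.
$acl     = Get-Acl -Path $dir
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $admins,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# SetAccessRule replaces explicit Allow entries for this SID (e.g. an explicit Modify);
# AddAccessRule, as used in the thread, merges with them. Inherited entries are untouched.
$acl.SetAccessRule($rule)
Set-Acl -Path $dir -AclObject $acl

# Verify: Administrators now hold FullControl, and the other entries are unchanged.
Get-SidAce $dir | Where-Object { $_.IdentityReference.Value -eq $admins.Value } |
    ForEach-Object { Format-Ace $_ }
$othersAfter = @(Get-SidAce $dir |
    Where-Object { $_.IdentityReference.Value -ne $admins.Value } |
    ForEach-Object { Format-Ace $_ })
if (Compare-Object $othersBefore $othersAfter) { Write-Warning 'Non-Administrators entries changed' }
else { 'Other entries unchanged' }
```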