Set-Acl -> Access denied

This topic contains 0 replies, has 1 voice, and was last updated by Forums Archives 5 years, 3 months ago.

    #5925

    by roovee at 2012-09-21 04:43:43

    Hi all

    I created a PowerShell script which deletes folder permissions and sets new ones on the user profile folder, which is stored on a file server. The permissions of the user are not inherited; they are set directly on it.

    The script works fine as long as the flag "Include inheritable permissions from this object's parent" is set. If I remove the flag and choose "Add", then the following error message is shown after running the script:

    ERROR: Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
    set_ntfs_folder_permissions.ps1 (55): ERROR: At Line: 55 char: 16
    ERROR: + Set-ACL <<<< $SNA_Profilshare $ACL
    ERROR: + CategoryInfo : PermissionDenied: (\\wma271740\c$\test\marcgenn:String) [Set-Acl], PrivilegeNotHeldException
    ERROR: + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand
    ERROR: ACE for prod\marcgenn on \\wma271740\c$\test\marcgenn successfully removed
    ERROR: Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
    set_ntfs_folder_permissions.ps1 (83): ERROR: At Line: 83 char: 8
    ERROR: + Set-ACL <<<< $SNA_Profilshare $acl
    ERROR: + CategoryInfo : PermissionDenied: (\\wma271740\c$\test\marcgenn:String) [Set-Acl], PrivilegeNotHeldException
    ERROR: + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand

    Script:
    #Global parameters
    $Profilserver = "\\wma271740\c$\test"
    #Get directory folders (one per user profile)
    $folders = Get-ChildItem -Path $Profilserver | Where-Object {$_.PsIsContainer -eq $true} | Select-Object Name

    #Logfile: profile server and folders
    #####################################start_script#########################################################
    $logfile_Profileserver = "c:\temp\log_profile.txt"
    Get-Date | Set-Content $logfile_Profileserver

    "Profilserver: $Profilserver" | Add-Content $logfile_Profileserver
    foreach ($log_folder in $folders)
    {
        $log_folder.Name | Add-Content $logfile_Profileserver
    }
    #######################################end_script#########################################################

    #Function: set new ACL

    function setnewacl($SNA_folder,$SNA_Profilserver)
    {
        #Logfile
        ##########start##########
        $logfile_Profileserver_Action = "c:\temp\log_profile_action.txt"
        Get-Date | Add-Content $logfile_Profileserver_Action
        "SNA_Folder: $SNA_folder" | Add-Content $logfile_Profileserver_Action
        "SNA_Profileserver: $SNA_Profilserver" | Add-Content $logfile_Profileserver_Action
        ##########end##########

        #ACL remove
        #####################################start_script#########################################################
        $SNA_Profilshare = "$SNA_Profilserver\$SNA_folder"
        $IdentityRef = "prod\$SNA_folder" #User or group

        #Logfile
        ##########start##########
        "SNA_Profilshare: $SNA_Profilshare" | Add-Content $logfile_Profileserver_Action
        "IdentityRef: $IdentityRef" | Add-Content $logfile_Profileserver_Action
        ##########end##########

        $ACL = Get-Acl $SNA_Profilshare
        #ACEs that name this identity; an empty result means there is nothing to remove
        $ACEs = $ACL.Access | Where-Object {$_.IdentityReference -eq $IdentityRef}
        if (-not $ACEs)
        {
            "`r`n no ACE for $IdentityRef present on $SNA_Profilshare" | Add-Content $logfile_Profileserver_Action
            "no ACE for $IdentityRef present on $SNA_Profilshare"
        }
        $ACEs | ForEach-Object {
            try
            {
                $null = $ACL.RemoveAccessRule($_)
                #Set-Acl errors are non-terminating by default; -ErrorAction Stop makes the catch block see them
                Set-Acl $SNA_Profilshare $ACL -ErrorAction Stop
                "`r`n ACE for $IdentityRef on $SNA_Profilshare successfully removed" | Add-Content $logfile_Profileserver_Action
                "ACE for $IdentityRef on $SNA_Profilshare successfully removed"
            }
            catch
            {
                "`r`n ACE for $IdentityRef on $SNA_Profilshare could not be removed: $($_.Exception.Message)" | Add-Content $logfile_Profileserver_Action
                "ACE for $IdentityRef on $SNA_Profilshare could not be removed: $($_.Exception.Message)"
            }
        }
        #####################################end_script#########################################################

        #ACL define and set
        #####################################start_script#########################################################

        #Define parameters
        $person = [System.Security.Principal.NTAccount]"Prod\$SNA_folder"
        $access = [System.Security.AccessControl.FileSystemRights]"Modify"
        $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
        $propagation = [System.Security.AccessControl.PropagationFlags]"None"
        $type = [System.Security.AccessControl.AccessControlType]"Allow"
        $acl = Get-Acl $SNA_Profilshare

        #Create the access rule object based on the previous parameters
        $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($person,$access,$inheritance,$propagation,$type)

        #Add the new access rule to the existing ACL so that the inherited permissions are still there
        $acl.AddAccessRule($accessRule)
        Set-Acl $SNA_Profilshare $acl

        " `r`n ##############End#################### `r`n" | Add-Content $logfile_Profileserver_Action
        #####################################end_script#########################################################
    }

    foreach ($folder in $folders)
    {
        setnewacl $folder.Name $Profilserver
    }

    by poshoholic at 2012-09-21 07:44:01

    You can adjust the permissions for the current token, and that should allow you to do what you are trying to do. See Lee Holmes' blog post with a script that allows for token privilege adjustment here:
    http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/

    by roovee at 2012-09-24 02:23:46

    Thanks for your answer.

    I was able to solve the problem. The reason was as described in the solution from "poshoholic".
    The PowerShell console, or rather my PowerShell editor, has to be started "as administrator".
    Because my user is a member of the local Administrators group I didn't do this, and so not all the needed token privileges were loaded.
    So in the end the solution described by "poshoholic" was not necessary in this case, but it was very helpful for finding the problem.

    You can check the privileges with the command "whoami /priv" in the PowerShell console.

    Thanks for the help.
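Added example, not code from the thread or its posters: a pre-flight check that turns the advice in the last post (run elevated, inspect "whoami /priv") into something the script can enforce before it touches any ACL, followed by the ACL change the first post makes through the GUI checkbox done in script instead. The profile path and the prod\... account are placeholders; Get-TokenPrivilege assumes the English three-column layout of "whoami /priv" output, and every function name here is an assumption of this example.

```powershell
# Added example, not code from the original thread. The path, the account
# and the function names are assumptions of this example.

function Test-IsElevated {
    # True only for an elevated (unfiltered) administrator token. A member of
    # the local Administrators group who starts PowerShell without
    # "Run as administrator" gets a UAC-filtered token and this returns $false.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TokenPrivilege {
    # Parses "whoami /priv" (the check suggested in the thread) into objects.
    # Assumes English output with the usual columns: Name, Description, State.
    whoami /priv |
        Select-String -Pattern '^(Se\w+)\s+(.+?)\s+(Enabled|Disabled)\s*$' |
        ForEach-Object {
            [PSCustomObject]@{
                Name  = $_.Matches[0].Groups[1].Value
                State = $_.Matches[0].Groups[3].Value
            }
        }
}

function Assert-SetAclPrerequisites {
    param([string]$Privilege = 'SeSecurityPrivilege')
    if (-not (Test-IsElevated)) {
        throw "Not elevated: start PowerShell 'as administrator' so UAC does not filter the token."
    }
    $priv = Get-TokenPrivilege | Where-Object { $_.Name -eq $Privilege }
    if (-not $priv) {
        throw "$Privilege is not in the token at all; grant the account the 'Manage auditing and security log' user right."
    }
    # Held but Disabled is fine: the .NET ACL classes enable a held privilege
    # on demand. A privilege absent from the token is the error in the thread.
    "$Privilege held (state: $($priv.State))"
}

function Set-ProtectedModifyAce {
    # Gives $Account an explicit Modify ACE and disables inheritance on $Path,
    # keeping the inherited ACEs as explicit copies (the GUI's "Add" choice).
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Account
    )
    Assert-SetAclPrerequisites | Out-Null
    $acl = Get-Acl -Path $Path

    # Drop any explicit ACE already granted to the account so the new one
    # is the only explicit entry for it.
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }

    $ruleArgs = $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)

    # isProtected=$true stops inheriting from the parent; preserveInheritance=$true
    # keeps the inherited ACEs as explicit ones ($false would discard them).
    $acl.SetAccessRuleProtection($true, $true)

    # Set-Acl errors are non-terminating by default; Stop makes them catchable.
    Set-Acl -Path $Path -AclObject $acl -ErrorAction Stop
}

# Usage (placeholder path and account), from an elevated session:
# Set-ProtectedModifyAce -Path '\\wma271740\c$\test\marcgenn' -Account 'prod\marcgenn'
```

Running Assert-SetAclPrerequisites first gives a one-line cause ("not elevated" versus "privilege not in token") instead of the PrivilegeNotHeldException buried in the log, and SetAccessRuleProtection replaces the manual checkbox step so the script behaves the same on every folder it visits.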
