Set-ACL...special Permissions

Welcome Forums General PowerShell Q&A Set-ACL...special Permissions

This topic contains 1 reply, has 2 voices, and was last updated by

 
Participant
1 week, 5 days ago.

  • Author
    Posts
  • #138892

    Participant
    Points: 55
    Rank: Member

    I have noticed that in production, when I give a user Full Control ACL permissions, it shows up as 'Special Permissions' from within Windows Properties (Right click folder -> Properties -> Security) as 'Special Permissions'.  ACL output does reflect Fullcontrol.  Should I disregard and be confident the user(s) do in fact have Full Control?

     

    Reproduced the issue here:

    $permission = "w10-bchome\bri","FullControl", "Allow"
    $Path = "c:\Utility\test"
    $acl = get-acl $Path
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($AccessRule)
    $Acl | Set-Acl $Path

     

    $ACL Output

    Path : Microsoft.PowerShell.Core\FileSystem::C:\Utility\test
    Owner : W10-BCHOME\bclanton
    Group : W10-BCHOME\None
    Access : NT AUTHORITY\SYSTEM Allow FullControl
    W10-BCHOME\Administrator Allow FullControl
    W10-BCHOME\bclanton Allow FullControl
    W10-BCHOME\bri Allow FullControl
    Audit :
    Sddl : O:S-1-5-21-1073379331-2122356694-3448876220-1001G:S-1-5-21-1073379331-2122356694-3448876220-513D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;LA)(A;OICI;FA;;;S-1-5-21-1073379331-2122356694-3448876220-1
    001)(A;;FA;;;S-1-5-21-1073379331-2122356694-3448876220-1002)

    When I right click the folder, it just shows "Special Permissions".

    What I want to do is give them full permissions of the folder and sub folders and files.   The special permission only gives them full control of the folder.

  • #138907

    Participant
    Points: 781
    Helping Hand
    Rank: Major Contributor

    Inheritance settings are key. Remember even in that GUI, it will not populate downward, until you tell it to, which is of course a separate selection in the GUI as well.

    As for this....

    What I want to do is give them full permissions of the folder and sub folders and files. The special permission only gives them full control of the folder.

    Consider using this module to ease this for you...

    File System Security PowerShell Module 4.2.4
    Allows a much easier management of permissions on files and folders using PowerShell
    https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85

    ... or using the info here

    https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85

    See also:

    Windows PowerShell Tip of the Week
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-powershell-1.0/ff730951(v=technet.10)

    So, it means you end up with having to do stuff like this sample... (but again, that module above is easier IMHO)

    $user = "$env:USERDOMAIN\$env:USERNAME"
    $dfsfolder = "\\servername\c$\folder"
    $acl = get-acl -path $dfsfolder
    $new=$user,'FullControl','ContainerInherit,ObjectInherit','None','Allow'
    $accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $new
    $acl.AddAccessRule($accessRule)
    $acl | Set-Acl $dfsfolder
    

You must be logged in to reply to this topic.

denizli escort samsun escort muğla escort ataşehir escort kuşadası escort