Use Set-SecurityDescriptor from Module PowerShellAccessControl to set SDDL

This topic contains 2 replies, has 2 voices, and was last updated by Simptnon7 11 months, 1 week ago.

  • #32094
    Simptnon7

    With the code below I can set the ACLs of a directory with an SDDL string:

    $theSddl = "O:S-1-5-21-......-......-.......-1000G:S-1-5-21-.....-.......-........-
    $SD = New-AdaptedSecurityDescriptor -Sddl $theSddl -Path $thePath -AccessMaskEnumeration ([PowerShellAccessControl.WmiNamespaceRights]) 
    Set-SecurityDescriptor -SDObject $SD -Path $thePath -Force

    But the problem is that the rights are not set correctly, as they were on the source folder.
    The network user has special rights after setting the SDDL instead of only the right to execute the folder.

    Module: PowerShellAccessControl

    With this method

    $aclObj = Get-Acl $thePath
    Set-Acl -Path $thePath -AclObject $aclObj

    it works correctly, but this is not compatible with path names longer than 260 characters.

  • #32097
    Rohn Edwards

    The problem is that New-AdaptedSecurityDescriptor is creating a security descriptor for an object that can't contain children, i.e., a file. That means that the flags that are contained for all of the ACEs in the SDDL string are ignored, and each ACE is set to apply only to the object.

    In this case, the NETWORK account ACE is the only one that's explicitly set, so it's the only one being applied to the destination folder, so it's the only one that appears to be incorrect. The underlying SD has all of the ACEs with incorrect flags, though.

    To fix it, you need to create a SD for a container. To do that, use the -IsContainer flag when calling New-AdaptedSecurityDescriptor:

    $SD = New-AdaptedSecurityDescriptor -Sddl $theSddl -IsContainer
    Set-SecurityDescriptor -SDObject $SD -Path $thePath -Force
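
    As an added illustration of the container versus non-container point in the answer above (this is example code written for this page, not the module's code and not from the thread), the script below parses one SDDL string twice with the .NET CommonSecurityDescriptor class, once as a container and once as a leaf object, and lists the ACE flags each parse keeps. It assumes a constructed SDDL sample and the hypothetical helper names Get-SddlAceTable and Test-SddlInheritancePreserved; the check can be run before calling Set-SecurityDescriptor on a directory.

```powershell
# Added example for this page, not from the thread or the PowerShellAccessControl module.
# Parses an SDDL string as a container SD and as a non-container SD so the
# inheritance flags (OI/CI) kept by each parse can be compared side by side.
function Get-SddlAceTable {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][bool]$IsContainer
    )
    # isDS = $false: a file-system style descriptor, not a directory-service object.
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($IsContainer, $false, $Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        [pscustomobject]@{
            Sid        = $ace.SecurityIdentifier.Value
            AccessMask = ('0x{0:x}' -f $ace.AccessMask)
            AceFlags   = $ace.AceFlags   # OI/CI flags are only meaningful on containers
        }
    }
}

# Returns $true only if every ACE carries the same flags whether the SD is
# built as a container or not, i.e. nothing is lost without -IsContainer.
function Test-SddlInheritancePreserved {
    param([Parameter(Mandatory)][string]$Sddl)
    $asContainer    = @(Get-SddlAceTable -Sddl $Sddl -IsContainer $true  | Sort-Object Sid, AccessMask)
    $asNonContainer = @(Get-SddlAceTable -Sddl $Sddl -IsContainer $false | Sort-Object Sid, AccessMask)
    if ($asContainer.Count -ne $asNonContainer.Count) { return $false }
    for ($i = 0; $i -lt $asContainer.Count; $i++) {
        if ($asContainer[$i].AceFlags -ne $asNonContainer[$i].AceFlags) { return $false }
    }
    return $true
}

# Constructed sample SDDL: Administrators (BA) full control inherited by subfolders
# and files (OICI); NETWORK (NU) gets traverse/execute on the folder itself only.
$sampleSddl = 'O:BAG:BAD:(A;OICI;FA;;;BA)(A;;0x100020;;;NU)'

'Parsed as container (what -IsContainer produces):'
Get-SddlAceTable -Sddl $sampleSddl -IsContainer $true  | Format-Table -AutoSize
'Parsed as non-container (what the original call produced):'
Get-SddlAceTable -Sddl $sampleSddl -IsContainer $false | Format-Table -AutoSize

'Inheritance flags preserved without -IsContainer:'
Test-SddlInheritancePreserved -Sddl $sampleSddl
```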
  • #32139
    Simptnon7

    Thank you very much for your detailed answer, it works!
