ACL with Powershell System.Security.AccessControl

Hello Powershell Community,

I’m trying to set an ACL on a folder with this script:

# add a new permission
$user = "$HostName\Administrator"
$InheritanceFlags="ContainerInherit,ObjectInherit"
$FileSystemAccessRights="Traverse,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ReadPermissions"
$PropagationFlags="None"
$AccessControl="Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(@($user), @($InheritanceFlags), @($PropagationFlags), @($AccessControl), @($FileSystemAccessRights))
#$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$Hostname\Administrator",$FileSystemAccessRights)

$acl.SetAccessRule($rule)

# set new permissions
$path1.SetAccessControl($acl)

The only thing I get is an error:
new-object : cannot find an overload for “FileSystemAccessRule” and the argument 4

I don’t know why… thx for help.

You need to create an NTAccount object and pass that instead of the “Domain\User” string, and there is no need to convert variables to arrays, e.g.:

$NTAccount = New-Object -TypeName System.Security.Principal.NTAccount($Hostname, "Administrator")
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($NTAccount, $FileSystemAccessRights, $InheritanceFlags, $PropagationFlags, $AccessControl)

To make these lines shorter, put this line at the very top of your script:

# This must be the first line in your script
using namespace System.Security

Then you can omit the namespace and simply write:

$Rule = New-Object AccessControl.FileSystemAccessRule(<# ... #>)

For more information about this constructor see:

For more information about FileSystemAccessRule Class see:

Hello MetaBlaster ^^

Thank you so much ^^ it’s working fine!

And how do I disable inheritance and replace all child object permissions…?
I don’t understand this part very well…

I’m not 100% sure but I think it should look like this:

using namespace System.Security

$LiteralPath = "C:\TestFolder"
$AccessControl = "Allow"

[AccessControl.InheritanceFlags] $InheritanceFlags = "ContainerInherit, ObjectInherit"
[AccessControl.PropagationFlags] $PropagationFlags = "NoPropagateInherit"

# $Hostname and $FileSystemAccessRights are set as in the earlier script
$NTAccount = New-Object Principal.NTAccount($Hostname, "Administrator")
$Rule = New-Object AccessControl.FileSystemAccessRule($NTAccount, $FileSystemAccessRights, $InheritanceFlags, $PropagationFlags, $AccessControl)

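$Acl = Get-Acl -LiteralPath $LiteralPath
# First argument $true: protect this folder from inheritance; second argument $false: do not keep the inherited rules
$Acl.SetAccessRuleProtection($true, $false)
$Acl.SetAccessRule($Rule)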

Set-Acl -AclObject $Acl -LiteralPath $LiteralPath -ErrorAction Stop

In any case you’ll need to write a for loop if you want to recursively set permissions; the API does not expose recursive functionality.

I suggest that you read the MS documentation I gave you; it explains things in detail and gives some sample code that you need to convert to PS to learn more.

WARNING
Make sure you do not test your code for real against an operating system directory tree. If something goes wrong, in most cases there is no way to recover, so always do this against test folders.
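An added example, not part of the original thread: it protects a folder from inheritance, replaces its rules, then loops over the children so they carry only what they inherit from that folder. The `AclDemo` test tree under the temp directory and the two trustees (the current user and BUILTIN\Administrators) are assumptions chosen for illustration.

```powershell
# Constructed test tree under the temp directory; never point this at a system path.
$root = Join-Path ([IO.Path]::GetTempPath()) 'AclDemo'
New-Item -ItemType Directory -Path (Join-Path $root 'Sub') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $root 'Sub\file.txt') -Value 'demo'

# Typed variables: a misspelled right or flag fails on assignment, not inside the constructor.
[Security.AccessControl.FileSystemRights] $rights = 'Traverse, ExecuteFile, ListDirectory, ReadData, ReadAttributes, ReadExtendedAttributes, CreateFiles, WriteData, ReadPermissions'
[Security.AccessControl.InheritanceFlags] $inherit = 'ContainerInherit, ObjectInherit'
[Security.AccessControl.PropagationFlags] $propagate = 'None'
[Security.AccessControl.AccessControlType] $type = 'Allow'
$sidType = [Security.Principal.SecurityIdentifier]

# Trustees (assumed for the demo). The current user keeps FullControl so the tree stays manageable.
$me     = [Security.Principal.WindowsIdentity]::GetCurrent().User
$admins = $sidType::new([Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

# Five-argument constructor order: identity, rights, inheritance flags, propagation flags, Allow/Deny.
$rules = @(
    [Security.AccessControl.FileSystemAccessRule]::new($me, [Security.AccessControl.FileSystemRights]::FullControl, $inherit, $propagate, $type)
    [Security.AccessControl.FileSystemAccessRule]::new($admins, $rights, $inherit, $propagate, $type)
)

# Root folder: stop inheriting from the parent, drop inherited and explicit rules, add ours.
$acl = Get-Acl -LiteralPath $root
$acl.SetAccessRuleProtection($true, $false)
foreach ($old in $acl.GetAccessRules($true, $false, $sidType)) { $acl.RemoveAccessRuleSpecific($old) }
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -LiteralPath $root -AclObject $acl -ErrorAction Stop

# Children: re-enable inheritance and remove explicit rules, so only inherited entries remain.
foreach ($item in Get-ChildItem -LiteralPath $root -Recurse -Force) {
    $childAcl = Get-Acl -LiteralPath $item.FullName
    $childAcl.SetAccessRuleProtection($false, $false)
    foreach ($old in $childAcl.GetAccessRules($true, $false, $sidType)) { $childAcl.RemoveAccessRuleSpecific($old) }
    Set-Acl -LiteralPath $item.FullName -AclObject $childAcl -ErrorAction Stop
}

# Check: the root should be protected, and children should have zero explicit rules.
foreach ($path in @($root) + (Get-ChildItem -LiteralPath $root -Recurse -Force).FullName) {
    $check = Get-Acl -LiteralPath $path
    [pscustomobject]@{
        Path          = $path
        Protected     = $check.AreAccessRulesProtected
        ExplicitRules = $check.GetAccessRules($true, $false, $sidType).Count
    }
}
```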

Hello MetaBlaster ^^

Thx again for your help !
I will read it :wink:

Have a nice day!