Running icacls in script not working correctly with /grant

I have a script that will be used to reset permissions and I am having a problem only with one icacls command. Everything else works like a charm, this one just doesn’t: &$cmdSetUserFullPerms which is set as $cmdSetUserFullPerms = "icacls " + '"' + $usershareParent + '"' + " /grant " + '"' + $username + '"' + ":F"

I’ve played around a few times and can’t get it to work. Below is the entire script:


############################################
# Reset Permissions
############################################

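# Load the assembly that provides [System.Windows.Forms.MessageBox]
Add-Type -AssemblyName System.Windows.Forms

# Test for subinacl application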
if (-not (test-path c:\ResetSharePermissions\subinacl.exe))
    {
        [System.Windows.Forms.MessageBox]::Show("ERROR: Missing 'C:\ResetSharePermissions\subinacl.exe'
                Install file and rerun script")
    }
else
    {
        $subinaclExists = "yes"
    }
# Test for usernames.csv file
if (-not (test-path c:\ResetSharePermissions\usernames.csv))
    {
        [System.Windows.Forms.MessageBox]::Show("ERROR: Missing 'C:\ResetSharePermissions\usernames.csv'
                Add missing file and rerun script")
    }
else
    {
        $usernamesExists = "yes"
    }
# --------------------------------------------------

#Validate two files exist and run script
if ($usernamesExists -eq "yes" -And $subinaclExists -eq "yes")
    {
        # **BEGIN PROCESSING**
        # --------------------------------------------------
        # Prompt for share path
        $sharepath = Read-Host -Prompt "Input path name
            ex: c:\users\ or \\servername\share\subfolder\
            Ensure to include \ at the end of your path."
        # Create variable to test for last backslash '\' in share path
        $a=$sharepath
        $a=$a.substring($a.length -1, 1)
        # Add missing backslash from end of path
        if ($a -ne "\")
            {
                $sharepath = $sharepath + "\"
            }

        # --------------------------------------------------
        # Get current Date-Time
        $dte = get-date -f yyyy-MM-dd_HHmm
        "*******************************************************"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
        "****Starting to reset permissions: " + $dte >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
        "*******************************************************"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
        "****Inputed Share Path: " + $sharepath   >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1

        # Import csv of users using usernames (***NOTE: Usernames must match folder names for this to work***)
        $list = Import-Csv C:\ResetSharePermissions\usernames.csv

        # --------------------------------------------------
        # Loop through each username in csv
        foreach ($entry in $list)
            {
                # Set new variables
                $dte = get-date -f yyyy-MM-dd_HHmm
                "*******************************************************"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "****Processing user '" + $($entry.username) + "' starting at: " + $dte  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "*******************************************************"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                $username = $($entry.username)
                $usershareParent = "$sharepath$($entry.username)"
                $cmdSetUserFullPerms = "icacls " + '"' + $usershareParent + '"' + " /grant " + '"' + $username + '"' + ":F"
                $usershareParent = '"' + $usershareParent + '"'
                $usershareSubfolder1 = "$sharepath$($entry.username)\*.*"
                $usershareSubfolder1 = '"' + $usershareSubfolder1 + '"'
                $usershareSubfolder2 = "$sharepath$($entry.username)\*"
                $usershareSubfolder2 = '"' + $usershareSubfolder2 + '"'
                "sharepath $sharepath"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "username $username"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "usershareparent $usershareparent" >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "usersharesubfolder1 $usersharesubfolder1" >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "usersharesubfolder2 $usersharesubfolder2" >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                # Add '> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "****Set Administrators as owner for parent folder"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                & 'C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe' /file $usershareParent /setowner=Administrators  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "****Set Administrators as owner on subfolders"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                & 'C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe' /subdirectories $usershareSubfolder1 /setowner=Administrators  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "****Remove inheritance on all subfolders"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                & icacls $usershareSubfolder2 /inheritance:r /T  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "****Remove inheritance on parent folder"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                & icacls $usershareParent /inheritance:r /T  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "****Grant Administrators Full permissions on parent folder"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                & icacls $usershareParent /grant Administrators:F /t /c /Q  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "****Grant SYSTEM Full permissions on parent folder"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                & icacls $usershareParent /grant SYSTEM:F /t /c /Q  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "****Grant " + $username + " Full permissions on parent folder"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "COMMMAND:  " + $cmdSetUserFullPerms >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                &$cmdSetUserFullPerms  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                #& icacls "z:\test1" /grant test1:F /t /c /Q >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "****Set inheritance on all subfolders"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                & icacls $usershareSubfolder2 /inheritance:e /T  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                "****Processing Complete for user " + $username + " ending at " + $dte  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                #> 
                #End of user processing loop
            }
    # **END PROCESSING**
    }
"*******************************************************"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
"****SHARE PERMISSIONS SCRIPT COMPLETED"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
#Rename log file
cd c:\ResetSharePermissions
rename-item ResetSharePermissions.log -newname ("ResetSharePermissions_" + $dte + ".log")

I can run: icacls "z:\test1" /grant test1:F /t /c /Q and it works just fine but the icacls line with /inheritance runs fine in the script.

This is what I get as an error:

The term 'icacls "z:\test1" /grant "test1":F' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At \chartwellfile\View_UserData\administrator\desktop\ResetSharePermissions.ps1:100 char:18

+             & <&1
    + CategoryInfo : ObjectNotFound: (icacls "z:\test1" /grant "test1":F:String) , CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Thank you,
Dan

You get a quoting error somewhere. It’s a common problem with external commands.

I suggest you rework external command execution this way.
(May need some quote fixing)

$arguments = $usershareParent, "/grant", "${username}:F"

arguments array

and use it as
& icacls $arguments

and, please, use boolean $true instead of string 'yes' :slight_smile:

$subinaclExists = $true
$usernamesExists = $true
if ($subinaclExists -and $usernamesExists) { … }

also, instead of (or with) the messagebox you can use error throwing, and then you do not need these variables at all

if (…) {
throw 'error'
}
do-something
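
The failure and the argument-array fix discussed in this thread, as an added example that is not part of either poster's message. The scratch folder under $env:TEMP and the use of the current user as the grantee are assumptions made here so the run touches nothing real.

```powershell
# Added example: scratch folder and current user are assumed, constructed inputs.
$folder   = Join-Path $env:TEMP 'icacls demo'   # space in the name on purpose
$username = $env:USERNAME
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 1) The failing pattern. The call operator (&) takes ONE command name; it does
#    not parse a command line, so the whole string is looked up as a program.
$cmdLine = 'icacls "' + $folder + '" /grant "' + $username + '":F'
try   { & $cmdLine }
catch { "call operator on a full command line: $($_.FullyQualifiedErrorId)" }

# 2) String-expansion trap. "$username:F" is read as variable 'F' in the
#    scope/drive named 'username', so the account name vanishes from the
#    argument. Delimit the variable name with ${}.
$grant = "${username}:F"

# 3) Working pattern. Command name and arguments stay separate. PowerShell
#    quotes each element that needs it, so the path must not be wrapped in
#    literal quote characters.
$arguments = @($folder, '/grant', $grant, '/T', '/C', '/Q')
& icacls.exe $arguments
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Show the resulting ACL, then remove the scratch folder.
& icacls.exe $folder
Remove-Item -Path $folder -Recurse -Force
```

Keeping values read from usernames.csv as separate array elements also means they are only ever passed as data to icacls, never re-parsed as part of a command line.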