Set-ACL...special Permissions

brian-clanton · February 9, 2019, 7:16pm

I have noticed that in production, when I give a user Full Control ACL permissions, it shows up as ‘Special Permissions’ from within Windows Properties (Right click folder -> Properties -> Security) as ‘Special Permissions’. ACL output does reflect Fullcontrol. Should I disregard and be confident the user(s) do in fact have Full Control?

Reproduced the issue here:

$permission = "w10-bchome\bri","FullControl", "Allow"
$Path = "c:\Utility\test"
$acl = get-acl $Path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($AccessRule)
$Acl | Set-Acl $Path

$ACL Output

Path : Microsoft.PowerShell.Core\FileSystem::C:\Utility\test Owner : W10-BCHOME\bclanton Group : W10-BCHOME\None Access : NT AUTHORITY\SYSTEM Allow FullControl W10-BCHOME\Administrator Allow FullControl W10-BCHOME\bclanton Allow FullControl W10-BCHOME\bri Allow FullControl Audit : Sddl : O:S-1-5-21-1073379331-2122356694-3448876220-1001G:S-1-5-21-1073379331-2122356694-3448876220-513D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;LA)(A;OICI;FA;;;S-1-5-21-1073379331-2122356694-3448876220-1 001)(A;;FA;;;S-1-5-21-1073379331-2122356694-3448876220-1002)

When I right click the folder, it just shows "Special Permissions".

What I want to do is give them full permissions of the folder and sub folders and files. The special permission only gives them full control of the folder.

postanote · February 9, 2019, 11:06pm

Inheritance settings are key. Remember even in that GUI, it will not populate downward, until you tell it to, which is of course a separate selection in the GUI as well.

As for this…

What I want to do is give them full permissions of the folder and sub folders and files. The special permission only gives them full control of the folder.

Consider using this module to ease this for you…

File System Security PowerShell Module 4.2.4 Allows a much easier management of permissions on files and folders using PowerShell https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85

… or using the info here

https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85

See also:

Windows PowerShell Tip of the Week https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-powershell-1.0/ff730951(v=technet.10)

So, it means you end up with having to do stuff like this sample… (but again, that module above is easier IMHO)

$user = "$env:USERDOMAIN\$env:USERNAME"
$dfsfolder = "\\servername\c$\folder"
$acl = get-acl -path $dfsfolder
$new=$user,'FullControl','ContainerInherit,ObjectInherit','None','Allow'
$accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $new
$acl.AddAccessRule($accessRule)
$acl | Set-Acl $dfsfolder

Topic		Replies	Views
Setting folder ACL with PowerShell PowerShell Help	1	164	July 2, 2020
Setting Folder ACL PowerShell Help	24	166	June 28, 2016
List individual Access Permissions PowerShell Help	3	150	May 27, 2015
Help with Get-ACL PowerShell Help	4	131	June 3, 2016
Pull special permission entries from advanced security settings for share folders PowerShell Help	6	446	April 6, 2023

Set-ACL...special Permissions

Related Topics