I am working on a script to create A.D. groups and assign permissions to network shares. Group creation works just fine, and most of the time setting the ACLs works. But every once in a while it will set the ACL on the final directory but not on one of the parents. The methodology would be something like this:
    function _setNTFS {
        Param (
            [String]$sDir,
            [String]$sGroup,
            [String]$sPerm,
            [Bool]$inherit
        )
        $ACL = Get-Acl -Path $sDir
        # Constructor arguments for FileSystemAccessRule: 5-arg form with inheritance flags, 3-arg form without
        if ($inherit -eq $true) {
            $newACL = $sGroup, $sPerm, "ContainerInherit,ObjectInherit", "None", "Allow"
        } else {
            $newACL = $sGroup, $sPerm, "Allow"
        }
        $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule $newACL
        $ACL.AddAccessRule($newRule)
        try {
            $ACL | Set-Acl $sDir -ErrorAction Stop
            " Successfully Added $($sGroup) to directory $($sDir) with $($sPerm) permissions" | Out-File $sLogFile -Append
        } catch {
            " $($Error[0].ToString()) + $($Error[0].InvocationInfo.PositionMessage)" | Out-File $sLogFile -Append
            " RECOVERABLE ERROR = Failed to add $($sGroup) to directory $($sDir) with error above, please add manually" | Out-File $sLogFile -Append
        }
    }
I have a $Path variable which is the full path (e.g. P:\ACC\Collections\EDI\820\Variance Reports\UAT10).
I create an $aPath variable which is $Path split on "\".
There is already a group that sets Read and Execute at root folders of P (ACC), so I would begin applying permissions at Collections. I have a For loop that begins at $aPath[2] (Collections) and loops through all folders except the last, setting Read and Execute:
    for ($a = 2; $a -lt ($aPath.Count - 1); $a++) {
        $sStartDir += "\$($aPath[$a])"
        " Attempting to set Permissions at $($sStartDir)" | Out-File $sLogFile -Append
        _setNTFS -sDir $sStartDir -sGroup $groupName -sPerm "ReadAndExecute" -inherit $false
    }
I then have a single call to set either RO or Modify on the final directory (UAT10):
    if ($bPerm -eq "M") {
        _setNTFS -sDir $inpPath.Text -sGroup $groupName -sPerm "Modify" -inherit $true
    } else {
        _setNTFS -sDir $inpPath.Text -sGroup $groupName -sPerm "ReadAndExecute" -inherit $true
    }
As I said, 90% of the time this works. However, the times it does not, my try/catch statement in the function will not capture the error:
    try {
        $ACL | Set-Acl $sDir -ErrorAction Stop
        " Successfully Added $($sGroup) to directory $($sDir) with $($sPerm) permissions" | Out-File $sLogFile -Append
    } catch {
        " $($Error[0].ToString()) + $($Error[0].InvocationInfo.PositionMessage)" | Out-File $sLogFile -Append
        " RECOVERABLE ERROR = Failed to add $($sGroup) to directory $($sDir) with error above, please add manually" | Out-File $sLogFile -Append
    }
Succeed or fail, it outputs that it successfully created. I am not sure if I should do something more specific on my catch block, or if there is something else I am missing. For some reason, if it is going to fail, it will do so on the first folder it tries (Collections). It always works on the final folder, and always works on the upstream folders up to that first one. Hoping I am missing something stupid simple.
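An added example (not the poster's code) of the same parent-chain walk, where each Set-Acl is followed by re-reading the DACL and checking that the explicit ACE is actually present, so a silent failure is logged as a failure rather than reported as success; it also rebuilds the start path from $Path on every run instead of appending to a script-level variable. $Path, $Group and $LogFile are assumed to be supplied by the caller.

```powershell
# Added example, not the poster's code. $Path, $Group and $LogFile are assumed
# to be set by the caller (e.g. 'P:\ACC\Collections\EDI\820\Variance Reports\UAT10').

function Add-NtfsAceVerified {
    Param (
        [Parameter(Mandatory)][string]$Directory,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [bool]$Inherit = $false
    )
    $flags = if ($Inherit) { 'ContainerInherit,ObjectInherit' } else { 'None' }
    $rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
                 $Identity, $Rights, $flags, 'None', 'Allow')

    $acl = Get-Acl -LiteralPath $Directory
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Directory -AclObject $acl -ErrorAction Stop

    # Do not trust the absence of an exception: re-read the DACL and confirm an
    # explicit (non-inherited) Allow ACE for this identity with at least $Rights.
    $present = (Get-Acl -LiteralPath $Directory).Access | Where-Object {
        ($_.IdentityReference.Value -eq $Identity -or
         $_.IdentityReference.Value -like "*\$Identity") -and
        $_.AccessControlType -eq 'Allow' -and
        -not $_.IsInherited -and
        (($_.FileSystemRights -band $Rights) -eq $Rights)
    }
    if (-not $present) {
        throw "ACE for '$Identity' is missing on '$Directory' after Set-Acl"
    }
}

# Rebuild the parent chain from $Path each run; a stale $sStartDir-style
# accumulator from a previous run cannot leak into the first directory.
$parts   = $Path -split '\\'
$current = $parts[0..1] -join '\'            # root level already permissioned (P:\ACC)
$targets = @()
for ($i = 2; $i -lt $parts.Count - 1; $i++) {
    $current  = Join-Path $current $parts[$i]
    $targets += ,@($current, 'ReadAndExecute', $false)   # parents: non-inherited R/X
}
$targets += ,@($Path, 'Modify', $true)       # leaf: inherited Modify (or ReadAndExecute)

foreach ($t in $targets) {
    try {
        Add-NtfsAceVerified -Directory $t[0] -Identity $Group -Rights $t[1] -Inherit $t[2]
        "OK     $($t[0]) $($t[1])" | Out-File $LogFile -Append
    } catch {
        "FAILED $($t[0]) $($t[1]): $($_.Exception.Message)" | Out-File $LogFile -Append
    }
}
```

The verification step is what turns a "looked fine" run into a logged FAILED line for the directory that was actually skipped, which is the evidence needed to find out why that first parent is not being updated.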