Updating ACL on Root Drive

by nancyhidywilson at 2013-02-21 15:14:44

I need to make sure that the Builtin\Users group has List Folder (ReadData) access to the root drive (this folder only).
I had previously created a function that we use to grant RX or Full Control to various subfolders using ICACLS and
figured I could just do the same thing with more restrictive rights for this purpose.
So, essentially this is what I have done:

$folderPath = "E:"
$grpname = "BUILTIN\USERS"
$acl = get-acl $folderPath
$acl_string = $acl.AccessToString
Write-Host "Before: $acl_string"
$icacls_parm = ""$folderPath" /grant "" + $grpname + ":(NP)(NP)(RD)" `/c"
Write-Host "Executing: icacls $icacls_parm"
$x = icacls $icacls_parm
$icacls_result = $LASTEXITCODE
Write-Host $x
Write-Host $icacls_result
$acl = get-acl $folderPath
$acl_string = $acl.AccessToString
Write-Host "After: $acl_string"

This runs fine when I execute it in a PowerShell command window. However, when I put it into a script, it appears to work and not work at the same time. That is, the result returned from icacls says that it applied to 1 file and succeeded, but then the updated acl does not display that the new permission. And, you can’t see it via Windows Explorer properties either.

If I change the $folderPath from E: to E:\Apps, then this script works fine. It only seems to be a problem setting these perms on a root folder. I’ve also converted this to use Set-ACL and I have a similar problem - the after will display the change, but then I can’t see it from within any other scope (i.e. another admin prompt or Windows Explorer). This is very puzzling. I’ve searched multiple forums and haven’t seen this same issue reported anywhere. Is there some other setting that I’m overlooking because this is a root folder that is causing this behaviour?

Thanks in advance for any ideas!
Nancy
by mjolinor at 2013-02-21 15:48:02
Any chance root folder permissions are being set / enforced by Group Policy?
by nancyhidywilson at 2013-02-21 16:14:59
I don’t think so, because I can change them via Windows Explorer and by running the command (icacls or set-acl cmdlet) from the powershell command window. I just can’t seem to get it to work from within a powershell script.