Use Set-SecurityDescriptor from Module PowerShellAccessControl to set SDDL

Hi,
with the code below I can set the ACLs of a directory with an SDDL string:

$theSddl = "O:S-1-5-21-......-......-.......-1000G:S-1-5-21-.....-.......-........-513D:AI(A;CI;0x1200a9;;;NU)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)"

$SD = New-AdaptedSecurityDescriptor -Sddl $theSddl -Path $thePath -AccessMaskEnumeration ([PowerShellAccessControl.WmiNamespaceRights]) 
Set-SecurityDescriptor -SDObject $SD -Path $thePath -Force

but the problem is that the rights are not set correctly, as they were on the source folder.
After setting the SDDL, the network user has special rights instead of only the right to execute (traverse) the folder.

Module: PowerShellAccessControl

With this method

$aclObj = Get-Acl $thePath
$aclObj.SetSecurityDescriptorSddlForm($theSddl);
Set-Acl -Path $thePath -AclObject $aclObj

it works correctly, but this is not compatible with path names longer than 260 characters.

The problem is that New-AdaptedSecurityDescriptor is creating a security descriptor for an object that can’t contain children, i.e., a file. That means that the flags that are contained for all of the ACEs in the SDDL string are ignored, and each ACE is set to apply only to the object.

In this case, the NETWORK account ACE is the only one that’s explicitly set, so it’s the only one being applied to the destination folder, so it’s the only one that appears to be incorrect. The underlying SD has all of the ACEs with incorrect flags, though.

To fix it, you need to create a SD for a container. To do that, use the -IsContainer flag when calling New-AdaptedSecurityDescriptor:

$SD = New-AdaptedSecurityDescriptor -Sddl $theSddl -IsContainer
Set-SecurityDescriptor -SDObject $SD -Path $thePath -Force
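To see why the container flag matters, the following added example (not code from the thread or from the PowerShellAccessControl module) parses one SDDL string twice with the .NET CommonSecurityDescriptor class, once as a non-container (file) descriptor and once as a container (directory) descriptor, which is the same distinction the module's -IsContainer switch makes. The SDDL string, the function names and the use of only well-known SID aliases (BA, SY, NU, BU) are assumptions made for this illustration; it needs Windows PowerShell or PowerShell 7 on Windows, where the SID aliases resolve.

```powershell
# Added example, not part of the original thread or of the PowerShellAccessControl module.
# Constructed SDDL: DACL only, with container-style inheritance flags (OI/CI) on some ACEs.
$sampleSddl = 'D:AI(A;OICI;GA;;;BA)(A;CI;0x1200a9;;;NU)(A;;FA;;;SY)(A;OICIID;0x1200a9;;;BU)'

function Compare-SddlAsContainer {
    # Returns the SDDL as .NET re-emits it after canonicalising it for a
    # non-container object (a file) and for a container object (a directory).
    param(
        [Parameter(Mandatory)][string]$Sddl
    )
    # Constructor arguments: isContainer, isDS (directory-service object), SDDL text.
    $asFile      = [System.Security.AccessControl.CommonSecurityDescriptor]::new($false, $false, $Sddl)
    $asContainer = [System.Security.AccessControl.CommonSecurityDescriptor]::new($true,  $false, $Sddl)
    $sections    = [System.Security.AccessControl.AccessControlSections]::All

    [pscustomobject]@{
        Input       = $Sddl
        AsFile      = $asFile.GetSddlForm($sections)
        AsContainer = $asContainer.GetSddlForm($sections)
    }
}

function Get-AceFlagsPerAce {
    # Per-ACE view: trustee, access mask and the AceFlags that survived for each variant.
    param(
        [Parameter(Mandatory)][string]$Sddl
    )
    foreach ($isContainer in $false, $true) {
        $sd = [System.Security.AccessControl.CommonSecurityDescriptor]::new($isContainer, $false, $Sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            [pscustomobject]@{
                IsContainer = $isContainer
                Trustee     = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
                AccessMask  = ('0x{0:x}' -f $ace.AccessMask)
                AceFlags    = $ace.AceFlags
            }
        }
    }
}

# Compare the two canonical forms side by side, then inspect ACE by ACE.
Compare-SddlAsContainer -Sddl $sampleSddl | Format-List
Get-AceFlagsPerAce -Sddl $sampleSddl | Format-Table -AutoSize
```

In the non-container variant the ObjectInherit/ContainerInherit flags are not meaningful and are dropped during canonicalisation, so every ACE ends up applying to the object only; in the container variant they are kept. That is also why the Get-Acl route in the question preserved the flags: Get-Acl on a folder returns a DirectorySecurity object, which is always treated as a container.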

Thank you very much for your detailed answer, it works!