In need to get the ACL object and replace an Access.IdentityReference.Value
and keep the rest of the object intact so I can apply the Set-Acl
to another system.
$acl = Get-Acl -Path "C:\Temp"
$h = New-Object -TypeName PSObject
ForEach-Object -InputObject $acl -Process {
if ($_.Access.IdentityReference.Value -contains "BUILTIN\Users") {
"found"
$h += @($_.Access.IdentityReference.Value.Replace("BUILTIN\Users", "new\name"))
} else {
$h += @($_)
}
}
$h.Access
I have so many ways to do this and the best I have been able to get is finding and replacing the target value but losing the rest of the original object.
Edit: when I try this code:
$acl = Get-Acl -Path 'C:\Temp'
$ace = $acl.Access | Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' }
$newAce = New-Object System.Security.AccessControl.FileSystemAccessRule (
'new\name',
$ace.FileSystemRights,
$ace.InheritanceFlags,
$ace.PropagationFlags,
$ace.AccessControlType
)
$acl.RemoveAccessRule($ace)
$acl.AddAccessRule($newAce)
Set-Acl -Path 'C:\Temp' -AclObject $acl
I'm getting the following error:
Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated." At line:12 char:1 + $acl.AddAccessRule($newAce) + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : IdentityNotMappedException
Edit2: New script, but not quite there yet:
$Ssid = "S-1-5-21-2214593661-3374179426-1523454523-1133"
$Tsid = "S-1-5-21-2227185791-3254421074-497073356-1005"
$Spath = "\\clw01\dept\CLW_Site"
$Tpath = "\\clw03\dept\CLW_Site"
$acl = Get-Acl -Path $Spath
$ace = $acl.Access | Where-Object { $_.IdentityReference -eq $Ssid }
$newAce = New-Object System.Security.AccessControl.FileSystemAccessRule (
$Tsid,
$ace.FileSystemRights,
$ace.InheritanceFlags,
$ace.PropagationFlags,
$ace.AccessControlType
)
$acl.RemoveAccessRule($ace)
$acl.AddAccessRule($newAce)
Set-Acl -Path $Tpath -AclObject $acl
I'm getting the following error:
Exception calling "AddAccessRule" with "1" argument(s): "The trust relationship between the primary domain and the trusted domain failed." At line:9 char:1 + $acl.AddAccessRule($newAce) + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : SystemException
new\name
actually resolvable on the computer? Isnew
a different host? A trusted domain? External or in the same forest? – Ansgar WiechersInvoke-Command
. – Ansgar Wiechers