0
votes

I'm creating a script to automate a process and I'm running into issues setting permissions on a network share. Please have a look at the code below.

$Employee = Get-ADUser -Identity test_Person  | Select-Object -ExpandProperty SamAccountName

$Manager = Get-ADUser -Identity test_Person  | Select-Object -ExpandProperty Manager

$Drive = "\\Sharename\directory\"

$ACL = Get-Acl "$Drive\$($Employee)"

$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Manager, "FullControl", "containerInherit,ObjectInherit", "None", "Allow")

$ACL.SetAccessRule($Ar)

Set-Acl "$Drive\$($Employee)" $ACL

Here are the errors. Any help is greatly appreciated

New-Object : Exception calling ".ctor" with "5" argument(s): "Value cannot be null. Parameter name: identity"
At line:5 char:7
+ $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($ ...
+       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodInvocationException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

Exception calling "SetAccessRule" with "1" argument(s): "Value cannot be null. Parameter name: rule"
At line:6 char:1
+ $ACL.SetAccessRule($Ar)
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentNullException

Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
At line:7 char:1
+ Set-Acl "$LDrive\$($Employee)" $ACL
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (\Drive\Directory\Test_Person:String) [Set-Acl], PrivilegeNotHeldException
    + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand

1
This may not be the entirety of your issues, but $Manager is empty because Get-ADUser does not return the Manager property by default. You have to include it with -Property Manager. Second, the manager property returns the DN of the manager object. I do not know if FileSystemAccessRule() accepts a DN or if it needs to be the SamAccountName or SID.
AdminOfThings

1 Answer

0
votes

You must change how you are handling the returned manager data. You must look up the SamAccountName or SecurityIdentifier value for the manager object before passing it into FileSystemAccessRule().

$Employee = Get-ADUser -Identity test_Person -Properties Manager
$Manager = Get-ADUser -Identity $Employee.Manager | Select-Object -ExpandProperty SamAccountName
$Drive = "\\Sharename\directory"
$ACL = Get-Acl "$Drive\$($Employee.SamAccountName)"

$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Manager, "FullControl", "containerInherit,ObjectInherit", "None", "Allow")
$ACL.SetAccessRule($Ar)
Set-Acl "$Drive\$($Employee.SamAccountName)" $ACL

In your attempt, $Manager is empty because Get-ADUser does not return the Manager property by default. You have to include it with -Property Manager. Second, the manager property returns the DN of the manager object. FileSystemAccessRule() accepts an IdentityReference object derived from SamAccountName or SID, which means you must perform a conversion or another lookup for the proper data format.
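The same lookup, written as a reusable function (an added example, not code from the question or the answer above). It resolves the Manager DN to the manager's SID, which is already an IdentityReference, and refuses to build an access rule when the employee has no manager set, since that null identity is exactly what produced the ".ctor" error in the question. The function name, the parameter names and the share root are assumptions; the ActiveDirectory module and a domain-joined session are assumed to be available.

```powershell
# Added example: grant an employee's manager Full Control on the employee's
# folder under a share, resolving the manager from AD before building the ACE.
# Function and parameter names are hypothetical; the share root is the one
# named in the question and is only a placeholder here.
function Grant-ManagerFolderAccess {
    param(
        [Parameter(Mandatory)]
        [string] $EmployeeSamAccountName,

        [string] $ShareRoot = '\\Sharename\directory'   # placeholder root, no trailing backslash
    )

    # Manager is not part of the default property set, so request it explicitly.
    $employee = Get-ADUser -Identity $EmployeeSamAccountName -Properties Manager -ErrorAction Stop

    # FileSystemAccessRule throws "Value cannot be null. Parameter name: identity"
    # when handed $null, so stop here with a clear message instead.
    if (-not $employee.Manager) {
        throw "No manager is set on '$EmployeeSamAccountName'; cannot build an access rule for a null identity."
    }

    # Manager holds a distinguished name. -Identity accepts a DN, and the SID
    # property of the returned user is a SecurityIdentifier, which is an
    # IdentityReference and therefore valid for FileSystemAccessRule.
    $manager = Get-ADUser -Identity $employee.Manager -ErrorAction Stop

    $folder = Join-Path -Path $ShareRoot -ChildPath $employee.SamAccountName
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        throw "Folder '$folder' does not exist."
    }

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $manager.SID,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -LiteralPath $folder
    $acl.SetAccessRule($rule)

    # Writing the ACL still requires sufficient rights on the folder. The
    # PrivilegeNotHeldException shown in the question is that separate problem,
    # not the null identity, and is not solved by fixing the lookup.
    Set-Acl -LiteralPath $folder -AclObject $acl

    # Read the ACL back with SID-typed identities and return only the manager's
    # entries, so the caller can verify what was actually applied.
    (Get-Acl -LiteralPath $folder).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $manager.SID }
}

# Usage:
# Grant-ManagerFolderAccess -EmployeeSamAccountName 'test_Person'
```

Using the SID rather than the SamAccountName avoids a second name-to-account resolution at ACE creation time and is unambiguous across domains; reading the ACL back with SID-typed identities lets the returned entries be compared directly against $manager.SID.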