I'm creating a script to automate a process and I'm running into issues setting permissions on a network share. Please have a look at the code below.
```powershell
$Employee = Get-ADUser -Identity test_Person | Select-Object -ExpandProperty SamAccountName
$Manager = Get-ADUser -Identity test_Person | Select-Object -ExpandProperty Manager
$Drive = "\\Sharename\directory\"
$ACL = Get-Acl "$Drive\$($Employee)"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Manager, "FullControl", "containerInherit,ObjectInherit", "None", "Allow")
$ACL.SetAccessRule($Ar)
Set-Acl "$Drive\$($Employee)" $ACL
```
Here are the errors. Any help is greatly appreciated.
```
New-Object : Exception calling ".ctor" with "5" argument(s): "Value cannot be null. Parameter name: identity"
At line:5 char:7
+ $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

Exception calling "SetAccessRule" with "1" argument(s): "Value cannot be null. Parameter name: rule"
At line:6 char:1
+ $ACL.SetAccessRule($Ar)
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ArgumentNullException

Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
At line:7 char:1
+ Set-Acl "$LDrive\$($Employee)" $ACL
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (\Drive\Directory\Test_Person:String) [Set-Acl], PrivilegeNotHeldException
+ FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand
```
$Manager is empty because Get-ADUser does not return the Manager property by default. You have to include it with -Property Manager. Second, the manager property returns the DN of the manager object. I do not know if FileSystemAccessRule() accepts a DN or if it needs to be the SamAccountName or SID. – AdminOfThings
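
The fix described in the comment above, written out as an added example (it is not code from the question or from the commenter). It requests the Manager attribute explicitly, refuses to continue when it is empty, and resolves the manager's DN to a SID, which the `FileSystemAccessRule` constructor accepts as an `IdentityReference`. The function name `Grant-ManagerAccess` and its parameters are hypothetical; it covers the two "Value cannot be null" errors and still writes the ACL with `Set-Acl`, as the question does.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Grant-ManagerAccess, -EmployeeId and -ShareRoot are hypothetical names.

function Grant-ManagerAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $EmployeeId,
        [Parameter(Mandatory)] [string] $ShareRoot
    )

    # Manager is not in Get-ADUser's default property set, so request it explicitly.
    $employee = Get-ADUser -Identity $EmployeeId -Properties Manager
    if ([string]::IsNullOrEmpty($employee.Manager)) {
        # Fail here instead of handing a null identity to the rule constructor.
        throw "No Manager attribute is set on '$EmployeeId'; no access rule was built."
    }

    # Manager holds a distinguished name. Resolve it to the user object and take
    # its SID, so the rule never depends on how a name string would be translated.
    $manager = Get-ADUser -Identity $employee.Manager

    # Join-Path avoids the doubled backslash produced by "$Drive\$Employee".
    $path = Join-Path -Path $ShareRoot -ChildPath $employee.SamAccountName
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        throw "Folder '$path' does not exist; nothing to change."
    }

    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $manager.SID,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )

    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRule($rule)

    # -WhatIf shows the target folder and grantee without touching the share.
    if ($PSCmdlet.ShouldProcess($path, "Grant FullControl to $($manager.SamAccountName)")) {
        Set-Acl -LiteralPath $path -AclObject $acl
    }
    $rule   # Return the rule so the caller can log exactly what was granted.
}

# Dry run with the values from the question:
# Grant-ManagerAccess -EmployeeId test_Person -ShareRoot '\\Sharename\directory\' -WhatIf
```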