Long time listener, first time caller.
I am trying with little success to set the permissions of a folder using PowerShell. I started by following the instructions identified on this page: https://blog.netwrix.com/2018/04/18/how-to-manage-file-system-acls-with-powershell-scripts/
I have also read as many of the posts as I can find on Stack Overflow, but I don’t appear to be getting the same issue that others are getting. So to start off, here is the code I am using:
$myPath = 'C:\inetpub\website'
# get actual Acl entry
$myAcl = Get-Acl "$myPath"
$myAclEntry = "NT AUTHORITY\NETWORK SERVICE","FullControl","Allow"
$myAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($myAclEntry)
# prepare new Acl
$myAcl.SetAccessRule($myAccessRule)
$myAcl | Set-Acl "$MyPath"
# check if added entry present
Get-Acl "$myPath" | fl
The result is that the user is added to the folder, as you can see below, but none of the actual permissions is set.
[screenshot of folder permissions]
It appears that it may actually be trying to set special permissions, but this is hard to prove because the special permissions option is not available.
The Get-Acl "$myPath" | fl yields the following result
Path : Microsoft.PowerShell.Core\FileSystem::C:\inetpub\website
Owner : BUILTIN\Administrators
Group : DESKTOP-UKROSU8\None
Access : NT AUTHORITY\NETWORK SERVICE Allow FullControl
NT SERVICE\TrustedInstaller Allow FullControl
NT SERVICE\TrustedInstaller Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
BUILTIN\Users Allow ReadAndExecute, Synchronize
BUILTIN\Users Allow -1610612736
CREATOR OWNER Allow 268435456
Audit :
Sddl : O:BAG:S-1-5-21-3999251487-2837792945-2014217647-513D:AI(A;;FA;;;NS)(A;ID;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;OICIIOID;GA;;;S-1-5-80-956008885-3418
522649-1831038044-1853292631-2271478464)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)(A;OICIIOID;GA;;;CO)
Please note, I am doing this on a Virtual Windows 10 machine for testing purposes, so those of you who feel the need to tell me I am taking a risk posting the output of Get-Acl, I think the risk is minimal in this case.
I have read that this issue may be caused by the “NT AUTHORITY” domain option being truncated, and that it might be of value to look up the user first. But I am yet to work out how to do that in PowerShell. Any tips would be greatly appreciated.
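An added example, not part of the original post: in the SDDL above the NETWORK SERVICE entry is `(A;;FA;;;NS)` with no `OI`/`CI` flags, because the three-argument `FileSystemAccessRule` constructor creates an entry for the folder object only, whereas the five-argument overload can mark it to apply to subfolders and files as well. The sketch also resolves the account from its well-known SID instead of a name string, which is the lookup asked about; the scratch folder under `$env:TEMP` is an assumption, constructed here so that `C:\inetpub\website` is left untouched.

```powershell
# Added example: scratch folder (constructed), not the path from the post.
$path = Join-Path $env:TEMP 'acl-demo'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Look the account up by its well-known SID, then translate it to a name.
# This avoids any dependence on how "NT AUTHORITY\..." is spelled or localized.
$sid = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::NetworkServiceSid, $null)
$account = $sid.Translate([System.Security.Principal.NTAccount])

# Same rights and type as in the post.
$rights = [System.Security.AccessControl.FileSystemRights]::FullControl
$type   = [System.Security.AccessControl.AccessControlType]::Allow

# The part the three-argument constructor leaves at None:
# ContainerInherit = subfolders, ObjectInherit = files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Five-argument overload: identity, rights, inheritance, propagation, type.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid, $rights, $inherit, $propagate, $type)

# SetAccessRule replaces any existing Allow entry for this identity,
# so re-running the script does not stack duplicate entries.
$acl = Get-Acl -Path $path
$acl.SetAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Read the ACL back and show only the entry for the resolved account,
# including the inheritance fields that "Get-Acl | fl" does not print.
$after = Get-Acl -Path $path
$after.Access |
    Where-Object { $_.IdentityReference.Value -eq $account.Value } |
    Format-List IdentityReference, FileSystemRights, AccessControlType,
                InheritanceFlags, PropagationFlags, IsInherited

# The SDDL string is the quickest place to compare the flags field
# of this entry with the one shown in the post.
$after.Sddl
```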