0
votes

Long time listener, first time caller. I am trying with little success to set the permissions of a folder using PowerShell. I started by following the instructions on this page: https://blog.netwrix.com/2018/04/18/how-to-manage-file-system-acls-with-powershell-scripts/ I have also read as many of the posts on Stack Overflow as I can find, but I don't appear to be getting the same issue that others are getting. So to start off, here is the code I am using:

$myPath = 'C:\inetpub\website'
# get actual Acl entry
$myAcl = Get-Acl "$myPath"
$myAclEntry = "NT AUTHORITY\NETWORK SERVICE","FullControl","Allow"
$myAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($myAclEntry)
# prepare new Acl
$myAcl.SetAccessRule($myAccessRule)
$myAcl | Set-Acl "$MyPath"
# check if added entry present
Get-Acl "$myPath" | fl

The result is that the user is added to the folder, as you can see below, but none of the actual permissions are set. (screenshot of folder permissions)

It appears that it may actually be trying to set special permissions, but this is hard to prove because the special permissions option is not available.

Get-Acl "$myPath" | fl yields the following result:

Path   : Microsoft.PowerShell.Core\FileSystem::C:\inetpub\website
Owner  : BUILTIN\Administrators
Group  : DESKTOP-UKROSU8\None
Access : NT AUTHORITY\NETWORK SERVICE Allow  FullControl
         NT SERVICE\TrustedInstaller Allow  FullControl
         NT SERVICE\TrustedInstaller Allow  268435456
         NT AUTHORITY\SYSTEM Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  268435456
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Administrators Allow  268435456
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         BUILTIN\Users Allow  -1610612736
         CREATOR OWNER Allow  268435456
Audit  : 
Sddl   : O:BAG:S-1-5-21-3999251487-2837792945-2014217647-513D:AI(A;;FA;;;NS)(A;ID;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;OICIIOID;GA;;;S-1-5-80-956008885-3418
         522649-1831038044-1853292631-2271478464)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)(A;OICIIOID;GA;;;CO)

Please note, I am doing this on a virtual Windows 10 machine for testing purposes, so for those of you who feel the need to tell me I am taking a risk by posting the output of Get-Acl: I think the risk is minimal in this case.

I have read that this issue may be caused by the “NT AUTHORITY” domain option being truncated, and that it might be of value to look up the user first. But I have yet to work out how to do that in PowerShell. Any tips would be greatly appreciated.


1 Answer

0
votes

As far as I know the permission is set. I never had any problem with that, and I did it a lot. It sets a special permission (you can scroll down in your screenshot to see that the checkbox is checked).

If you click Advanced in your screenshot, you will see that it has full control on that directory. And in your get-acl output you also see that it has full control on this directory.

In Windows I would not trust the GUI too much. If PowerShell get-acl says it has full control, it should have full control.

Here, as an example, I did the same with Guest / Gast (it's in German, but that shouldn't matter much):

Permission overview

  1. The image on the left is the same one you showed us. Guest has no permission except for the special permission that is set.

  2. If you click Advanced (Erweitert) you see the picture on the top right. As you see, Guest has FullControl (Vollzugriff) here.

  3. If we click on Edit (Bearbeiten) you see the image on the bottom right. As you see, every checkbox here is checked, as intended.

I'm not sure why the first window is not updated, or rather why only special permission is shown as set, but in my experience the first window should not be trusted that much; the 2nd has more detail and information and also more options to configure.

To your question: what you are doing works, but you can't see it in the first window. Why? Not sure, but that's Windows... I would trust the get-acl command and the 2nd window.
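As an added example (not code from the asker or the answerer): the three-argument FileSystemAccessRule constructor used in the question writes an ACE with no inheritance flags, which is what the SDDL entry (A;;FA;;;NS) shows, and the basic Security tab displays a "this folder only" ACE as "Special permissions". The variant below uses the five-argument constructor so the entry covers the folder, its subfolders and its files, and then reads the flags back with Get-Acl, which the plain Access summary does not print. It assumes the path from the question and an elevated session.

```powershell
# Added example, not from the question or the answer.
$myPath    = 'C:\inetpub\website'             # path taken from the question
$identity  = 'NT AUTHORITY\NETWORK SERVICE'
$rights    = [System.Security.AccessControl.FileSystemRights]::FullControl
# ContainerInherit + ObjectInherit = "This folder, subfolders and files",
# the pattern the basic Security tab can render as checkboxes.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$type      = [System.Security.AccessControl.AccessControlType]::Allow

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $identity, $rights, $inherit, $propagate, $type

$acl = Get-Acl -Path $myPath

# Drop any existing explicit ACE for this identity so the old
# "this folder only" entry does not sit next to the new one.
# $acl.Access is a snapshot, so removing while iterating is safe.
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $identity } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$acl.AddAccessRule($rule)
Set-Acl -Path $myPath -AclObject $acl

# Verify what was actually written: rights plus inheritance and propagation
# flags. Get-Acl | fl only lists identity, type and rights in its Access column.
(Get-Acl -Path $myPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType,
                  InheritanceFlags, PropagationFlags, IsInherited |
    Format-List
```

The same check on the original ACE prints InheritanceFlags : None, which is the GUI's "Special permissions" case.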