1
votes

I click the right mouse button on my site in the IIS manager and choose 'Edit permissions' and then I click the security tab. There I have the user IUSR with the following permissions: Read & execute, List folder contents, Read. I can also verify this in PowerShell using the command Get-Acl <path> | fl, which displays:

Access : NT AUTHORITY\IUSR Allow ReadAndExecute, Synchronize

Now I delete the ACL entry for IUSR completely. I want to set it with a PowerShell script, using the following lines:


$path = "<path to directory>"   # physical path of the site's root directory
$acl = Get-Acl "$path"
# three-argument constructor: no inheritance flags are given, so the ACE applies to this folder only
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\IUSR","ReadAndExecute","Allow")
$acl.SetAccessRule($AccessRule)   # replaces any existing Allow ACE for IUSR with this one
$acl | Set-Acl "$path"

Again verifying with Get-Acl <path> | fl, it shows exactly the same information, as expected. But in the IIS manager, the previously checked rights are not set. Instead 'Special permissions' is checked. When I click on 'Advanced' and pick IUSR from the list, it shows the same permissions have been granted: Read & execute, List folder contents, Read

But my website does not work (the browser throws error: HTTP Error 401.3 - Unauthorized). It works only if I grant these permissions in the permissions window manually. How can I set the required permissions correctly in a PowerShell script?

1
I don't have something I can test with at the moment. But, I'd take a closer look at the rights as returned by Get-ACL so you are sure you are setting them correctly. Take a look at the MS Doc on FileSystemAccessRule. If I find something to test with today, I'll see if I can figure it out. - Steven
My guess is that you need to also specify the Inheritance and Propagation flags for the accessrule, so child objects of the folder inherit the permission. Try $AccessRule = [System.Security.AccessControl.FileSystemAccessRule]::new("NT AUTHORITY\IUSR","ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow") - Theo
@Theo Agree. Similar to what I was saying, was thinking he could get a better idea of the existing rights then play with the access rule until he has a true match. Does your example already take that into account? - Steven
@Steven @Theo Your answers gave me a valuable hint and now I am able to identify the difference between my initial manual settings and my script approach. The settings from the script apply to 'This folder only' whereas they must be applied to 'This folder, subfolders and files'. Now I only need to find out how to set this with PowerShell. - jamacoe
@steven Your answer was just what I needed. I only had to insert "ContainerInherit,ObjectInherit", "None" after "ReadAndExecute" in my code and that solved the problem. Make it an answer and I'll mark it. Thanks - jamacoe

1 Answer

2
votes

Turning my comment into an answer, this sounds like you need to also specify the Inheritance and Propagation flags for the access rule, so child objects of the folder inherit the permission.

$AccessRule = [System.Security.AccessControl.FileSystemAccessRule]::new("NT AUTHORITY\IUSR", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
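The following script is an added example, not code from the question or the answer above. It puts the answer's rule into the full Get-Acl / Set-Acl flow from the question and then checks the resulting ACE, because the summary string that `Get-Acl | fl` prints (`NT AUTHORITY\IUSR Allow ReadAndExecute, Synchronize`) omits the InheritanceFlags and PropagationFlags, which is why the asker's ACL looked identical to the manual one while only applying to 'This folder only'. The directory path is a placeholder; `Get-IusrEntry` is a helper defined here for the check, not a built-in cmdlet.

```powershell
# Added example: set the IUSR read/execute ACE with inheritance and verify the flags.
# Placeholder path; replace with the physical path of the IIS site.
$path = 'C:\inetpub\wwwroot\example-site'
$identity = 'NT AUTHORITY\IUSR'

# Helper (defined here, not a built-in): return the explicit (non-inherited) ACEs
# on $Path for the given identity, with the flags that the AccessToString summary hides.
function Get-IusrEntry {
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited }
}

# ContainerInherit + ObjectInherit is what the IIS manager shows as
# 'This folder, subfolders and files'; without them the ACE is 'This folder only'.
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $identity,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    $inheritance,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

$acl = Get-Acl -Path $path
$acl.SetAccessRule($rule)   # replaces any existing explicit Allow ACE for IUSR
Set-Acl -Path $path -AclObject $acl

# Read the ACE back and show the fields that matter for the 401.3 symptom.
$entry = Get-IusrEntry -Path $path -Identity $identity
$entry | Format-List IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType

if (-not $entry) {
    Write-Warning "No explicit ACE for $identity found on $path."
} elseif ($entry.InheritanceFlags -ne $inheritance) {
    # This is the state the question's three-argument constructor produced.
    Write-Warning "ACE for $identity applies to this folder only; files beneath it will still return 401.3."
} else {
    Write-Output "ACE for $identity inherits to subfolders and files."
}
```

Running the script a second time is safe: `SetAccessRule` replaces the existing explicit Allow ACE for IUSR rather than adding a duplicate. The displayed FileSystemRights will read `ReadAndExecute, Synchronize` as in the question, since Synchronize is added automatically for Allow entries.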