Page 1 of 1

Help with ACL

Posted: Wed Dec 20, 2017 8:01 am
by WSUsoftware
I have searched the forums first, but I'm still having some troubles. I am trying to simulate checking the Full Control box on the folder below for the Users group.
FolderPermissions.PNG
FolderPermissions.PNG (21.29 KiB) Viewed 3324 times
I have tried the following lines of code without success:
  1. $ACL = Get-Acl -Path 'C:\Program Files\New Folder'
  2. $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule("users", "FullControl", "Allow")
  3. $ACL.AddAccessRule($newRule)
  4. Set-Acl -Path 'C:\Program Files\New Folder' -AclObject $ACL

Re: Help with ACL

Posted: Wed Dec 20, 2017 12:52 pm
by jvierra
It is getting set but it has to be viewed under "Advanced" button. To get the top one set just remove it and re-add the trustee.

Re: Help with ACL

Posted: Thu Dec 21, 2017 7:04 am
by WSUsoftware
jvierra wrote: Wed Dec 20, 2017 12:52 pm It is getting set but it has to be viewed under "Advanced" button. To get the top one set just remove it and re-add the trustee.
When I go to advanced it still does not show up with Full Control

Re: Help with ACL

Posted: Thu Dec 21, 2017 7:24 am
by jvierra
Look harder. It works correctly for me.

Re: Help with ACL

Posted: Thu Dec 21, 2017 10:53 am
by WSUsoftware
The new rule is showing up correctly but is basically having no affect because the "old" Users rules still exists. Is there a way to remove that one first? I tried but was unsuccessful. Below is what the advanced permissions look like; the highlighted rule is the one I just created.
Capture.PNG
Capture.PNG (37.85 KiB) Viewed 3227 times

Re: Help with ACL

Posted: Thu Dec 21, 2017 11:06 am
by jvierra
Rules are additive.
You should never give users full control of system managed folders.
You have chosen to use "subfolders and files" which is the default. What did you want?

Re: Help with ACL

Posted: Thu Dec 21, 2017 11:14 am
by WSUsoftware
jvierra wrote: Thu Dec 21, 2017 11:06 am Rules are additive.
You should never give users full control of system managed folders.
You have chosen to use "subfolders and files" which is the default. What did you want?
Unfortunately a piece of software we are using requires the Users group for that particular folder to have FullControl permissions to function properly.