Disable inheritance and manually apply permissions when creating a folder in Powershell


Solution 1

Use the SetAccessRuleProtection() method to exclude the ACL from inheriting rules:

$acl.SetAccessRuleProtection($true,$false)

The second argument (preserveInheritance) also removes existing inherited rules when set to false, leaving just the system default ACEs.


If you have problems applying the inheritance protection, make sure you update the ACL with the ownership information before setting access rule protection:

$FolderPath = "\\srv\path"
$acl = Get-Acl $FolderPath
# SetOwner: make the current user the owner of the folder
$acl.SetOwner([System.Security.Principal.NTAccount] $env:USERNAME)
# Write updated ownership info back
Set-Acl $FolderPath $acl | Out-Null
# SetAccessRuleProtection: stop inheriting and drop the already-inherited ACEs
$acl.SetAccessRuleProtection($True, $False)
# Write updated ACL back
Set-Acl $FolderPath $acl | Out-Null

Solution 2

The error about 'SeSecurityPrivilege' is a bug with Set-Acl for file system objects. I'd recommend against using Set-Acl for files and folders, and instead use the SetAccessControl() method that's available for file and folder objects. You could modify your code to look like this:

$FolderPath = "\\srv\path"
New-Item -ItemType directory -Path $FolderPath
$acl = Get-Acl $FolderPath
$acl.SetAccessRuleProtection($True, $False)
$acl.Access | % { $acl.RemoveAccessRule($_) } # I remove all security
# Not needed:
# $acl.SetOwner([System.Security.Principal.NTAccount] $env:USERNAME) # I set the current user as owner
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('myadminaccount', 'FullControl', 'Allow') # I set my admin account as also having access
$acl.AddAccessRule($rule)
(Get-Item $FolderPath).SetAccessControl($acl)

One more thing: you might want to change your $rule to something like the following if it's going to apply to a folder:

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'myadminaccount',
    'FullControl',
    'ObjectInherit, ContainerInherit',
    'None',
    'Allow'
)
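The script below is an added example, not code from either answer or from the asker. It combines the ordering advice from Solution 1 (protect inheritance, then write) with Solution 2's use of SetAccessControl() instead of Set-Acl and the container/object inheritance flags from the last snippet, and then reads the ACL back to confirm that inheritance is protected and that only the two intended principals remain. It assumes Windows PowerShell 5.1 on Windows, where DirectoryInfo exposes SetAccessControl() directly as in Solution 2; the UNC path and the admin account name are placeholders.

```powershell
# Added example: create a folder whose DACL is protected from inheritance and
# contains exactly two explicit Allow ACEs (the creator and one admin account).
$FolderPath   = "\\srv\path\newfolder"        # assumption: placeholder UNC path
$AdminAccount = "DOMAIN\myadminaccount"       # assumption: placeholder admin principal
$Creator      = "$env:USERDOMAIN\$env:USERNAME"
$Allowed      = @($Creator, $AdminAccount)

New-Item -ItemType Directory -Path $FolderPath -ErrorAction Stop | Out-Null

# Get-Acl reads owner, group and DACL without touching the SACL.
$acl = Get-Acl -LiteralPath $FolderPath

# Stop inheriting from the parent and discard the ACEs that were already inherited.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit ACEs that remain so only the rules added below survive.
foreach ($ace in @($acl.Access)) {
    [void]$acl.RemoveAccessRule($ace)
}

# Both rules flow down to subfolders (ContainerInherit) and files (ObjectInherit).
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
foreach ($who in $Allowed) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who, 'FullControl', $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}

# Write the DACL through the DirectoryInfo object rather than Set-Acl (see Solution 2).
(Get-Item -LiteralPath $FolderPath).SetAccessControl($acl)

# Verification: inheritance must be protected and no other principal may be present.
$check = Get-Acl -LiteralPath $FolderPath
if (-not $check.AreAccessRulesProtected) {
    throw "Inheritance is still enabled on $FolderPath"
}
$unexpected = $check.Access | Where-Object { $_.IdentityReference.Value -notin $Allowed }
if ($unexpected) {
    throw "Unexpected ACEs present: $(($unexpected.IdentityReference.Value) -join ', ')"
}
$check.Access | Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
```

The read-back check is the part worth keeping in any provisioning script: a silently inherited ACE from the parent share is exactly the failure the question describes, and AreAccessRulesProtected plus a whitelist of expected identities catches it at creation time rather than during a later audit.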
Author: riahc3

Updated on July 09, 2022

Comments

  • riahc3
    riahc3 almost 2 years

    I'm trying to make a new folder in Powershell but I do not want it to inherit any NTFS security permissions and manually add 2 users: the creator and my own admin account.

    I have this:

    $FolderPath = "\\srv\path"
    New-Item -ItemType directory -Path $FolderPath
    $acl = Get-Acl "\\srv\path"
    $acl.SetAccessRuleProtection($True, $False)
    $acl.Access | %{$acl.RemoveAccessRule($_)} # I remove all security
    $acl.SetOwner([System.Security.Principal.NTAccount] $env:USERNAME) # I set the current user as owner
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('myadminaccount','FullControl','Allow') # I set my admin account as also having access
    $acl.AddAccessRule($rule)
    Set-Acl $FolderPath $acl | Out-Null


    It does not work and it still inherits the parent's security permissions.

    I changed it to the comment below but it does not allow the user to set ACLs for a folder HE created. Over the root folder (path), he has change permissions privileges...

    This is the access error received:

    [screenshot of the access error; image not reproduced]

    What permissions should he have over the folder he just created with the code above? The owner should be able to modify it freely.

    Added the full control share permission for the user and now I get that the process does not have "SeSecurityPrivilege". This happens when I add the $acl.SetAccessRuleProtection($True, $False) line

    How can I get this to work?

  • riahc3
    riahc3 almost 9 years
    It does not allow the user to remove ACL. The user has "Change permissions" over the folder.
  • Mathias R. Jessen
    Mathias R. Jessen almost 9 years
    I'm pretty sure those are unrelated. SetAccessRuleProtection($true,$false) does what is documented: Removes inherited ACEs and protects against inheriting future parent ACEs
  • riahc3
    riahc3 almost 9 years
    I just added a screenshot to make sure if it is related or not.
  • Mathias R. Jessen
    Mathias R. Jessen almost 9 years
    @riahc3 Make sure you (the executing user) has Full Control permissions on the Share as well
  • riahc3
    riahc3 almost 9 years
    He has all the permissions except that one; Full Control. Does he really need Full Control?
  • Mathias R. Jessen
    Mathias R. Jessen almost 9 years
    @riahc3 I'm not talking about the NTFS permission, but the share permissions
  • riahc3
    riahc3 almost 9 years
    OK, gotcha. Added the Full Control share permission and now I do have another error....Looking at it as I speak.
  • riahc3
    riahc3 almost 9 years
    Now I am getting that the process does not have "SeSecurityPrivilege". This happens when I add the $acl.SetAccessRuleProtection($True, $False) line
  • Mathias R. Jessen
    Mathias R. Jessen almost 9 years
    That's because the user isn't a member of the Administrators group on the target server. TBH you should probably ask a new/separate question for this
  • riahc3
    riahc3 almost 9 years
    No, he isn't, but he shouldn't be either in order to write to that specific folder. Should I change the order of the code in my script for it to work?
  • Mathias R. Jessen
    Mathias R. Jessen almost 9 years
    @riahc3 Yes, apply the ownership first, then call SetAccessRuleProtection subsequently, that might work
  • riahc3
    riahc3 almost 9 years
    Changing the order did it I believe. I would love to mark your answer as correct but it doesn't have the complete answer. I did upload your comment.