Powershell NTFS right

j-seb · 2016-08-22T17:37:57.000Z

Hi guys,

i’ve been looking at this for the whole day not knowing what I’m doing wrong.

I’ll start by saying the goal is to create a personal home folder for users.
I don’t want the folder to inherit right.

The command works but permissions are weird.
The ntfs are blank but once i open advanced permission i see them.
But it doesnt work.

Here’s the script:

New-item \\server\Users$\jeaeli -type directory
$acl = Get-Acl \\server\Users$\jeaeli
$acl | Format-List
$acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$acl.SetAccessRuleProtection($true, $false)
$acl1 = New-Object System.Security.AccessControl.FileSystemAccessRule "domain\jeaeli","Modify", "ContainerInherit, ObjectInherit", "InheritOnly", "Allow"
$acl2 = New-Object System.Security.AccessControl.FileSystemAccessRule "domain\ITBEXC","FullControl", "ContainerInherit, ObjectInherit", "InheritOnly", "Allow"
$acl3 = New-Object System.Security.AccessControl.FileSystemAccessRule "domain admins","FullControl", "ContainerInherit, ObjectInherit", "InheritOnly", "Allow"
$acl.addAccessRule($acl1)
$acl.addAccessRule($acl2)
$acl.addAccessRule($acl3)
Set-Acl \\server\Users$\jeaeli $acl

I also don’t want module to add.
Any help is appreciated

Neally · 2016-08-22T17:39:59.000Z

Hello, when you post code, please use the ‘insert code’ button. Please and thank you!

martin9700 · 2016-08-22T17:47:50.000Z

This is what I’ve used in the past:

$NTDomain = "yourdomain"
$HomePath = "\\server\users"
$UserName = "youruser"

#Create Home Drive
Write-Host "Creating Home Drive..."
#Create the folder
New-Item -Name $UserName -ItemType Directory -Path $HomePath | Out-Null
#Set the drive on the user account
Set-ADUser $UserName -HomeDirectory "$HomePath\$UserName" -HomeDrive U:
#Get the ACL
$ACL = Get-Acl "$HomePath\$UserName"
#Turn off inheritance
$ACL.SetAccessRuleProtection($true, $false)
#Remove the old ACL's
$ACL.Access | ForEach { [Void]$ACL.RemoveAccessRule($_) }
#Add Domain Admins as Full Control, copy this line if you need more groups to have this level
$ACL.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("$NTDomain\Domain Admins","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")))
#Grant the user modify permissions
$ACL.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("$NTDomain\$UserName","Modify", "ContainerInherit, ObjectInherit", "None", "Allow")))
#Save the ACL back
Set-Acl "$HomePath\$UserName" $ACL

Edited to add comments.

zuphzuph · 2016-08-22T17:50:44.000Z

Neally:

Hello, when you post code, please use the ‘insert code’ button. Please and thank you!

It’s a pet peeve of his. ¯_(ツ)_/¯

@alexw

martin9700 · 2016-08-22T17:52:05.000Z

zuphzuph:

Neally:

Hello, when you post code, please use the ‘insert code’ button. Please and thank you!

It’s a pet peeve of his. ¯_(ツ)_/¯

And one we encourage. It’s even in the PLEASE READ BEFORE POSTING sticky

Neally · 2016-08-22T17:55:26.000Z

zuphzuph:

Neally:

Hello, when you post code, please use the ‘insert code’ button. Please and thank you!

It’s a pet peeve of his. ¯_(ツ)_/¯

Martin9700:

zuphzuph:

Neally:

Hello, when you post code, please use the ‘insert code’ button. Please and thank you!

It’s a pet peeve of his. ¯_(ツ)_/¯

And one we encourage. It’s even in the PLEASE READ BEFORE POSTING sticky

He’s just teasing :¬P ¯_(ツ)_/¯

j-seb · 2016-08-22T17:55:54.000Z

I haven’t been here for a while. I’m really sorry

martin9700 · 2016-08-22T17:57:01.000Z

J-Seb:

I haven’t been here for a while. I’m really sorry

No worries J-Seb, we just want to help.

j-seb · 2016-08-22T18:02:02.000Z

Hey Martin,

It’s pretty much the same i have except that we don’t set the home folder that way, this is not my choice.
I’m not sure if my pic was posted with it but here’s what i get from running it.

ntfs.jpg1297×648 122 KB

martin9700 · 2016-08-22T18:08:46.000Z

Well, I’m not seeing an apples to apples comparison here, so I can’t really say what the problem is. In the picture you have the basic page highlighted on Domain Admins, but the permissions you show are for your user (you). The permissions for that seemed OK to me, so I’m not sure what the problem is.

j-seb · 2016-08-23T10:03:07.000Z

if you look on the left side under allow there is no check mark.
I included another one that will clarify the problem.

ntfs2.jpg1152×648 85.1 KB

gungnir · 2016-08-23T10:19:56.000Z

Martin9700:

Well, I’m not seeing an apples to apples comparison here, so I can’t really say what the problem is. In the picture you have the basic page highlighted on Domain Admins, but the permissions you show are for your user (you). The permissions for that seemed OK to me, so I’m not sure what the problem is.

The problem he seems to be having is that under the basic permissions only the special permissions line has a checkbox on it.

Capture.PNG800×321 77.8 KB

As for the ‘problem’ itself, this seems to be caused by the InheritOnly flag. If you look at the advanced permission for each ACE they don’t actually have any permissions on the folder itself - they only apply to the child objects.

Untitled.png767×520 14.7 KB

This isn’t necessarily a problem - the ACL is exactly what you’re telling it to be. So long as the permissions are how you want them there’s no need to make a change. If you want the accounts to have permissions on the folder itself then you’ll have to use one of the other propagation flags.

learn.microsoft.com

PropagationFlags Enum (System.Security.AccessControl)

Specifies how Access Control Entries (ACEs) are propagated to child objects. These flags are significant only if inheritance flags are present.

j-seb · 2016-08-23T10:34:38.000Z

Thanks so much Gungnir.

There is a language barrier in my case and sometimes i do not fully understand.
That’s exactly what i was looking for. You save me some headaches for sure.

I removed the inheritonly flag and they now get the permission on the folder itself.