PowerShell for Windows Admins

Aug 6 2010   12:29PM GMT

Adding permissions

Richard Siddaway

 

In a recent post http://itknowledgeexchange.techtarget.com/powershell/setting-permissions/ I showed how to set the permissions on a folder. Sometimes we just want to add permissions.

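# Trustee: the user or group that receives the new permission
$trustee = ([wmiclass]'Win32_trustee').psbase.CreateInstance()
$trustee.Domain = "RSLAPTOP01"
$trustee.Name = "Test"

# 2032127 (0x1F01FF) is the access mask for full control
$fullcontrol = 2032127

$aces = @()
# New ACE: AceFlags 19 = object inherit (1) + container inherit (2) + inherited (16),
# AceType 0 = access allowed
$ace = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
$ace.AccessMask = $fullcontrol
$ace.AceFlags = 19
$ace.AceType = 0
$ace.Trustee = $trustee

# New security descriptor: ControlFlags 4 = DACL present.
# Note that the owner and group are also set to the new trustee.
$sd = ([wmiclass]'Win32_SecurityDescriptor').psbase.CreateInstance()
$sd.ControlFlags = 4
$sd.DACL = $ace
$sd.group = $trustee
$sd.owner = $trustee

# Current security settings of the folder (backslashes are doubled for WQL)
$sec = Get-WmiObject -Class Win32_LogicalFileSecuritySetting `
  -Filter "Path='c:\\test\\test1\\special'"

$osd = $sec.GetSecurityDescriptor()

# Copy every existing ACE into the new descriptor so it is kept
foreach ($acl in $osd.Descriptor.DACL){
    $ace = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
    $ace.AccessMask = $acl.AccessMask
    $ace.AceFlags = $acl.AceFlags
    $ace.AceType = $acl.AceType
    $ace.Trustee = $acl.Trustee

    $sd.DACL += $ace.psobject.baseobject
}

# Replace the folder's descriptor with the new one
$sec.SetSecurityDescriptor($sd)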

We start by creating a trustee – this is a user or group that we can assign permissions to. As before we define the permissions flag as full control. This allows us to create an ACE and a Security Descriptor.

We can then get the security settings of our folder. We read the existing ACEs in its DACL and create a new ACE for each one. We then add them to the security descriptor.

The final action is to replace the permissions on the folder with our new security descriptor, which includes the additional permissions.

One drawback to this approach is that WMI won’t work with UNC paths.
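Because the script replaces the whole descriptor, it is worth confirming that the change was purely additive. The following is an added example, not code from the original post: it decodes the numeric Win32_ACE fields into .NET enum names and diffs two DACLs. It assumes Windows PowerShell 5.1; the function names and the sample ACEs are constructed for illustration.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1.
# Turns the numeric Win32_ACE fields into .NET enum names.
function ConvertFrom-Win32Ace {
    param([Parameter(Mandatory, ValueFromPipeline)] $Ace)
    process {
        $ns = 'System.Security.AccessControl'
        # AccessMask is a uint32; reinterpret its bits as int32 so masks that
        # use the high (generic rights) bit do not overflow.
        $bytes = [BitConverter]::GetBytes([uint32]$Ace.AccessMask)
        $mask  = [BitConverter]::ToInt32($bytes, 0)
        # [Enum]::ToObject keeps unknown bit patterns as numbers instead of throwing.
        [pscustomobject]@{
            Trustee = '{0}\{1}' -f $Ace.Trustee.Domain, $Ace.Trustee.Name
            Type    = [Enum]::ToObject([type]"$ns.AceType", [int]$Ace.AceType)
            Rights  = [Enum]::ToObject([type]"$ns.FileSystemRights", $mask)
            Flags   = [Enum]::ToObject([type]"$ns.AceFlags", [int]$Ace.AceFlags)
        }
    }
}

# Reports ACEs present on only one side: '=>' was added, '<=' was removed.
function Compare-Dacl {
    param([object[]]$Before, [object[]]$After)
    $old = @($Before | ConvertFrom-Win32Ace)
    $new = @($After  | ConvertFrom-Win32Ace)
    Compare-Object $old $new -Property Trustee, Type, Rights, Flags
}

# Constructed sample ACEs shaped like Win32_ACE (Trustee, AccessMask, AceFlags, AceType).
function New-SampleAce($Domain, $Name, $Mask, $Flags, $Type) {
    [pscustomobject]@{
        Trustee    = [pscustomobject]@{ Domain = $Domain; Name = $Name }
        AccessMask = [uint32]$Mask; AceFlags = [uint32]$Flags; AceType = [uint32]$Type
    }
}

$before = @(
    New-SampleAce 'BUILTIN' 'Administrators' 2032127 19 0
    New-SampleAce 'BUILTIN' 'Users'          1179817 19 0
)
# The post's new ACE (mask 2032127, flags 19, type 0) plus the copied originals.
$after = @(New-SampleAce 'RSLAPTOP01' 'Test' 2032127 19 0) + $before

Compare-Dacl -Before $before -After $after | Format-Table -AutoSize
```

On a live folder, pass `$osd.Descriptor.DACL` as `-Before` and the DACL from a fresh `GetSecurityDescriptor()` call made after `SetSecurityDescriptor` as `-After`. The decoded Flags column also shows that the value 19 carries the Inherited bit (16) alongside ObjectInherit and ContainerInherit.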
