
I have a messed-up folder with inconsistent ACLs which I need to make uniform. I hoped to accomplish this with PowerShell. So I'm trying to search for all files missing the required group and apply the rights through Set-Acl:

Get-Acl | where {$_.accesstostring -notlike "*domain\required_grp*"} | Set-Acl $dir $acl 

Unlike icacls, Set-Acl requires you to be the owner of the file to be able to modify the ACL. That's why:

$dir= Get-Acl .\reference_file
$acl= $ACL.SetOwner([System.Security.Principal.NTAccount]$my_account)

Well, when running the command I get the following error:

Set-Acl : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input. At line:1 char:95

I'm pretty sure the problem is with the format of the output piped to Set-Acl, but I can't figure out what. Thanks for any input, much appreciated.

Luka

shkdd
  • Hi guys, so I've gone on researching this. The technet Set-Acl page says: _The input type is the type of the objects that you can pipe to the cmdlet. System.Security.AccessControl.ObjectSecurity, System.Security.AccessControl.CommonSecurityDescriptor You can pipe an ACL object or a security descriptor to Set-Acl._ So I've tried: `select System.Security.AccessControl.ObjectSecurity` before piping to Set-Acl, still the same error.. :( – shkdd Apr 01 '14 at 08:12
  • Another (old) thread on Technet didn't manage to find any answer to the same question. I'm beginning to lose hope... [link](http://social.technet.microsoft.com/Forums/scriptcenter/en-US/54e21871-ab9d-48f7-8176-5bb7a6d1ada6/why-does-getacl-return-values-not-useable-in-setacl?forum=ITCG) – shkdd Apr 01 '14 at 09:11
  • I'm trying to put together an answer for this, but I can't see where your folder list is coming from. Can you post the full script? – john Apr 01 '14 at 11:24
  • Hi john, unfortunately I cannot run scripts, I would have to get them signed by higher-level admins, so I'm trying to pipe it all out. Basically I run the command from the folder in question, getting all the files with `Get-Acl .\*`, selecting only those which lack the required security group, and then trying to pipe them further to Set-Acl. Thanks a lot for the interest. – shkdd Apr 01 '14 at 11:31

1 Answer


I believe you are confusing PowerShell, because you send an array of ACLs down the pipeline but don't iterate over each of them. Also, the Set-ACL cmdlet expects a path sent down the pipeline, I think.

$acl = Get-Acl .\reference_file
# SetOwner modifies $acl in place and returns nothing, so don't assign its result back to $acl (that would leave it $null)
$acl.SetOwner([System.Security.Principal.NTAccount]$my_account)
Get-ChildItem | Where-Object { (Get-Acl $_.FullName).AccessToString -notlike "*domain\groupname*" } | ForEach-Object { Set-Acl -Path $_.FullName -AclObject $acl }

This works for me. It gets every file or folder, checks if its ACL matches your expression, and sets the ACL if required.

john
  • What I did: I took your code as written, adding only the $my_account variable `$my_account=domain\user` and the error I got is `Set-Acl : Cannot bind argument to parameter 'AclObject' because it is null.` – shkdd Apr 01 '14 at 13:43
  • Then I've tried a slightly different approach: all the same except the statement `$ACL.SetOwner([System.Security.Principal.NTAccount]'domain\user')`. This gave me a different error: `Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.` This is weird because the account with which I'm performing the operation is the owner of the files involved. Please let me test this at home so I can confirm it's working, then I can mark it as answered. – shkdd Apr 01 '14 at 16:44
  • Yep, can confirm it's working perfectly in the test environment. So I must blame it on the lack of permissions in the production one, though it's not very clear why, as I can apply the same with single commands. Anyway thanks a lot for your time much appreciated. – shkdd Apr 01 '14 at 16:44
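The following is an added example, not code from the question or the answer above. It does the same job (find every file and folder under a path that does not grant the required group, and fix it) but avoids two things that bit the thread: it never assigns the void result of an ACL method back to the variable (the cause of the `AclObject ... is null` error), and it adds only the missing entry to each item's own ACL instead of overwriting every ACL with a copy of a reference file's, which would silently remove any other legitimate entries. It also checks the DACL by SID rather than pattern-matching `AccessToString`, a display string that would also match a Deny entry or any group whose name merely contains the text. The group name `DOMAIN\required_grp`, the `Modify` right and the function names are assumptions for the example.

```powershell
# Added example, not code from the original question or answer.
# Assumed names: the group 'DOMAIN\required_grp' must hold Modify; the function
# and helper names below are this example's own.

function Test-AllowAce {
    # True if $Acl already grants at least $Rights to $Sid through an Allow entry.
    # Compares SIDs rather than matching AccessToString, which is only a display
    # string and would also match a Deny entry or a longer group name.
    param(
        [System.Security.AccessControl.FileSystemSecurity]$Acl,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -eq $Sid.Value -and
            $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            ($ace.FileSystemRights -band $Rights) -eq $Rights) {
            return $true
        }
    }
    return $false
}

function Repair-RequiredGroupAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$RequiredGroup = 'DOMAIN\required_grp',                    # assumed
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'  # assumed
    )
    $account = [System.Security.Principal.NTAccount]$RequiredGroup
    # Resolve once up front: a mistyped group name fails here, before any ACL is touched.
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -Force) {
        # No -Audit, so the SACL is never read or rewritten; the owner is left as-is too.
        $acl = Get-Acl -LiteralPath $item.FullName
        if (Test-AllowAce -Acl $acl -Sid $sid -Rights $Rights) { continue }

        # Folders get inheritance flags so the entry propagates; files must not.
        $inherit = if ($item.PSIsContainer) {
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        } else {
            [System.Security.AccessControl.InheritanceFlags]::None
        }
        $propagate = [System.Security.AccessControl.PropagationFlags]::None
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account, $Rights, $inherit, $propagate,
            [System.Security.AccessControl.AccessControlType]::Allow)

        # AddAccessRule, like SetOwner, mutates $acl in place and returns nothing:
        # never write '$acl = $acl.AddAccessRule(...)', or $acl becomes $null and
        # Set-Acl fails with "Cannot bind argument to parameter 'AclObject'".
        $acl.AddAccessRule($rule)

        if ($PSCmdlet.ShouldProcess($item.FullName, "Add $Rights for $RequiredGroup")) {
            # Only the missing entry is added; the item's existing entries survive.
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
            Write-Verbose "Added $Rights for $RequiredGroup to $($item.FullName)"
        }
    }
}

# Preview first, then apply:
# Repair-RequiredGroupAce -Path 'C:\share\messy' -WhatIf
# Repair-RequiredGroupAce -Path 'C:\share\messy' -Verbose
```

Because these are plain function definitions, they can be pasted into an interactive console rather than saved as a `.ps1`, so the script-signing constraint mentioned in the comments does not apply. Run with `-WhatIf` first: `SupportsShouldProcess` makes every `Set-Acl` call a dry run that lists which items would change. The function writes only the DACL of each item, so the caller needs write-DAC rights on it (which an owner has implicitly), and it never changes the owner, so the `SetOwner` step from the answer, and whatever privilege it demanded in the production environment, is not needed for this approach.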