
I get an error with my Powershell script where I am trying to give a folder "Total Control". I can give Total Control to a Domain/Users account, but I can't seem to get it to work for a ComputerName\Users account. This is important to allow other software being installed to work on various computers in our organization (they all have a ComputerName\Users account in the Security tab). I want to give Total Control to [ComputerName\Users] account.

Screenprint below shows DomainUsers/Account my script could create, and below it the ComputerName\Account I can't reference in any way to give Total Control -- In this example, "Users(OHAIBMG00B7KP\Users)", triggers an error.

Security Tab Screenprint

This script works to create Account and Total Control permissions for a folder

$directory = "C:\Program Files (x86)\CAREWare"
$domainName = "DHS"
$group = 'Domain Users'
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$acl = (Get-Item $directory).GetAccessControl("Access")
# Build the DOMAIN\group name the rule is granted to (Trim() returns a new string, so assign it)
$user = ("{0}\{1}" -f $domainName, $group).Trim()
$access = "FullControl"
$accessType = "Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($user, $access, $inherit, $propagation, $accessType)
$acl.SetAccessRule($accessRule)
Set-Acl $directory $acl

This is the error when I try to change the three lines below to reference ComputerName\Users.

$directory = "C:\Program Files (x86)\CAREWare"
$domainName = $env:computername
$group = 'Users'

Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At line:1 char:1
+ $acl.SetAccessRule($accessRule)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdentityNotMappedException

I can't seem to get PowerShell to find and return anything about the ComputerName\Users group, but it is there in the Security Tab of the Folder Properties.

JustJohn

3 Answers


When searching for the error message "Some or all identity references could not be translated", similar questions have been asked here, here and here, where the answers were that you have to use the SID instead of COMPUTER\Users when creating the FileSystemAccessRule. The SID can be retrieved via GetPrincipalBySamAccountName.

Ronald Rink 'd-fens'
  • Ok, your "here, here, and here" looks like good stuff for me to study. Might be the solution. But at this time I am also realizing that I don't want to create a new group or user, just give permissions to an existing one. So I deleted and undeleted this post because I noticed an answer (yours) was coming in. Since you really have helped to answer my posted question, I am accepting this answer and using it to study more on the subject. thank you very much – JustJohn Mar 10 '17 at 20:13
  • I did notice that all your solutions are for .NET code. . . . In the title of my question I specify PowerShell – JustJohn Mar 11 '17 at 00:17
  • @JustJohn both PowerShell and C# run on .NET, so you can use the same calls in both programming languages. So when you see a C# example calling `new System.Security.AccessControl.FileSystemAccessRule()` you can use the same in PowerShell by issuing `New-Object System.Security.AccessControl.FileSystemAccessRule` (or `[System.Security.AccessControl.FileSystemAccessRule]::new()` when using PoSH 5+). – Ronald Rink 'd-fens' Mar 11 '17 at 08:46

I know this is a really old thread, but the solution is removing the inheritance and propagation from your access rule for files.

For Folders:

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $rights, $inheritance, $propagation, $accessControl)

For Files:

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $rights, $accessControl)


Per my tests, you must use "BUILTIN\Users" instead of "computerName\Users".

Example below works for me:

$nvsFolder = "C:\ProgramData\folder"
$Acl = Get-Acl $nvsFolder
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Users", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $nvsFolder $Acl
D. Dubya
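As an added example (not code from any of the answers above), the following script combines the SID-based approach from the accepted answer with the BUILTIN\Users observation from the last one: it first shows which of the three group spellings Windows can actually map to a SID, then grants the rule using the well-known SID so no name lookup is involved. The folder path is the one from the question; the helper name Resolve-AccountSid is my own.

```powershell
# Added example, not from any answer above. Assumes the folder path used in the question.
$directory = "C:\Program Files (x86)\CAREWare"

# Resolve an account name to its SID, returning $null when Windows cannot map it.
# This is the same translation SetAccessRule performs internally and the step
# that raised IdentityNotMappedException for COMPUTERNAME\Users in the question.
function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$AccountName)
    try {
        ([System.Security.Principal.NTAccount]$AccountName).Translate(
            [System.Security.Principal.SecurityIdentifier])
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "'$AccountName' could not be mapped to a SID"
        $null
    }
}

# Diagnostic: which of the spellings discussed in the thread resolve on this machine?
foreach ($name in @("$env:COMPUTERNAME\Users", 'BUILTIN\Users', 'Users')) {
    "{0,-30} -> {1}" -f $name, (Resolve-AccountSid $name)
}

# Well-known SID for BUILTIN\Users (S-1-5-32-545). Built directly, so it works
# regardless of how the Security tab happens to display the group name.
$usersSid = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::BuiltinUsersSid, $null)

# Build the folder rule from the SID instead of a name string.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $usersSid,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $directory
$acl.SetAccessRule($rule)
Set-Acl -Path $directory -AclObject $acl

# Verify by SID as well, so the check does not depend on the display name either.
(Get-Acl -Path $directory).Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $usersSid
    } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

FullControl is used here only because the question asks for it; Modify gives Users the same read/write/delete access to the application's files without letting every local user rewrite the folder's ACL.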