
Some context: I am augmenting a PowerShell script to create an AD user to execute a batch workflow and the required folders the workflow needs. The ID and network IDs of the support members (including myself) inherit all permissions from the groups that they are in, and the groups that those groups are in.

```powershell
Write-Log "Setting Permissions on \\$Machine\Batch\Storage\$ASI" -LogPath $LogPath
$PathAcl = Get-Acl -Path "\\$Machine\Batch\Storage\$ASI"
# Setup Inherited permissions
$PathAcl.SetAccessRuleProtection($True, $False)
# Dump the current rules to the pipeline for inspection
$PathAcl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

# Batch support permissions
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($($DomainJobIsToRunIn + '\L_Batch' + "$ASI" + 'Support'), 'Modify,Synchronize', "ContainerInherit, ObjectInherit", "None", "Allow")
$PathAcl.AddAccessRule($Rule)
Write-Log -Message $($DomainJobIsToRunIn + '\L_Batch' + "$ASI" + 'Support complete.') -LogPath $LogPath

# Commit Changes
Set-Acl -Path "\\$Machine\Batch\Storage\$ASI" -AclObject $PathAcl
Write-Log "Permissions on \\$Machine\Batch\Storage\$ASI setup complete." -LogPath $LogPath
```

$Machine = Windows server name
$ASI = Application Service ID (in this case, "a$c")
$DomainJobIsToRunIn = AD Domain

After creating the folders and assigning permissions, my user ID, which is in the "support" global group that is in the "support" local group, is unable to access the folder. If I open the folder properties and go to Security > Advanced > Continue (attempt the operation with admin permissions) I can see the following (screenshot: Advanced Security Settings for a$c).

If I manually add my ID to the folder with access through the GUI, I can open the folder just fine and the Security tab shows L_Batcha$cSupport as having modify access.

Does anyone have an idea as to what I am doing wrong? I've been searching for a few days now and can't find anything that is similar so far.

Apologies if my question is formatted wrong. This is my first time posting here.

WillPanic
    In case it might be helpful: [Global AD Group Properties](https://i.stack.imgur.com/eGd8M.jpg), [Global AD Group Members](https://i.stack.imgur.com/rwuDM.jpg), [Local AD Group Properties](https://i.stack.imgur.com/gKMDd.jpg), [Local AD Group Members](https://i.stack.imgur.com/RGByH.jpg) – WillPanic May 17 '17 at 16:33
  • Not sure I fully understand. You say "If I manually add my ID", but in the screenshot there are only groups. If I presume that you refer to your group ID, what exactly does "modify access as well." mean? Via GUI you added Modify access and it is visible as an additional line in the ACL list? That should be possible only if the first entry is inherited, but that's not the case on your screenshot. – Igor May 17 '17 at 18:30
  • Sorry, I had to scroll down to show the group I wanted and my user ID was on the top of the list so it is hidden. If I remove the ID I get "You don't currently have permission to access this folder" when I try to open it in Windows Explorer. I meant that the Security Tab matched Security > Advanced > Permissions. I've removed the "as well" from the post to reduce confusion – WillPanic May 17 '17 at 18:39
  • Can you try to see if it is not an elevation issue? Run PowerShell in an elevated console (Run as administrator) and try `Get-ChildItem "\\$Machine\Batch\Storage\$ASI"` or even better `Get-Acl "\\$Machine\Batch\Storage\$ASI"`. Explorer can be tricky if this is the case. – Igor May 17 '17 at 18:57
  • I am able to run `Get-Acl "\\$Machine\Batch\Storage\$ASI"` from an elevated PowerShell console. I can't run it from an unelevated PS console though. For what it is worth, `Get-Acl "\\$Machine\Batch\Storage"` (one level up the directory tree) works just fine from an unelevated PowerShell console. – WillPanic May 17 '17 at 20:29
  • Ok, I have no idea what could have changed but I went to work some more on this and I can now access the folders just fine using the permissions from the group(s). – WillPanic May 18 '17 at 19:47
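A diagnostic script, added here as an example (it is not part of the question or the comments), that checks the three things the thread circles around: what the folder's DACL contains after `Set-Acl`, whether any Allow entry resolves to the `L_Batch<ASI>Support` group, and whether that group's SID is actually in the current logon token, including whether the console is elevated. It assumes `$Machine`, `$ASI` and `$DomainJobIsToRunIn` are set as in the question; `Resolve-Sid` is a helper defined here, not a built-in cmdlet.

```powershell
# Added diagnostic, not the question's script. Assumes $Machine, $ASI and
# $DomainJobIsToRunIn are set as in the question; the group name follows the
# pattern used there (L_Batch<ASI>Support).
$Path  = "\\$Machine\Batch\Storage\$ASI"
$Group = "$DomainJobIsToRunIn\L_Batch${ASI}Support"

$sidType  = [System.Security.Principal.SecurityIdentifier]
$groupSid = ([System.Security.Principal.NTAccount]$Group).Translate($sidType)

# Helper (defined here): SID string for an ACE identity, or $null if it cannot be resolved.
function Resolve-Sid([System.Security.Principal.IdentityReference]$Id) {
    try { $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}

# 1. What the DACL looks like after Set-Acl. SetAccessRuleProtection($true, $false)
#    blocks inheritance AND discards the previously inherited entries, so only
#    explicit ACEs should be listed here.
$acl = Get-Acl -Path $Path
"Inheritance blocked on {0}: {1}" -f $Path, $acl.AreAccessRulesProtected
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags |
    Format-Table -AutoSize

# 2. Does any Allow entry on the folder resolve to the expected group SID?
$allowForGroup = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (Resolve-Sid $_.IdentityReference) -eq $groupSid.Value
})

# 3. Is that SID in the CURRENT logon token? Windows evaluates group membership
#    from the token built at logon, so membership granted after this session
#    started (directly or through a nested group) is absent until the account
#    logs on again. 'whoami /groups' shows the same list.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$inToken = [bool]($me.Groups | Where-Object { $_.Value -eq $groupSid.Value })

# Under UAC an unelevated token carries the Administrators SID as deny-only, so
# access that only an Administrators ACE would grant fails in an unelevated
# console or in Explorer, which matches the elevated-vs-unelevated observation above.
$elevated = ([System.Security.Principal.WindowsPrincipal]$me).IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

[pscustomobject]@{
    Group             = $Group
    GroupSid          = $groupSid.Value
    FolderGrantsGroup = ($allowForGroup.Count -gt 0)
    SidInCurrentToken = $inToken
    RunningElevated   = $elevated
}
```

If `FolderGrantsGroup` is true but `SidInCurrentToken` is false, the folder is fine and the session's token is stale; if both are true and access still fails unelevated, compare the result with the elevated run.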

0 Answers