1

I am trying to create a PowerShell script that grants folder permissions to NETWORK SERVICE on different cultures. The main problem is that the NETWORK SERVICE, while present in all installations of Windows, has different names in different cultures, and I don't know how to handle this.

Here is the script I'm using:

```powershell
$appPath = "C:\SomeFolder"

$Acl = (Get-Item $appPath).GetAccessControl('Access')

$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("NETWORK SERVICE", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")

$Acl.SetAccessRule($Ar)

Set-Acl $appPath $Acl
```

Now this script works just fine on English versions of Windows. However, when trying to run it on a German version of Windows, I get the following error message (translated from German):

```
Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity
references could not be translated."
At C:\Experimental Files\GrantFolderPermissions.ps1:7 char:1
+ $Acl.SetAccessRule($Ar)
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdentityNotMappedException
```

How can I best handle this so this script will work culture independently?

Ansgar Wiechers
Kira Resari
  • 1
    Construct a [`SecurityIdentifier`](https://msdn.microsoft.com/en-us/library/214122bs(v=vs.110).aspx) using [well-known sid types](https://msdn.microsoft.com/en-us/library/system.security.principal.wellknownsidtype(v=vs.110).aspx) – Mathias R. Jessen Feb 02 '18 at 16:22

1 Answer

1

Use the well-known SID to determine the account name:

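```powershell
# S-1-5-20 is the well-known SID of NETWORK SERVICE on every Windows installation
$sid = [Security.Principal.SecurityIdentifier]'S-1-5-20'
# Translate the SID to the account name as it is spelled on this system
$acct = $sid.Translate([Security.Principal.NTAccount]).Value

$ace = New-Object Security.AccessControl.FileSystemAccessRule($acct, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
```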
Ansgar Wiechers
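The comment's suggestion carried through: the access rule is built from the well-known SID itself, so no localized account name is looked up at any point, and the ACL is read back by SID to confirm the entry. This is an added example, not code from the question or the answer; the function name `Grant-NetworkServiceAccess` and its `-Rights` parameter are assumptions made for illustration.

```powershell
# Added example: grant NETWORK SERVICE access by SID, independent of the OS language.
# Grant-NetworkServiceAccess is a hypothetical helper name, not an existing cmdlet.
function Grant-NetworkServiceAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'FullControl'
    )

    # WellKnownSidType.NetworkServiceSid is S-1-5-20; it needs no domain SID.
    $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList @(
        [System.Security.Principal.WellKnownSidType]::NetworkServiceSid, $null)

    # FileSystemAccessRule accepts an IdentityReference, so the SID is passed
    # directly instead of a translated (and culture-dependent) account name.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $sid, $Rights, $inherit, $propagate, $allow

    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Read the explicit (non-inherited) rules back as SIDs and confirm the entry
    # by SID value, which again avoids any name comparison.
    $applied = (Get-Acl -LiteralPath $Path).GetAccessRules(
            $true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq $allow
        }
    if (-not $applied) {
        throw "No explicit allow entry for $($sid.Value) found on $Path"
    }
    $applied
}

# Same folder as in the question
Grant-NetworkServiceAccess -Path 'C:\SomeFolder'
```

`FullControl` includes the rights to change permissions and take ownership; pass a narrower value such as `-Rights Modify` when the service only needs to read and write files.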