
I am trying to change permissions on a file through PowerShell, and am having trouble figuring out how to get this to work.

```powershell
$path1 = "\\somepath1\somefile1"
$path2 = "\\somepath2\somefile2"
$acl = Get-Acl $path1
$access_rule = New-Object System.Security.AccessControl.FileSystemAccessRule("User","Write","ContainerInherit,ObjectInherit","None","Deny")
$acl.SetAccessRule($access_rule)
$acl | Set-Acl $path2
```

"User" is a specified user group of many users, and is called something different in the actual code. This throws two errors:

```
Exception calling "SetAccessRule" with "1" argument(s): Some or all identity references could not be translated."

Set-Acl : Some or all identity references could not be translated.
```

Then, I try to dumb the code down, essentially trying to copy permissions of one file to another:

```powershell
$path1 = "\\somepath1\somefile1"
$path2 = "\\somepath2\somefile2"
Get-Acl -Path $path1 | Set-Acl -Path $path2
```

Even this throws an error:

```
Set-Acl : Some or all identity references could not be translated.
```

If I understand these errors correctly, then my "User" is not being properly defined. I try to get the "User" info by running the Get-ADUser cmdlet, but the ActiveDirectory module must not be installed, because I receive this error:

```
Get-ADUser : The term 'Get-AdUser' is not recognized as the name of a cmdlet,.........
```

My main question now is: how can I get the user SID information to properly change the permissions on the file? Am I missing a step somewhere? Is there a better way to change file permissions? Can I even try to change permissions for a group? I have hit a wall trying to find a solution, lol.

I have looked at the following sources for help:

link link link link link link link link

medicine_man
  • In the `get-acl -examples` text I saw this: "The second command uses Set-Acl to apply the security descriptor of Dog.txt to Cat.txt. When the command completes, the ACLs of the Dog.txt and Cat.txt files are identical." Example 3: Apply a security descriptor to multiple files: `PS C:\>$NewAcl = Get-Acl File0.txt` then `PS C:\>Get-ChildItem -Path "C:\temp" -Recurse -Include "*.txt" -Force | Set-Acl -AclObject $NewAcl`. Notice the `Set-Acl -AclObject`, not `-Path`. – yaquaholic Mar 22 '19 at 14:58
  • Are you referring to this [link](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-6)? When I run `Get-Acl -Path $path1 | Set-Acl -AclObject $path2`, I get an `Invalid Argument` error for `AclObject` in `Set-Acl`. – medicine_man Mar 22 '19 at 15:04
  • The problem is with the FileSystemAccessRule expecting 5 parameters. I found this post that covers it: https://stackoverflow.com/questions/26543127/powershell-setting-advanced-ntfs-permissions. I am playing with it myself, to see if I can get it to work. – yaquaholic Mar 22 '19 at 15:19
  • The `Get-Acl -Path $path1 | Set-Acl -Path $path2` works fine for me, but you are right, the `$acl.SetAccessRule($access_rule)` seems to throw that error every time, despite the `New-Object Security.AccessControl.FileSystemAccessRule` working perfectly. – yaquaholic Mar 22 '19 at 15:30
  • Yes, I can get the access rule, and see what its contents are: `$access_rule | fl` – medicine_man Mar 22 '19 at 15:33
  • `Get-Acl -Path $path1 | Set-Acl -Path $path2` still throws an error, lol. – medicine_man Mar 22 '19 at 15:33
  • My experiences with `Set-ACL` are bad. Many times I get strange errors. Instead of Set-ACL I always call the member function `SetAccessControl` from the DirectoryInfo object. For instance: `$ACL=Get-ACL $path1;(Get-Item $path2).SetAccessControl($ACL)` Hope this helps – Gert Jan Kraaijeveld Mar 22 '19 at 16:41
  • @GertJanKraaijeveld, the code snippet you gave me did not throw an error, but the permissions did not change. – medicine_man Mar 22 '19 at 18:54
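
Added example (not part of the original question or comments): one way to list which identities in the source file's security descriptor fail to translate on the machine running the script, and to build the Deny rule from a SID resolved through .NET rather than the ActiveDirectory module. `CONTOSO\FileEditors` is a placeholder group name and `Test-Translation` is a hypothetical helper; the paths are the ones from the question.

```powershell
# Added example. The account name is a placeholder; the paths are the question's.
$Source  = '\\somepath1\somefile1'
$Target  = '\\somepath2\somefile2'
$Account = 'CONTOSO\FileEditors'    # hypothetical group, written as DOMAIN\name

$SidType  = [System.Security.Principal.SecurityIdentifier]
$NameType = [System.Security.Principal.NTAccount]

function Test-Translation {
    # $true if the identity can be mapped to the requested type from this machine.
    param([System.Security.Principal.IdentityReference]$Identity, [type]$To)
    try   { [void]$Identity.Translate($To); $true }
    catch [System.Security.Principal.IdentityNotMappedException] { $false }
}

# 1. Read the source descriptor as raw SIDs and report which ones have a name mapping here.
$acl  = Get-Acl -Path $Source
$sids = @($acl.GetOwner($SidType), $acl.GetGroup($SidType)) +
        @($acl.GetAccessRules($true, $true, $SidType) | ForEach-Object IdentityReference)
$sids | Where-Object { $_ } | Sort-Object Value -Unique | ForEach-Object {
    [pscustomobject]@{ Sid = $_.Value; Resolves = Test-Translation $_ $NameType }
}

# 2. Resolve the group name to a SID without the ActiveDirectory module.
$group = [System.Security.Principal.NTAccount]::new($Account)
if (-not (Test-Translation $group $SidType)) {
    throw "Cannot resolve '$Account'; check the DOMAIN\name spelling and domain reachability."
}
$sid = $group.Translate($SidType)

# 3. Edit the target's own ACL instead of overwriting it with the source's.
#    The target is a file, so the three-argument constructor (no inheritance flags) is used.
$targetAcl = Get-Acl -Path $Target
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Write,
    [System.Security.AccessControl.AccessControlType]::Deny)
$targetAcl.SetAccessRule($rule)
Set-Acl -Path $Target -AclObject $targetAcl

# 4. Read the ACL back and confirm the Deny entry is present.
(Get-Acl -Path $Target).Access | Where-Object AccessControlType -eq 'Deny'
```

A SID reported with `Resolves = False` in step 1 is one that the machine running the script cannot map to an account name.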
