Powershell ACL AddAccessRule

Question

i am currently trying to set permissions using PowerShell.

This is my code:

    $Rights = [System.Security.AccessControl.FileSystemRights] "DeleteSubdirectoriesAndFiles, Write, ReadAndExecute, Synchronize"
    $Access=[System.Security.AccessControl.AccessControlType]::Allow
    $Inherit=[System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $Prop=[System.Security.AccessControl.PropagationFlags]::None

    $DirPath = "\\CENSOREDDIR" + $ComboBox1.SelectedItem + "\" + $TextBox1.Text
    Write-Host $DirPath
    New-Item $DirPath -ItemType Directory

    $GroupPath = $GruppenHT[$ComboBox1.SelectedItem]
    $GroupPathFull = "RES-" + $GroupPath + "-L-C"
    Write-Host "Group:"$GroupPathFull

    $AccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $GroupPathFull,$Rights,$Inherit,$Prop,$Access
    Write-Host "AccessRule:"$AccessRule

    $ACL = Get-ACL $DirPath
    Write-Host "DIR:"$DirPath


    $ACL.AddAccessRule($AccessRule)
    Write-Host "Permissions:"$ACL.Access

This is what the Output for debugging looks like:

Group: RES-CENSOREDGROUP-L-C <-- CORRECT

AccessRule: System.Security.AccessControl.FileSystemAccessRule

DIR: \\CENSOREDDIR\test <-- CORRECT

Permissions: System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule S
ystem.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule System.Security
.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule 

But nothing happens at all. No error is displayed, but the permission is not on the directory.

I also find it a bit strange that the variables are no longer available after the execution of the script. This is actually always the case in PowerShell ISE?

Is it because the whole thing is in a "Button_Click" event?

Maybe someone knows what to do.

Answer 1

You are only changing the object $ACL. You must apply it to $DirPath with Set-Acl:

Set-Acl $DirPath $ACL

Answer 2

#Blob soft delete #Blob soft delete is not yet supported when hierarchical namespace is enabled #Enable-AzStorageDeleteRetentionPolicy -RetentionDays $RetentionDaysForBlobs -Context $ctx

#>

<#

#double encryption #https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable?tabs=powershell

#creating a storage account with encryption using customer managed key is possible with below points #1. can be enabled only on existing storage accounts #2. customer managed keys relies on MI, so MI automatically gets created to storage account with having permissions like get, wrap key, unwrap key on keyvault URI. #3. moving storage accounts to different AD directory, the managed identity doesnt move and results in no access of key vault URI #https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview#enable-customer-managed-keys-for-a-storage-account

#Encrytpion scope for blob storage #https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-scope-overview

#specify an encryption scope when you create a blob or container #https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-scope-manage?tabs=portal#create-an-encryption-scope

#Configure encryption with customer-managed keys stored in Azure Key Vault #https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?tabs=powershell

#Configuring the encryption for auto updating the key versions in #https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?tabs=powershell#configure-encryption-for-automatic-updating-of-key-versions

#>

#Creating a managed identity for storage account #To enable this feature the permissions for adding managed identity on storage account needed