Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir

I'm looking for help on creating some PowerShell code that retrieves the current DACLs of a volume (or directory path) and stores them as a security descriptor. I had come across this page on the web (http://www.craig-tolley.co.uk/2016/02/09/assigning-permissions-to-a-volume-through-the-netapp-powershell-toolkit/) and it guided me through applying new permissions using the ONTAP PowerShell Toolkit - however, I cannot devise a way to modify the code so that an ACE can be removed from or added to the ACL (Security Descriptor).

I presume it's some combination of Get-NcFileDirectorySecurity and (New-NcFileDirectorySecurityNtfs or Add-NcFileDirectorySecurityNtfsDacl). I've investigated all of the *NcFileDirectorySecurity* cmdlets, and only Get-NcFileDirectorySecurity appears to retrieve currently applied permissions, but it cannot be piped into another cmdlet :-(

My larger objective is to build a WFA command that allows a user to add/remove an AD group from their volume. I've found the PowerShell toolkit to be much quicker and more straightforward than using Get-Acl / Set-Acl.

Connect-NcController $ClusterName

$volName = "vol_test_3"
$Vserver = "svm-lab-a"

Get-NcFileDirectorySecurity -Path "/$volName" -VserverContext $Vserver | New-NcFileDirectorySecurityNtfs -SecurityDescriptor $volName   # This part doesn't work! The first cmdlet returns ACLs, but doesn't store them within the SecurityDescriptor.

Get-NcFileDirectorySecurityNtfsDacl -SecurityDescriptor $volName -Vserver $Vserver   # My output is {Administrators, Users, CREATOR OWNER, SYSTEM}. I'm hoping to capture the DACLs of "/$volName" - such as displayed by (Get-NcFileDirectorySecurity -Path "/$volName" -VserverContext $Vserver).acls

Re: Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir

Could you resolve this issue?

If not, do let us know.

Regards
Abhi

Re: Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir

I have not found a solution to this.

My objective is to 'modify' existing NTFS directory ACLs using the ONTAP PowerShell module. The alternative is to use cacls.exe /T /E /G user:perm or cacls.exe /T /E /R user:perm - however, that is much slower and prone to problems if the executing AD user doesn't have FULL_CONTROL.

I was not able to get the PowerShell module commands to read existing DACLs into a security descriptor. I will eventually be putting these commands into a WFA workflow.