multiple permissions for same trustee - how to realize with powershell

Tim_Stiller — Wed, 04 Jun 2025 13:05:33 GMT

Hi all,

i got a question from a customer which i'd like to discuss here:

$tmpSDID  = "sd01"
$tmpPolID = "pol01"

# AAAAA
# create new SD with temp-ID
$sd = New-NcFileDirectorySecurityNtfs     -SecurityDescriptor $tmpSDID

# remove default entries from SD-DACL 
# defaults are for Creator/Owner ; nt auth/SYSTEM, builtin\administratros und bziltin\users all with full-control
Get-NcFileDirectorySecurityNtfsDacl -SecurityDescriptor $tmpSDID | Remove-NcFileDirectorySecurityNtfsDacl

# BBBBBB
# add permissions to DACL of the SD
$ace1 = Add-NcFileDirectorySecurityNtfsDacl -Account $g1 -SecurityDescriptor $tmpSDID -AccessType allow -Rights full_control -ApplyTo this_folder, sub_folders, files
$ace2 = Add-NcFileDirectorySecurityNtfsDacl -Account $g2 -SecurityDescriptor $tmpSDID -AccessType allow -Rights full_control -ApplyTo this_folder, sub_folders, files
$ace3 = Add-NcFileDirectorySecurityNtfsDacl -Account $g3 -SecurityDescriptor $tmpSDID -AccessType allow -Rights full_control -ApplyTo this_folder, sub_folders, files

# CCCCCCCCC
# create policy task
$poltsk = Add-NcFileDirectorySecurityPolicyTask -Name $tmpPolID -SecurityType ntfs -NtfsSecurityDescriptor $tmpSDID -Path $Path

# apply policy task
$r = Set-NcFileDirectorySecurity -Name $tmpPolID

# Cleanup of policy task and descriptors, wait 5 seconds to let the netapp digest...
Start-Sleep -Seconds 5
Remove-NcFileDirectorySecurityPolicy -Name $tmpPolID
Remove-NcFileDirectorySecurityNtfs   -Name $tmpSDID

Everything is fine till here. But the customer asks how to assign multiple permissions to the same trustee, which should work as follows:

 $ace1 = Add-NcFileDirectorySecurityNtfsDacl -Account $g1 -SecurityDescriptor $tmpSDID -AccessType allow -Rights read               -ApplyTo   this_folder
 $ace2 = Add-NcFileDirectorySecurityNtfsDacl -Account $g1 -SecurityDescriptor $tmpSDID -AccessType allow -Rights full_control -ApplyTo  sub_folders, files

But according to the customer this throws an error because of duplicate entries.

In a pure Windows Powershell-Environment the customer would handle like this:

$ACL = Get-Acl $Path
# Regel 1 : overwrite existing permissions of $Trustee with new ones
$ar = New-Object system.security.accesscontrol.filesystemaccessrule($Trustee,$Permission,$inhCIOI,$propNone,"Allow")
$ACL.SetAccessRule($ar)

# Regel2: add additional permissions to $Trustee
$ar = New-Object system.security.accesscontrol.filesystemaccessrule($Trustee,$anderePermission,$inhCIOI,$andereProp,"Allow")
$ACL.AddAccessRule($ar)                Set-Acl -Path $Path  -AclObject $ACL

How can we achieve the same with our Powershell SDK?

any input is appreciated!

thanks

Tim

Re: multiple permissions for same trustee - how to realize with powershell

Tim_Stiller — Tue, 27 Nov 2018 09:56:19 GMT

what is the way to get this fixed? Create a case although PSTK is only under community-support?

Re: multiple permissions for same trustee - how to realize with powershell

GidonMarcus — Tue, 27 Nov 2018 10:06:55 GMT

i'm afraid i don't know - i'm myself a customer. i expect that if it's a reproducible issue it will qualify to a case and a burt. hence i also provided the links to help "building" the case.

topic multiple permissions for same trustee - how to realize with powershell in Microsoft Virtualization Discussions

multiple permissions for same trustee - how to realize with powershell

Re: multiple permissions for same trustee - how to realize with powershell

Re: multiple permissions for same trustee - how to realize with powershell

Re: multiple permissions for same trustee - how to realize with powershell