https://community.netapp.com/t5/Microsoft-Virtualization-Discussions/PoSH-options-to-set-NTFS-permissions/m-p/14123#M719 <HTML><HEAD></HEAD><BODY><P style="font-size: 14px; font-family: Arial;">I'm cross-posting this note in both the <STRONG>NetApp PowerShell Toolkit</STRONG> (MS Cloud and Svr Virt) and the <STRONG>Workflow Automation </STRONG>communities as the audience I'm looking for probably spans both.</P><P></P><P style="font-size: 14px; font-family: Arial;">Many NetApp CIFS users create single Volume/CIFS-share combos (or a qtree within) and then control access to portions of it by setting&nbsp; NTFS folder/file permissions on the qtree or folders with the share. I'm trying to advise customers the options available for doing this in an automated fashion. Options I'm aware of include:</P><UL><LI>DOT 7-mode <STRONG>fsecurity</STRONG> command (automated via the DataONTAPPS Toolkit using Invoke-NaSsh and NaFile cmdlets</LI><LI>Get-ACL/Set-ACL cmdlets built into PowerShell (or at least they are on my system <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></LI></UL><P></P><P style="font-size: 14px; font-family: Arial;">Since I believe the <STRONG>fsecurity</STRONG> command is 7-mode only, I'm leaning towards recommending Get-ACL &amp; Set-ACL since I presume these would work in both a 7-mode and cDOT environment. The idea would use NetApp PS Toolkit cmdlets to create a volume and share, then the PoSH code would <STRONG>map</STRONG> to the newly created share (<STRONG>\\filer\share</STRONG>), then create <STRONG>folder</STRONG>(s) within it and apply permissions to the <STRONG>folder</STRONG> using Get/Set-ACL cmdlets.</P><P></P><P style="font-size: 14px; font-family: Arial;">However, reading this article ...</P><P style="font-size: 14px; font-family: Arial; color: #2889c5;"><SPAN style="color: #575757;">&nbsp;&nbsp; <A href="http://technet.microsoft.com/en-us/magazine/2008.02.powershell.aspx" target="_blank"><SPAN style="color: #2889c5;">http://technet.microsoft.com/en-us/magazine/2008.02.powershell.aspx</SPAN></A></SPAN></P><P></P><P style="font-size: 14px; font-family: Arial; color: #323333;"><SPAN style="color: #575757;">... there is this statement: "... </SPAN><SPAN style="font-family: Verdana;">Additionally, the .NET Framework doesn't provide classes that represent the permissions in every type of Windows resource. </SPAN>For example, while the .NET Framework provides classes that let you manipulate file security, it doesn't provide classes that let you work with the security on <STRONG>shared folders. ...</STRONG>"&nbsp; </P><P></P><P style="font-size: 14px; font-family: Arial; color: #323333;">Q1: I'm a little fuzzy on MS CIFS terminology, but is this saying how I envisioned using Get/Set-ACL above would NOT work ... because the mapped folder is being accessed via the CIFS sharing protocol?</P><P></P><P style="font-size: 14px; font-family: Arial; color: #323333;">Q2: I also see mention of the Dsacls.exe, Cacls.exe, and Xcacls.exe CLI commands. Can anyone comment as to if this 'would' or wouldn't work against a folder/file being access in a CIFS share?</P><P></P><P style="font-size: 14px; font-family: Arial; color: #323333;">Q3: I have working examples of WFA commands that use the <STRONG>fsecurity</STRONG> command but they are 7-mode mode only. Another question is if/how would NetApp recommend doing similar functions in a cDOT environment?</P><P></P><P style="font-size: 14px; font-family: Arial; color: #323333;">Q4: Lastly ... Is anyone aware of PoSH or WFA cmds that automate NTFS folder/file permission setting using techniques other than that f<STRONG>security</STRONG> command ... or is that the only way?</P><P></P><P style="font-size: 14px; font-family: Arial; color: #323333;">Dave,</P></BODY></HTML> Thu, 05 Jun 2025 05:32:31 GMT korns 2025-06-05T05:32:31Z https://community.netapp.com/t5/Microsoft-Virtualization-Discussions/PoSH-options-to-set-NTFS-permissions/m-p/14123#M719 <HTML><HEAD></HEAD><BODY><P style="font-size: 14px; font-family: Arial;">I'm cross-posting this note in both the <STRONG>NetApp PowerShell Toolkit</STRONG> (MS Cloud and Svr Virt) and the <STRONG>Workflow Automation </STRONG>communities as the audience I'm looking for probably spans both.</P><P></P><P style="font-size: 14px; font-family: Arial;">Many NetApp CIFS users create single Volume/CIFS-share combos (or a qtree within) and then control access to portions of it by setting&nbsp; NTFS folder/file permissions on the qtree or folders with the share. I'm trying to advise customers the options available for doing this in an automated fashion. Options I'm aware of include:</P><UL><LI>DOT 7-mode <STRONG>fsecurity</STRONG> command (automated via the DataONTAPPS Toolkit using Invoke-NaSsh and NaFile cmdlets</LI><LI>Get-ACL/Set-ACL cmdlets built into PowerShell (or at least they are on my system <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></LI></UL><P></P><P style="font-size: 14px; font-family: Arial;">Since I believe the <STRONG>fsecurity</STRONG> command is 7-mode only, I'm leaning towards recommending Get-ACL &amp; Set-ACL since I presume these would work in both a 7-mode and cDOT environment. The idea would use NetApp PS Toolkit cmdlets to create a volume and share, then the PoSH code would <STRONG>map</STRONG> to the newly created share (<STRONG>\\filer\share</STRONG>), then create <STRONG>folder</STRONG>(s) within it and apply permissions to the <STRONG>folder</STRONG> using Get/Set-ACL cmdlets.</P><P></P><P style="font-size: 14px; font-family: Arial;">However, reading this article ...</P><P style="font-size: 14px; font-family: Arial; color: #2889c5;"><SPAN style="color: #575757;">&nbsp;&nbsp; <A href="http://technet.microsoft.com/en-us/magazine/2008.02.powershell.aspx" target="_blank"><SPAN style="color: #2889c5;">http://technet.microsoft.com/en-us/magazine/2008.02.powershell.aspx</SPAN></A></SPAN></P><P></P><P style="font-size: 14px; font-family: Arial; color: #323333;"><SPAN style="color: #575757;">... there is this statement: "... </SPAN><SPAN style="font-family: Verdana;">Additionally, the .NET Framework doesn't provide classes that represent the permissions in every type of Windows resource. </SPAN>For example, while the .NET Framework provides classes that let you manipulate file security, it doesn't provide classes that let you work with the security on <STRONG>shared folders. ...</STRONG>"&nbsp; </P><P></P><P style="font-size: 14px; font-family: Arial; color: #323333;">Q1: I'm a little fuzzy on MS CIFS terminology, but is this saying how I envisioned using Get/Set-ACL above would NOT work ... because the mapped folder is being accessed via the CIFS sharing protocol?</P><P></P><P style="font-size: 14px; font-family: Arial; color: #323333;">Q2: I also see mention of the Dsacls.exe, Cacls.exe, and Xcacls.exe CLI commands. Can anyone comment as to if this 'would' or wouldn't work against a folder/file being access in a CIFS share?</P><P></P><P style="font-size: 14px; font-family: Arial; color: #323333;">Q3: I have working examples of WFA commands that use the <STRONG>fsecurity</STRONG> command but they are 7-mode mode only. Another question is if/how would NetApp recommend doing similar functions in a cDOT environment?</P><P></P><P style="font-size: 14px; font-family: Arial; color: #323333;">Q4: Lastly ... Is anyone aware of PoSH or WFA cmds that automate NTFS folder/file permission setting using techniques other than that f<STRONG>security</STRONG> command ... or is that the only way?</P><P></P><P style="font-size: 14px; font-family: Arial; color: #323333;">Dave,</P></BODY></HTML> Thu, 05 Jun 2025 05:32:31 GMT https://community.netapp.com/t5/Microsoft-Virtualization-Discussions/PoSH-options-to-set-NTFS-permissions/m-p/14123#M719 korns 2025-06-05T05:32:31Z