topic Re: Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir in Active IQ Unified Manager Discussions

Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir

ChadPruden — Mon, 16 Jan 2017 19:09:10 GMT

I'm looking for help on creating some powershell code that retrieves the current DACLs of a volume (or directory path) and stores it as a security descriptor. I had come across this page on the web (http://www.craig-tolley.co.uk/2016/02/09/assigning-permissions-to-a-volume-through-the-netapp-powershell-toolkit/) and it guided me through applying new permissions using the OnTap Powershell toolkit - however I cannot devise a way to modify the code so that an ACE can be removed or added to the ACL (Security Descriptor).

I presume it's some combination of Get-NcFileDirectorySecurity and (New-NcFileDirectorySecurityNtfs or Add-NcFileDirectorySecurityNtfsDacl). I've investigated all of the *NcFileDirectorySecurity* cmdlets, and only Get-NCFileDirectorySecurity appears to retrieve currently applied permissions, but it cannot be pipe'd into another cmdlet 😞

My larger objective is to build a WFA command that allows a user to add/remove an AD Group from their volume. I've found the Powershell toolkit to be much quicker and straightforward than using (Get-Acl / Set-Acl)

connect-NcController $ClusterName

$volName = "vol_test_3"
$Vserver = "svm-lab-a"

Get-NcFileDirectorySecurity -Path "/$volName" -VserverContext $Vserver | New-NcFileDirectorySecurityNtfs -SecurityDescriptor $VolName #this part doesn't work! First cmdlet returns ACLs, but doesn't store it within SecurityDescriptor.

Get-NcFileDirectorySecurityNtfsDacl -SecurityDescriptor $volName -Vserver $vserver #my output is {Administrators,Users,CREATOR OWNER, SYSTEM}. I'm hoping to capture the DACLs of "/$VolName" - such as displayed by (Get-NcFileDirectorySecurity -Path "/$volName" -VserverContext $Vserver).acls

Re: Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir

abhit — Tue, 07 Mar 2017 04:01:01 GMT

Could you resolve this issue?

If not, do let us know.

Regards
Abhi

Re: Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir

ChadPruden — Tue, 07 Mar 2017 13:48:08 GMT

I have not found a solution to this.

My objective is to 'modify' existing NTFS directory ACLs using the Ontap Powershell module. The alternative is to use cacls.exe /T /E /G user:perm or cacls.exe /T /E /R user:perm - however that is much slower and prone to problems if the executing AD user doesn't have FULL_CONTROL.

I was not able to get the Powershell module commands to read existing DACLs into a security descriptor. I will eventually be putting these commands into a WFA workflow.

Re: Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir

ChadPruden — Thu, 22 Feb 2018 21:40:19 GMT

I'm looking for the equivilent of

vserver security file-directory show

That would create a SecurityDescriptor from inputted directory path

Re: Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir

asulliva — Thu, 22 Feb 2018 21:44:19 GMT

Hello @ChadPruden,

You'll want to use the Get-NcFileDirectorySecurity cmdlet.

Hope that helps.

Andrew

Re: Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir

ChadPruden — Thu, 22 Feb 2018 21:55:13 GMT

Any tips on getting that into a SecurityDescriptor object that I could then modify and re-apply to the directory ACEs? It appears the output is just TEXT and I'd have to parse it extensively.

??                                     #Create Security Descriptor from the active ACEs
Add-NcFileDirectorySecurityNTFSDacl    #Modify Security Descriptor 
Set-NcFileDirectorySecurity            #Apply modified permissions

Re: Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir

sysir — Tue, 20 Apr 2021 08:03:34 GMT

Did you ever find a solution for this using the powershell module?

Re: Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir

Kgarello — Mon, 21 Apr 2025 15:48:57 GMT

There has been no response to this query in 4 years. Does this mean it is not possible with powershell?

My general question is ... Can you use powershell to add a permission to an existing set of permission for a folder? If so, does anyone have an example? 9.15.1P3

Re: Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir

Kgarello — Wed, 23 Apr 2025 14:14:12 GMT

I was able to work this out with the API:

/api/protocols/file-security/permissions/$($SVMUuid)/$($path)/acl