Active IQ Unified Manager Discussions
I'm looking for help on creating some PowerShell code that retrieves the current DACLs of a volume (or directory path) and stores it as a security descriptor. I had come across this page on the web (http://www.craig-tolley.co.uk/2016/02/09/assigning-permissions-to-a-volume-through-the-netapp-powershell-toolkit/) and it guided me through applying new permissions using the ONTAP PowerShell toolkit - however I cannot devise a way to modify the code so that an ACE can be removed or added to the ACL (Security Descriptor).
I presume it's some combination of Get-NcFileDirectorySecurity and (New-NcFileDirectorySecurityNtfs or Add-NcFileDirectorySecurityNtfsDacl). I've investigated all of the *NcFileDirectorySecurity* cmdlets, and only Get-NCFileDirectorySecurity appears to retrieve currently applied permissions, but it cannot be piped into another cmdlet 😞
My larger objective is to build a WFA command that allows a user to add/remove an AD Group from their volume. I've found the PowerShell toolkit to be much quicker and more straightforward than using (Get-Acl / Set-Acl).
Connect-NcController $ClusterName
$volName = "vol_test_3"
$Vserver = "svm-lab-a"
# This part doesn't work! First cmdlet returns ACLs, but doesn't store it within SecurityDescriptor.
Get-NcFileDirectorySecurity -Path "/$volName" -VserverContext $Vserver | New-NcFileDirectorySecurityNtfs -SecurityDescriptor $VolName
# My output is {Administrators, Users, CREATOR OWNER, SYSTEM}. I'm hoping to capture the DACLs of "/$VolName" - such as displayed by (Get-NcFileDirectorySecurity -Path "/$volName" -VserverContext $Vserver).acls
Get-NcFileDirectorySecurityNtfsDacl -SecurityDescriptor $volName -Vserver $vserver
Could you resolve this issue?
If not, do let us know.
Regards
Abhi
I have not found a solution to this.
My objective is to 'modify' existing NTFS directory ACLs using the ONTAP PowerShell module. The alternative is to use cacls.exe /T /E /G user:perm or cacls.exe /T /E /R user:perm - however that is much slower and prone to problems if the executing AD user doesn't have FULL_CONTROL.
I was not able to get the PowerShell module commands to read existing DACLs into a security descriptor. I will eventually be putting these commands into a WFA workflow.
I'm looking for the equivalent of
vserver security file-directory show
that would create a SecurityDescriptor from an inputted directory path.
Hello @ChadPruden,
You'll want to use the Get-NcFileDirectorySecurity cmdlet.
Hope that helps.
Andrew
Any tips on getting that into a SecurityDescriptor object that I could then modify and re-apply to the directory ACEs? It appears the output is just TEXT and I'd have to parse it extensively.
?? #Create Security Descriptor from the active ACEs
Add-NcFileDirectorySecurityNTFSDacl #Modify Security Descriptor
Set-NcFileDirectorySecurity #Apply modified permissions
Did you ever find a solution for this using the PowerShell module?