Active IQ Unified Manager Discussions

Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir

ChadPruden
7,420 Views

I'm looking for help on creating some powershell code that retrieves the current DACLs of a volume (or directory path) and stores it as a security descriptor.  I had come across this page on the web (http://www.craig-tolley.co.uk/2016/02/09/assigning-permissions-to-a-volume-through-the-netapp-powershell-toolkit/) and it guided me through applying new permissions using the OnTap Powershell toolkit - however I cannot devise a way to modify the code so that an ACE can be removed or added to the ACL (Security Descriptor).

 

I presume it's some combination of Get-NcFileDirectorySecurity and (New-NcFileDirectorySecurityNtfs or Add-NcFileDirectorySecurityNtfsDacl).  I've investigated all of the *NcFileDirectorySecurity* cmdlets, and only Get-NCFileDirectorySecurity appears to retrieve currently applied permissions, but it cannot be pipe'd into another cmdlet 😞

 

My larger objective is to build a WFA command that allows a user to add/remove an AD Group from their volume.   I've found the Powershell toolkit to be much quicker and straightforward than using (Get-Acl / Set-Acl)

 

 

 

 

connect-NcController $ClusterName

 

$volName = "vol_test_3"
$Vserver = "svm-lab-a"

 

Get-NcFileDirectorySecurity -Path "/$volName" -VserverContext $Vserver | New-NcFileDirectorySecurityNtfs -SecurityDescriptor $VolName     #this part doesn't work!   First cmdlet returns ACLs, but doesn't store it within SecurityDescriptor.

Get-NcFileDirectorySecurityNtfsDacl -SecurityDescriptor $volName -Vserver $vserver   #my output is {Administrators,Users,CREATOR OWNER, SYSTEM}.   I'm hoping to capture the DACLs of "/$VolName" - such as displayed by (Get-NcFileDirectorySecurity -Path "/$volName" -VserverContext $Vserver).acls

6 REPLIES 6

abhit
7,258 Views

Could you resolve this issue?

If not, do let us know.

 

Regards
Abhi

ChadPruden
7,237 Views

I have not found a solution to this.

 

My objective is to 'modify' existing NTFS directory ACLs using the Ontap Powershell module.  The alternative is to use cacls.exe /T /E /G user:perm  or cacls.exe /T /E /R user:perm - however that is much slower and prone to problems if the executing AD user doesn't have FULL_CONTROL.

 

I was not able to get the Powershell module commands to read existing DACLs into a security descriptor.  I will eventually be putting these commands into a WFA workflow.

ChadPruden
6,700 Views

I'm looking for the equivilent of 

 

vserver security file-directory show 

That would create a SecurityDescriptor from inputted directory path

asulliva
6,698 Views

Hello @ChadPruden,

 

You'll want to use the Get-NcFileDirectorySecurity cmdlet.

 

Hope that helps.

 

Andrew

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

ChadPruden
6,694 Views

Any tips on getting that into a SecurityDescriptor object that I could then modify and re-apply to the directory ACEs?  It appears the output is just TEXT and I'd have to parse it extensively.

 

??                                     #Create Security Descriptor from the active ACEs
Add-NcFileDirectorySecurityNTFSDacl #Modify Security Descriptor Set-NcFileDirectorySecurity #Apply modified permissions

sysir
4,785 Views

Did you ever find a solution for this using the powershell module?

Public