
Ontap PowerShell Toolkit: How to create a security descriptor from the DACLs of an existing dir


I'm looking for help on creating some PowerShell code that retrieves the current DACLs of a volume (or directory path) and stores it as a security descriptor. I had come across this page on the web ( and it guided me through applying new permissions using the OnTap PowerShell toolkit - however I cannot devise a way to modify the code so that an ACE can be removed or added to the ACL (Security Descriptor).


I presume it's some combination of Get-NcFileDirectorySecurity and (New-NcFileDirectorySecurityNtfs or Add-NcFileDirectorySecurityNtfsDacl). I've investigated all of the *NcFileDirectorySecurity* cmdlets, and only Get-NCFileDirectorySecurity appears to retrieve currently applied permissions, but it cannot be piped into another cmdlet 😞


My larger objective is to build a WFA command that allows a user to add/remove an AD Group from their volume. I've found the PowerShell toolkit to be much quicker and more straightforward than using (Get-Acl / Set-Acl).





connect-NcController $ClusterName


$volName = "vol_test_3"
$Vserver = "svm-lab-a"


Get-NcFileDirectorySecurity -Path "/$volName" -VserverContext $Vserver | New-NcFileDirectorySecurityNtfs -SecurityDescriptor $VolName     #this part doesn't work!   First cmdlet returns ACLs, but doesn't store it within SecurityDescriptor.

Get-NcFileDirectorySecurityNtfsDacl -SecurityDescriptor $volName -Vserver $vserver   #my output is {Administrators,Users,CREATOR OWNER, SYSTEM}.   I'm hoping to capture the DACLs of "/$VolName" - such as displayed by (Get-NcFileDirectorySecurity -Path "/$volName" -VserverContext $Vserver).acls



Could you resolve this issue?

If not, do let us know.




I'm looking for the equivalent of


vserver security file-directory show 

That would create a SecurityDescriptor from inputted directory path


Hello @ChadPruden,


You'll want to use the Get-NcFileDirectorySecurity cmdlet.


Hope that helps.





Any tips on getting that into a SecurityDescriptor object that I could then modify and re-apply to the directory ACEs?  It appears the output is just TEXT and I'd have to parse it extensively.


??                                     #Create Security Descriptor from the active ACEs
Add-NcFileDirectorySecurityNTFSDacl    #Modify Security Descriptor
Set-NcFileDirectorySecurity            #Apply modified permissions


Did you ever find a solution for this using the powershell module?


I have not found a solution to this.


My objective is to 'modify' existing NTFS directory ACLs using the Ontap Powershell module.  The alternative is to use cacls.exe /T /E /G user:perm  or cacls.exe /T /E /R user:perm - however that is much slower and prone to problems if the executing AD user doesn't have FULL_CONTROL.


I was not able to get the Powershell module commands to read existing DACLs into a security descriptor.  I will eventually be putting these commands into a WFA workflow.
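
Added example, not from the thread and not NetApp's own code: the thread notes that the existing ACEs come back as text that would have to be parsed, so this sketch turns such strings into objects that can be filtered before a descriptor is rebuilt. It assumes the ACE layout `TYPE-ACCOUNT-0xMASK[-FLAGS][ (Inherited)]`; the function name `ConvertFrom-OntapAce`, the account `CORP\grp-finance-rw` and the sample lines are constructed, and no toolkit cmdlet is called.

```powershell
# Hypothetical helper (not part of the ONTAP PowerShell Toolkit).
function ConvertFrom-OntapAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Ace
    )
    begin {
        # Assumed layout: TYPE-ACCOUNT-0xMASK[-FLAGS][ (Inherited)].
        # The greedy account group is anchored on the hex mask, so account
        # names that themselves contain '-' are kept whole.
        $pattern = '^\s*(?<Type>ALLOW|DENY)-(?<Account>.+)-(?<Mask>0x[0-9a-fA-F]+)' +
                   '(?:-(?<Flags>[A-Z|]+))?(?<Inherited>\s*\(Inherited\))?\s*$'
    }
    process {
        if ($Ace -match $pattern) {
            [pscustomobject]@{
                Type      = $Matches.Type
                Account   = $Matches.Account
                Mask      = [Convert]::ToUInt32($Matches.Mask, 16)
                Flags     = if ($Matches.Flags) { $Matches.Flags -split '\|' } else { @() }
                Inherited = [bool]$Matches.Inherited
            }
        }
        else {
            # Headers and blank lines are reported rather than silently dropped.
            Write-Warning "Skipped non-ACE line: '$Ace'"
        }
    }
}

# Constructed sample standing in for the .acls strings mentioned in the thread.
$sample = @(
    'DACL - ACEs'
    'ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI'
    'ALLOW-CORP\grp-finance-rw-0x1301bf-OI|CI'
    'ALLOW-CREATOR OWNER-0x1f01ff-OI|CI (Inherited)'
)
$aces = $sample | ConvertFrom-OntapAce

# Explicit entries that would remain after removing one group: inherited ACEs
# are left out because they come from the parent, not from this path.
$remove = 'CORP\grp-finance-rw'
$aces | Where-Object { -not $_.Inherited -and $_.Account -ne $remove } |
    Format-Table Type, Account, @{ n = 'Mask'; e = { '0x{0:x}' -f $_.Mask } }, Flags
```

Comparing the parsed list before and after a change gives a reviewable record of exactly which accounts gained or lost access.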
