
PoSH options to set NTFS permissions


I'm cross-posting this note in both the NetApp PowerShell Toolkit (MS Cloud and Svr Virt) and the Workflow Automation communities as the audience I'm looking for probably spans both.

Many NetApp CIFS users create single Volume/CIFS-share combos (or a qtree within) and then control access to portions of it by setting NTFS folder/file permissions on the qtree or folders within the share. I'm trying to advise customers on the options available for doing this in an automated fashion. Options I'm aware of include:

  • DOT 7-mode fsecurity command (automated via the DataONTAPPS Toolkit using Invoke-NaSsh and NaFile cmdlets)
  • Get-ACL/Set-ACL cmdlets built into PowerShell (or at least they are on my system 🙂)

Since I believe the fsecurity command is 7-mode only, I'm leaning towards recommending Get-ACL & Set-ACL since I presume these would work in both a 7-mode and cDOT environment. The idea would use NetApp PS Toolkit cmdlets to create a volume and share, then the PoSH code would map to the newly created share (\\filer\share), then create folder(s) within it and apply permissions to the folder using Get/Set-ACL cmdlets.

However, reading this article ...

... there is this statement: "... Additionally, the .NET Framework doesn't provide classes that represent the permissions in every type of Windows resource. For example, while the .NET Framework provides classes that let you manipulate file security, it doesn't provide classes that let you work with the security on shared folders. ..."

Q1: I'm a little fuzzy on MS CIFS terminology, but is this saying how I envisioned using Get/Set-ACL above would NOT work ... because the mapped folder is being accessed via the CIFS sharing protocol?

Q2: I also see mention of the Dsacls.exe, Cacls.exe, and Xcacls.exe CLI commands. Can anyone comment as to if this 'would' or wouldn't work against a folder/file being accessed in a CIFS share?

Q3: I have working examples of WFA commands that use the fsecurity command but they are 7-mode only. Another question is if/how would NetApp recommend doing similar functions in a cDOT environment?

Q4: Lastly ... Is anyone aware of PoSH or WFA cmds that automate NTFS folder/file permission setting using techniques other than that fsecurity command ... or is that the only way?
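
The Get-ACL/Set-ACL workflow described in the post (create a folder under \\filer\share, then apply NTFS permissions to it), as an added example that is not part of the original post. The folder name and the CONTOSO group names are hypothetical placeholders, and the account running it is assumed to have permission to change ACLs on the share; Get-Acl and Set-Acl here act on the folder's NTFS security descriptor, not on share-level permissions.

```powershell
# Added example: folder and group names below are placeholders, not values from the post.
param(
    [string]$SharePath   = '\\filer\share',        # share path as written in the post
    [string]$FolderName  = 'Finance',              # hypothetical folder
    [string]$ModifyGroup = 'CONTOSO\Finance-RW',   # hypothetical read/write group
    [string]$ReadGroup   = 'CONTOSO\Finance-RO'    # hypothetical read-only group
)

$ErrorActionPreference = 'Stop'

# Create the folder inside the share if it does not exist yet.
$folder = Join-Path $SharePath $FolderName
if (-not (Test-Path -LiteralPath $folder)) {
    New-Item -ItemType Directory -Path $folder | Out-Null
}

$acl = Get-Acl -LiteralPath $folder

# Break inheritance from the share root. The second argument ($false) discards
# the inherited entries, so only the explicit rules added below remain.
$acl.SetAccessRuleProtection($true, $false)

# Apply each rule to the folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# Least-privilege grants: administrators keep control, groups get only what they need.
$grants = [ordered]@{
    'BUILTIN\Administrators' = 'FullControl'
    $ModifyGroup             = 'Modify'
    $ReadGroup               = 'ReadAndExecute'
}
foreach ($identity in $grants.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $grants[$identity], $inherit, $propagate, $allow)
    $acl.AddAccessRule($rule)
}

Set-Acl -LiteralPath $folder -AclObject $acl

# Read the ACL back and list the explicit entries to confirm what was written.
(Get-Acl -LiteralPath $folder).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```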