Microsoft Virtualization Discussions

multiple permissions for same trustee - how to realize with powershell

Tim_Stiller
3,355 Views

Hi all,

 

i got a question from a customer which i'd like to discuss here:

 

$tmpSDID  = "sd01"
$tmpPolID = "pol01"

# AAAAA # create new SD with temp-ID $sd = New-NcFileDirectorySecurityNtfs -SecurityDescriptor $tmpSDID
# remove default entries from SD-DACL # defaults are for Creator/Owner ; nt auth/SYSTEM, builtin\administratros und bziltin\users all with full-control Get-NcFileDirectorySecurityNtfsDacl -SecurityDescriptor $tmpSDID | Remove-NcFileDirectorySecurityNtfsDacl # BBBBBB # add permissions to DACL of the SD $ace1 = Add-NcFileDirectorySecurityNtfsDacl -Account $g1 -SecurityDescriptor $tmpSDID -AccessType allow -Rights full_control -ApplyTo this_folder, sub_folders, files $ace2 = Add-NcFileDirectorySecurityNtfsDacl -Account $g2 -SecurityDescriptor $tmpSDID -AccessType allow -Rights full_control -ApplyTo this_folder, sub_folders, files $ace3 = Add-NcFileDirectorySecurityNtfsDacl -Account $g3 -SecurityDescriptor $tmpSDID -AccessType allow -Rights full_control -ApplyTo this_folder, sub_folders, files # CCCCCCCCC # create policy task $poltsk = Add-NcFileDirectorySecurityPolicyTask -Name $tmpPolID -SecurityType ntfs -NtfsSecurityDescriptor $tmpSDID -Path $Path # apply policy task $r = Set-NcFileDirectorySecurity -Name $tmpPolID # Cleanup of policy task and descriptors, wait 5 seconds to let the netapp digest... Start-Sleep -Seconds 5 Remove-NcFileDirectorySecurityPolicy -Name $tmpPolID Remove-NcFileDirectorySecurityNtfs -Name $tmpSDID

Everything is fine till here. But the customer asks how to assign multiple permissions to the same trustee, which should work as follows:

 $ace1 = Add-NcFileDirectorySecurityNtfsDacl -Account $g1 -SecurityDescriptor $tmpSDID -AccessType allow -Rights read               -ApplyTo   this_folder
$ace2 = Add-NcFileDirectorySecurityNtfsDacl -Account $g1 -SecurityDescriptor $tmpSDID -AccessType allow -Rights full_control -ApplyTo sub_folders, files

But according to the customer this throws an error because of duplicate entries.

 

In a pure Windows Powershell-Environment the customer would handle like this:

$ACL = Get-Acl $Path
# Regel 1 : overwrite existing permissions of $Trustee with new ones
$ar = New-Object system.security.accesscontrol.filesystemaccessrule($Trustee,$Permission,$inhCIOI,$propNone,"Allow")
$ACL.SetAccessRule($ar)

# Regel2: add additional permissions to $Trustee
$ar = New-Object system.security.accesscontrol.filesystemaccessrule($Trustee,$anderePermission,$inhCIOI,$andereProp,"Allow")
$ACL.AddAccessRule($ar)                Set-Acl -Path $Path  -AclObject $ACL

 

How can we achieve the same with our Powershell SDK?

 

any input is appreciated!

 

thanks

Tim

3 REPLIES 3

GidonMarcus
3,266 Views

Tim_Stiller
3,260 Views

what is the way to get this fixed? Create a case although PSTK is only under community-support?

GidonMarcus
3,253 Views

i'm afraid i don't know - i'm myself a customer.  i expect that if it's a reproducible issue it will qualify to a case and a burt. hence i also provided the links to help "building" the case.

 

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
Public