raandree / NTFSSecurity

Managing permissions with PowerShell is only a bit easier than in VBS or the command line as there are no cmdlets for most day-to-day tasks like getting a permission report or adding permission to an item. PowerShell only offers Get-Acl and Set-Acl but everything in between getting and setting the ACL is missing. This module closes the gap.
MIT License

Add-NTFSAccess behaves differently for UNC Path vs Absolute Path #67

Open anujpotnis opened 4 years ago

anujpotnis commented 4 years ago

When I run Add-NTFSAccess with a UNC Path, it removes all the previous users and adds only the user for which I added permissions. When I run with Absolute Path, it adds to the previous users.

# Define variables
  $rootFolderPath = 'C:\'
  $folder = 'SomeFolder'

# Share folder using SMB
  $fullFolderPath = $rootFolderPath + $folder
  New-SmbShare -Name $folder -Path $fullFolderPath -FullAccess 'Everyone'

# Set NTFS Permissions
  # UNC Path
  $fullFolderPath = '\\' + $env:COMPUTERNAME + '\' + $folder
  # Absolute Path
  # $fullFolderPath = $rootFolderPath + $folder

  $group = $env:USERDOMAIN + '\' + 'someGroup'

  $X1 = @{
    Path         = $fullFolderPath
    Account      = $group
    AccessRights = 'FullControl'
    AccessType   = 'Allow'
    AppliesTo    = 'ThisFolderSubfoldersAndFiles'
  }
  Add-NTFSAccess @X1

raandree commented 4 years ago

Unfortunately, I cannot reproduce the behavior. When cleaning the ACL on a local and remote folder and adding 3 ACEs, it looks as expected:

$d1 = mkdir -Path \\dscdo01\Artifacts\Test -Force
$d2 = mkdir -Path D:\Test -Force

$d1 | Clear-NTFSAccess -DisableInheritance
$d2 | Clear-NTFSAccess -DisableInheritance

$d1 | Add-NTFSAccess -Account randr -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
$d1 | Add-NTFSAccess -Account Test1 -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
$d1 | Add-NTFSAccess -Account Test2 -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles

$d2 | Add-NTFSAccess -Account randr -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
$d2 | Add-NTFSAccess -Account Test1 -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
$d2 | Add-NTFSAccess -Account Test2 -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles

$d1 | Get-NTFSAccess
$d2 | Get-NTFSAccess

The output of Get-NTFSAccess is this:

    Path: \\dscdo01\Artifacts\Test (Inheritance disabled)

Account                             Access Rights                   Applies to                Type                            IsInherited                     InheritedFrom                  
-------                             -------------                   ----------                ----                            -----------                     -------------                  
RAANDREE2\randr                     FullControl                     ThisFolderSubfoldersAn... Allow                           False                                                          
RAANDREE2\Test1                     FullControl                     ThisFolderSubfoldersAn... Allow                           False                                                          
RAANDREE2\Test2                     FullControl                     ThisFolderSubfoldersAn... Allow                           False                                                          

    Path: D:\Test (Inheritance disabled)

Account                             Access Rights                   Applies to                Type                            IsInherited                     InheritedFrom                  
-------                             -------------                   ----------                ----                            -----------                     -------------                  
RAANDREE2\randr                     FullControl                     ThisFolderSubfoldersAn... Allow                           False                                                          
RAANDREE2\Test1                     FullControl                     ThisFolderSubfoldersAn... Allow                           False                                                          
RAANDREE2\Test2                     FullControl                     ThisFolderSubfoldersAn... Allow                           False                     

Can you provide some more details about what is going wrong?

anujpotnis commented 4 years ago

Maybe the reason you are unable to reproduce is because you clear the ACL. Can you please try your example without the statements:

$d1 | Clear-NTFSAccess -DisableInheritance
$d2 | Clear-NTFSAccess -DisableInheritance

Or you can try this (after replacing the Account):

mkdir -Path C:\TestAbs -Force
New-SmbShare -Name TestAbs -Path C:\TestAbs -FullAccess 'Everyone'

$AbsPathACL = @{
    Path         = 'C:\TestAbs'
    Account      = 'sspAdmin1'
    AccessRights = 'FullControl'
    AccessType   = 'Allow'
    AppliesTo    = 'ThisFolderSubfoldersAndFiles'
  }
  Add-NTFSAccess @AbsPathACL
  Get-NTFSAccess

mkdir -Path C:\TestUNC -Force
New-SmbShare -Name TestUNC -Path C:\TestUNC -FullAccess 'Everyone'

$UNCPathACL = @{
    Path         = '\\DC1\TestUNC'
    Account      = 'sspAdmin1'
    AccessRights = 'FullControl'
    AccessType   = 'Allow'
    AppliesTo    = 'ThisFolderSubfoldersAndFiles'
  }
  Add-NTFSAccess @UNCPathACL

Get-NTFSAccess -Path 'C:\TestAbs'
Get-NTFSAccess -Path '\\DC1\TestUNC' 

And the output for Get-NTFSAccess, respectively:

 PS C:\> Get-NTFSAccess -Path 'C:\TestAbs'

    Path: C:\TestAbs (Inheritance enabled)

Account                             Access Rights                             Applies to                Type                                      IsInherited                               InheritedFrom                            
-------                             -------------                             ----------                ----                                      -----------                               -------------                            
SSPIPE\sspAdmin1                    FullControl                               ThisFolderSubfoldersAn... Allow                                     False                                                                              
NT AUTHORITY\SYSTEM                 FullControl                               ThisFolderSubfoldersAn... Allow                                     True                                      C:                                       
BUILTIN\Administrators              FullControl                               ThisFolderSubfoldersAn... Allow                                     True                                      C:                                       
BUILTIN\Users                       ReadAndExecute, Synchronize               ThisFolderSubfoldersAn... Allow                                     True                                      C:                                       
BUILTIN\Users                       CreateDirectories                         ThisFolderAndSubfolders   Allow                                     True                                      C:                                       
BUILTIN\Users                       CreateFiles                               ThisFolderAndSubfolders   Allow                                     True                                      C:                                       
CREATOR OWNER                       GenericAll                                SubfoldersAndFilesOnly    Allow                                     True                                      C:     

and

 PS C:\> Get-NTFSAccess -Path '\\DC1\TestUNC'

    Path: \\DC1\TestUNC (Inheritance enabled)

Account                             Access Rights                             Applies to                Type                                      IsInherited                               InheritedFrom                            
-------                             -------------                             ----------                ----                                      -----------                               -------------                            
SSPIPE\sspAdmin1                    FullControl                               ThisFolderSubfoldersAn... Allow                                     False
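
A check for the behaviour reported in this thread, added here as an example that is not part of the original issue or of the NTFSSecurity module: it snapshots the folder's ACEs with the built-in Get-Acl through the local path, runs the change through the UNC path, and reports any ACE that is no longer present afterwards. The function names Get-AceSnapshot and Test-AcePreserved are hypothetical; the paths and account are the ones from the repro above.

```powershell
# Added example. Get-AceSnapshot and Test-AcePreserved are hypothetical helper names.
# Reads the ACL with the built-in Get-Acl so the check does not depend on the module under test.
function Get-AceSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # One comparable string per ACE: who, what, allow/deny, scope, inherited or explicit
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}|{5}' -f $_.IdentityReference, $_.FileSystemRights,
            $_.AccessControlType, $_.InheritanceFlags, $_.PropagationFlags, $_.IsInherited
    }
}

function Test-AcePreserved {
    param(
        [Parameter(Mandatory)][string]$VerifyPath,   # path used to read the ACL before and after
        [Parameter(Mandatory)][scriptblock]$Change   # the ACL change being checked
    )
    $before = @(Get-AceSnapshot -Path $VerifyPath)
    & $Change | Out-Null
    $after  = @(Get-AceSnapshot -Path $VerifyPath)

    # -notin avoids Compare-Object's binding error when one side is empty
    $removed = @($before | Where-Object { $_ -notin $after })
    $added   = @($after  | Where-Object { $_ -notin $before })

    [pscustomobject]@{
        Path      = $VerifyPath
        Preserved = ($removed.Count -eq 0)
        Removed   = $removed
        Added     = $added
    }
}

# Values from the repro in this thread: change through the UNC path, verify through the local path
$result = Test-AcePreserved -VerifyPath 'C:\TestUNC' -Change {
    Add-NTFSAccess -Path '\\DC1\TestUNC' -Account 'sspAdmin1' -AccessRights FullControl `
        -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
}
$result | Format-List
if (-not $result.Preserved) { Write-Warning "ACEs removed by the change: $($result.Removed.Count)" }
```

Running the same check with the local path in the Add-NTFSAccess call gives the baseline to compare against.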