Restore permissions does not seem to work #25

DiHo78 opened this issue Nov 16, 2017 · 7 comments
DiHo78 commented Nov 16, 2017

Hi Raimund,

I try to backup and restore NTFS permission but it seems that it does not work properly.
I took your example:
#to backup permissions just pipe what Get-NTFSAccess returns to Export-Csv
dir | Get-NTFSAccess -ExcludeInherited | Export-Csv permissions.csv

#to restore the permissions pipe the imported data to Get-NTFSAccess
#As the imported data also contains the path you do not need to specify the item
Import-Csv .\permissions.csv | Get-NTFSAccess

1st, I have created a backup but modified the dir command a bit:
dir -Recurse -directory | Get-NTFSAccess -ExcludeInherited | Export-CSV ....

The csv looks fine.
Now the following: I have removed a user group "G-Whatever" from a folder and ran the "restore command".
The thing is: the removed group does not appear, it is still missing.
I have no clue why this is happening.
Since I have to adjust a few more NTFS rights it would be great if I can restore the original NTFS rights if something goes wrong.

Or different idea: getting a backup, copy the csv, edit the copy and adjust the information there to set new permissions afterwards (this was Jan-Hendrik's idea).

Regards
Dirk


jcardel commented Nov 16, 2017 via email

DiHo78 commented Nov 16, 2017

Additional note: if I run add-NTFSAccess -Path -Account -AccessRights it works fine.
So I can re-add the group manually. But it would be more efficient for me if it would work via the import-csv

DiHo78 commented Nov 16, 2017

Hi @jcardel
My idea is to export the permissions from a specific folder/subfolder.
Then edit the copy of the export to add additional rights.
I'll give it a try with your example.

@raandree (Owner)

@DiHo78, sorry for the late reply. I had lost track of this project. I have just tested this procedure and it works just fine:


PS C:\Test> dir -Recurse | Get-NTFSAccess -ExcludeInherited | Export-Csv -Path c:\access.csv

PS C:\Test> Get-NTFSAccess -Path C:\Test\DscInfraSample\BuildOutput


    Path: C:\Test\DscInfraSample\BuildOutput (Inheritance enabled)


Account                             Access Rights           Applies to                Type                    IsInherited             InheritedFrom         
-------                             -------------           ----------                ----                    -----------             -------------         
NT AUTHORITY\BATCH                  FullControl             ThisFolderSubfoldersAn... Allow                   False                                         
DESKTOP-D7KNHS5\randr               ReadAndExecute, Sync... ThisFolderSubfoldersAn... Allow                   False                                         
NT AUTHORITY\Authenticated Users    Modify, Synchronize     ThisFolderOnly            Allow                   True                    C:\Test               
NT AUTHORITY\Authenticated Users    Delete, GenericExecu... SubfoldersAndFilesOnly    Allow                   True                    C:\Test               
NT AUTHORITY\SYSTEM                 FullControl             ThisFolderSubfoldersAn... Allow                   True                    C:\Test               
BUILTIN\Administrators              FullControl             ThisFolderSubfoldersAn... Allow                   True                    C:\Test               
BUILTIN\Users                       ReadAndExecute, Sync... ThisFolderSubfoldersAn... Allow                   True                    C:\Test               



PS C:\Test> Remove-NTFSAccess -Path C:\Test\DscInfraSample\BuildOutput -Account randr -AccessRights FullControl

PS C:\Test> Remove-NTFSAccess -Path C:\Test\DscInfraSample\BuildOutput -Account 'NT AUTHORITY\BATCH' -AccessRights FullControl

PS C:\Test> Get-NTFSAccess -Path C:\Test\DscInfraSample\BuildOutput


    Path: C:\Test\DscInfraSample\BuildOutput (Inheritance enabled)


Account                             Access Rights           Applies to                Type                    IsInherited             InheritedFrom         
-------                             -------------           ----------                ----                    -----------             -------------         
NT AUTHORITY\Authenticated Users    Modify, Synchronize     ThisFolderOnly            Allow                   True                    C:\Test               
NT AUTHORITY\Authenticated Users    Delete, GenericExecu... SubfoldersAndFilesOnly    Allow                   True                    C:\Test               
NT AUTHORITY\SYSTEM                 FullControl             ThisFolderSubfoldersAn... Allow                   True                    C:\Test               
BUILTIN\Administrators              FullControl             ThisFolderSubfoldersAn... Allow                   True                    C:\Test               
BUILTIN\Users                       ReadAndExecute, Sync... ThisFolderSubfoldersAn... Allow                   True                    C:\Test               



PS C:\Test> Import-Csv -Path C:\access.csv | Add-NTFSAccess

PS C:\Test> Get-NTFSAccess -Path C:\Test\DscInfraSample\BuildOutput


    Path: C:\Test\DscInfraSample\BuildOutput (Inheritance enabled)


Account                             Access Rights           Applies to                Type                    IsInherited             InheritedFrom         
-------                             -------------           ----------                ----                    -----------             -------------         
NT AUTHORITY\BATCH                  FullControl             ThisFolderSubfoldersAn... Allow                   False                                         
DESKTOP-D7KNHS5\randr               ReadAndExecute, Sync... ThisFolderSubfoldersAn... Allow                   False                                         
NT AUTHORITY\Authenticated Users    Modify, Synchronize     ThisFolderOnly            Allow                   True                    C:\Test               
NT AUTHORITY\Authenticated Users    Delete, GenericExecu... SubfoldersAndFilesOnly    Allow                   True                    C:\Test               
NT AUTHORITY\SYSTEM                 FullControl             ThisFolderSubfoldersAn... Allow                   True                    C:\Test               
BUILTIN\Administrators              FullControl             ThisFolderSubfoldersAn... Allow                   True                    C:\Test               
BUILTIN\Users                       ReadAndExecute, Sync... ThisFolderSubfoldersAn... Allow                   True                    C:\Test               

raandree self-assigned this Jul 26, 2018
raandree added the Question label Jul 26, 2018

ittchmh commented Mar 11, 2019

Hi!
I try to save permissions like in the example above, and no "Applies to" field is saved to the CSV file, so the permissions are not restored.

Get-NTFSAccess -ExcludeInherited -Path E:\Users | Export-Csv -Path E:\access.csv

CSV File content:

"AccountType","Name","FullName","InheritanceEnabled","InheritedFrom","AccessControlType","AccessRights","Account","InheritanceFlags","IsInherited","PropagationFlags"
"","Users","E:\Users","False","","Allow","FullControl","CREATOR OWNER","ContainerInherit, ObjectInherit","False","InheritOnly"
"","Users","E:\Users","False","","Allow","DeleteSubdirectoriesAndFiles, Modify, ChangePermissions, Synchronize","NT AUTHORITY\Authenticated Users","None","False","None"
"","Users","E:\Users","False","","Allow","FullControl","NT AUTHORITY\SYSTEM","ContainerInherit, ObjectInherit","False","None"
"group","Users","E:\Users","False","","Allow","FullControl","BUILTIN\Administrators","ContainerInherit, ObjectInherit","False","None"


PS E:\> Get-NTFSAccess -ExcludeInherited -Path E:\Users | FT -AutoSize


    Path: E:\Users (Inheritance disabled)


Account                          Access Rights                                                        Applies to                   Type  IsInherited InheritedFrom
-------                          -------------                                                        ----------                   ----  ----------- -------------
CREATOR OWNER                    FullControl                                                          SubfoldersAndFilesOnly       Allow False                    
NT AUTHORITY\Authenticated Users DeleteSubdirectoriesAndFiles, Modify, ChangePermissions, Synchronize ThisFolderOnly               Allow False                    
NT AUTHORITY\SYSTEM              FullControl                                                          ThisFolderSubfoldersAndFiles Allow False                    
BUILTIN\Administrators           FullControl                                                          ThisFolderSubfoldersAndFiles Allow False

@serpentes80

> Hi!
> I try to save permissions like in the example above, and no "Applies to" field is saved to the CSV file, so the permissions are not restored.

That's exactly what I'm battling with at the moment :-(

@raandree (Owner)

Not the most elegant way but this should solve it:

Get-NTFSAccess -Path D:\ | ForEach-Object { $_ | Add-Member -Name AppliesTo -MemberType NoteProperty -Value ([Security2.FileSystemSecurity2]::ConvertToApplyTo($_.InheritanceFlags, $_.PropagationFlags)) -PassThru } | Export-Csv d:\p.csv
#TYPE Security2.FileSystemAccessRule2
"AppliesTo","AccountType","Name","FullName","InheritanceEnabled","InheritedFrom","AccessControlType","AccessRights","Account","InheritanceFlags","IsInherited","PropagationFlags"
"ThisFolderOnly","","","D:\","True","","Allow","Traverse, ReadAttributes, ReadPermissions, Synchronize","Everyone","None","False","None"
"ThisFolderOnly","","","D:\","True","","Allow","Write, Delete, Read, Synchronize","NT AUTHORITY\INTERACTIVE","None","False","None"
"ThisFolderOnly","","","D:\","True","","Allow","Traverse, ReadAttributes, ReadPermissions, Synchronize","NT AUTHORITY\RESTRICTED","None","False","None"
"ThisFolderOnly","","","D:\","True","","Allow","FullControl","NT AUTHORITY\SYSTEM","None","False","None"
"ThisFolderOnly","","","D:\","True","","Allow","FullControl","BUILTIN\Administrators","None","False","None"

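Added example, not code from the thread or from the NTFSSecurity project: a backup that includes the AppliesTo column, a restore through `Import-Csv | Add-NTFSAccess` as shown above, and a check that compares the explicit ACEs on disk with the CSV afterwards. The function names, `C:\Test` and `C:\access.csv` are assumptions; like the `dir -Recurse -directory` command in the first post, it covers directories only.

```powershell
# Added example. Requires the NTFSSecurity module; paths below are assumed values.
Import-Module NTFSSecurity

function Get-ExplicitAce {
    # Explicit (non-inherited) ACEs under $Root, each with an AppliesTo property
    # computed by the conversion call shown in the thread.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -Directory |
        Get-NTFSAccess -ExcludeInherited |
        ForEach-Object {
            $applies = [Security2.FileSystemSecurity2]::ConvertToApplyTo(
                $_.InheritanceFlags, $_.PropagationFlags)
            $_ | Add-Member -Name AppliesTo -MemberType NoteProperty -Value $applies -PassThru
        }
}

function ConvertTo-AceKey {
    # Flatten a live ACE or a CSV row to one comparable string.
    process {
        '{0}|{1}|{2}|{3}|{4}' -f $_.FullName, $_.Account, $_.AccessControlType,
                                 $_.AccessRights, $_.AppliesTo
    }
}

function Restore-ExplicitAce {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$Backup)
    $rows = @(Import-Csv -Path $Backup)
    # Refuse a backup without the AppliesTo column (the failure reported in the thread).
    if ($rows.Count -eq 0 -or $rows[0].PSObject.Properties.Name -notcontains 'AppliesTo') {
        throw "Backup '$Backup' is empty or has no AppliesTo column."
    }
    $rows | Add-NTFSAccess

    # Verify: compare what is on disk now with what the backup says.
    $expected = @($rows | ConvertTo-AceKey)
    $actual   = @(Get-ExplicitAce -Root $Root | ConvertTo-AceKey)
    [pscustomobject]@{
        Missing = @($expected | Where-Object { $actual -notcontains $_ })   # not restored
        Extra   = @($actual | Where-Object { $expected -notcontains $_ })   # added after backup
    }
}

# Backup, then (later) restore and inspect the report:
# Get-ExplicitAce -Root 'C:\Test' | Export-Csv -Path 'C:\access.csv' -NoTypeInformation
# Restore-ExplicitAce -Root 'C:\Test' -Backup 'C:\access.csv'
```

`Missing` lists backup entries that are still absent after the restore; `Extra` lists explicit entries present on disk but not in the backup, which `Add-NTFSAccess` leaves in place.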