-
-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add-NTFSAccess 1307 Error #34
Comments
Do you work on a nun en-us workstation? Meaning, does the BUILTIN\Administrators group has a different name on the machine the code runs on? |
I work on en-us only software versions supporting the US Army. We have a mixture of Windows 10 1607 and 1709 versions in our organization. The NetApp operating system is Clustered Data ONTAP 9.3P6. |
What NTFSSecurty does internally is to convert the username into an object of type[Security2.IdentityReference2] that stores the username plus the SID. Does the following command work when hitting the error?
Security2.IdentityReference2 is a non-standard class coming with NTFSSecurity. Internally it uses the .net standard class System.Security.Principal.NTAccount and System.Security.Principal.SecurityIdentifier.
Do you observe the error only when working on a NetApp volume or can you repro the issue also on a local drive? |
The commands you sent both work without any errors and produce the same SID
values. I cannot reproduce the error on a local drive. The error only
happens when the path is "\\netappfiler\sharename\folder"
icacls works using the same path "\\netappfiler\sharename\folder" without
any errors.
…On Thu, Aug 16, 2018 at 4:10 AM Raimund Andrée [MSFT] < ***@***.***> wrote:
What NTFSSecurty does internally is to convert the username into an object
of type[Security2.IdentityReference2] that stores the username plus the
SID. Does the following command work when hitting the error?
PS C:\> [Security2.IdentityReference2]'BUILTIN\Administrators'
Sid AccountName LastError
--- ----------- ---------
S-1-5-32-544 BUILTIN\Administrators
Security2.IdentityReference2 is a non-standard class coming with
NTFSSecurity. Internally it uses the .net standard class
System.Security.Principal.NTAccount and
System.Security.Principal.SecurityIdentifier.
PS C:\> $p = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
PS C:\> $p.Translate([System.Security.Principal.SecurityIdentifier])
BinaryLength AccountDomainSid Value
------------ ---------------- -----
16 S-1-5-32-544
Do you observe the error only when working on a NetApp volume or can you
repro the issue also on a local drive?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#34 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AoEjPezR2X8W4aXkAWrUcu_YWBb10R3sks5uRVMKgaJpZM4VuSr5>
.
|
I am unable to repro this, I do not have access to a NetApp filer. I can add additional debug logging to the cmdlets to help tackle this. Would you mind investing a little bit more time? |
Yes I am willing to help if you send my a build that includes logging.
…On Fri, Aug 17, 2018 at 12:19 PM Raimund Andrée [MSFT] < ***@***.***> wrote:
I am unable to repro this, I do not have access to a NetApp filer. I can
add additional debug logging to the cmdlets to help tackle this. Would you
mind investing a little bit more time?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#34 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AoEjPU3aiqjWr_Jtqwtv9n-4gDZ-3H7Aks5uRxdfgaJpZM4VuSr5>
.
|
Hello! I'm also getting a 1307 error when I try to add NTFS permissions. I use UNC paths (anything that starts with \\ ). I run windows 10 1709, en-us only. I'm willing to help investigate, too, as this has been such a useful tool. |
I'm having this same issue with all builds from version 4.0 up. I had to go back to a manual install of 3.2.3 to resolve the issue. We have a very standard enterprise all-Microsoft environment for our file shares. Servers are 2012 R2 running DFS namespaces and DFS replication. The service account used for these operations has full control access to all shares, both SMB and NTFS. It is not an admin on the file server and is not an admin on the task server from which it runs, as neither of those are necessary for these operations. As others have said, I also greatly appreciate your development efforts on this wonderful module and I would be willing to help troubleshoot if you would like me to try a build with enhanced logging or other changes. I'll have to stick with a manual install of 3.2.3 for now and hope it doesn't break at some point. Thanks! |
@Sup3rlativ3, I have received your commend to that issue by email but do not see it here. NTFSSecurity just uses the standard .net methods to do the name translation (SID<>SamAccountName). If this happens again, can you please try the following in PowerShell to verify that? If the error occurs again, you should see something similar to this:
You should see the same error when calling the name translation method directly:
If the account exists, it returns an object containing the SID and the account name:
Thanks for any help troubleshooting this! |
@raandree I withdrew the comment as I found I had made a mistake and that was the cause of the error. I didn't want to muddy the waters with an incorrect report. |
I have the same problem. Also NetApp filer. But with DFS pointing to filer. |
Trying to use Add-Ntfsaccess yields the same error for me. Also NetApp with DFS in front. The module has worked for me in the past, feels bad having to fall back to icacls |
Have you tried making a share on the filer, with root access, and using that to set security? |
It works when the running account is the owner of the file, but taking ownership is a bit of an annoyance in most of my cases |
This snip from my "user folder creation script" always works, but the share i am accessing this through is an extra one (with the added "r") with only this purpose and "root access". I would recommend you using something a like this (Owner Rights), then users can never mess with the security or anything else really, which is a desired configuration. |
I had the same issue but I was able to fix it, or more by-passing it. Here is a part of my code. Add-NTFSAccess was generating this error 1307. I wrote the script but I'm not the one actually using it. I don't have enough permissions on servers. So it was difficult to reproduce. I only use literal paths as we need to handle long paths.
Rename-Path function add a prefix to the path as we use extented-length path with the |
So, the problem was not what I explained in my previous comment at all. The guy who tested the script just didn't run it as admin. |
i am having same problem on windows server 2019 i cant resolve a user/group from the domain but it work with local users, any idea? If I get the effective permissions from properties-security-advanced window it works for the domain group also. Local users ok
domain users: ERROR
|
@agonzalezm are you running this elevated e.g. "as admin"? |
Thanks for reporting the issue and for the patience. Finally, I have reproduced the issue together with a customer. In fact, the error is more basic than expected and happens if the user running the cmdlet is not a local administrator / does not have the backup and restore privilege. I am working on a fix. |
Regarding this:
"I encounter the same problem when I try to change some permissions on a folder located on an SMB share on an EMC NAS.
I don't have local administrator rights on the EMC NAS hosting the share.
However, I have full control on the targeted folder."
I have an EMC NAS too, and have been using this module for about 10 years. The only way to set "OWNER" and permissions on the root folder, is that it is allowed in the share options, and you need local root. I have an extra share, where my admin account impersonates root, only way to set OWNER. All other permissions, I have no issue applying over SMB.
Like this:
[cid:1c4b9bfa-3c77-4229-ab22-4433f6f623c6]
I wonder if this "fix" will address this specificly or not.
Med venlig hilsen / Best regards
|--Johan Cardel
\--Storage admin
…________________________________
Fra: tberta ***@***.***>
Sendt: 25. maj 2023 18:09
Til: raandree/NTFSSecurity ***@***.***>
Cc: Johan Cardel ***@***.***>; Comment ***@***.***>
Emne: Re: [raandree/NTFSSecurity] Add-NTFSAccess 1307 Error (#34)
I encounter the same problem when I try to change some permissions on a folder located on an SMB share on an EMC NAS.
I don't have local administrator rights on the EMC NAS hosting the share.
However, I have full control on the targeted folder.
No issue with the translation to SID:
PS Z:\> $p = [System.Security.Principal.NTAccount]'Domain\John.Die'
PS Z:\> $p.Translate([System.Security.Principal.SecurityIdentifier])
BinaryLength AccountDomainSid Value
------------ ---------------- -----
28 S-1-5-21-448539723-790525478-<snip> S-1-5-21-448539723-79052...
But setting right failed on "This security ID may not be assigned as the owner of this object"
PS Z:\>
PS Z:\> Add-NTFSAccess -Path $path -Account $account -AccessRights Modify -InheritanceFlags ObjectInherit,ContainerInherit
Add-NTFSAccess : (1307) This security ID may not be assigned as the owner of this object: [z:\John.Die]
At line:1 char:1
+ Add-NTFSAccess -Path $path -Account $account -AccessRights Modify -In ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (z:\John.Die:String) [Add-NTFSAccess
], IOException
+ FullyQualifiedErrorId : AddAceError,NTFSSecurity.AddAccess
PS Z:\> get-module ntfssecurity
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 4.2.6 NTFSSecurity {Add-NTFSAccess, A...
The same operation with icacls.exe succeed.
When observing with Process Monitor, we see that Add-NTFSAccess try to write Owner and not only the requested DACL.
See Process monitor screenshots comparing icacls.exe and Add-NTFSAccess
[Process monitor - icacls]<https://user-images.githubusercontent.com/29402410/240972439-979c1a90-a445-40f3-af71-1c8187733182.png>
[Process monitor icacls Details]<https://user-images.githubusercontent.com/29402410/240972447-560de5e1-a7d5-4712-b46f-1f3b2d428ffb.png>
[Process monitor Add-NTFSAccess]<https://user-images.githubusercontent.com/29402410/240972457-e09dab67-7060-4662-a26b-19b33dca7f3c.png>
[Process monitor Add-NTFSAccess Details]<https://user-images.githubusercontent.com/29402410/240972455-6014dd19-7c4b-4d25-a0aa-803e0bb03d9e.png>
—
Reply to this email directly, view it on GitHub<#34 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AFICQW5IVWWNSD2B2HLM4PLXH575JANCNFSM4FNZFL4Q>.
You are receiving this because you commented.Message ID: ***@***.***>
|
Hello! Any news on that topic? |
Recently started getting 1307 error
Add-NTFSAccess : (1307) This security ID may not be assigned as the owner of this object:
When trying to add BUILTIN\Administrators group permissions on a NetApp Folder.
The folder is owned by BUILTIN\Administrators and my AD user account is a member of the group.
I was able to use ICACLS to grant BUILTIN\Administrators permissions to the folder.
The text was updated successfully, but these errors were encountered: