Add-NTFSAccess behaves differently for UNC Path vs Absolute Path #67

Open
anujpotnis opened this issue Apr 6, 2020 · 2 comments
@anujpotnis

When I run Add-NTFSAccess with a UNC Path, it removes all the previous users and adds only the user for which I added permissions. When I run with an Absolute Path, it adds to the previous users.

# Define variables
  $rootFolderPath = 'C:\'
  $folder = 'SomeFolder'

# Share folder using SMB
  $fullFolderPath = $rootFolderPath + $folder
  New-SmbShare -Name $folder -Path $fullFolderPath -FullAccess 'Everyone'

# Set NTFS Permissions
  # UNC Path
  $fullFolderPath = '\\' + $env:COMPUTERNAME + '\' + $folder
  # Absolute Path
  # $fullFolderPath = $rootFolderPath + $folder

  $group = $env:USERDOMAIN + '\' + 'someGroup'

  $X1 = @{
    Path         = $fullFolderPath
    Account      = $group
    AccessRights = 'FullControl'
    AccessType   = 'Allow'
    AppliesTo    = 'ThisFolderSubfoldersAndFiles'
  }
  Add-NTFSAccess @X1
@raandree raandree self-assigned this Apr 25, 2020
@raandree raandree added the Question Someone has a question about feature or usability label Apr 25, 2020
@raandree
Owner

Unfortunately, I cannot reproduce the behavior. When cleaning the ACL on a local and remote folder and adding 3 ACEs, it looks as expected:

$d1 = mkdir -Path \\dscdo01\Artifacts\Test -Force
$d2 = mkdir -Path D:\Test -Force

$d1 | Clear-NTFSAccess -DisableInheritance
$d2 | Clear-NTFSAccess -DisableInheritance

$d1 | Add-NTFSAccess -Account randr -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
$d1 | Add-NTFSAccess -Account Test1 -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
$d1 | Add-NTFSAccess -Account Test2 -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles

$d2 | Add-NTFSAccess -Account randr -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
$d2 | Add-NTFSAccess -Account Test1 -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles
$d2 | Add-NTFSAccess -Account Test2 -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles

$d1 | Get-NTFSAccess
$d2 | Get-NTFSAccess

The output of Get-NTFSAccess is this:

    Path: \\dscdo01\Artifacts\Test (Inheritance disabled)


Account                             Access Rights                   Applies to                Type                            IsInherited                     InheritedFrom                  
-------                             -------------                   ----------                ----                            -----------                     -------------                  
RAANDREE2\randr                     FullControl                     ThisFolderSubfoldersAn... Allow                           False                                                          
RAANDREE2\Test1                     FullControl                     ThisFolderSubfoldersAn... Allow                           False                                                          
RAANDREE2\Test2                     FullControl                     ThisFolderSubfoldersAn... Allow                           False                                                          


    Path: D:\Test (Inheritance disabled)


Account                             Access Rights                   Applies to                Type                            IsInherited                     InheritedFrom                  
-------                             -------------                   ----------                ----                            -----------                     -------------                  
RAANDREE2\randr                     FullControl                     ThisFolderSubfoldersAn... Allow                           False                                                          
RAANDREE2\Test1                     FullControl                     ThisFolderSubfoldersAn... Allow                           False                                                          
RAANDREE2\Test2                     FullControl                     ThisFolderSubfoldersAn... Allow                           False                     

Can you provide some more details about what is going wrong?

@anujpotnis
Author

Maybe the reason you are unable to reproduce is because you clear the ACL. Can you please try your example without the statements:
$d1 | Clear-NTFSAccess -DisableInheritance
$d2 | Clear-NTFSAccess -DisableInheritance

Or you can try this (after replacing the Account):

mkdir -Path C:\TestAbs -Force
New-SmbShare -Name TestAbs -Path C:\TestAbs -FullAccess 'Everyone'

$AbsPathACL = @{
    Path         = 'C:\TestAbs'
    Account      = 'sspAdmin1'
    AccessRights = 'FullControl'
    AccessType   = 'Allow'
    AppliesTo    = 'ThisFolderSubfoldersAndFiles'
  }
  Add-NTFSAccess @AbsPathACL
  Get-NTFSAccess

mkdir -Path C:\TestUNC -Force
New-SmbShare -Name TestUNC -Path C:\TestUNC -FullAccess 'Everyone'

$UNCPathACL = @{
    Path         = '\\DC1\TestUNC'
    Account      = 'sspAdmin1'
    AccessRights = 'FullControl'
    AccessType   = 'Allow'
    AppliesTo    = 'ThisFolderSubfoldersAndFiles'
  }
  Add-NTFSAccess @UNCPathACL


Get-NTFSAccess -Path 'C:\TestAbs'
Get-NTFSAccess -Path '\\DC1\TestUNC' 

And the output for the Get-NTFSAccess respectively:

 PS C:\> Get-NTFSAccess -Path 'C:\TestAbs'


    Path: C:\TestAbs (Inheritance enabled)


Account                             Access Rights                             Applies to                Type                                      IsInherited                               InheritedFrom                            
-------                             -------------                             ----------                ----                                      -----------                               -------------                            
SSPIPE\sspAdmin1                    FullControl                               ThisFolderSubfoldersAn... Allow                                     False                                                                              
NT AUTHORITY\SYSTEM                 FullControl                               ThisFolderSubfoldersAn... Allow                                     True                                      C:                                       
BUILTIN\Administrators              FullControl                               ThisFolderSubfoldersAn... Allow                                     True                                      C:                                       
BUILTIN\Users                       ReadAndExecute, Synchronize               ThisFolderSubfoldersAn... Allow                                     True                                      C:                                       
BUILTIN\Users                       CreateDirectories                         ThisFolderAndSubfolders   Allow                                     True                                      C:                                       
BUILTIN\Users                       CreateFiles                               ThisFolderAndSubfolders   Allow                                     True                                      C:                                       
CREATOR OWNER                       GenericAll                                SubfoldersAndFilesOnly    Allow                                     True                                      C:     

and

 PS C:\> Get-NTFSAccess -Path '\\DC1\TestUNC'


    Path: \\DC1\TestUNC (Inheritance enabled)


Account                             Access Rights                             Applies to                Type                                      IsInherited                               InheritedFrom                            
-------                             -------------                             ----------                ----                                      -----------                               -------------                            
SSPIPE\sspAdmin1                    FullControl                               ThisFolderSubfoldersAn... Allow                                     False                                                   
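
One way to check whether existing ACEs are actually lost in each case, as an added example that is not part of the original thread or the project's own code: it snapshots the ACL with the built-in Get-Acl before and after the Add-NTFSAccess call and lists any ACEs that disappeared. The function names Get-AceSnapshot and Compare-AclAroundChange are hypothetical; the paths and account are the ones from the last comment, and the module providing Add-NTFSAccess is assumed to be loaded.

```powershell
# Added example: diff a folder's ACEs around an ACL change.
# Get-Acl is used as the reader so the check does not depend on the
# module whose behaviour is being questioned.
function Get-AceSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # One comparable string per ACE, including the inherited flag
        '{0}|{1}|{2}|inherited={3}|{4}|{5}' -f $ace.IdentityReference,
            $ace.FileSystemRights, $ace.AccessControlType,
            $ace.IsInherited, $ace.InheritanceFlags, $ace.PropagationFlags
    }
}

function Compare-AclAroundChange {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][scriptblock]$Change
    )
    $before = @(Get-AceSnapshot -Path $Path)
    & $Change                                  # the ACL change under test
    $after  = @(Get-AceSnapshot -Path $Path)
    [pscustomobject]@{
        Path    = $Path
        Removed = @($before | Where-Object { $_ -notin $after })
        Added   = @($after  | Where-Object { $_ -notin $before })
    }
}

# Assumption: the folders and shares from the thread already exist.
$ace = @{
    Account      = 'sspAdmin1'
    AccessRights = 'FullControl'
    AccessType   = 'Allow'
    AppliesTo    = 'ThisFolderSubfoldersAndFiles'
}
foreach ($p in 'C:\TestAbs', '\\DC1\TestUNC') {
    $r = Compare-AclAroundChange -Path $p -Change { Add-NTFSAccess -Path $p @ace }
    if ($r.Removed.Count -gt 0) {
        Write-Warning "$p lost $($r.Removed.Count) ACE(s):"
        $r.Removed
    } else {
        "${p}: no ACEs removed, $($r.Added.Count) added"
    }
}
```

Running the same comparison against the local path of the shared folder (C:\TestUNC) after the UNC call shows whether the ACEs are gone on disk or only absent from the view through the share.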
