PowerShell - Editing permissions on a file or folder

infoblog » PowerShell - Editing permissions on a file or folder

infoblog » PowerShell - Editing permissions on a file or folder — Wed, 01 Oct 2008 15:59:46 GMT

PingBack from http://blog.a-foton.ru/index.php/2008/10/01/powershell-editing-permissions-on-a-file-or-folder/

re: PowerShell - Editing permissions on a file or folder

Ronto — Thu, 02 Oct 2008 22:14:11 GMT

Say... I get the following error when I try your first example to copy folder permissions:

Set-Acl : The security identifier is not allowed to be the owner of this object

Any ideas why?

re: PowerShell - Editing permissions on a file or folder

JohanS — Fri, 03 Oct 2008 12:12:50 GMT

Good question.

You're obviously getting this error because you're trying to change the owner of the object. By default NTFS will only allow you to set the owner of an object to:

A: Yourself

B: Administrators-group

That's it.

However, if you're an administrator or backup operator you can set it to any user, BUT this privilige is disabled by default and must be enabled before you can do so. In case you're wondering - this is a concious security restriction.

There are no .NET or PowerShell specific ways of enabling this, but if we leave Microsoft-territory and visit the PowerShell Community Extensions project we find a way...

I havent used PSCX that much and it's not a Microsoft product so any questions on them should be directed to www.codeplex.com/PowerShellCX rather than here, but here goes:

Download and install PSCX from www.codeplex.com/PowerShellCX

Set up a wrapper class for TokenPriviliege using the following syntax:

$oTP = New-Object PSCX.Interop.TokenPriviliege

Now, grant it to the current process:

Set-Privilege $oTP

You should now be able to change the owner of the folder to any user you wish.

Have fun! / Johan

re: PowerShell - Editing permissions on a file or folder

Tony — Wed, 05 Nov 2008 21:06:42 GMT

I would like to create a powershell script that would scour an OU for any users that are missing a home folder, create the folder on a NAS, apply the appropriate permissions and then set their AD profile to use this new location. Here is what i have so far, any assistance would be very helpfull:

Get-QADUser -SizeLimit 0 -searchroot 'ou=***,ou=***,dc=***,dc=***,dc=***' | `

where{$_.homedirectory -eq $null} | `

foreach {

$NasPath = '\\NAS\'+$_.LogonName

New-Item -type directory -Path $NasPath

$Acl = Get-Acl $NasPath

$Ar = New-Object system.security.accesscontrol.filesystemaccessrule($_.LogonName,"FullControl","Allow")

$Acl.RemoveAccessRule($Ar)

Set-Acl $NasPath $Acl

Set-QADUser $_ -ObjectAttributes @{'HomeDirectory'= $NasPath; 'HomeDrive'='Y'}

}

Thanks,

Tony

re: PowerShell - Editing permissions on a file or folder

ewookie — Fri, 07 Aug 2009 19:18:36 GMT

When trying the sample code, I get the following error message after the last line:

Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege whic

h is required for this operation.

I'm running the script under an account that has full control over the directory where I'm trying to create the new directory...

re: PowerShell - Editing permissions on a file or folder

JohanS — Tue, 11 Aug 2009 10:45:44 GMT

Are you running the script in Vista with UAC turned on?

Try running PowerShell with elevated privileges. (Run as administrator)

/ Johan

re: PowerShell - Editing permissions on a file or folder

Nisha — Fri, 11 Dec 2009 11:04:49 GMT

Hi Johan,

I too got the same error of

Set-Acl : The security identifier is not allowed to be the owner of this object

As per your comment above, I tried installing the PSCX from codeplex. I also installed it as a PS Plug-in. When I try,

$oTP = New-Object PSCX.Interop.TokenPriviliege

I get the following error:

New-Object : Cannot find type [PSCX.Interop.TokenPriviliege]: make sure the assembly containing this type is loaded.

I am running Powershell v 1.0

Am I missing anything here?

Thanks,

Nisha