I'm trying to add access rights for the user group IIS_IUSRS
to a folder using PowerShell.
Currently I have
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\IIS_IUSRS", "FullControl", "Allow")
$acl = Get-ACL "C:\tmp"
$acl.AddAccessRule($accessRule)
Set-ACL -Path "C:\tmp" -ACLObject $acl
When run, this adds IIS_IUSRS to the list of users but there are no privileges assigned.
What have I missed?
This cmdlet is only available on the Windows platform. To use Set-Acl , use the Path or InputObject parameter to identify the item whose security descriptor you want to change. Then, use the AclObject or SecurityDescriptor parameters to supply a security descriptor that has the values you want to apply.
On my system i needed to use just IIS_IUSRS
, so drop the BUILTIN\
.
Furthermore, I think you need to construct the FileSystemAccessRule with extra parameters inheritanceFlags
and propagationFlags
to get what you want.
Try this:
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS_IUSRS", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl = Get-ACL "C:\tmp"
$acl.AddAccessRule($accessRule)
Set-ACL -Path "C:\tmp" -ACLObject $acl
See: https://msdn.microsoft.com/en-us/library/sfe70whw(v=vs.110).aspx
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With