I have the following code which is supposed to go through the folders in the fileshare and turn whatever permissions there are into read permissions. However, there is a problem: it doesn't replace the permissions already there; it merely adds to them. Secondly, if the folder has not got inherited permissions, it gives an error saying:
Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
I have checked the permissions and I have full control on them.
function NotMigrated($SiteURL, $Folder) {
    try {
        $SiteString = [String]$SiteURL
        $pos = $SiteString.LastIndexOf("/")
        $Site = $SiteString.Substring($pos + 1)
        $parent = ((Get-Item $Folder).Parent).FullName
        $AllFolders = Get-ChildItem -Recurse -Path $Folder | ? { $_.PSIsContainer -eq $True }
        $FilesInRoot = Get-ChildItem -Path $Folder | ? { $_.PSIsContainer -eq $False }
        $acl = Get-Acl $Folder
        foreach ($usr in $acl.Access) {
            # RemoveAccessRule() only removes explicit ACEs; inherited ones stay
            $acl.RemoveAccessRule($usr)
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($usr.IdentityReference, "Read", "None", "None", "Allow")
            $acl.AddAccessRule($rule)
        }
        $acl | Set-Acl
    } catch { continue }
    # Loop through all folders (recursive) that exist within the folder supplied by the operator
    foreach ($CurrentFolder in $AllFolders) {
        # Set the FolderRelativePath by removing the path of the folder supplied by the operator from the fullname of the folder
        $FolderRelativePath = ($CurrentFolder.FullName).Substring($Folder.Length)
        $FileSource = $Folder + $FolderRelativePath
        try {
            $acl = Get-Acl $FileSource
            foreach ($usr in $acl.Access) {
                $acl.RemoveAccessRule($usr)
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($usr.IdentityReference, "Read", "None", "None", "Allow")
                $acl.AddAccessRule($rule)
            }
            $acl | Set-Acl
        } catch { continue }
        # For each file in the source folder being evaluated, call the UploadFile function to upload the file to the appropriate location
    }
}
The biggest problem isn't with your code, but with the Set-Acl Cmdlet/FileSystem provider combination. When Set-Acl is being called, an attempt to write the entire security descriptor is being made. If you're not elevated (or if your administrator account hasn't been granted SeRestorePrivilege), that's not going to work. If you are elevated, though, there's a chance you're destroying your SACL on the file/folder that you're modifying.
For that reason, I'd avoid using Set-Acl at all costs until the bugs I've linked to above are fixed. Instead, you can use the SetAccessControl() method available to file and folder objects:
(Get-Item c:\path\to\folder).SetAccessControl($acl)
Once you do that, you shouldn't see the SeSecurityPrivilege errors anymore. You'll still have these two problems, though:
I think this modified version of a piece of your code should do what you're looking for:
try {
    $acl = Get-Acl $FileSource
    # Only look for explicit Allow ACEs
    foreach ($usr in ($acl.Access | where { $_.IsInherited -eq $false -and $_.AccessControlType -eq 'Allow' })) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $usr.IdentityReference,
            "Read",
            $usr.InheritanceFlags,
            $usr.PropagationFlags,
            $usr.AccessControlType
        )
        # Calling SetAccessRule() is like calling Remove() then Add()
        $acl.SetAccessRule($rule)
    }
    (Get-Item $FileSource).SetAccessControl($acl)
} catch { continue }
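Putting the answer's two points together (replace explicit Allow ACEs with SetAccessRule(), write them back with SetAccessControl() rather than Set-Acl), here is an added example that is not part of the question or the answer: a function that walks a folder tree, previews each change with -WhatIf/-Verbose, and skips ACEs that are already Read. It assumes Windows PowerShell on .NET Framework (where DirectoryInfo has SetAccessControl() as an instance method), an account that already holds Full Control on the tree, and the function and share names are illustrative.

```powershell
# Added example, not from the question or the answer. Assumes Windows PowerShell
# (.NET Framework) and an account with Full Control on the tree.
function Set-ReadOnlyAces {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Root
    )

    $targets = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Directory)

    foreach ($dir in $targets) {
        try {
            # Get-Acl without -Audit reads only owner/group/DACL, so no SeSecurityPrivilege is needed
            $acl = Get-Acl -LiteralPath $dir.FullName
            $explicitAllow = $acl.Access | Where-Object {
                -not $_.IsInherited -and $_.AccessControlType -eq 'Allow'
            }
            if (-not $explicitAllow) { continue }

            $changed = $false
            foreach ($ace in $explicitAllow) {
                # Nothing to do if this identity is already limited to Read
                if ($ace.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::Read) { continue }
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $ace.IdentityReference, 'Read', $ace.InheritanceFlags,
                    $ace.PropagationFlags, $ace.AccessControlType)
                # SetAccessRule() replaces the existing Allow ACEs for this identity with $rule
                $acl.SetAccessRule($rule)
                Write-Verbose ("{0}: {1} {2} -> Read" -f $dir.FullName, $ace.IdentityReference, $ace.FileSystemRights)
                $changed = $true
            }

            if ($changed -and $PSCmdlet.ShouldProcess($dir.FullName, 'Replace explicit Allow ACEs with Read')) {
                # Persists only the modified (DACL) section, leaving the SACL untouched
                $dir.SetAccessControl($acl)
            }
        } catch {
            Write-Warning "Skipping $($dir.FullName): $_"
        }
    }
}

# Dry run first (constructed share path), then drop -WhatIf to apply:
# Set-ReadOnlyAces -Root '\\fileserver\share\Projects' -WhatIf -Verbose
```

Run it with -WhatIf first and compare the Verbose lines against what you expect before applying; Deny ACEs and inherited ACEs are deliberately left alone.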