Apologies, it should have been $SD.Properties["DACL"]. However, if
you're creating a security descriptor you need the ManagementObject not
Extending that with a bit of an example we end up with:
# A shortcut to create the management class
$SDClass = [WMIClass]"Win32_SecurityDescriptor"
# Create a new instance of the management object from the class.
$SD = $SDClass.CreateInstance()
# Create an Access Control Entry - shorter version of creation
$ACE = ([WMIClass]"Win32_ACE").CreateInstance()
# Create a Trustee
$Trustee = ([WMIClass]"Win32_Trustee").CreateInstance()
# Assign a username and domain. Setting a SID is an alternative here.
$Trustee.Name = "someone"
$Trustee.Domain = "domain"
# Assign the trustee to the ACE
$ACE.Trustee = $Trustee
# These need values according to the rights you wish to grant
# An Allow ACE:
$ACE.AceType = [Security.AccessControl.AceType]::AccessAllowed
# Full Control:
$ACE.AccessMask = [Security.AccessControl.FileSystemRights]::FullControl
# Add the new ACE to the (currently blank) DACL
$SD.DACL = $ACE
You're trying to create a Security Descriptor for use with the Create
method under Win32_Share?
AccessMask values are here:
AceFlags aren't really relevant for shares, they tend to be nothing.
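An added example, not part of the original post: the same Win32_SecurityDescriptor construction carried through to Win32_Share's Create method with a least-privilege DACL (read for one group, full control for an admin group), then read back to confirm what was applied. The domain EXAMPLE, the groups ReportReaders and FileAdmins, the share name and the path are hypothetical; it assumes Windows PowerShell 5.1 running elevated.

```powershell
# Added example. Hypothetical names: EXAMPLE\ReportReaders, EXAMPLE\FileAdmins,
# share "Reports" at C:\Shares\Reports. Requires Windows PowerShell 5.1, elevated.
function New-ShareAce {
    param([string]$Domain, [string]$Name, [uint32]$AccessMask)

    $Trustee = ([WMIClass]"Win32_Trustee").CreateInstance()
    $Trustee.Domain = $Domain
    $Trustee.Name = $Name

    $ACE = ([WMIClass]"Win32_ACE").CreateInstance()
    $ACE.Trustee = $Trustee
    $ACE.AceType = 0        # access-allowed ACE
    $ACE.AceFlags = 0       # no inheritance flags on a share
    $ACE.AccessMask = $AccessMask
    $ACE
}

# Share "Read" is ReadAndExecute plus Synchronize; FullControl as in the post above.
$Read = [uint32][Security.AccessControl.FileSystemRights]"ReadAndExecute, Synchronize"
$Full = [uint32][Security.AccessControl.FileSystemRights]::FullControl

$SD = ([WMIClass]"Win32_SecurityDescriptor").CreateInstance()
$SD.ControlFlags = 4        # SE_DACL_PRESENT
# DACL is an array of Win32_ACE, so assign every entry in one go.
$SD.DACL = [System.Management.ManagementBaseObject[]]@(
    (New-ShareAce -Domain "EXAMPLE" -Name "ReportReaders" -AccessMask $Read),
    (New-ShareAce -Domain "EXAMPLE" -Name "FileAdmins" -AccessMask $Full)
)

# The folder must exist before the share is created.
$null = New-Item -ItemType Directory -Path "C:\Shares\Reports" -Force

# Fill the Create method's in-parameters by name rather than by position.
$ShareClass = [WMIClass]"Win32_Share"
$In = $ShareClass.GetMethodParameters("Create")
$In.Path = "C:\Shares\Reports"
$In.Name = "Reports"
$In.Type = [uint32]0        # disk drive
$In.Description = "Added example share"
$In.Access = $SD
$Out = $ShareClass.InvokeMethod("Create", $In, $null)
if ($Out.ReturnValue -ne 0) { throw "Win32_Share.Create returned $($Out.ReturnValue)" }

# Read the descriptor back and list who ended up with which mask.
$Setting = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='Reports'"
$Setting.GetSecurityDescriptor().Descriptor.DACL | ForEach-Object {
    "{0}\{1} AceType={2} AccessMask={3}" -f $_.Trustee.Domain, $_.Trustee.Name, $_.AceType, $_.AccessMask
}
```

Reading the DACL back is the useful check here: a share created without the Access parameter gets the system default permissions, so the listing confirms the explicit entries were the ones applied.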