Set security DACL issues

Jason Ferguson

#1
Hi,

I'm trying to debug a script that imports share info to recreate backup
shares, however I've run into a problem with a line of code:

PS H:\> $sd = new-object system.management.managementclass Win32_SecurityDescriptor
PS H:\> $sd

   NameSpace: ROOT\cimv2

Name                       Methods   Properties
----                       -------   ----------
Win32_SecurityDescriptor   {}        {ControlFlags, DACL, Group, Owner...}

PS H:\> $sd.DACL = @()

Gives the error:

Property 'DACL' cannot be found on this object; make sure it exists and is
settable.
At line:1 char:5
+ $sd. <<<< DACL = @()
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyAssignmentException

Any ideas and pointers to why this is happening? I'm only two weeks into
working with powershell and am getting to grips with the basics.
 

Chris Dent

#2
It's part of the Properties set:

$sd.Properties.DACL

HTH

Chris

Jason Ferguson wrote:

> Hi,
>
> I'm trying to debug a script that imports share info to recreate backup
> shares, however I've run into a problem with a line of code:
>
> PS H:\> $sd = new-object system.management.managementclass
> Win32_SecurityDescriptor
> PS H:\> $sd
>
> NameSpace: ROOT\cimv2
>
> Name Methods Properties
> ---- ------- ----------
> Win32_SecurityDescriptor {} {ControlFlags,
> DACL, Group, Owner...}
>
> PS H:\> $sd.DACL = @()
>
> Gives the error:
>
> Property 'DACL' cannot be found on this object; make sure it exists and is
> settable.
> At line:1 char:5
> + $sd. <<<< DACL = @()
> + CategoryInfo : InvalidOperation: (:) [], RuntimeException
> + FullyQualifiedErrorId : PropertyAssignmentException
>
> Any ideas and pointers to why this is happening? I'm only two weeks into
> working with powershell and am getting to grips with the basics.
 

Jason Ferguson

#3
Thanks Chris, that makes a bit more sense, but I'm still having issues working
with it.

PS H:\> $sd.properties.DACL = @()

Property 'DACL' cannot be found on this object; make sure it exists and is
settable.
At line:1 char:16
+ $sd.properties. <<<< DACL = @()
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyAssignmentException

I suspect it's something to do with the way the original script was written.


"Chris Dent" wrote:

>
> It's part of the Properties set:
>
> $sd.Properties.DACL
>
> HTH
>
> Chris
>
> Jason Ferguson wrote:

> > Hi,
> >
> > I'm trying to debug a script that imports share info to recreate backup
> > shares, however I've run into a problem with a line of code:
> >
> > PS H:\> $sd = new-object system.management.managementclass
> > Win32_SecurityDescriptor
> > PS H:\> $sd
> >
> > NameSpace: ROOT\cimv2
> >
> > Name Methods Properties
> > ---- ------- ----------
> > Win32_SecurityDescriptor {} {ControlFlags,
> > DACL, Group, Owner...}
> >
> > PS H:\> $sd.DACL = @()
> >
> > Gives the error:
> >
> > Property 'DACL' cannot be found on this object; make sure it exists and is
> > settable.
> > At line:1 char:5
> > + $sd. <<<< DACL = @()
> > + CategoryInfo : InvalidOperation: (:) [], RuntimeException
> > + FullyQualifiedErrorId : PropertyAssignmentException
> >
> > Any ideas and pointers to why this is happening? I'm only two weeks into
> > working with powershell and am getting to grips with the basics.
> .
>
 

Chris Dent

#4
Hi Jason,

Apologies, it should have been $SD.Properties["DACL"]. However, if
you're creating a security descriptor you need the ManagementObject not
the ManagementClass.

Extending that with a bit of an example we end up with:

# A shortcut to create the management class
$SDClass = [WMIClass]"Win32_SecurityDescriptor"
# Create a new instance of the management object from the class.
$SD = $SDClass.CreateInstance()

# Create an Access Control Entry - shorter version of creation
$ACE = ([WMIClass]"Win32_ACE").CreateInstance()
# Create a Trustee
$Trustee = ([WMIClass]"Win32_Trustee").CreateInstance()
# Assign a user name and domain. Setting a SID is an alternative here.
$Trustee.Name = "someone"
$Trustee.Domain = "domain"

# Assign the trustee to the ACE
$ACE.Trustee = $Trustee

# These need values according to the rights you wish to grant
# An Allow ACE:
$ACE.AceType = [Security.AccessControl.AceType]::AccessAllowed
# Full Control:
$ACE.AccessMask = [Security.AccessControl.FileSystemRights]::FullControl

# Add the new ACE to the (currently blank) DACL
$SD.DACL = $ACE

# etc...

You're trying to create a Security Descriptor for use with the Create
method under Win32_Share?

AccessMask values are here:

http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights.aspx

AceTypes here:

http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.acetype.aspx

AceFlags aren't really relevant for shares, they tend to be nothing.

HTH

Chris
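
Added example, not part of Chris's post: the same WMI classes carried through to Win32_Share.Create, with the trustee set by SID, one ACE per group instead of a single Full Control ACE, and the DACL read back from the live share afterwards. It assumes Windows PowerShell (where the [WMIClass] accelerator exists); the function names, path, share name and choice of groups are illustrative.

```powershell
# Added example for Windows PowerShell; not code from the thread.
# Function names, path, share name and SIDs in the usage lines are assumptions.
function New-ShareAce {
    param([string]$Sid, [Security.AccessControl.FileSystemRights]$Rights)
    # Identify the trustee by SID instead of Name/Domain.
    $sidObj = New-Object Security.Principal.SecurityIdentifier $Sid
    $bytes  = New-Object byte[] ($sidObj.BinaryLength)
    $sidObj.GetBinaryForm($bytes, 0)
    $trustee = ([WMIClass]"Win32_Trustee").CreateInstance()
    $trustee.SID = $bytes

    $ace = ([WMIClass]"Win32_ACE").CreateInstance()
    $ace.Trustee    = $trustee
    $ace.AceType    = [uint32][Security.AccessControl.AceType]::AccessAllowed
    $ace.AceFlags   = 0                      # no inheritance flags on a share ACE
    $ace.AccessMask = [uint32]$Rights
    $ace
}

function New-RestrictedShare {
    # The typed array unwraps PowerShell's PSObject wrappers before WMI sees the ACEs.
    param([string]$Path, [string]$Name,
          [System.Management.ManagementBaseObject[]]$Ace)
    $sd = ([WMIClass]"Win32_SecurityDescriptor").CreateInstance()
    $sd.ControlFlags = 4                     # SE_DACL_PRESENT
    $sd.DACL = $Ace

    $shareClass = [WMIClass]"Win32_Share"
    $in = $shareClass.GetMethodParameters("Create")
    $in.Path   = $Path
    $in.Name   = $Name
    $in.Type   = 0                           # 0 = disk drive share
    $in.Access = $sd
    $out = $shareClass.InvokeMethod("Create", $in, $null)
    if ($out.ReturnValue -ne 0) { throw "Win32_Share.Create returned $($out.ReturnValue)" }

    # Read the DACL back from the share to confirm what was actually applied.
    $set = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$Name'"
    $set.GetSecurityDescriptor().Descriptor.DACL |
        Select-Object @{n='Trustee';e={$_.Trustee.Name}}, AceType, AccessMask
}

# Usage (constructed values): Administrators full control, Backup Operators read-only.
# $read = [Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'
# New-RestrictedShare -Path 'C:\Backups' -Name 'Backup$' -Ace @(
#     (New-ShareAce 'S-1-5-32-544' 'FullControl'),
#     (New-ShareAce 'S-1-5-32-551' $read))
```

When recreating shares from an export, comparing the read-back AccessMask values against the exported ones catches a share that came up with broader rights than the original.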