PowerShell Set-Acl New-Object : Cannot find an ove

Published 2019-06-02 10:54

I worked out all of the parts of my script that creates directory names, creates the directories based on a predefined directory structure, creates an AD group based on a project number appended to a hard-coded name, and then adds the group to a particular directory, and sets the ACL for that group.

I cannot seem to bypass the error:

New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "4".

Here is the script:

    $domain="DOMAIN"
    $tldn="net"

    $pathArr=@()
    $pathArr+=$path1=Read-Host -Prompt "Enter first path"
    $pathArr+=$path2=Read-Host -Prompt "Enter second path"
    # The [int] cast happens inside the try block so that a non-numeric entry is actually caught
    [int]$projectNumber=try { [int](Read-Host -Prompt "Enter project number") } catch { Write-Host "Not a numeric value. Please try again."; exit }
    [string]$mainFolder=[string]${projectNumber}+"_"+(Read-Host -Prompt "Please give the main folder name")
    $projectNumberString=[string]$projectNumber
    $projectName=Read-Host -Prompt "Please give the project name"
    $fullProjectName="${projectNumberString}_${projectName}"
    $pathArr+=$path3="$path1\$mainFolder"
    $pathArr+=$path4="$path2\$mainFolder"
    $pathArr+=$path5="$path3\$fullProjectName"
    $pathArr+=$path6="$path4\$fullProjectName"

    # Region: Create organizational units in Active Directory
    # Names
    $ouN1="XYZOU"
    $ouN2="ABCOU"

    # Paths
    $ouP0="DC=$domain,DC=$tldn"
    $ouP1="OU=$ouN1,$ouP0"
    $ouP2="OU=$ouN2,$ouP1"

    Write-Host "Checking for required organization units..."
    try
    {
        # Each OU is created under its parent container, not under its own path
        New-ADOrganizationalUnit -Name $ouN1 -Path $ouP0
        New-ADOrganizationalUnit -Name $ouN2 -Path $ouP1
    }
    catch
    {
        # The OUs already exist (or could not be created); continue with the rest of the script
        Write-Verbose "OU creation skipped: $_"
    }

    Write-Host "Creating AD Group..."
    [string]$group="BEST_${projectNumberString}"
    $groupdomain="$domain\$group"

    $ADGroupParams= @{
        'Name' = "$group" 
        'SamAccountName' = "$group" 
        'GroupCategory' = "Security"
        'GroupScope' = "Global"
        'DisplayName' = "$group"
        'Path' = "OU=MyBusinessOU,DC=$domain,DC=$tldn"
        'Description' = "Test share"
    }
    # -PassThru is needed for New-ADGroup to return the created group object
    $secgroup=New-ADGroup @ADGroupParams -PassThru

    # Region: Set permissions
    Write-Host "Setting permissions..."

    # get permissions
    $acl = Get-Acl -Path $path6

    # add a new permission
    $InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse","Executefile","ListDirectory","ReadData", "ReadAttributes", "ReadExtendedAttributes","CreateFiles","WriteData", 'ContainerInherit, ObjectInherit', "CreateDirectories","AppendData", "WriteAttributes", "WriteExtendedAttributes", "DeleteSubdirectoriesAndFiles", "ReadPermissions"
    $InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $PropagationFlags=[System.Security.AccessControl.PropagationFlags]"None"
    $AccessControl=[System.Security.AccessControl.AccessControlType]"Allow"
    $permission = "$groupdomain", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"
    # This is the call that raises the error quoted above
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
    $acl.SetAccessRule($rule)

    # set new permissions
    $acl | Set-Acl -Path $path6

Again, I am trying to do what I would normally do manually in Active Directory in a Windows environment:

  1. Create an AD Group
  2. Add the group to a share
  3. Set permissions to the group
  4. This script doesn't add the users to the group

The last and final step is setting the permission; unfortunately, after running the script, changing the syntax or the method (following examples from several articles online) and spending hours on this now, I am just making no progress. The only progress was that the argument count it could not find an overload for went down from 18 to 4.

Thank you for your help in advance!

EDIT

I amended the script per a comment pointing out that I missed the $FileSystemAccessRights argument.

The $permission variable was changed to:

$permission = "$groupdomain", "$FileSystemAccessRights", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"

I still get this output:

New-Object : Cannot convert argument "1", with value: "ExecuteFile Executefile ListDirectory ReadData ReadAttributes 
ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData WriteAttributes 
WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions", for "FileSystemAccessRule" to type 
"System.Security.AccessControl.FileSystemRights": "Cannot convert value "ExecuteFile Executefile ListDirectory ReadData 
ReadAttributes ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData 
WriteAttributes WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions" to type 
"System.Security.AccessControl.FileSystemRights". Error: "Unable to match the identifier name ExecuteFile Executefile ListDirectory 
ReadData ReadAttributes ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData 
WriteAttributes WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions to a valid enumerator name.  Specify one of the 
following enumerator names and try again: ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData, 
ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes, 
WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership, Synchronize, 
FullControl""

EDIT

I tried removing the quotes from the variables because it seems like each variable had quotes already except for $groupdomain, and then got this error:

New-Object : Cannot convert argument "1", with value: "System.Object[]", for "FileSystemAccessRule" to type 
"System.Security.AccessControl.FileSystemRights": "Cannot convert value 
"ExecuteFile,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ContainerInherit, 
ObjectInherit,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions" to 
type "System.Security.AccessControl.FileSystemRights". Error: "Unable to match the identifier name 
ExecuteFile,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ContainerInherit, 
ObjectInherit,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions to a 
valid enumerator name.  Specify one of the following enumerator names and try again: ListDirectory, ReadData, WriteData, 
CreateFiles, CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile, 
DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, 
ChangePermissions, TakeOwnership, Synchronize, FullControl""

EDIT

Tried what Stephen suggested by surrounding the entire New-Object with quotes and then got this error:

Cannot convert argument "rule", with value: "New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 
WOLF\Elite_1035 Write, Read ContainerInherit, ObjectInherit None Allow", for "SetAccessRule" to type 
"System.Security.AccessControl.FileSystemAccessRule": "Cannot convert the "New-Object -TypeName 
System.Security.AccessControl.FileSystemAccessRule -ArgumentList WOLF\Elite_1035 Write, Read ContainerInherit, ObjectInherit None 
Allow" value of type "System.String" to type "System.Security.AccessControl.FileSystemAccessRule"."

EDIT

The error went away, but I still don't see any group added to the Security properties of $path6.

I was able to also add all of the permissions, theoretically, by doing this:

$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse,Executefile,ListDirectory,ReadData, ReadAttributes, ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles, ReadPermissions"
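The following is an added example, not the question's script: it builds the access rule with the five-argument FileSystemAccessRule constructor, where every argument already has the type the overload expects, applies it with Set-Acl, and then reads the DACL back so the script fails loudly if the entry did not land (the situation described in the last edit above, where no error is shown but the group never appears in the Security tab). The group name DOMAIN\BEST_1035 and the folder path are assumed values; the ::new() syntax needs PowerShell 5 or later.

```powershell
# Added example (not the question's code): grant a domain group access to a folder
# and verify the resulting DACL entry. DOMAIN\BEST_1035 and the path are assumed.
function Grant-FolderAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,   # e.g. "DOMAIN\BEST_1035"
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )

    # An explicit NTAccount object, not a bare string, as the identity reference
    $principal = [System.Security.Principal.NTAccount]$Identity

    # Each argument is already the enum type the 5-argument overload expects, so
    # nothing is stringified on the way in and no comma-separated string is
    # mistaken for several arguments
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $principal, $Rights, $inherit, $propagate, $Type)

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Verification: re-read the DACL and return the entries for this identity.
    # An empty result means the rule did not land, which is worth stopping on
    # rather than discovering later in the Security tab.
    $entries = @((Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq $Type })
    if ($entries.Count -eq 0) {
        throw "No $Type entry for $Identity found on $Path after Set-Acl"
    }
    return $entries
}

# Usage with assumed values; the identity is built the way the question builds $groupdomain
Grant-FolderAccess -Path 'D:\Projects\1035_Main\1035_Project' -Identity 'DOMAIN\BEST_1035' |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

A related point for the group-creation part of the script: New-ADGroup returns nothing unless -PassThru is given, so a `$secgroup` variable assigned without it is empty, and anything later that relies on it (as the first answer below does) receives `$null`. The default of `Modify` here is a single composite right; the long list of individual rights in the question can be passed instead through the -Rights parameter once it has been validated as a FileSystemRights value.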

2 answers

(account suspended)
#2 · 2019-06-02 11:10

New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "5".

The solution for this error is that your variables are expanded without being strings (no quotes around the string). So, any commas within the string variable are parsed as arguments.

Powershell can expand variables as strings with the @clause.

Solution:

$permission = @($groupdomain), @($InheritanceFlags), @($PropagationFlags), @($AccessControl)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission

However, what you've done in your example...

$permission = "$groupdomain", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"

... is a bit of reinventing the wheel and can lead to problems, which you encountered. Also, you passed the arguments without any AD user or SID, which also gave you those errors.


Reliable Solution

Applies also to this question: PowerShell ACL Not Applying
First, things like

    $InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse","Executefile","ListDirectory","ReadData", "ReadAttributes", "ReadExtendedAttributes","CreateFiles","WriteData", 'ContainerInherit, ObjectInherit', "CreateDirectories","AppendData", "WriteAttributes", "WriteExtendedAttributes", "DeleteSubdirectoriesAndFiles", "ReadPermissions"
    $InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $PropagationFlags=[System.Security.AccessControl.PropagationFlags]"None"

are verbose and it is hard to tell what you get (strings, objects, enum...). As the enumerations of these properties are already defined in their enumeration types, you can pass the strings literally as arguments:

    $InheritanceFlags = "ContainerInherit, ObjectInherit"
    $FileSystemAccessRights = "Traverse,Executefile,ListDirectory,ReadData, ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions"

etc.

I encountered also a wrong statement in the $FileSystemAccessRights array you've created: 'ContainerInherit, ObjectInherit' shouldn't be in there. This is not a valid enumeration string.
See: FileSystemRights-Enumeration

That's why you've gotten this error: Unable to match the identifier name for $FileSystemAccessRights variable.

Second, the FileSystemAccessRule class needs 3 or 5 arguments passed.
See: FileSystemAccessRule-Class

  • IdentityReference (SID or full samaccountname from AD)
  • FileSystemRights (Enumerations enclosed as string and split by comma)
  • [optional]InheritanceFlags
  • [optional]PropagationFlags
  • AccessControlType (String; if "Deny" or "Allow")

Make sure you pass either 3 or 5 arguments to it, no more, no less.

Third, set the ACL in a reliable way:

    # Region: Set permissions
    Write-Host "Setting permissions..."

    # get permissions
    $acl = Get-Acl -Path $path6

    # add a new permission
    $user = $secgroup
    $InheritanceFlags="ContainerInherit, ObjectInherit"
    $FileSystemAccessRights="Traverse,Executefile,ListDirectory,ReadData, ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions"
    $InheritanceFlags="ContainerInherit, ObjectInherit"
    $PropagationFlags="None"
    $AccessControl="Allow"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(@($user), @($FileSystemAccessRights), @($InheritanceFlags), @($PropagationFlags), @($AccessControl))
    $acl.SetAccessRule($rule)
    # set new permissions: SetAccessControl is a method of the DirectoryInfo object, not of the path string
    (Get-Item -Path $path6).SetAccessControl($acl)

Note that I use the functions in a different manner than OP posted, and OP forgot to pass the $secgroup variable to the function. This is in my experience the most reliable way of setting an ACL in PowerShell.
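As an added example that is not part of this answer, the block below does two things the answer describes in prose: it checks a list of rights names against the actual members of the FileSystemRights enumeration, so an element such as 'ContainerInherit, ObjectInherit' is reported by name instead of through the long "Unable to match the identifier name" error, and it shows the 3-argument and 5-argument constructor forms side by side. The group name DOMAIN\BEST_1035 is assumed; the ::new() syntax needs PowerShell 5 or later.

```powershell
# Added example (not the answer's code): validate FileSystemRights names, then
# build rules with the 3- and 5-argument constructors. DOMAIN\BEST_1035 is assumed.
function ConvertTo-FileSystemRights {
    param([Parameter(Mandatory)][string[]]$Names)

    $valid = [System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights])
    # -notcontains compares case-insensitively, so "Executefile" is accepted
    $invalid = @($Names | Where-Object { $valid -notcontains $_.Trim() })
    if ($invalid.Count -gt 0) {
        throw "Not members of FileSystemRights: $($invalid -join '; ')"
    }

    # OR the flag values together as integers, then cast the total back to the enum
    $bits = 0
    foreach ($name in $Names) {
        $bits = $bits -bor [int][System.Security.AccessControl.FileSystemRights]$name.Trim()
    }
    return [System.Security.AccessControl.FileSystemRights]$bits
}

$identity = [System.Security.Principal.NTAccount]'DOMAIN\BEST_1035'

# The question's list with the two inheritance flags left out
$names = 'Traverse','Executefile','ListDirectory','ReadData','ReadAttributes',
         'ReadExtendedAttributes','CreateFiles','WriteData','CreateDirectories',
         'AppendData','WriteAttributes','WriteExtendedAttributes',
         'DeleteSubdirectoriesAndFiles','ReadPermissions'
$rights = ConvertTo-FileSystemRights -Names $names

# 3-argument overload: identity, rights, type. Without inheritance flags the
# entry applies to the folder itself only.
$ruleFolderOnly = [System.Security.AccessControl.FileSystemAccessRule]::new($identity, $rights, 'Allow')

# 5-argument overload: adds inheritance and propagation flags. The method
# binder converts the comma-separated strings to the enum types.
$ruleInherited = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $identity, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')

# The question's original list, with the inheritance flags passed as a rights
# name, is rejected before any constructor is called
try {
    ConvertTo-FileSystemRights -Names ($names + 'ContainerInherit, ObjectInherit')
} catch {
    Write-Warning $_.Exception.Message
}
```

Validating the names first is cheap, and it keeps an invalid rights string from turning into a constructor failure several lines later, where the error message lists every enumerator and is harder to read than a message naming the one bad element.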

ら.Afraid
#3 · 2019-06-02 11:18

You forgot $FileSystemAccessRights in the arguments

$permission =  $groupdomain, $FileSystemAccessRights, $InheritanceFlags, $PropagationFlags, $AccessControl

Edit, remove the double quotes.

You still have two issues:

First create a $principal object

$principal = New-Object System.Security.Principal.NTAccount($groupdomain)

Then try reducing that $FileSystemAccessRights because it has issues, try something simple to start with like Read/Write access.

$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Read, Write"

Update the creation of the variable $permission to include the principal:

$permission = $principal, $FileSystemAccessRights, $InheritanceFlags, $PropagationFlags, $AccessControl
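As an added example that is not part of this answer, the block below builds on the $principal step: it resolves the NTAccount to a SID before the account is written into a DACL, so a name that does not resolve (a typo, or a group that the queried domain controller does not know about yet) fails with a clear message rather than producing a rule that never shows up in the folder's Security tab. DOMAIN\BEST_1035 is an assumed name; the ::new() syntax needs PowerShell 5 or later.

```powershell
# Added example (not the answer's code): resolve the principal to a SID first,
# then build the rule from the resolved identity. DOMAIN\BEST_1035 is assumed.
function Resolve-Principal {
    param([Parameter(Mandatory)][string]$Account)   # e.g. "DOMAIN\BEST_1035"

    $nt = [System.Security.Principal.NTAccount]$Account
    try {
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Cannot resolve '$Account' to a SID (check the name, or the group may not be visible on this domain controller yet): $($_.Exception.Message)"
    }
    return [pscustomobject]@{ Account = $nt.Value; Sid = $sid }
}

$principal = Resolve-Principal -Account 'DOMAIN\BEST_1035'

# Start with the simple Read/Write pair the answer suggests; the rule carries the
# SecurityIdentifier itself, and Get-Acl still displays the DOMAIN\name form
$rights = [System.Security.AccessControl.FileSystemRights]'Read, Write'
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $principal.Sid, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')

# Both forms of the identity are available for later comparison with the DACL
# that Get-Acl returns: match on the SID rather than on the display name
$rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value   # DOMAIN\BEST_1035
$rule.IdentityReference -eq $principal.Sid                                       # True
```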