I worked out all of the parts of my script that creates directory names, creates the directories based on a predefined directory structure, creates an AD group based on a project number appended to a hard-coded name, and then adds the group to a particular directory, and sets the ACL for that group.
I cannot seem to bypass the error:
New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "4".
Here is the script:
$domain="DOMAIN"
$tldn="net"
$pathArr=@()
$pathArr+=$path1=Read-Host -Prompt "Enter first path"
$pathArr+=$path2=Read-Host -Prompt "Enter second path"
[int]$projectNumber=try { Read-Host -Prompt "Enter project number" } catch { Write-Host "Not a numeric value. Please try again."; exit }
[string]$mainFolder=[string]${projectNumber}+"_"+(Read-Host -Prompt "Please give the main folder name")
$projectNumberString=[string]$projectNumber
$projectName=Read-Host -Prompt "Please give the project name"
$fullProjectName="${projectNumberString}_${projectName}"
$pathArr+=$path3="$path1\$mainFolder"
$pathArr+=$path4="$path2\$mainFolder"
$pathArr+=$path5="$path3\$fullProjectName"
$pathArr+=$path6="$path4\$fullProjectName"
# Region: Create organizational units in Active Directory
# Names
$ouN1="XYZOU"
$ouN2="ABCOU"
# Paths
$ouP0="DC=$domain,DC=$tldn"
$ouP1="OU=$ouN1,$ouP0"
$ouP2="OU=$ouN2,$ouP1"
Write-Host "Checking for required origanization units..."
try
{
New-ADOrganizationalUnit -Name $ouN1 -Path $ouP1
New-ADOrganizationalUnit -Name $ouN2 -Path $ouP2
}
catch
{
Out-Null
}
Write-Host "Creating AD Group..."
[string]$group="BEST_${projectNumberString}"
$groupdomain="$domain\$group"
$ADGroupParams= @{
'Name' = "$group"
'SamAccountName' = "$group"
'GroupCategory' = "Security"
'GroupScope' = "Global"
'DisplayName' = "$group"
'Path' = "OU=MyBusinessOU,DC=$domain,DC=$tldn"
'Description' = "Test share"
}
$secgroup=New-ADGroup @ADGroupParams
# Region: Set permissions
Write-Host "Setting permissions..."
# get permissions
$acl = Get-Acl -Path $path6
# add a new permission
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit”
$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse","Executefile","ListDirectory","ReadData", "ReadAttributes", "ReadExtendedAttributes","CreateFiles","WriteData", 'ContainerInherit, ObjectInherit', "CreateDirectories","AppendData", "WriteAttributes", "WriteExtendedAttributes", "DeleteSubdirectoriesAndFiles", "ReadPermissions"
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit”
$PropagationFlags=[System.Security.AccessControl.PropagationFlags]”None”
$AccessControl=[System.Security.AccessControl.AccessControlType]”Allow”
$permission = "$groupdomain", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)
# set new permissions
$acl | Set-Acl -Path $path6
Again, I am trying to do what I would normally do manually in Active Directory in a Windows Environment
- Create an AD Group
- Add the group to a share
- Set permissions to the group
- This script doesn't add the users to the group
The last and final step is setting the permission; unfortunately, when I run the script, change the syntax or the method ( following examples from several articles online ) and spending hours on this now, I just am making no progress. The only progress was that the number it could not overload went down from 18 to 4.
Thank you for your help in advance!
EDIT
I amended the script per a comment pointing out that I missed the $FileSystemAccessRights
argument.
The $permission
variable was changed to:
$permission = "$groupdomain", "$FileSystemAccessRights", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"
I still get this output:
New-Object : Cannot convert argument "1", with value: "ExecuteFile Executefile ListDirectory ReadData ReadAttributes
ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData WriteAttributes
WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions", for "FileSystemAccessRule" to type
"System.Security.AccessControl.FileSystemRights": "Cannot convert value "ExecuteFile Executefile ListDirectory ReadData
ReadAttributes ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData
WriteAttributes WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions" to type
"System.Security.AccessControl.FileSystemRights". Error: "Unable to match the identifier name ExecuteFile Executefile ListDirectory
ReadData ReadAttributes ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData
WriteAttributes WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions to a valid enumerator name. Specify one of the
following enumerator names and try again: ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData,
ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes,
WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership, Synchronize,
FullControl""
EDIT
I tried removing the quotes from the variables because it seems like each variable had quotes already except for $groupdomain
, and then got this error:
New-Object : Cannot convert argument "1", with value: "System.Object[]", for "FileSystemAccessRule" to type
"System.Security.AccessControl.FileSystemRights": "Cannot convert value
"ExecuteFile,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ContainerInherit,
ObjectInherit,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions" to
type "System.Security.AccessControl.FileSystemRights". Error: "Unable to match the identifier name
ExecuteFile,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ContainerInherit,
ObjectInherit,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions to a
valid enumerator name. Specify one of the following enumerator names and try again: ListDirectory, ReadData, WriteData,
CreateFiles, CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile,
DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify,
ChangePermissions, TakeOwnership, Synchronize, FullControl""
EDIT
Tried what Stephen suggested by surrounding he entire New-Object with quotes and then got this error:
Cannot convert argument "rule", with value: "New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList
WOLF\Elite_1035 Write, Read ContainerInherit, ObjectInherit None Allow", for "SetAccessRule" to type
"System.Security.AccessControl.FileSystemAccessRule": "Cannot convert the "New-Object -TypeName
System.Security.AccessControl.FileSystemAccessRule -ArgumentList WOLF\Elite_1035 Write, Read ContainerInherit, ObjectInherit None
Allow" value of type "System.String" to type "System.Security.AccessControl.FileSystemAccessRule"."
EDIT
The error went away, but I still don't see any group added to the Security properties of $path6
.
I was able to also add all of the permissions, theoretically, by doing this:
$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse,Executefile,ListDirectory,ReadData, ReadAttributes, ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles, ReadPermissions"
The solution for this error is that your variables are expanded without being strings (no quotes around the string). So, any comas within the string variable are parsed as arguments.
Powershell can expand variables as strings with the
@
clause.Solution:
However, what you've done in your example...
... is a bit of recreating the wheel and can lead into problems, which you encountered. Also, you passed the arguments without any ADuser or SID, which gave you also those errors.
Reliable Solution
Applies also to this question: PowerShell ACL Not Applying
First, things like
are verbose and it is hard to tell what you get (strings, objects, enum...) As the enumeration of these properties are set yet in the EnumerationObjects of these, you can pass literally the strings as arguments:
I encountered also a wrong statement in the
$FileSystemAccessRights
array you've created:'ContainerInherit, ObjectInherit'
shouldn't be in there. This is not a valid enumeration string.See: FileSystemRights-Enumeration
That's why you've gotten this error:
Unable to match the identifier name
for$FileSystemAccessRights
variable.Second, the FileSystemAccessRule class needs 3 or 5 arguments passed.
See: FileSystemAccessRule-Class
Make sure you pass whether 3 or 5 arguments to it, no more, no less.
Third, set the ACL in a reliable way:
Note that I use the functions in other manner as OP posted and OP forgot to pass the
$secgroup
variable to the function. This is in my experience the most reliable way of setting ACL in powershell.You forgot
$FileSystemAccessRights
in the argumentsEdit, remove the double quotes.
You still have two issues:
First create a $principal object
Then try reducing that $FileSystemAccessRights because it has issues, try something simple to start with like Read/Write access.
Update the creation of the variable $permission to include the principal: