Problem enabling inheritance

Hi there!

I've been coding for 8 hours on a little script to change the audit rules of a folder tree, and I still don't understand how SetAuditRuleProtection works. This snippet is pretty simple:

$Acl = Get-Acl $Object.FullName -Audit

$Acl.SetAuditRuleProtection($false, $false)

$Acl | Set-Acl # Or $Acl | Set-Acl $Object.FullName, same behavior

This does not enable inheritance on the object $Object. Why? What am I doing wrong? I am very frustrated with this :(

Even when I have the button "Disable inheritance" in the Auditing tab of the object (which means inheritance is enabled, I think), the audit rules from the parent don't appear until I modify this (create a rule, delete the rule [no changes at all], apply; that should work).

It's annoying :(

Sorry for my bad English



February 12th, 2015 1:30pm

$f=Get-Item C:\test                          # the folder to change
$acl=$f.GetAccessControl('Audit')            # read its security descriptor including the SACL
$acl.SetAccessRuleProtection($false,$false)  # enable inheritance of access rules (DACL)
$f.SetAccessControl($acl)                    # write the descriptor back

February 12th, 2015 6:47pm

I'm pretty sure you're not doing anything wrong. It looks like there's a bug in the underlying .NET security classes when you have a null or empty SACL (audit ACE list). When the SACL is empty, trying to set the security descriptor doesn't appear to honor the inheritance setting.

To work around the issue, you can add a dummy ACE if the SACL is empty, change the inheritance setting, and then remove the dummy ACE if it was added. Something like this should work:

$path = "C:\path_to_object"

# Get ACL w/ SACL
$acl = Get-Acl $path -Audit

# If SACL is empty, add a rule to it...
$dummyAce = $null  # Need to know later if this was used
if ($acl.Audit.Count -eq 0) {
	$dummyAce = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone","TakeOwnership","Success") # It doesn't matter what this is...
	$acl.AddAuditRule($dummyAce)
}
$acl.SetAuditRuleProtection($false, $false)
$acl | Set-Acl

# Cleanup if $dummyAce was used earlier
if ($dummyAce) {
	$acl = Get-Acl $path -Audit
	$acl.RemoveAuditRuleSpecific($dummyAce)
	$acl | Set-Acl
}

You can make that into a function that just takes a path if you'd like the part of your script that uses this to look cleaner.
February 13th, 2015 5:02am
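The workaround above wrapped into a reusable function, as an added example that is not code from the thread: it applies the dummy-ACE trick only when the SACL is really empty, and re-reads the descriptor afterwards to confirm that inheritance is now on. It assumes an elevated session (reading and writing a SACL requires SeSecurityPrivilege) and the function name Enable-AuditInheritance is my own.

```powershell
# Added example, not from the original thread.
# Assumes an elevated PowerShell session; Get-Acl -Audit / Set-Acl need
# SeSecurityPrivilege to touch the SACL.

function Enable-AuditInheritance {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $acl = Get-Acl -Path $Path -Audit

    # Nothing to do if audit inheritance is already enabled.
    if (-not $acl.AreAuditRulesProtected) {
        return $true
    }

    # Workaround for the empty-SACL case: with no audit ACE present the
    # inheritance flag is not honoured on write, so add a throwaway rule first.
    $dummy = $null
    if ($acl.Audit.Count -eq 0) {
        $dummy = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone', 'TakeOwnership', 'Success')
        $acl.AddAuditRule($dummy)
    }

    # isProtected = $false turns inheritance on; the second argument
    # (preserveInheritance) is only consulted when protecting, so it is moot here.
    $acl.SetAuditRuleProtection($false, $false)
    Set-Acl -Path $Path -AclObject $acl

    # Remove the throwaway rule again so the SACL only carries inherited entries.
    if ($dummy) {
        $acl = Get-Acl -Path $Path -Audit
        [void]$acl.RemoveAuditRuleSpecific($dummy)
        Set-Acl -Path $Path -AclObject $acl
    }

    # Verify against a fresh read rather than trusting the in-memory object.
    $check = Get-Acl -Path $Path -Audit
    return (-not $check.AreAuditRulesProtected)
}

# Usage (placeholder path): returns $true once the object inherits its parent's audit rules.
Enable-AuditInheritance -Path 'C:\path_to_object'
```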

@jrv, thanks for the reply, but it doesn't work.

@Rohn, just yesterday, late, I modified the function that activates the inheritance, and it works, but I do not know why. Your reply answers my doubts perfectly: a damn bug!

# Throwaway audit rule used only to make the SACL non-empty
$DummyRule = New-Object System.Security.AccessControl.FileSystemAuditRule("Administrators", "Write, Read", "None", "None", "Success")

# 1st pass: try to enable inheritance on the current (possibly empty) SACL
$Acl = Get-Acl $Object.FullName -Audit
$Acl.SetAuditRuleProtection($false, $false)
$Acl | Set-Acl

# 2nd pass: add the dummy rule and enable inheritance again
$Acl = Get-Acl $Object.FullName -Audit
$Acl.AddAuditRule($DummyRule)
$Acl.SetAuditRuleProtection($false, $false)
$Acl | Set-Acl

# 3rd pass: remove the dummy rule and write once more
$Acl = Get-Acl $Object.FullName -Audit
$Acl.RemoveAuditRule($DummyRule) | Out-Null
$Acl.SetAuditRuleProtection($false, $false)
$Acl | Set-Acl

I've executed 3 Set-Acl calls just to make sure :D,

thank you very much

February 13th, 2015 11:09am
