Strange access denial with quite extended rights
Hello Guys (and Gals),

Here is the context: I'm writing a script to periodically set up the filesystem security on my business's main user share. My goal is to be able to return to a prod state whatever "not-so-clever-things" our users have done with their ACLs (I have no choice but to have the users be owners of their home folder, not negotiable, so one day or another some "smart-bottom" WILL mess with the ACLs...).

The script is written in PowerShell v2.0 with PSCX installed and loaded. I have a local dummy test tree on which I have set "the worst possible ACL case ever" (i.e. "O:SYG:SYD:(A;;FA;;;SY)"). If I can manage to get from this to a prod state, no matter if the world falls apart, I'll be able to get back on track.

Anyway... the user launching the script is a Backup Operator, and the process privileges are set with:

    $priv = get-privilege
    $priv.enable("SeRestorePrivilege")
    $priv.enable("SeBackupPrivilege")
    $priv.enable("SeSecurityPrivilege")
    $priv.enable("SeTakeOwnershipPrivilege")
    set-privilege $priv

(and checked as really granted with another get-privilege)

Anyway: get-acl and set-acl still give me "access denied", while I can walk through all the tree (proof that the backup privilege is working)...

- the SeBackupPrivilege should give me permission to read the ACLs
- the SeRestorePrivilege should give me permission to write the ACLs
- the SeSecurityPrivilege and SeTakeOwnershipPrivilege should allow me to bypass any "access denied"

but obviously it's not the case...

Has anyone already encountered this case or have an idea? Have I missed something?

Thanks in advance for your ideas guys
August 5th, 2010 12:31pm

Try right-clicking the program you are using and then use the option "Run as administrator". This should solve your problem.
August 5th, 2010 12:36pm

Hummm, this is a PowerShell script and I think you didn't even take the time to read the post...

the user launching the script is a Backup operator, -> and... obviously a domain admin...

    $priv = get-privilege
    $priv.enable("SeRestorePrivilege")
    $priv.enable("SeBackupPrivilege")
    $priv.enable("SeSecurityPrivilege")
    $priv.enable("SeTakeOwnershipPrivilege")
    set-privilege $priv

guess I have SOME admin rights...
August 5th, 2010 12:47pm

Well, guess you couldn't guess I launched PowerShell via Run on 2k8 -> "This task will be created with administrative privileges"
August 5th, 2010 1:31pm

I recommend that you post your problem here, because I don't think you will find a response on this forum. The link to the forum where you should post is the following: http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/threads
August 5th, 2010 1:49pm

Hummm, I'm not quite sure it is PSh related, I think it's more about the privileges themselves... Anyway, I posted it there too...
August 5th, 2010 3:40pm

It is PSh related: Process Explorer assures me the process has the aforementioned privileges, but get/set acl doesn't behave the way it should.
August 9th, 2010 12:18pm

Like I told you, try checking with the helpers in the other forum. I think they will find a solution for your problem. Best regards.
August 9th, 2010 2:31pm

Hi,

I'm afraid PowerShell cannot do all the things here. We have to use other tools, such as takeown.exe, to take ownership of the file or folder first. You can invoke this tool directly in PowerShell. Run "takeown /?" to get more information and instructions. After that, get-acl and set-acl will work.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 11th, 2010 10:19am
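
The takeown.exe route suggested in the reply above, worked through for one home-folder tree, as an added example that is not part of any post in this thread. Assumptions: an elevated session, each folder is named after its owner's account, `CONTOSO` and `D:\Shares\Home` are placeholders, and the "prod state" is inherited permissions plus Modify for the user.

```powershell
# Added example (not from the thread). Resets one home-folder tree whose DACL
# locks everyone out, e.g. the thread's test case O:SYG:SYD:(A;;FA;;;SY).
function Reset-HomeFolderAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Owner   # e.g. 'CONTOSO\jdoe' (placeholder)
    )

    # 1. Take ownership for the Administrators group (/A), recursively (/R).
    #    /D Y answers the prompt shown for folders the caller cannot list.
    & takeown.exe /F $Path /A /R /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed on $Path (exit $LASTEXITCODE)" }

    # 2. The owner can always rewrite the DACL: replace every ACL in the tree
    #    with the ACEs inherited from the parent (/T recurse, /C keep going).
    & icacls.exe $Path /reset /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed on $Path (exit $LASTEXITCODE)" }

    # 3. Grant the user explicitly. Inherited CREATOR OWNER ACEs were resolved
    #    while Administrators owned the tree, so they do not cover the user.
    #    Modify with container/object inheritance is an assumed prod state.
    & icacls.exe $Path /grant "${Owner}:(OI)(CI)M" /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed on $Path (exit $LASTEXITCODE)" }

    # 4. Hand ownership back to the user, as the thread's policy requires.
    & icacls.exe $Path /setowner $Owner /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /setowner failed on $Path (exit $LASTEXITCODE)" }

    # 5. Return the resulting descriptor so the caller can log or compare it.
    #    Assumes the share root's inheritable ACL grants administrators access.
    (Get-Acl -Path $Path).Sddl
}

$shareRoot = 'D:\Shares\Home'   # placeholder path
$domain    = 'CONTOSO'          # placeholder domain

Get-ChildItem -Path $shareRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    try {
        $sddl = Reset-HomeFolderAcl -Path $_.FullName -Owner "$domain\$($_.Name)"
        Write-Output ("{0} -> {1}" -f $_.FullName, $sddl)
    }
    catch {
        # One broken folder should not stop the periodic run; report and move on.
        Write-Warning ("{0}: {1}" -f $_.FullName, $_.Exception.Message)
    }
}
```

The order matters: the DACL reset and the grant happen while Administrators still own the tree, and ownership goes back to the user only at the end.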

Well, this is more a "get around" than a solution to me... Anyway, I posted this bug (yeah, this is a bug, get/setacl should work with the correct process privileges) to connect.microsoft... I don't really understand why the M$ programmers don't program PSh more 'in-line' with the Win OS "standards"... hummm, maybe not just PSh in fact, but since PSh is more geared towards admins than the average joe it should be a bit more... strict at least...
August 18th, 2010 3:53pm

This topic is archived. No further replies will be accepted.
