Why do permissions change for multiple users when a new user is added or the folder is robocopied?
I'm noticing strange changes to ACL permissions on a folder whenever a new user is given permissions to the folder or the folder is robocopied to a new folder under the same parent folder.
Here's the background:
While developing a PowerShell script to copy folder permissions to another group, I found some strange ACL values coming from the Get-Acl commandlet. Ex: (-1610612736 and -536805376). When I attempt to write these values back to the object using Set-Acl I get an error about them being invalid values.
http://social.technet.microsoft.com/Forums/en/winserverpowershell/thread/8ac2d78c-6e7a-455f-a94b-c4da1874b1d7
In my attempt to figure out what was happening, I found that by simply adding ANY user or group with ANY permission, those strange permissions went away. In addition, if I robocopied the folder to a new folder under the same parent folder, the permissions would go away as well.
Check out the example below. Get-Acl changes from 9 entries on the source folder to 5 entries on the destination folder and all of the strange values go away.
Can anyone explain exactly what is going on here?
robocopy "D:\Folder\Folder1" "D:\Folder\Folder2" /CREATE /S /SEC /R:1 /W:10
PS U:\> $test5 = Get-Acl "D:\Folder\Folder1"
PS U:\> $test5.access
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None

FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : False
InheritanceFlags : ObjectInherit
PropagationFlags : InheritOnly

FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : COMPUTER\GROUP1
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None

FileSystemRights : -1610612736
AccessControlType : Allow
IdentityReference : COMPUTER\GROUP1
IsInherited : False
InheritanceFlags : ObjectInherit
PropagationFlags : InheritOnly

FileSystemRights : Modify, Synchronize
AccessControlType : Allow
IdentityReference : COMPUTER\GROUP2
IsInherited : False
InheritanceFlags : None
PropagationFlags : None

FileSystemRights : -536805376
AccessControlType : Allow
IdentityReference : COMPUTER\GROUP2
IsInherited : False
InheritanceFlags : ObjectInherit
PropagationFlags : InheritOnly

FileSystemRights : Modify, Synchronize
AccessControlType : Allow
IdentityReference : COMPUTER\GROUP2
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly

FileSystemRights : ReadData, Synchronize
AccessControlType : Allow
IdentityReference : DOMAIN\GROUP3
IsInherited : False
InheritanceFlags : ObjectInherit
PropagationFlags : InheritOnly

FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : DOMAIN\GROUP3
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None
PS U:\> $test6 = Get-Acl "D:\Folder\Folder2"
PS U:\> $test6.access
FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : DOMAIN\GROUP3
IsInherited : True
InheritanceFlags : ContainerInherit
PropagationFlags : None

FileSystemRights : ReadData, Synchronize
AccessControlType : Allow
IdentityReference : DOMAIN\GROUP3
IsInherited : True
InheritanceFlags : ObjectInherit
PropagationFlags : InheritOnly

FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : True
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None

FileSystemRights : Modify, Synchronize
AccessControlType : Allow
IdentityReference : COMPUTER\GROUP2
IsInherited : True
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None

FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : COMPUTER\GROUP1
IsInherited : True
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None
April 6th, 2011 12:36pm
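
Added example, not part of the original post: the two numeric values in the Folder1 listing are access masks with generic bits set (0xA0000000 and 0xE0010000), which the FileSystemRights enum has no names for. The sketch below maps them to file-specific rights using the winnt.h constants; the function names Convert-GenericFileRights and Get-NormalizedAccessRule are hypothetical.

```powershell
# Added example; function names are hypothetical, constants are from winnt.h.
function Convert-GenericFileRights {
    param([Parameter(Mandatory=$true)][int]$Mask)

    # Generic bits (top nibble of the access mask) and their file-specific equivalents.
    $map = @(
        @{ Generic = 0x80000000; Specific = 0x00120089 }  # GENERIC_READ    -> FILE_GENERIC_READ
        @{ Generic = 0x40000000; Specific = 0x00120116 }  # GENERIC_WRITE   -> FILE_GENERIC_WRITE
        @{ Generic = 0x20000000; Specific = 0x001200A0 }  # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
        @{ Generic = 0x10000000; Specific = 0x001F01FF }  # GENERIC_ALL     -> FILE_ALL_ACCESS
    )

    # Keep only the bits FileSystemRights defines (FullControl already includes Synchronize).
    $result = $Mask -band 0x001F01FF
    foreach ($m in $map) {
        if ($Mask -band $m.Generic) { $result = $result -bor $m.Specific }
    }
    [System.Security.AccessControl.FileSystemRights]$result
}

function Get-NormalizedAccessRule {
    param([Parameter(Mandatory=$true)][string]$Path)

    # Rebuild every explicit or inherited ACE with its generic bits expanded,
    # so the resulting rules are accepted by the FileSystemAccessRule constructor.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $rights   = Convert-GenericFileRights ([int]$ace.FileSystemRights)
        $ctorArgs = $ace.IdentityReference, $rights, $ace.InheritanceFlags,
                    $ace.PropagationFlags, $ace.AccessControlType
        New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
    }
}

# The two values from the Folder1 listing above, decoded offline.
foreach ($v in -1610612736, -536805376) {
    '{0,12} = 0x{0:X8} -> {1}' -f $v, (Convert-GenericFileRights $v)
}
```

Get-NormalizedAccessRule only reads the ACL and returns new rule objects; review them before adding them to a security descriptor and writing it back with Set-Acl.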