dsccommunity / cntfsaccesscontrol

The cNtfsAccessControl DSC resource module.

License: MIT License

PowerShell 100.00%
powershell powershell-dsc powershell-modules dsc-resources ntfs dsc

cntfsaccesscontrol's Introduction

cNtfsAccessControl

The cNtfsAccessControl module contains DSC resources for NTFS access control management.

You can also download this module from the PowerShell Gallery.

This project is no longer actively maintained.

Resources

cNtfsPermissionEntry

The cNtfsPermissionEntry DSC resource provides a mechanism to manage NTFS permissions.

  • Ensure: Indicates if the principal has explicitly assigned NTFS permissions on the target path. Set this property to Present (the default value) to ensure they exactly match what is provided through the AccessControlInformation property. If the AccessControlInformation property is not specified, the default permission entry is used as the reference permission entry. If this property is set to Absent and the AccessControlInformation property is not specified, all explicit permissions associated with the specified principal are removed.
  • Path: Indicates the path to the target item.
  • Principal: Indicates the identity of the principal. Valid formats are:
  • AccessControlInformation: Indicates the access control information in the form of an array of instances of the cNtfsAccessControlInformation CIM class. Its properties are as follows:
    • AccessControlType: Indicates whether to Allow or Deny access to the target item. The default value is Allow.
    • FileSystemRights: Indicates the access rights to be granted to the principal. Specify one or more values from the System.Security.AccessControl.FileSystemRights enumeration type. Multiple values can be specified by using an array of strings or a single comma-separated string. The default value is ReadAndExecute.
    • Inheritance: Indicates the inheritance type of the permission entry. This property is only applicable to directories. Valid values are:
      • None
      • ThisFolderOnly
      • ThisFolderSubfoldersAndFiles (the default value)
      • ThisFolderAndSubfolders
      • ThisFolderAndFiles
      • SubfoldersAndFilesOnly
      • SubfoldersOnly
      • FilesOnly
    • NoPropagateInherit: Indicates whether the permission entry is not propagated to child objects. This property is only applicable to directories. Set this property to $true to ensure inheritance is limited only to those sub-objects that are immediately subordinate to the target item. The default value is $false.

cNtfsPermissionsInheritance

The cNtfsPermissionsInheritance DSC resource provides a mechanism to manage NTFS permissions inheritance.

  • Path: Indicates the path to the target item.
  • Enabled: Indicates whether NTFS permissions inheritance is enabled. Set this property to $false to ensure it is disabled. The default value is $true.
  • PreserveInherited: Indicates whether to preserve inherited permissions. Set this property to $true to convert inherited permissions into explicit permissions. The default value is $false. Note: This property is only valid when the Enabled property is set to $false.

Versions

1.4.1 (February 6, 2019)

  • cNtfsAuditRuleInformation: Fixed an error when NoPropagateInherit is set to $true (#14).

1.4.0 (October 1, 2018)

  • Added new resources:
    • cNtfsAuditEntry
    • cNtfsAuditInheritance

Special thanks to Scott Matthews (@mrhockeymonkey)!

1.3.1 (January 16, 2018)

  • Bug fixes.

1.3.0 (May 04, 2016)

  • Changed the behavior of the cNtfsPermissionEntry DSC resource with the Ensure property set to Absent. Added an ability to remove specific permission entries.
  • General improvements.

1.2.0 (February 19, 2016)

  • The ItemType property of the cNtfsPermissionEntry DSC resource was deprecated.
  • The cNtfsPermissionsInheritance DSC resource was added.
  • Unit and integration tests were added.
  • Bug fixes and general improvements.

1.1.1 (October 15, 2015)

  • Minor update.

1.1.0 (September 30, 2015)

  • The PermissionEntry property was renamed to AccessControlInformation.

1.0.0 (September 29, 2015)

  • Initial release with the following DSC resources:
    • cNtfsPermissionEntry

Examples

Assign NTFS permissions

This example shows how to use the cNtfsPermissionEntry DSC resource to assign NTFS permissions.

Configuration Sample_cNtfsPermissionEntry
{
    param
    (
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [String]
        $Path = (Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath ([Guid]::NewGuid().Guid))
    )

    Import-DscResource -ModuleName cNtfsAccessControl
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    File TestDirectory
    {
        Ensure = 'Present'
        DestinationPath = $Path
        Type = 'Directory'
    }

    # Ensure that a single permission entry is assigned to the local 'Users' group.
    cNtfsPermissionEntry PermissionSet1
    {
        Ensure = 'Present'
        Path = $Path
        Principal = 'BUILTIN\Users'
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'ReadAndExecute'
                Inheritance = 'ThisFolderSubfoldersAndFiles'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]TestDirectory'
    }

    # Ensure that multiple permission entries are assigned to the local 'Administrators' group.
    cNtfsPermissionEntry PermissionSet2
    {
        Ensure = 'Present'
        Path = $Path
        Principal = 'BUILTIN\Administrators'
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'Modify'
                Inheritance = 'ThisFolderOnly'
                NoPropagateInherit = $false
            }
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'ReadAndExecute'
                Inheritance = 'ThisFolderSubfoldersAndFiles'
                NoPropagateInherit = $false
            }
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'AppendData', 'CreateFiles'
                Inheritance = 'SubfoldersAndFilesOnly'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]TestDirectory'
    }

    # Ensure that all explicit permissions associated with the 'Authenticated Users' group are removed.
    cNtfsPermissionEntry PermissionSet3
    {
        Ensure = 'Absent'
        Path = $Path
        Principal = 'NT AUTHORITY\Authenticated Users'
        DependsOn = '[File]TestDirectory'
    }
}

$OutputPath = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath 'Sample_cNtfsPermissionEntry'
Sample_cNtfsPermissionEntry -OutputPath $OutputPath
Start-DscConfiguration -Path $OutputPath -Force -Verbose -Wait

Disable NTFS permissions inheritance

This example shows how to use the cNtfsPermissionsInheritance DSC resource to disable NTFS permissions inheritance.

Configuration Sample_cNtfsPermissionsInheritance
{
    param
    (
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [String]
        $Path = (Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath ([Guid]::NewGuid().Guid))
    )

    Import-DscResource -ModuleName cNtfsAccessControl
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    File TestDirectory
    {
        Ensure = 'Present'
        DestinationPath = $Path
        Type = 'Directory'
    }

    # Disable NTFS permissions inheritance.
    cNtfsPermissionsInheritance DisableInheritance
    {
        Path = $Path
        Enabled = $false
        PreserveInherited = $true
        DependsOn = '[File]TestDirectory'
    }
}

$OutputPath = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath 'Sample_cNtfsPermissionsInheritance'
Sample_cNtfsPermissionsInheritance -OutputPath $OutputPath
Start-DscConfiguration -Path $OutputPath -Force -Verbose -Wait

cntfsaccesscontrol's People

Contributors

dave-pollock, mrhockeymonkey, snikalaichyk

cntfsaccesscontrol's Issues

NoPropagateInherit is not boolean but can be 0, 1 or 2

Setting ace to 'ReadAndExecute' with 'SubfoldersOnly' and 'NoPropagateInherit' = $true
does not end in the correct result.
ACE in 'PropagationFlags' should be 'NoPropagateInherit, InheritOnly' but is 'NoPropagateInherit' only, which is not the correct result.
(the problem may be in File 'cNtfsPermissionEntry.psm1' at starting line 739)

cNtfsPermissionEntry ('[{0}]:Users' -f $Path) {
    Ensure = 'Present'
    Path = $Path
    Principal = ('BUILTIN\Users')
    AccessControlInformation = @(
        cNtfsAccessControlInformation {
            AccessControlType = 'Allow'
            FileSystemRights = 'ReadAndExecute', 'Synchronize'
            Inheritance = 'SubFoldersOnly'
            NoPropagateInherit = $true
        }
    )
}

should result in:
FileSystemRights            AccessControlType IdentityReference IsInherited InheritanceFlags PropagationFlags
----------------            ----------------- ----------------- ----------- ---------------- ----------------
ReadAndExecute, Synchronize Allow             BUILTIN\Users     False       ContainerInherit NoPropagateInherit, InheritOnly

but really results in:
FileSystemRights            AccessControlType IdentityReference IsInherited InheritanceFlags PropagationFlags
----------------            ----------------- ----------------- ----------- ---------------- ----------------
ReadAndExecute, Synchronize Allow             BUILTIN\Users     False       ContainerInherit NoPropagateInherit
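
The Inheritance and NoPropagateInherit properties described in the README, and the flag pair this issue expects for SubfoldersOnly, can be checked with the following added example. It is not code from the module or from the issue author; the function names and the name-to-flags mapping are assumptions (the mapping is the conventional one for the .NET InheritanceFlags and PropagationFlags enumerations), and the path in the final comment is a placeholder.

```powershell
# Added example; not code from cNtfsPermissionEntry.psm1.
# Assumption: the Inheritance names map to the usual .NET flag pairs shown below.
function ConvertTo-AceFlagPair
{
    [CmdletBinding()]
    param
    (
        [ValidateSet('None', 'ThisFolderOnly', 'ThisFolderSubfoldersAndFiles',
            'ThisFolderAndSubfolders', 'ThisFolderAndFiles',
            'SubfoldersAndFilesOnly', 'SubfoldersOnly', 'FilesOnly')]
        [String]
        $Inheritance = 'ThisFolderSubfoldersAndFiles',

        [Boolean]
        $NoPropagateInherit = $false
    )

    # 'None' and 'ThisFolderOnly' fall through the switch: the entry is not inheritable.
    $inherit = 'None'
    $propagate = @()

    switch ($Inheritance)
    {
        'ThisFolderSubfoldersAndFiles' { $inherit = 'ContainerInherit, ObjectInherit' }
        'ThisFolderAndSubfolders'      { $inherit = 'ContainerInherit' }
        'ThisFolderAndFiles'           { $inherit = 'ObjectInherit' }
        'SubfoldersAndFilesOnly'       { $inherit = 'ContainerInherit, ObjectInherit'; $propagate += 'InheritOnly' }
        'SubfoldersOnly'               { $inherit = 'ContainerInherit'; $propagate += 'InheritOnly' }
        'FilesOnly'                    { $inherit = 'ObjectInherit'; $propagate += 'InheritOnly' }
    }

    # NoPropagateInherit is a second bit in the same flags field, so it is added
    # next to InheritOnly instead of replacing it. It is skipped for entries that
    # are not inheritable, where it has nothing to limit.
    if ($NoPropagateInherit -and $inherit -ne 'None') { $propagate += 'NoPropagateInherit' }
    if ($propagate.Count -eq 0) { $propagate = @('None') }

    [PSCustomObject]@{
        Inheritance      = $Inheritance
        InheritanceFlags = [System.Security.AccessControl.InheritanceFlags]$inherit
        PropagationFlags = [System.Security.AccessControl.PropagationFlags]($propagate -join ', ')
    }
}

function Test-ExplicitAceFlag
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)] [String] $Path,
        [Parameter(Mandatory = $true)] [String] $Principal,
        [Parameter(Mandatory = $true)] [String] $Inheritance,
        [Boolean] $NoPropagateInherit = $false
    )

    $expected = ConvertTo-AceFlagPair -Inheritance $Inheritance -NoPropagateInherit $NoPropagateInherit
    $acl = Get-Acl -LiteralPath $Path

    # ($true, $false) returns explicit entries only, which is what the resource manages.
    $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Principal } |
        ForEach-Object {
            [PSCustomObject]@{
                FileSystemRights = $_.FileSystemRights
                ActualFlags      = '{0} / {1}' -f $_.InheritanceFlags, $_.PropagationFlags
                ExpectedFlags    = '{0} / {1}' -f $expected.InheritanceFlags, $expected.PropagationFlags
                FlagsMatch       = ($_.InheritanceFlags -eq $expected.InheritanceFlags) -and
                                   ($_.PropagationFlags -eq $expected.PropagationFlags)
            }
        }
}

# Flag pairs for every Inheritance value with NoPropagateInherit = $true.
'None', 'ThisFolderOnly', 'ThisFolderSubfoldersAndFiles', 'ThisFolderAndSubfolders',
'ThisFolderAndFiles', 'SubfoldersAndFilesOnly', 'SubfoldersOnly', 'FilesOnly' |
    ForEach-Object { ConvertTo-AceFlagPair -Inheritance $_ -NoPropagateInherit $true } |
    Format-Table -AutoSize

# After applying a configuration, compare the entry on disk with the expected pair
# (placeholder path):
# Test-ExplicitAceFlag -Path 'C:\Path\To\Folder' -Principal 'BUILTIN\Users' `
#     -Inheritance 'SubfoldersOnly' -NoPropagateInherit $true
```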

Error about propagation flags

Hello,

Wondered if anyone could help. I am trying to configure a docker container, and using DSC to set up the website.

I have declared an ntfs permission like so:


        cNtfsPermissionEntry DotNetNuke_DirPermission
        {
            Ensure = "Present"
            Path = $websiteDir
            Principal = "IIS APPPOOL\DotNetNuke"
            AccessControlInformation = cNtfsAccessControlInformation
            {
                AccessControlType = "Allow"
                FileSystemRights = "Modify,ReadAndExecute,ListDirectory,Read,Write"
            }
            DependsOn = @("[File]DotNetNuke_WebsiteDir","[xWebAppPool]DotNetNuke_AppPool")
        }

When this runs I see this in the output:

[[cNtfsPermissionEntry]DotNetNuke_DirPermission] > PropagationFlags : 'None'
Exception calling "AddAccessRule" with "1" argument(s): "This access control
list is not in canonical form and therefore cannot be modified."
+ CategoryInfo : NotSpecified: (:) [], CimException
+ FullyQualifiedErrorId : InvalidOperationException
+ PSComputerName : localhost

Here is the complete verbose output for this dsc resource

VERBOSE: [184090B5949F]: LCM: [ Start Resource ]
[[cNtfsPermissionEntry]DotNetNuke_DirPermission]
VERBOSE: [184090B5949F]: LCM: [ Start Test ]
[[cNtfsPermissionEntry]DotNetNuke_DirPermission]
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] Ensure :
'Present'
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] Path :
'C:/inetpub/wwwroot/DotNetNuke'
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] Principal :
'IIS APPPOOL\DotNetNuke'
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] AccessControlInformation :
'cNtfsAccessControlInformation'
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] Verbose :
'True'
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] Resolving identity reference
'IIS APPPOOL\DotNetNuke'.
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] Current permission entry count
: 0
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] Desired permission entry count
: 1
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] The number of current
permission entries is different from the number of desired permission entries.
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] Permission entry was not found
(1 of 1) :
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] > IdentityReference : 'IIS
APPPOOL\DotNetNuke'
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] > AccessControlType : 'Allow'
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] > FileSystemRights : 'Modify,
Synchronize'
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] > InheritanceFlags :
'ContainerInherit, ObjectInherit'
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] > PropagationFlags : 'None'
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] The target resource is not in
the desired state.
VERBOSE: [184090B5949F]: LCM: [ End Test ]
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] in 0.4380 seconds.
VERBOSE: [184090B5949F]: LCM: [ Start Set ]
[[cNtfsPermissionEntry]DotNetNuke_DirPermission]
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] Resolving identity reference
'IIS APPPOOL\DotNetNuke'.
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] Current permission entry count
: 0
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] Adding permission entry (1 of
1) :
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] > IdentityReference : 'IIS
APPPOOL\DotNetNuke'
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] > AccessControlType : 'Allow'
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] > FileSystemRights : 'Modify,
Synchronize'
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] > InheritanceFlags :
'ContainerInherit, ObjectInherit'
VERBOSE: [184090B5949F]:
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] > PropagationFlags : 'None'
Exception calling "AddAccessRule" with "1" argument(s): "This access control
list is not in canonical form and therefore cannot be modified."
+ CategoryInfo : NotSpecified: (:) [], CimException
+ FullyQualifiedErrorId : InvalidOperationException
+ PSComputerName : localhost

VERBOSE: [184090B5949F]: LCM: [ End Set ]
[[cNtfsPermissionEntry]DotNetNuke_DirPermission] in 0.3690 seconds.
The PowerShell DSC resource '[cNtfsPermissionEntry]DotNetNuke_DirPermission'
with SourceInfo 'C:\setup.ps1::42::9::cNtfsPermissionEntry' threw one or more
non-terminating errors while running the Set-TargetResource functionality.
These errors are logged to the ETW channel called
Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : localhost

PropagationFlags : 'None'
Exception calling "AddAccessRule" with "1" argument(s): "This access control
list is not in canonical form and therefore cannot be modified."
+ CategoryInfo : NotSpecified: (:) [], CimException
+ FullyQualifiedErrorId : InvalidOperationException
+ PSComputerName : localhost

I think I need to deal with propagation flags, but I am not sure why the default "None" is such an issue, or what the message about canonical form is about! If anyone can share some knowledge on this, it would be much appreciated!

Purging unmanaged ACL's

Hi, I was wondering if there is a way in this module to achieve this:

I want to set ACL's on specific folders for end-users programmatically. Sometimes users are added, sometimes users are removed. Adding users works perfectly, but whenever I run my dsc script, I want to purge the acl's that are not managed by DSC. Is there a way to do that?

I know I can set acls to absent, but I don't want to ensure 1000 users are absent when I only want to ensure 3 are present.

It currently works fine with AD groups (ensuring specific people are in a group, and then setting a single acl for that group). However, this requires users to log out and back in again, which is a real pain. I want to switch to ACL's for end-users directly.

Setting NTFS perms on new drive/directory fails the first time

Hi all,

OS: Windows Server 2016

I am trying to set perms on a directory that I create after formatting a new drive and I always get the following output which causes the DSC to fail. If I run it again it seems to complete ok and that is the end of the matter until the server is rebuilt:

ConfigurationName : MyDSC
DependsOn : {[File]Server Folder}
ModuleName : cNtfsAccessControl
ModuleVersion : 1.0.7.0
PsDscRunAsCredential :
ResourceId : [cNtfsPermissionEntry]SetServerNTFSPermissions
SourceInfo : ::205::5::cNtfsPermissionEntry
DurationInSeconds : 1.109
Error : {
"Exception": {
"Message": "The PowerShell DSC resource
\u0027[cNtfsPermissionEntry]SetServerNTFSPermissions\u0027 with SourceInfo
\u0027::205::5::cNtfsPermissionEntry\u0027 threw one or more non-terminating errors while
running the Test-TargetResource functionality. These errors are logged to the ETW channel
called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.",
"Data": {

                                                  },
                                         "InnerException":  null,
                                         "TargetSite":  null,
                                         "StackTrace":  null,
                                         "HelpLink":  null,
                                         "Source":  null,
                                         "HResult":  -2146233079
                                     },
                       "TargetObject":  null,
                       "CategoryInfo":  {
                                            "Category":  7,
                                            "Activity":  "",
                                            "Reason":  "InvalidOperationException",
                                            "TargetName":  "",
                                            "TargetType":  ""
                                        },
                       "FullyQualifiedErrorId":  "NonTerminatingErrorFromProvider",
                       "ErrorDetails":  null,
                       "InvocationInfo":  null,
                       "ScriptStackTrace":  null,
                       "PipelineIterationInfo":  [
                   
                                                 ]
                   }

FinalState :
InDesiredState : False
InitialState :
InstanceName : SetServerNTFSPermissions
RebootRequested : False
ResourceName : cNtfsPermissionEntry
StartDate : 6/29/2018 1:01:26 PM
PSComputerName :

Here is the relevant DSC:

[PSCredential]$serviceaccount = Get-AutomationPSCredential -Name $Node.ServiceAccountName

$installLocation = "E:\Server"

xDisk "FormatServerDrive" {
  DiskNumber = 2
  DriveLetter = 'E'
  FSLabel = 'Server'
}

File "Server Folder" {
  Ensure = "Present"
  DestinationPath = $installLocation
  Type = "Directory"
  DependsOn = "[xDisk]FormatServerDrive"
}

cNtfsPermissionEntry SetServerNTFSPermissions {
  Ensure = "Present"
  Path = $installLocation
  Principal = $serviceaccount.UserName
  AccessControlInformation = @(
    cNtfsAccessControlInformation {
      AccessControlType = "Allow"
      FileSystemRights = "FullControl"
      Inheritance = "ThisFolderSubfoldersAndFiles"
      NoPropagateInherit = $false
    }
  )
  DependsOn = "[File]Server Folder"
}

Any suggestions?
Thanks.
Andrew.

cNtfsAccessControl does not allow removal of unknown principals

@SNikalaichyk first off great module. I am looking to use it to harden servers. Some of the policies I'm using require only specific principals to be assigned to a file and if any principals that are not defined in the policy are found then this is a finding. Has there been any talk of adding functionality that only assigns principals defined in the configuration to a file/folder? So if I write a configuration that says User1 has ReadWrite on C:\Folder it will give User1 the desired permissions and remove the principals not defined in the configuration.

Is it possible to clear other/all permissions?

Hi,

Is it possible to clear other/all permissions instead of choosing to remove individual principals? Is the functionality there to do the equivalent of 'Disable inheritance' -> 'Remove all inherited permissions from this object'?

I have certain folders that I want very specific NTFS permissions and this seems like the best way.

If this isn't something I'm overlooking, I'll try and dig in to the code.

Thanks!
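
The three requests above (purging unmanaged ACLs, removing unknown principals, clearing all other permissions) come down to the same check: which entries on a path belong to principals the configuration does not manage. The following is an added example, not part of the module or of any of these posts: a read-only audit that lists such entries so they can be reported as findings. The function name, its parameters and the principals in the usage comment are assumptions; C:\Folder is the sample path from the post above.

```powershell
# Added example; not part of the cNtfsAccessControl module.
# Lists access control entries whose principal is not in the managed list.
# It only reads the ACL and changes nothing.
function Get-UnmanagedNtfsAce
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [String]
        $Path,

        # Principals the configuration is expected to manage, e.g. 'BUILTIN\Administrators'.
        [Parameter(Mandatory = $true)]
        [String[]]
        $ManagedPrincipal,

        # Also report inherited entries (by default only explicit entries are checked).
        [Switch]
        $IncludeInherited
    )

    # Compare by SID so that different spellings of the same account still match.
    $managedSids = foreach ($name in $ManagedPrincipal)
    {
        try
        {
            $account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $name
            $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        }
        catch
        {
            Write-Warning -Message "Managed principal '$name' could not be resolved and is ignored."
        }
    }

    $acl = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $IncludeInherited.IsPresent,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules)
    {
        $sid = $rule.IdentityReference
        if ($managedSids -contains $sid.Value) { continue }

        # Orphaned SIDs (deleted accounts) cannot be translated; report the raw SID instead.
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { Write-Verbose -Message "SID '$($sid.Value)' has no account name." }

        [PSCustomObject]@{
            Path              = $Path
            Principal         = $name
            Sid               = $sid.Value
            AccessControlType = $rule.AccessControlType
            FileSystemRights  = $rule.FileSystemRights
            IsInherited       = $rule.IsInherited
            InheritanceFlags  = $rule.InheritanceFlags
            PropagationFlags  = $rule.PropagationFlags
        }
    }
}

# Sample call (principals chosen for illustration):
# Get-UnmanagedNtfsAce -Path 'C:\Folder' `
#     -ManagedPrincipal 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM' |
#     Format-Table -AutoSize
```

Each principal it reports could then be given its own cNtfsPermissionEntry block with Ensure set to Absent, which removes that principal's explicit permissions as described in the README.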

Support for Audit rules (SACLs)

Just a query really. I use this resource at work and it works great. A new requirement I have is to now look after some auditing rules. My first thought was to use this resource but it seems it does not support it. I've also been looking for alternatives such as this and this but they either lack support for the file system or I've been having issues getting them working reliably.

Would there be any drive to include support for SACL's in this DSCResource or do you recommend any other modules? If it turns out I have to write my own resource I'd be more than happy to contribute it here but only if you think it's worth pursuing.

Thanks

Invoke-DSCResource

How can I use the cNtfsPermissionEntry resource using Invoke-DSCResource? Can you give me any examples?

Schema mof update required

This may not be your module;

VERBOSE: [RemotePC]: 
[] Executing GetConfiguration failed. Configuration InstallOSquery is not pulled.
The PS module C:\Program Files\WindowsPowerShell\Modules\cNtfsAccessControl\1.3.1\DscResources\cNtfsPermissionsInheritance is either missing or its associated MOF
schema C:\Program Files\WindowsPowerShell\Modules\cNtfsAccessControl\1.3.1\DscResources\cNtfsPermissionsInheritance\cNtfsPermissionsInheritance.schema.mof is
missing or invalid.
    + CategoryInfo          : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : InvalidModuleOrSchema

I've not gotten into writing DSC resources yet but does something need updating to be used with Windows 10 1709?

I've checked the client PC is downloading the module but it's making an empty folder on the client of the correct name in the correct place. I just checked that it's nothing to do with executionpolicy.

can't find new drive

When running a dsc script that formats and brings a new drive online, cntfsaccesscontrol throws an exception that the drive does not exist. If you rerun the dsc script, it works.

xWaitforDisk Disk1
{
    DiskNumber = 1
    RetryIntervalSec = $RetryIntervalSec
    RetryCount = $RetryCount
}

xDisk DataDisk
{
    DiskNumber = 1
    DriveLetter = "S"
}

Cannot find drive. A drive with the name 'S' does not exist.
+ CategoryInfo : ObjectNotFound: (S:) [], CimException
+ FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.GetAclCommand
+ PSComputerName : localhost

cNtfsPermissionEntry websitePermIUSR
{
    Ensure = 'Present'
    #Path = "$iisInstallPath\$IisFolderName\website"
    Path = 'S:\inetpub\wwwroot\prod\website'
    Principal = 'IUSR'
    AccessControlInformation = @(
        cNtfsAccessControlInformation
        {
            AccessControlType = 'Allow'
            FileSystemRights = 'Read'
            Inheritance = 'ThisFolderSubfoldersAndFiles'
            NoPropagateInherit = $false
        }
    )
    DependsOn = '[xRobocopy]website','[xWebAppPool]AppPool'
}

I have made sure the dependson is set to make sure not to run the acl until the drive is online, folders copied, etc.

Can't set perms for APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES

Sample config:

Configuration TestAppPackagePerms
{
    Import-DscResource -ModuleName "cNtfsAccessControl"
    Import-DscResource -ModuleName "PSDesiredStateConfiguration"
	File CreateTestFolder
	{
		Type = "Directory"
		DestinationPath = "C:\Program Files\Test"
		Ensure = "Present"
	}

	cNtfsPermissionsInheritance DisableInheritOnProgramFilesTest
	{
		Path = "C:\Program Files\Test"
		Enabled = $false
		PreserveInherited = $false
		DependsOn = "[File]CreateTestFolder"
	}

	cNtfsPermissionEntry SetPermsOnCTestForApplicationPackageAuthority
	{
		Ensure = "Present"
		Path = "C:\Program Files\Test"
		# For Principal, same results using the following:
		# "ALL APPLICATION PACKAGES"
		# "S-1-15-2-1"
		Principal = "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" 
		AccessControlInformation = @(
			cNtfsAccessControlInformation
			{
				AccessControlType = "Allow"
				FileSystemRights = "ReadAndExecute"
				Inheritance = "ThisFolderSubfoldersAndFiles"
			}
        )
        DependsOn = "[cNtfsPermissionsInheritance]DisableInheritOnProgramFilesTest"
	}
}

TestAppPackagePerms -Verbose
Start-DscConfiguration -Path .\TestAppPackagePerms -Wait -Verbose -Force

Result:

VERBOSE: [SERVER]: LCM:  [ Start  Resource ]  [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority]
VERBOSE: [SERVER]: LCM:  [ Start  Test     ]  [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority]
VERBOSE: [SERVER]:                            [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority] Ensure                   : 'Present'
VERBOSE: [SERVER]:                            [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority] Path                     : 'C:\Program Files\Test'
VERBOSE: [SERVER]:                            [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority] Principal                : 'APPLICATION PACKAGE AU
THORITY\ALL APPLICATION PACKAGES'
VERBOSE: [SERVER]:                            [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority] AccessControlInformation : 'cNtfsAccessControlInfo
rmation'
VERBOSE: [SERVER]:                            [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority] Verbose                  : 'True'
VERBOSE: [SERVER]:                            [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority] Resolving identity reference 'APPLICATION PACKAGE 
AUTHORITY\ALL APPLICATION PACKAGES'.
VERBOSE: [SERVER]: LCM:  [ End    Test     ]  [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority]  in 0.0780 seconds.
PowerShell DSC resource cNtfsPermissionEntry  failed to execute Test-TargetResource functionality with error message: The running command stopped because the preference 
variable "ErrorActionPreference" or common parameter is set to Stop: Could not resolve identity reference 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES': 
'Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated."'. 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost
 
VERBOSE: [SERVER]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost
 
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 0.8 seconds

problem when NoPropagateInherit = $true

Hi,

I get the following message when applying the configuration with NoPropagateInherit = $true:

Cannot process argument transformation on parameter 'NoPropagateInherit'. Cannot convert value
"System.Collections.ObjectModel.Collection`1[System.Management.Automation.PSObject]" to type "System.Boolean". Boolean
parameters accept only Boolean values and numbers, such as $True, $False, 1 or 0.
+ CategoryInfo : InvalidData: (:) [], CimException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,New-FileSystemAccessRule

I've fixed the issue... I'm going to send you a pull request in order to submit the fixed version.

Thank you,
Marco

Ver 1.4.1 cNtfsPermissionEntry is looking for cNtfsAccessControl,1.4.0

Output of DSC Error below.

The PowerShell DSC resource cNtfsPermissionEntry from module <cNtfsAccessControl,1.4.0> does not exist at the PowerShell module path nor is it registered as a WMI DSC resource.
+ CategoryInfo : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : DscResourceNotFound
