Set-acl does not work when executed remotely via PSEXEC

  • Question

  • Hi Team,

    I have the script below, which adds users to an ACL with the specified permissions. This works fine when executed in the ISE, on the console, or locally in any form. The same script, when executed via PSEXEC on a remote machine, fails with the error "the security identifier is not allowed to be the owner of this object". I have searched enough on the internet; they suggest that I change the owner of the folder before adding the ACL, which I don't agree with and would not like to do.

    My first question is: how does it work locally, while running it remotely with the same user fails? The user I am using is a domain service account which is added to the local Administrators group.

    # Fragment of the poster's function. $path, $Username, $Access and $ModuleName are its
    # parameters and Log-Message is the poster's own logging helper; the param block below is
    # reconstructed so the fragment can be run, and Log-Message is assumed to be defined elsewhere.
    function Add-FolderAccess {
        param(
            [Parameter(Mandatory)] [string] $path,
            [Parameter(Mandatory)] [string] $Username,
            [Parameter(Mandatory)] [string] $Access,
            [string] $ModuleName = 'Add-FolderAccess'
        )

        # Read the current security descriptor (Get-Acl returns Owner, Group and DACL)
        try {
            $acl = Get-Acl -Path $path
        }
        catch {
            Log-Message -code "ERR[1-01-000-9999]" -Message "$ModuleName : Could not get the current access List for the path" -EnableLogging -ErrorPassed $error[0]
            return $false
        }

        Write-Verbose "$ModuleName Creating ACL Object for user '$Username' with access '$Access'"
        try {
            if ($Access -eq "Write") {
                # "Write" is expanded to Write + Modify + ReadAndExecute, inherited by subfolders and files
                $AllowRuleW = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, "Write", 'ContainerInherit,ObjectInherit', "None", "Allow")
                $acl.SetAccessRule($AllowRuleW)
                $AllowRuleM = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, "Modify", 'ContainerInherit,ObjectInherit', "None", "Allow")
                $acl.AddAccessRule($AllowRuleM)
                $AllowRuleRE = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, "ReadAndExecute", 'ContainerInherit,ObjectInherit', "None", "Allow")
                $acl.AddAccessRule($AllowRuleRE)
            }
            else {
                # Any other right is applied as given
                $AllowRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, $Access, 'ContainerInherit,ObjectInherit', "None", "Allow")
                $acl.SetAccessRule($AllowRule)
            }
        }
        catch {
            Log-Message -code "ERR[1-01-000-9999]" -Message "$ModuleName : Access to the Folder path $($path) could not be added " -EnableLogging -invocation $MyInvocation -ErrorPassed $error[0]
            return $false
        }

        Write-Verbose "Adding '$Access' access to the user '$Username' for the path '$path'"

        # Write the modified descriptor back; this is the call that fails remotely
        try {
            Set-Acl -Path $path -AclObject $acl
            Log-Message -code "INF[1-01-000-0000]" -Message "Successfully gave $Access to the '$path' for user $Username" -EnableLogging
            return $true
        }
        catch {
            Log-Message -code "ERR[1-01-000-9999]" -Message "$ModuleName : Access to the Folder path $($path) could not be added " -EnableLogging -invocation $MyInvocation -ErrorPassed $error[0]
            return $false
        }
    }

    Thanks 

    Arun


    S.Arun Prasath

    • Moved by Bill_Stewart Wednesday, December 12, 2018 5:10 PM This is not "debug/fix/rewrite my script for me" forum
    Wednesday, August 15, 2018 8:11 AM

All replies

  • Correct. Second hop restriction prevents this.


    \_(ツ)_/

    Wednesday, August 15, 2018 9:02 AM
  • Thanks for your response. I am not clear whether you are considering PSEXEC execution as a hop. I am not doing any hops to the remote system within the script. PSEXEC executes the script as if it ran locally (correct me if I am wrong).

    The same script works if we make the owner of the folder the user I am using in PSEXEC. So does the second hop fade away when the same user is the owner of the folder? It is not clear to me. A little more clarity, or a reference link, would help me, please.

    S.Arun Prasath


    Wednesday, August 15, 2018 9:12 AM
  • So you have a permissions issue.

    Why use PsExec locally? 


    \_(ツ)_/

    Wednesday, August 15, 2018 9:36 AM
  • I have a machine X from which I am targeting machine Y using psexec. Also, as I told earlier, the user is added to the local Administrators group of system Y. Both X and Y are in the same domain.

    S.Arun Prasath

    Wednesday, August 15, 2018 10:59 AM
  • If you are remoting then the second hop restriction is in force.


    \_(ツ)_/

    Wednesday, August 15, 2018 11:29 AM
  • Thanks for your reply. I changed the line below

        $acl = Get-Acl -Path $path

    to

        $acl = (Get-Item $path).GetAccessControl('Access')

    and it worked. No idea why! It was highlighted here -> https://github.com/PowerShell/xSystemSecurity/issues/11


    S.Arun Prasath

    Wednesday, August 15, 2018 2:31 PM
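The working form from the last reply, as an added example that is not the poster's script: `GetAccessControl('Access')` reads only the DACL section of the descriptor, so the object handed to Set-Acl carries no Owner or Group section to write back, unlike the descriptor Get-Acl returns. The function name, folder path and account below are placeholders.

```powershell
# Added example (not the poster's code): grant an account rights on a folder by
# changing only the DACL, then read the result back to confirm the owner is untouched.
function Add-DaclRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,       # placeholder folder path
        [Parameter(Mandatory)] [string] $Identity,   # placeholder account, e.g. 'DOMAIN\svc_account'
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify'
    )

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # AccessControlSections.Access = DACL only: no Owner, Group or SACL is read,
    # so Set-Acl below has nothing but the DACL to persist.
    $dacl = $item.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)

    # Allow ACE that is inherited by subfolders (ContainerInherit) and files (ObjectInherit).
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )

    # SetAccessRule replaces any existing Allow ACE for this identity; AddAccessRule would merge with it.
    $dacl.SetAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($Path, "Grant $Rights to $Identity")) {
        Set-Acl -LiteralPath $Path -AclObject $dacl
    }

    # Verification: re-read the full descriptor (reading the owner needs no extra privilege)
    # and report the ACE that now applies to the identity together with the unchanged owner.
    $after = Get-Acl -LiteralPath $Path
    $ace = $after.Access | Where-Object {
        $_.IdentityReference.Value -ieq $Identity -and $_.AccessControlType -eq 'Allow'
    }
    [pscustomobject]@{
        Path      = $Path
        Owner     = $after.Owner
        Granted   = ($ace.FileSystemRights -join ', ')
        Inherited = ($ace.InheritanceFlags -join ', ')
    }
}

# Usage with placeholder values; drop -WhatIf to apply the change:
# Add-DaclRule -Path 'D:\Share\Data' -Identity 'DOMAIN\svc_account' -Rights 'Write' -WhatIf
```

Because the verification step compares `IdentityReference.Value` to the string you passed in, pass the account in the same `DOMAIN\name` form that Windows reports.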