Set inherited permissions on iLifeAssetManagement?

Similar Messages

• Set-Acl removing inherited permissions

  Hi,
  I am trying to set permissions on a remote share.  However, using Set-Acl removes the inherited permissions from the share.
  i.e. F:\SHARE inherits permissions from F:\
  Using Set-Acl in any way, removes the permissions inherited from F:\.
  i.e. (Get-Acl \\SERVER\SHARE) | Set-Acl \\SERVER\SHARE
  After running that command, the inherited permissions from F:\ will no longer be applied to F:\SHARE
  Ideas?
  Another thread suggested this was a UAC issue.  UAC is turned off on both the computer running Set-Acl, and the computer with the share.  UAC was turned off by changing the value of EnableLUA  from 1 to 0 in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system".

  This is because setting the ACL on the root of a share using the UNC path disables inheritance for that folder. It has nothing to do with UAC and is by design. Try doing it in explorer and you'll get a warning stating just that.
  EDIT: To set the permissions remotely in this particular case, you'll need to be an administrator on the remote machine. This allows you to connect via \\SERVER\F$, where you are then free to set permissions on the \\SERVER\F$\SHARE folder without disabling
  inheritance.
  Best Regards,
  Carl S
  All code is provided as-is with no guarantees. Always try it out in a test environment before applying it in a production environment.

• Issue in PowerShell with setting inheritance

  I have a script that I need some assistance in configuring permission inheritance on a collection of folders and subfolders
  Here's what I have so far:
  cls
  Set-Location "C:\Set-ACL"
  $log = "C:\Set-ACL\Folders.txt"
  #Gets the ACL's from a folder with correct permissions set
  $ACL = Get-Acl -Path "C:\Folder\subfolder\subfolder\subfolder"
  $Folders = Get-ChildItem -Path "E:\Folder\Subfolder\*\*" | Select-String -pattern "01-"
  $Folders >> $log
  Start-Process $log -Wait
  #Function to pause script while ignoring certain keys like Ctrl etc.
  'Function Pause4user($M = "Press any key to continue setting ACL's Ctrl + C to quit . . . ") { If ($psISE) { $S = New-Object -ComObject "WScript.Shell"; $B = $S.Popup("Click OK to continue.", 0, "Script Paused", 0); Return }; Write-Host -NoNewline $M; $I = 16, 17, 18, 20, 91, 92, 93, 144, 145, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183; While ($K.VirtualKeyCode -Eq $Null -Or $I -Contains $K.VirtualKeyCode) { $K = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") }; Write-Host }'
  Pause4user
  foreach ($Folder in $Folders)
  Set-ACL -Path $Folders -AclObject $ACL
  Write-Host "ACL's Set"
  Remove-Item $log
  The issue i'm finding is that the permissions I have defined in the variable $ACL are not passed to all subfolders and using -recurse after the Get-ChildItem looks like it would do the job but doesnt work because of the 260 character limit in the path.
  Is there a way to set the permissions on the folders returned in the $Folders variable and inherit these permissions to everything underneath it therefore not running into the path limit?
  P.S. Go easy on the script it was put together quickly!
  Thanks in advance

  Hi Jack,
  you can enforce childfolders accepting inheritance by getting their respective Acl, und using the
  SetAccessRuleProtection method on the target folders.
  If path length is escalating, you may want to consider doing one of these:
  Temporarily create junctions to shorten the path.
  Redesign your storage to be (or appear) more flat
  I think there are other tools out there that can handle the path issue, but I don't have one at hand I can recommend - I have never had to design paths that long.
  Cheers,
  Fred
  Ps.: Some shameless advertisement:
  This function will create junctions for you, if you need something for that. You can remove them afterwards like any other shortcut.
  There's no place like 127.0.0.1

• Zipped folders are created without inherited permissions

  When I create a zip folder, the zip folder does not inherit permissions are from its parent folder, nor from the files being archived. 
  (Fixing the permissions manually is not a problem -- only an inconvenience -- but this is repetitive.)  I confirmed that the text files, before archiving, have inherited full-control for Everyone from the parent folder. 
  Specific example:
  -- in a folder with inherited full-control for Everyone, I archive text files.
  -- I archive the files by selecting a group of them, right-clicking the selection, hovering over "Send to", and selecting "Compressed (zipped) folder".
  -- The zip folder is created within the same folder... 
  but the zip folder does not allow full-control to Everyone. 
  Why I care: 
  The parent folder is being backed-up using a bat file that executes ROBOCOPY. 
  The robocopy fails to backup the zip sub-folders. 
  I have to edit the permissions on each zip sub-folder after creating it, or set ROBOCOPY parameters to limit retries (in which case zip folders are not backed up). 
  Is there a simple fix, trick, or setting to make "Send to" / "Compressed (zipped) folder" automatically create the zip folder with inherited permissions? 
  (Note:  this problem mostly affects us on one of our "Server 2008 R2" systems, but I have recreated it in Windows 7.) 
  (Also: I posted this question first on answers.microsoft.com, but was told to post it here.) 
  Related question on technet (not yet resolved, as of 9/26/2012) --
  "Compressed (zipped) folder option always created locked zip file" 
  http://social.technet.microsoft.com/Forums/en-US/w7itproui/thread/b83cb991-b554-43a0-9baf-b05a711993ae 
  Doug Ivison

  I realise that this is post has been here for a long time but I happened to be researching something similar and think I have somewhat of a solution for you.
  Send to compressed (zipped) folder inherites permissions from the temp folder as this is the folder that windows uses to make the zip file.
  Try changing the permissions to %USERPROFILE%\AppData\Local\Temp

• Most efficient/quickest way to set NTFS permissions in PowerShell

  Hello all,
  Trying to figure out what the most efficient/quickest way to set NTFS permissions via PowerShell is. I am currently using ICACLS but it is taking FOREVER as I can't figure out how to make inheritance work with this command.
  This has prompted me to begin looking at other options for setting NTFS permissions in PowerShell, and I wondered what everyone here likes to use for this task in PowerShell?

  Ah ok. Unfortunately, my ICACLS is taking FOREVER. Here is the code I'm using:
  ICACLS "C:\users\[user]\Desktop\test" /grant:r ("[user]" + ':r') /T /C /Q
  However:
  1.  I can't figure out how to make the inheritance parameter work with ICACLS
  2. If I do make the inheritance parameter work with ICACLS, I still need a way to add the permission to child objects that aren't inheriting.
  Any tips on how to improve performance of ICACLS?
  1. icacls folder /grant GROUPNAME:(OI)(CI)(F)  (i will post corrected code later, this works in CMD but not powershell couse of bracers)
  2.  get-childitem -recurse -force |?{$_.psiscontainer} |%{icacls ....}  (or u can list only folders where inheritance is disabled and apply icacls just on them)
  I think jrv and Mekac answered the first question about inheritance flags. I would just add that you probably don't want to use the /T switch with icacls.exe because that appears to set an explicit entry on all child items (that's probably why it's taking
  so long).
  For your second question, I'd suggest using the Get-Acl cmdlet. It throws terminating errors, so I usually wrap it in a try/catch block. Something like this might work if you just wanted the paths to files/folders that aren't inheriting permissions:
  dir $Path -Recurse | ForEach-Object {
  try {
  Get-Acl $_.FullName | where { $_.AreAccessRulesProtected } | ForEach-Object { Convert-Path $_.Path }
  catch {
  Write-Error ("Get-Acl error: {0}" -f $_.Exception.Message)
  return
  If you're looking for speed/performance, you don't want to just use the PowerShell Access Control (PAC) module that Mike linked to above by itself. It's implemented entirely in PowerShell, so it's incredibly slow right now (unless you use it along with Get-Acl
  / see below for an example). I'm slowly working on creating a compiled version that is much faster, and I think I'm pretty close to having something that I can put in the gallery.
  Since I wasn't sure which command would give you the best results, I used Measure-Command to test a few different ones. Each of the following four commands should do the exact same thing. Here are my results (note that I just ran the commands a few times
  and averaged the results on a test system; this wasn't very rigorous testing):
  # Make sure that this folder and user/group exist:
  $Path = "D:\TestFolder"
  $Principal = "TestUser"
  # Native PowerShell/.NET -- Took about 15 ms
  $Acl = Get-Acl $Path
  $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
  $Principal,
  "Read", # [System.Security.AccessControl.FileSystemRights]
  "ContainerInherit, ObjectInherit", # [System.Security.AccessControl.InheritanceFlags]
  "None", # [System.Security.AccessControl.PropagationFlags]
  "Allow" # [System.Security.AccessControl.AccessControlType]
  (Get-Item $Path).SetAccessControl($Acl)
  # PAC Module 3.0 w/ PowerShell/.NET commands -- Took about 35 ms
  $Acl = Get-Acl $Path | Add-AccessControlEntry -Principal $Principal -FolderRights Read -PassThru
  (Get-Item $Path).SetAccessControl($Acl)
  # icacls.exe -- Took about 40ms
  icacls.exe $Path /grant "${Principal}:(OI)(CI)(R)"
  # PAC Module 3.0 w/o Get-Acl -- Took about 350 ms
  Add-AccessControlEntry -Path $Path -Principal $Principal -FolderRights Read -Force
  Unless I messed something up, it looks like the native PowerShell/.NET commands are faster than icacls.exe, at least for modifying a single folder's DACL.

• Unable to set NTFS permissions on share using PowerShell. The user shows up with no rights checked off.

  I am having a little problem here with setting NTFS permissions via PowerShell. 
  Basically I am able to make a new directory on the share, and assign a user NTFS permissions however it just assigns the select user without any permissions set.
  $username = "test.user"
  $directory = "\\testlab-sv01\Share\newfolder"
  New-Item -Path $directory -ItemType Directory
  $colRights = [System.Security.AccessControl.FileSystemRights]"FullControl"
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
  $objType =[System.Security.AccessControl.AccessControlType]::Allow
  $objUser = New-Object System.Security.Principal.NTAccount("$username")
  $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
  $objACL = Get-ACL $directory
  $objACL.AddAccessRule($objACE)
  Set-ACL $directory $objACL
  A side question, why isn't this native in Powershell? Is it for security reasons? I expected there to be a cmdlet for it. 
  Thanks. 
  Kyle

  When you say there are no permissions, do mean that the ACL Editor is showing 'Special permissions' and none of the other boxes are checked?
  Try changing the inheritance and propagation flags to this:
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit, ObjectInherit"
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
  That sets the ACE to apply to the folder (InheritOnly propagation flag isn't set) , subfolders (ContainerInherit inheritance flag is set), and files (ObjectInherit inheritance flag is set), which is necessary for the ACE to not be considered 'special' in
  the ACL Editor.
  Awesome. Thanks. That did work. 
  And yes I did mean that it was showing special permissions with nothing checked. 
  Kyle

• Site template without inherited permissions

  Can I not create a site template with permissions inheritance off. When I break inheritance, create a template based on that site, then create a new site based on that template then inheritance is back on again......that's bad
  Seems like that would be a core need for site templates.

  Hi,
  According to your post, my understanding is that when you create a new site based on the template then inheritance is back on again.
  When you create a new site, if you seelect “Use same permissions as parent site”, it will inheritant permissions.
  I recommend to check “Use unique pernussions” to create your own permissions.
  Linda Li                
  Forum Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Linda Li
  TechNet Community Support
  Is it possible to set those permissions within the template itself so the user doesnt have to set that up when creating an instance?

• Setting up permissions on the file server

  I am attempting to set up a file server with the OS X Server that came with my mac mini.
  I need to be able to set up permissions for 4 different users to be able to read and write, however with no permission to delete.
  I went to the MacMini section (on the left hand corner of the server app), then storage, and from there set up custom permissions
  I added the four users as a group.
  When I added the group to have access to the needed file, I clicked on the drop downs.
  I allowed all permissions for inheritance and reading. I selected all permissions for writting except for "delete" and "Delete subfolders and files"
  This give me a "-" sign next to write versus the check symbol (like it was shown for Read and Inheritance)
  After I set this up... I went to one of the users to test it out, it would not allow me to drop a file on the server or delete anything.
  How do I get this to work the way I want it!?!

  You can not do this with a single ACE.  Or at least I've never been able to.  This shoud resolve.
  Please make sure you test this however.  Remember that trying to overwrite is a delete and then a write.  So if you deny delete, then you can not replace a file or folder with one of the same name.  Also, renaming a file is also a delete.  You will not be able to rename.  Make sure you test this before putting into production to ensure you are getting the behavior you want.
  You have a share point named Archive.  You have a group called Archive_Users.  The Archive_Users are allowed to read and write but NOT delete data in the Archive.  Do do this, follow these steps:
  1:  Create a group called Archive_Users and place your users into the group.
  2:  Define your share point in File Sharing.
  3:  Edit to share point to add the group.  Press the + button and start typing the group name.  When it appears, set the permission to Read Write.  You permission window should have 4 entries at this point.  The everyone, the group (likely staff), and the owner (likely the server admin).  Then the one you added.  The bottom three are POSIX, the final one is an ACE.
  4:  Now, you need to get your hands dirty and create a custom ACE.  Server.app does not allow you to use the Deny rules so break out Terminal.
  5:  I will assume the Archive folder is in this path /Shares/Archive.  First get a list of the folder's ACL using:
  ls -le /Shares/Archive
  It should like like the following:
  drwxr-xr-x+ 2 carbon  wheel   68 Feb 18 22:27 Archive
  0: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
  1: group:archive_users allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextat tr,writeextattr,readsecurity,file_inherit,directory_inherit
  6:  Now you must add your deny rule.  Use the following command:
  chmod +a# 2 "group:archive_users deny delete,file_inherit,directory_inherit" /Shares/Archive
  The syntax here is to add (+a) an ACE at index 2 (# 2), an ACE for the group archive_users that states the group can no delete any file or folder and this is inherited all the way down.
  7:  If you have content in the folder already, be sure to propagate the permissions.
  8:  Test, test, test.
  Remember, the deny rules can have some odd effects.  As mentioned, I can think of the renaming and the overwrite as possible deterrents.
  A possible alternative is to not give everyone read write access to the Archive. It might be more sane to define two groups.  The first groups, Archive_admins, is a subset of users who are entrusted with moving data to archived status.  The second group, Archive_users, is the rest of the team and they have read only access, allowing them to pull data but not edit the archive.  This allows you to use two simple ACEs in Server.app:  Archive_admin = read/write and Archive_users = read.
  R-
  Apple Consultants Network
  Apple Professional Services
  Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

• Inheriting permissions on a sub-subsite uses home as parent and not the subsite of home

  Hello,
  I want to execute my permissions strategy on a Sharepoint 2013 Foundation Server. Now I have a small problem with the inheritance of permissions.
  This the test site:
  Site Collection "Home" -> Subsite (unique permissions) "Projects" -> Subsite "Project A"(inheriting)
  Expected behaviour:
  "Project A" inherits the unique permissions from his actual parent site "Projects".
  Actual behaviour:
  "Project A" inherits from the root site "Home".
  This behaviour means that in our topology I can never use inheritance. Inheritance is desirable, because it reduces administrative effort. 
  How do I get what I want?
  Regards
  chn

  I have "fixed my error". I misunderstood the concept of page permissions and site permissions. I have set permissions only through page permissions, leaving site permissions untouched. Since all subsites inherit from the root site, the page permissions
  of a sub-subsite also inherits from root. 
  Now I properly set site permissions, allowing me to use the inheritance on page permissions. Everything works as I expect. On top I now fully understand the permissions, which I did not earlier, obviously.
  Greetings
  chn

• AGPM - Change Archive Owner - Domain Delegation inherited permissions

  Hi,
  I've just started to implement AGPM 4.0 SP1 on our domain and have got to the point of assigning roles.
  Unfotunately, it looks like I made a bad choice during the initial installation. I assigned the Archive Owner role to the wrong security group and would like to change this.
  It lists as an inherited permission in the Domain Delegation tab of the Change Control folder. However, I cannot find where the setting is inherited from and therefore I can't change it. I realise that I could remove the inherited permissions, but is this
  the only option available to me, or can I alter it somewhere and assign another group this role?
  Thanks,

  Hi,
  Link GPOs permission is assigned to members of Domain Administrators and Enterprise Administrators by default. To assign Link GPOs permission to additional users or groups (such as accounts that have the roles of AGPM Administrator or Approver), click the node
  for the domain and then click the Delegation tab, select Link GPOs, click Add, and select users or groups to which you want to assign the permission.
  For more information, please refer to the following article: 
  Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0
  http://technet.microsoft.com/en-us/library/ee378482.aspx
  Operations Guide for Microsoft Advanced Group Policy Management 4.0
  http://technet.microsoft.com/en-us/library/ee390965.aspx
  Regards,
  Yan Li
  Cataleya Li
  TechNet Community Support

• I have 2 sets of permissions, how do I delete one?

  I have five Macs, one G4 and 4 - G5's. G5s are running Snow Leopard 10.6.8.
  Five graphic designers, who back up their work on a Mac XServer 10.6.6
  Permissions on the designer's Macs are set to read/write for everyone.
  Designer A backs up his job to the XServer, then Designer B needs to edit it, so she attempts to pull it off the XServer.
  Permission denied for only some of the files, not all.
  I guess I need some guidance on the proper way to administer the ACL on the Xserve.
  I have set up an ACL group on the server. The strange thing is, there are 2 sets of permissions showing, one seems normal, but the other is labeled "Custom".
  Is there any way I can log in as something other than the Administrator, and "wipe out" the custom permissions?
  I usually do not mess around in the Terminal.
  Thank you for any insights...

  As Templeton Peck says, the proper way is to use the repartitioning facility, but this will result in loss of data.
  However, SubRosaSoft do make a utility, Volume Works ($10), that will do this resizing on the fly. A complete back up would be prudent in either case.

• IMac at work, iMac at home. (Latest Yosemite and Apple Remote Desktop updates installed) Need to work from home at night. I don't know how to set my permissions so that I can just control my iMac at work.

  iMac at work, iMac at home. (Latest Yosemite and Apple Remote Desktop updates installed) Need to work from home at night. I don't know how to set my permissions so that I can just control my iMac at work.

       If they have set up port forwarding for you already then that is different.  In that case, then you could be experiencing the bug with the most recent release of ARD (3.7.2) and in particular ARD 3.7.2 and Yosemite ARD version 3.8 clients.  It has been reported numerous times in the forums and to Apple that since 3.7.2, clients are frequently unavailable to connect to despite there being no network issue between the remote computer and client computer.  I have not seen anyone report it who was working from outside the LAN to inside the LAN, but I have the same issue with a number of my own computers that are simply on a different subnet, so it stands rot reason that it would happen from a port forwarding location.
       I am sometimes able to resolve the issue locally by SSH connecting into the client computer using Terminal on my admin machine and restarting or relaunching the ARD agent on the remote device, then trying to connect to it again after about 30 seconds.
  The Terminal commands for this procedure are as follows, though you might need to include a port number from outside the LAN:
  First:
  ssh ipaddress -l adminusername
  (example: ssh 192.168.1.1 -l macadmin)
  Second:
  sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/k ickstart -restart -agent
  After that, waiting about 30 seconds and trying to observe or control usually works, though the computer may still fail to show an online or lit-up status indicator.

• Users and inherited permissions

  hello all... quick question.
  Let's say there are 3 users and they all inherit some permissions from user PUBLIC. How can I REMOVE thos inherited permissions.
  db: 9.2
  sorry about my english, ask for more info if needed.
  thanks all in advance!

  so removing these (in this case, non-select privs) from the role, will remove them also
  from the user who inherits them?yes.
  Cheers, APC
  blog: http://radiofreetooting.blogspot.com

• How do we set the permissions for....

  Using Acrobat 9, Setting permissions is very confusing!
  How do we set the permissions for document so that:
  -- the end user needs no password
  -- Printing: Allowed
  -- Changing the Document: Not Allowed
  -- Doument Assembly: Not Allowed
  -- Content Copying: Not Allowed
  -- Content Copying for Accessability: Not Allowed
  -- Page Extraction: Not Allowed
  -- Commenting: Allowed
  -- Filling of Form Fields: Allowed
  -- Signing: Not Allowed
  -- Dreating of Template Pages: Not Allowed

  Not possible. If you allow filling in forms you must allow signing. BTW, while it is nice to be able to set permissions anything that depends upon passwords that you set is easily overcome by third party utilities. Don't do anything that really depends upon these permissions. If you want to set permissions using the Document Properties Dialog box (control D), then click on the Security button. In the Security Method Dialog box, select password security and fill it out as you need.

• When setting up permissions for application files--URGENT

  Hello All,
  when setting up permissions for application files,
  Is this following permisson appropriate?
  If application files are owned by a single owner,
  that owner should be the oracle user.
  DN

  Here is my question again.
  when setting up permission for application file, which permission is
  appropriate?
  a) If application files are owned by a sigle owner,that owner should be oracle
  user.
  b) Application files should be owned by oracle user
  c) Application files should be owned by single user.