From 20d265165cc0ad0c80e7749b5df9be43d4139695 Mon Sep 17 00:00:00 2001 From: Richard Carpenter Date: Tue, 10 Jul 2018 16:21:01 +0100 Subject: [PATCH 1/3] Changed folder inheritance to use an explicit setting. Enabling this will not preserve existing rules. Removed automatic change of folder inheritance. Fixed a problem when the folder owner was not System or a built-in group that causes the error "The security identifier is not allowed to be the owner of this object". Fixed a bug that caused the Test to report empty values for absent rules to remove and rules to be removed. Fixed a bug in Update-FileSystemRightsMapping that would add an additional phantom ACE when an inherited ACE had a permissions that used the generic permissions. In Compare-NtfsRule filtered the list of rules to be removed to only include non-inherited ACE rules to stop --- .../NTFSAccessEntry/NTFSAccessEntry.psm1 | 94 +++++++++++------- .../NTFSAccessEntry.schema.mof | Bin 2486 -> 5056 bytes 2 files changed, 60 insertions(+), 34 deletions(-) diff --git a/DscResources/NTFSAccessEntry/NTFSAccessEntry.psm1 b/DscResources/NTFSAccessEntry/NTFSAccessEntry.psm1 index 5e48123..5353ec5 100644 --- a/DscResources/NTFSAccessEntry/NTFSAccessEntry.psm1 +++ b/DscResources/NTFSAccessEntry/NTFSAccessEntry.psm1 @@ -28,6 +28,10 @@ Function Get-TargetResource [Microsoft.Management.Infrastructure.CimInstance[]] $AccessControlList, + [Parameter()] + [bool] + $DisableInheritance = $false, + [Parameter()] [bool] $Force = $false @@ -94,6 +98,7 @@ Function Get-TargetResource Force = $Force Path = $inputPath AccessControlList = $CimAccessControlList + DisableInheritance = $currentACL.AreAccessRulesProtected } return $ReturnValue @@ -112,6 +117,10 @@ Function Set-TargetResource [Microsoft.Management.Infrastructure.CimInstance[]] $AccessControlList, + [Parameter()] + [bool] + $DisableInheritance = $false, + [Parameter()] [bool] $Force = $false 
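Review bot: The new `$DisableInheritance` parameter is added to Get-, Set- and Test-TargetResource without any help text, although the commit message says that turning it on does not preserve existing rules. A comment above each declaration would keep that visible where the parameter is declared, for example `# $true protects the ACL and discards inherited ACEs; $false (default) lets parent ACEs apply again.` In Get-TargetResource the returned `DisableInheritance = $currentACL.AreAccessRulesProtected` reads the live state; whether `$currentACL` can be null on that path is not visible in the hunk and is worth confirming. All three functions continue outside the hunks.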
@@ -123,9 +132,27 @@ Function Set-TargetResource if(Test-Path -Path $inputPath) { - $currentAcl = Get-Acl -Path $inputPath + $DirectoryInfo = Get-Item -Path $inputPath + + $currentAcl = $DirectoryInfo.GetAccessControl() + if($null -ne $currentAcl) { + if ($currentAcl.AreAccessRulesProtected -ne $DisableInheritance) + { + if ($currentAcl.AreAccessRulesProtected) + { + Write-Verbose -Message 'Enabling inheritance' + } + else + { + Write-Verbose -Message 'Disabling inheritance' + } + + $preserveInheritance = $false + $currentAcl.SetAccessRuleProtection($DisableInheritance, $preserveInheritance) + } + if($Force) { foreach($AccessControlItem in $AccessControlList) @@ -168,17 +195,6 @@ Function Set-TargetResource } } - $isInherited = 0 - $isInherited += $AbsentToBeRemoved.Rule.Where({$_.IsInherited -eq $true}).Count - $isInherited += $ToBeRemoved.Rule.Where({$_.IsInherited -eq $true}).Count - - if($isInherited -gt 0) - { - $currentAcl.SetAccessRuleProtection($true,$true) - Set-Acl -Path $inputPath -AclObject $currentAcl - } - - foreach($Rule in $ToBeRemoved.Rule) { try 
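Review bot: Because `$DisableInheritance` defaults to `$false`, the new block in Set-TargetResource re-enables inheritance on any folder whose ACL is currently protected, so a configuration that never mentions the parameter widens access on a deliberately locked-down folder to whatever the parent grants. In the other direction, `SetAccessRuleProtection($true, $false)` drops every inherited ACE, and if the declared list omits an administrative principal the folder may be left hard to manage. Both transitions are reported only through `Write-Verbose`; I would raise them to a warning, e.g. `Write-Warning -Message ('Enabling inheritance on {0}; parent ACEs will apply' -f $inputPath)`, and consider leaving protection as found when the parameter is not supplied. The function body continues outside the hunk.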
@@ -226,23 +242,22 @@ Function Set-TargetResource $currentAcl.RemoveAccessRule($Rule) } - foreach($Rule in $Expected) + foreach($NonMatchRule in $Expected.Where{$_.Match -eq $false}.Rule) { - $NonMatch = $Rule.Rule - ("Adding access rule:"), - ("> Principal : '{0}'" -f $NonMatch.IdentityReference), - ("> Path : '{0}'" -f $inputPath), - ("> IdentityReference : '{0}'" -f $NonMatch.IdentityReference), - ("> AccessControlType : '{0}'" -f $NonMatch.AccessControlType), - ("> FileSystemRights : '{0}'" -f $NonMatch.FileSystemRights), - ("> InheritanceFlags : '{0}'" -f $NonMatch.InheritanceFlags), - ("> PropagationFlags : '{0}'" -f $NonMatch.PropagationFlags) | - Write-Verbose + ("Adding access rule:"), + ("> Principal : '{0}'" -f $NonMatchRule.IdentityReference), + ("> Path : '{0}'" -f $inputPath), + ("> IdentityReference : '{0}'" -f $NonMatchRule.IdentityReference), + ("> AccessControlType : '{0}'" -f $NonMatchRule.AccessControlType), + ("> FileSystemRights : '{0}'" -f $NonMatchRule.FileSystemRights), + ("> InheritanceFlags : '{0}'" -f $NonMatchRule.InheritanceFlags), + ("> PropagationFlags : '{0}'" -f $NonMatchRule.PropagationFlags) | + Write-Verbose - $currentAcl.AddAccessRule($Rule.Rule) + $currentAcl.AddAccessRule($NonMatchRule) } - Set-Acl -Path $inputPath -AclObject $currentAcl + $DirectoryInfo.SetAccessControl($currentAcl) } else { @@ -271,6 +286,10 @@ Function Test-TargetResource [Microsoft.Management.Infrastructure.CimInstance[]] $AccessControlList, + [Parameter()] + [bool] + $DisableInheritance = $false, + [Parameter()] [bool] $Force = $false @@ -284,7 +303,7 @@ Function Test-TargetResource if(Test-Path -Path $inputPath) { $currentACL = Get-Acl -Path $inputPath - $mappedACL = Update-FileSystemRightsMapping($currentAcl) + $mappedACL = Update-FileSystemRightsMapping($currentAcl) if($null -ne $currentACL) { 
@@ -292,8 +311,8 @@ Function Test-TargetResource { foreach($AccessControlItem in $AccessControlList) { - $Principal = $AccessControlItem.Principal - $Identity = Resolve-Identity -Identity $Principal + $Principal = $AccessControlItem.Principal + $Identity = Resolve-Identity -Identity $Principal $IdentityRef = New-Object System.Security.Principal.NTAccount($Identity.Name) $ACLRules += ConvertTo-FileSystemAccessRule -AccessControlList $AccessControlItem -IdentityRef $IdentityRef @@ -353,7 +372,7 @@ Function Test-TargetResource if($AbsentToBeRemoved.Count -gt 0) { - foreach ($rule in $AbsentToBeRemoved) + foreach ($rule in $AbsentToBeRemoved.Rule) { ("Found [absent] permission rule:"), ("> Principal : '{0}'" -f $Rule.IdentityReference), @@ -371,7 +390,7 @@ Function Test-TargetResource if($ToBeRemoved.Count -gt 0) { - foreach ($Rule in $ToBeRemoved) + foreach ($Rule in $ToBeRemoved.Rule) { ("Non-matching permission entry found:"), ("> Principal : '{0}'" -f $Rule.IdentityReference), @@ -386,6 +405,12 @@ Function Test-TargetResource $InDesiredState = $False } + + if ($currentACL.AreAccessRulesProtected -ne $DisableInheritance) + { + Write-Verbose -Message ('Inheritance is {0} and should be {1}.' -f (-not $currentACL.AreAccessRulesProtected), (-not $DisableInheritance)) + $InDesiredState = $False + } } else { @@ -400,7 +425,7 @@ Function Test-TargetResource Write-Verbose -Message $Message $InDesiredState = $False } - + return $InDesiredState } @@ -557,7 +582,8 @@ Function Compare-NtfsRule $AbsentToBeRemoved = @() $PresentRules = $Expected.Where({$_.Ensure -eq 'Present'}).Rules - $AbsentRules = $Expected.Where({$_.Ensure -eq 'Absent'}).Rules + $AbsentRules = $Expected.Where({$_.Ensure -eq 'Absent'}).Rules + foreach($refrenceObject in $PresentRules) { $match = $Actual.Where({ 
@@ -600,7 +626,7 @@ Function Compare-NtfsRule } } - foreach($refrenceObject in $Actual) + foreach($refrenceObject in $Actual.Where{$_.IsInherited -eq $false}) { $match = @($Expected.Rules).Where({ (((($_.FileSystemRights.value__ -band $refrenceObject.FileSystemRights.value__) -match "$($_.FileSystemRights.value__)|$($refrenceObject.FileSystemRights.value__)") -and !$Force) -or ($_.FileSystemRights -eq $refrenceObject.FileSystemRights -and $Force)) -and @@ -633,7 +659,7 @@ Function Update-FileSystemRightsMapping $ACE ) - foreach($Rule in $ACE.Access) + foreach($Rule in $ACE.Access.Where{$_.IsInherited -eq $false}) { $rightsBand = [int]0xf0000000 -band $Rule.FileSystemRights.value__ if( ($rightsBand -gt 0) -or ($rightsBand -lt 0) ) 
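Review bot: Filtering `$Actual` to `IsInherited -eq $false` in Compare-NtfsRule means an inherited ACE that is not in the desired list is never reported, so with `Force` set and inheritance left enabled the resource can report the desired state while a principal still has access through the parent. That limitation is reasonable, since an inherited ACE cannot be removed on the child, but it should be stated where the filter is applied, e.g. `# Inherited ACEs are skipped: they can only be removed by setting DisableInheritance = $true.` The same filter in Update-FileSystemRightsMapping leaves generic rights on inherited ACEs unmapped, which presumably changes how later comparisons see those entries; confirm that is intended. Both loops continue outside the hunks.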
diff --git a/DscResources/NTFSAccessEntry/NTFSAccessEntry.schema.mof b/DscResources/NTFSAccessEntry/NTFSAccessEntry.schema.mof index deae0f5b7f2b6ce191960f4ec3a6d6880b66f8d9..f688392987c00aaef6eddf4722da3bef6defdceb 100644 GIT binary patch literal 5056 zcmeHLTW=CU6h6-;{)Y)qni$hp?Gv_;5bY&})Q6@qWhpI@!pd&d+Vroh-*<+?uvfs= zCdP&UJ2U5;Irq!{`gtNdGL|z*@Hv)qnc;sVQ<=yMX~>qmmN)qFe+%oEaw^Z|nM4a5 zC;QTqwsfV5-3Sy&X-6rfpf&|$3)J|0qqw*F>%@Ofpm#8axjGhnB<)!}@M&lIN)zuX@HY632J7I-yykI&T^pf8l7 z!%e*93i4BW@^-A0ud%y_r&w-r(p=ot08B&q=S>Z{%i$y|;ZJc#7q?RO3HWd|n(g6^ z7@TYa%717bdwvMrnpUzJBX1YbcM4mZ{`%m#5lSoOF{ud&KU zo9_aiw(%O?!R@?7aAN&SeYNUo24Y1Vg6>#zAo~vHuJIx#S3xCON0u>3i9EB84k5vE zO{$_|@MY92b23jBxirlDO}@UZ<|{8}IbK#5<{jiFoRnwEDv1LgD_#{;nLhqk?G~ey zU3D=|)``oqZuk)K#?H#e4ZY66GEMXnVUIQrxV|f153k653*6Jbyw&r3H~(ih{1_9C z)h*tapKn5+u=!+@s#Q3J_}PV%5OY^CZ!yC$yJh?8qOPdpEM(rwfnQ?3LtHYKv5%Z! z-NtIBS#%Rhe=d1;?uax?u%jeT%bA%vB7dea<|}4$)0F3)lO6lQph04>F7ez?uZCfi zs^?m>x-e$+4iBoE3B(z2|TR-4k6$;d5b#_py7^uf=BXg#ktNl39QVxr{&6G?>+W! zH2-jhO8`f{SHDp(+jB=D2q8yB_C;=n(p`J!}zR^68gBs13B>%^52V? r)!zJ=kz;pl8aIX)q9(josn3y|&l7k^U-Ks8eRXZErx>zsw!Zxay~t>x literal 2486 zcmeHJOK%!65WXYvA4YphB!qHpbD}&X)RG`T=>eh2><+Be#opT9Cfg|gy)$NCkWJe3 zQ1wtGz@8b;e4eM*!$eqnhsH{+E`qE6yZ%-GD!ANqJ0Wx6W;Iz3!Vs+;YUPYh#`K$a zJCEHC&}Y5CZ<#b0^!i$LL}-;53LN(f6PYM5uBQUMtgy4^Egp zI*<+z{ot|(cOuDfCep`Xz^8&~s=QAJHn|Om32FwmmW}2o=GusHCO{(`&J_^UXt4Z_jjb%phrgqHnje ze)GWLW>(J|-xFROHr&1?O&2F!UgcJ!S68U!C9%A+*SmoaS|=zJOtcBHUFcQg#q0== zv+|hCAeB$@oi+ysMe2ny!UL4b`f9Kx+LQ6cSBK$r27VU%q8J~x7*Qvl76&ha_6bcR zymcb_@$IYj^?3APLgPtANq!>^*tFs`w7w8L2j0W&Z2IMcu(&|0GxB2{y^ol`>b_LC zxSX-4FM{eea}p_o_RGgdW1N>Ek&5FW_?hyiz&vyFp9P0cy%Zbf)eW^RBa1Tn2`sQ! A@c;k- From 056b23337de17727dcaaff4eb962a438249dcc54 Mon Sep 17 00:00:00 2001 
From: Richard Carpenter Date: Wed, 11 Jul 2018 15:24:40 +0100 Subject: [PATCH 2/3] Updated the existing tests to use the new parameter DisableInheritance. All the tests are created with DisableInheritance set so some additional test should be created to test this functionality. Fixed a bug in Set-TargetResource caused by $Expected not being initialised. Fixed a bug where removing rules was causing changes to the remaining rules for that Identity. Switched from using RemoveAccessRule to RemoveAccessRuleSpecific. --- .../NTFSAccessEntry/NTFSAccessEntry.psm1 | 8 +- Tests/Unit/NTFSAccessEntry.Tests.ps1 | 107 +++++++++++------- 2 files changed, 70 insertions(+), 45 deletions(-) diff --git a/DscResources/NTFSAccessEntry/NTFSAccessEntry.psm1 b/DscResources/NTFSAccessEntry/NTFSAccessEntry.psm1 index 5353ec5..8f25740 100644 --- a/DscResources/NTFSAccessEntry/NTFSAccessEntry.psm1 +++ b/DscResources/NTFSAccessEntry/NTFSAccessEntry.psm1 @@ -136,6 +136,8 @@ Function Set-TargetResource $currentAcl = $DirectoryInfo.GetAccessControl() + $Expected = @() + if($null -ne $currentAcl) { if ($currentAcl.AreAccessRulesProtected -ne $DisableInheritance) @@ -208,7 +210,7 @@ Function Set-TargetResource ("> InheritanceFlags : '{0}'" -f $Rule.InheritanceFlags), ("> PropagationFlags : '{0}'" -f $Rule.PropagationFlags) | Write-Verbose - $currentAcl.RemoveAccessRule($Rule) + $currentAcl.RemoveAccessRuleSpecific($Rule) } catch { @@ -239,7 +241,7 @@ Function Set-TargetResource ("> PropagationFlags : '{0}'" -f $Rule.PropagationFlags) | Write-Verbose - $currentAcl.RemoveAccessRule($Rule) + $currentAcl.RemoveAccessRuleSpecific($Rule) } foreach($NonMatchRule in $Expected.Where{$_.Match -eq $false}.Rule) @@ -305,6 +307,8 @@ Function Test-TargetResource $currentACL = Get-Acl -Path $inputPath $mappedACL = Update-FileSystemRightsMapping($currentAcl) + $Expected = @() + if($null -ne $currentACL) { if($Force) 
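Review bot: `RemoveAccessRuleSpecific` removes an ACE only when identity, rights, inheritance and propagation flags match exactly, and it returns nothing, so a rule object that differs from the stored ACE is skipped silently. If `$Rule` in either loop is the rule built from the configuration rather than the ACE read from the folder (not visible here), an `Ensure = 'Absent'` entry could leave the access in place while Set-TargetResource reports no error. Passing the ACE taken from `$currentAcl.Access`, or re-reading the ACL afterwards and warning when the entry is still present, would make the removal verifiable. The call in the `@@ -239,7 +241,7 @@` hunk also appears to sit outside a `try`, unlike the first one.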
diff --git a/Tests/Unit/NTFSAccessEntry.Tests.ps1 b/Tests/Unit/NTFSAccessEntry.Tests.ps1 index a6b04a5..5f047eb 100644 --- a/Tests/Unit/NTFSAccessEntry.Tests.ps1 +++ b/Tests/Unit/NTFSAccessEntry.Tests.ps1 @@ -106,11 +106,12 @@ Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Absen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $false -AccessControlType Allow -FileSystemRights ChangePermissions -Inheritance 'This Folder and Files' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } - Set-NewTempItemAcl -ItemType Directory -Path $ContextParams.Path + Set-NewTempItemAcl -ItemType Directory -Path $ContextParams.Path It 'Should return True' { Test-TargetResource @ContextParams | Should Be $true @@ -121,8 +122,9 @@ Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Absen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $false -AccessControlType Deny -FileSystemRights ChangePermissions -Inheritance 'This Folder and Files' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule ` 
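Review bot: These contexts only add `DisableInheritance = $true` to the splatted parameters; none of the changed lines asserts the protection state, so the new `SetAccessRuleProtection` call in Set-TargetResource is not verified even for the value the tests do pass. An assertion such as `(Get-Acl -Path $ContextParams.Path).AreAccessRulesProtected | Should Be $true` after Set-TargetResource would cover it; the same applies to the remaining hunks in this file. It is also not visible here whether `Set-NewTempItemAcl` creates the directory with inheritance already disabled, which decides whether the transition is exercised at all.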
@@ -164,8 +166,9 @@ Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Absen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $false -AccessControlType Allow -FileSystemRights Modify -Inheritance 'This Folder Only' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule ` @@ -207,8 +210,9 @@ Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Absen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -269,8 +273,9 @@ Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Prese $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -AccessControlType Allow -FileSystemRights ReadAndExecute -Inheritance 'This Folder Subfolders and Files' -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule ` 
@@ -312,8 +317,9 @@ Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Prese $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -AccessControlType Allow -FileSystemRights @("CreateFiles", "AppendData") -Inheritance 'Subfolders and Files Only' -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule ` @@ -337,8 +343,9 @@ Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Prese $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -384,8 +391,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Absent $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -429,8 +437,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Absent $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $false -AccessControlType Allow -FileSystemRights ReadAndExecute -Inheritance 'This Folder Subfolders and Files' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( 
@@ -490,8 +499,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Absent $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $false -AccessControlType Allow -FileSystemRights DeleteSubdirectoriesAndFiles -Inheritance 'This Folder Subfolders and Files' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -550,8 +560,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Absent $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -AccessControlType Allow -FileSystemRights ReadAndExecute -Inheritance 'This Folder Subfolders and Files' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -610,8 +621,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Absent $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -AccessControlType Allow -FileSystemRights Modify -Inheritance 'This Folder Only' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -662,8 +674,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Presen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( 
@@ -737,8 +750,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Presen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -AccessControlType Allow -FileSystemRights 'Modify' -Inheritance 'This Folder Only' -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -796,8 +810,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Presen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $false -AccessControlType Allow -FileSystemRights 'Modify' -Inheritance 'This Folder Only' -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule ` @@ -854,8 +869,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Presen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -AccessControlType Allow -FileSystemRights 'Modify' -Inheritance 'This Folder Only' -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( 
@@ -904,8 +920,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Presen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $false -AccessControlType Allow -FileSystemRights 'Modify' -Inheritance 'This Folder Only' -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -1091,8 +1108,9 @@ Describe "$DSCResourceName\Compare-NtfsRule" { $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -FileSystemRights FullControl -Inheritance 'This Folder and Files' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -1146,8 +1164,9 @@ Describe "$DSCResourceName\Compare-NtfsRule" { $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal "Everyone" -ForcePrincipal $true -AccessControlType Allow -FileSystemRights "ReadAndExecute" -Inheritance "This folder subfolders and files" -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -1201,8 +1220,9 @@ Describe "$DSCResourceName\Compare-NtfsRule" { $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -FileSystemRights "ReadAndExecute" -Inheritance "This folder subfolders and files" -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( 
@@ -1247,8 +1267,9 @@ Describe "$DSCResourceName\Compare-NtfsRule" { $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -FileSystemRights "Modify" -Inheritance "This Folder Only" -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( From cd450bf885898818ca879dc1067b400a2932a294 Mon Sep 17 00:00:00 2001 From: Richard Carpenter Date: Fri, 13 Jul 2018 11:29:03 +0100 Subject: [PATCH 3/3] Set NTFSAccessEntry.schema.mof encoding to ASCII --- .../NTFSAccessEntry.schema.mof | Bin 5056 -> 2502 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/DscResources/NTFSAccessEntry/NTFSAccessEntry.schema.mof b/DscResources/NTFSAccessEntry/NTFSAccessEntry.schema.mof index f688392987c00aaef6eddf4722da3bef6defdceb..04a0afba0401d5163babdc22d42bb56bd0c863eb 100644 GIT binary patch literal 2502 zcmeHJOK%!65We#(Mte#mgmP^;5grn1Nf4m)fKX+22iB^wx3;&*Hp+kRjM-h5N1~>O zs)ur5?V0h+=XrYBSHigmv`!j*72R|`bZ$B~(eqOUWcn~VbiO8O#9-oTZ(SQy`FD1vF(pNC|R_ZMrL0uFXb{Xeyf@LHnE-SaGcMNZh zu(d*aOe(M$S&C&Q)G5>~L!AtS7lgN;3cbZC+MRUlTE{et3s*DcpK1=5-8wKqrCXpLn%upodhg6j+DuO5f ztw|+gV!`qnyc|Axx)&zBQ<>x2%?ll;)@b>YF)hS5ynob`SEp~`;eW&7b#ZaJ%?n3GIt%5oTy@`3SyEFYkY4DR>YXYR%qG-+R@Vq1 z_m-2YTBOp!#;An4h|!7@xk+;Qde3wqbOM{QkeVV)KZu>2Zyus@JJVI!Z174Hp%(Y- zMou;j|FdxGh>j02ISb{X2Tv_J3Qg38sJ9NQmv-P%AHKk=wGXw+Ep}Tk-BxS)-Z{f< ztQs?+7rZ)SxNS=sDqi}cPO3(auJKGOVtLn~b_KV_C=?n-#>RM2=1tS(#EAFfai7B= zb;#|Fu{(xD+J&_uz?0gAB5)PfqnX9mhW>a0Vf=<#81B}XQ2!m52d|>bLz#y5#W5Hr zHrMJ~acIMcCX!B6aVK`zG!c$pdJqH#e1!YS`0K53I74T0a$yyx8nyJSR zfchR&5;;rESDqS;>0QM_Y7T(lN6EV)a^~MZiwd85Ehx;Z`{zj_4x|%nh3Cb2A{P=i Gg!LC~;$>d| literal 5056 zcmeHLTW=CU6h6-;{)Y)qni$hp?Gv_;5bY&})Q6@qWhpI@!pd&d+Vroh-*<+?uvfs= zCdP&UJ2U5;Irq!{`gtNdGL|z*@Hv)qnc;sVQ<=yMX~>qmmN)qFe+%oEaw^Z|nM4a5 zC;QTqwsfV5-3Sy&X-6rfpf&|$3)J|0qqw*F>%@Ofpm#8axjGhnB<)!}@M&lIN)zuX@HY632J7I-yykI&T^pf8l7 z!%e*93i4BW@^-A0ud%y_r&w-r(p=ot08B&q=S>Z{%i$y|;ZJc#7q?RO3HWd|n(g6^ z7@TYa%717bdwvMrnpUzJBX1YbcM4mZ{`%m#5lSoOF{ud&KU zo9_aiw(%O?!R@?7aAN&SeYNUo24Y1Vg6>#zAo~vHuJIx#S3xCON0u>3i9EB84k5vE zO{$_|@MY92b23jBxirlDO}@UZ<|{8}IbK#5<{jiFoRnwEDv1LgD_#{;nLhqk?G~ey zU3D=|)``oqZuk)K#?H#e4ZY66GEMXnVUIQrxV|f153k653*6Jbyw&r3H~(ih{1_9C z)h*tapKn5+u=!+@s#Q3J_}PV%5OY^CZ!yC$yJh?8qOPdpEM(rwfnQ?3LtHYKv5%Z! z-NtIBS#%Rhe=d1;?uax?u%jeT%bA%vB7dea<|}4$)0F3)lO6lQph04>F7ez?uZCfi zs^?m>x-e$+4iBoE3B(z2|TR-4k6$;d5b#_py7^uf=BXg#ktNl39QVxr{&6G?>+W! zH2-jhO8`f{SHDp(+jB=D2q8yB_C;=n(p`J!}zR^68gBs13B>%^52V? r)!zJ=kz;pl8aIX)q9(josn3y|&l7k^U-Ks8eRXZErx>zsw!Zxay~t>x