Sometimes I don't like you, System.Security.AccessControl.FileSystemAccessRule

I'm writing my own little module to help remove SID histories, mainly on file servers, but I'm thinking about adding SharePoint and local groups too. Many people forget to change the ACLs after migrating with SID history, which means they are stuck with the sidHistory entries: the old SIDs in the ACLs are what still grants the users access.

So what does that have to do with FileSystemAccessRule? In my first incarnation I was modifying the SDDL by hand. That worked, but I felt PowerShell must be able to do this better.

So I gave it some thought and tried to re-implement it using Get-Acl, which returns a System.Security.AccessControl.FileSystemSecurity (a DirectorySecurity for folders). Perfect, but there are some issues.

Here is a perfect example:

This went without a hitch.

So let's see how .NET interprets the only ACE in the ACL above:

Well, that didn't really look like what I wanted. We gave it SDGXGWGR and got -536805376 back.
SDGXGWGR should have given us Delete, Generic Execute, Generic Write, Generic Read, and in fact that is what is in there: -536805376 is 0xE0010000, which is DELETE (0x00010000) plus the GENERIC_EXECUTE, GENERIC_WRITE and GENERIC_READ bits (0x20000000, 0x40000000 and 0x80000000). The FileSystemRights enum simply has no names for the four generic bits, so PowerShell prints the raw integer instead.

Okay, but perhaps it is just a display glitch. Let's try to create an ACE using the data in the $ACL variable.

So now let's create a grant rule with the same permissions for the Builtin Administrators group.
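To make the value in the screenshot above legible, here is an added example (not code from the original post) that decodes a raw access mask such as the -536805376 that .NET showed for SDDL "SDGXGWGR". It splits off the four generic bits, which the FileSystemRights enum cannot name, and maps them with the FILE_GENERIC_* constants from winnt.h, because FileSystemAccessRule throws ArgumentOutOfRangeException for any value outside FileSystemRights.FullControl, generic bits included. The BUILTIN\Administrators SID is the only input assumed.

```powershell
# Added example, not code from the original post. Decodes a raw ACE access mask whose generic
# bits the FileSystemRights enum has no names for, and maps the generic bits to the file-specific
# rights that FileSystemAccessRule will accept.
function ConvertFrom-RawFileSystemRights {
    [CmdletBinding()]
    param([Parameter(Mandatory)][int]$AccessMask)

    # Generic bits (bits 28-31 of an ACCESS_MASK) and their SDDL short forms.
    # PowerShell parses these hex literals as Int32, so 0x80000000 is already negative.
    $genericBits = [ordered]@{
        GenericRead    = 0x80000000   # GR
        GenericWrite   = 0x40000000   # GW
        GenericExecute = 0x20000000   # GX
        GenericAll     = 0x10000000   # GA
    }
    # FILE_GENERIC_READ / FILE_GENERIC_WRITE / FILE_GENERIC_EXECUTE / FILE_ALL_ACCESS from winnt.h:
    # what the file system's generic mapping substitutes for each generic bit on a file or folder.
    $fileGenericMapping = @{
        GenericRead    = 0x120089
        GenericWrite   = 0x120116
        GenericExecute = 0x1200A0
        GenericAll     = 0x1F01FF
    }

    $setGeneric = @(foreach ($name in $genericBits.Keys) {
        if (($AccessMask -band $genericBits[$name]) -ne 0) { $name }
    })

    $specific = $AccessMask -band 0x0FFFFFFF      # everything below the generic nibble
    $mapped   = $specific
    foreach ($name in $setGeneric) { $mapped = $mapped -bor $fileGenericMapping[$name] }

    [pscustomobject]@{
        RawMask      = '0x{0:X8}' -f $AccessMask
        Generic      = $setGeneric -join ', '
        Specific     = [System.Security.AccessControl.FileSystemRights]$specific
        MappedRights = [System.Security.AccessControl.FileSystemRights]$mapped
    }
}

# The value from the post: Delete (0x00010000) plus GX, GW and GR, i.e. 0xE0010000.
$decoded = ConvertFrom-RawFileSystemRights -AccessMask -536805376
$decoded | Format-List
# RawMask      : 0xE0010000
# Generic      : GenericRead, GenericWrite, GenericExecute
# Specific     : Delete
# MappedRights : Modify, Synchronize

# Assumed identity: BUILTIN\Administrators (S-1-5-32-544).
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

# The raw mask is rejected by the constructor because it is outside FullControl ...
try {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ErrorAction Stop `
        -ArgumentList $admins, ([System.Security.AccessControl.FileSystemRights]-536805376), 'Allow'
} catch {
    Write-Warning "Raw mask rejected: $($_.Exception.Message)"
}

# ... while the mapped rights build a normal inheritable Allow rule.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $admins, $decoded.MappedRights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule.FileSystemRights   # Modify, Synchronize
```

Note that the mapped rule is not bit-identical to the original ACE: the original keeps the generic bits and lets each file system apply its own mapping at access-check time, whereas the rebuilt rule stores the expanded file-specific mask. For a file server the effective access is the same, which is good enough when the goal is to replace an old SID with a new one.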

So for now I will continue to parse my SDDL as strings in my Remove SID History module.

Avoid setting up a domain trust for a single user's needs

I found a question on the Microsoft TechNet forums: how can I let a user run ERP software in another domain without being prompted for that domain's credentials all the time?

This solution does not give the local user account any rights in the other domain; it just stores the remote domain's username and password for the user, so the user no longer gets bugged for them.

Using CMDKEY to add a username and password for the other domain
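As an added example (not the command from the original post), this stores the credentials for the remote domain's server in the user's Windows Credential Manager with cmdkey and then verifies the entry. The server, domain, account and share names are made up for the example.

```powershell
# Added example, not the original post's command. Runs in the user's own session, because the
# Credential Manager store is per user profile.
$Target  = 'erp01.fabrikam.local'   # assumed server in the other domain, as it is referenced by the app
$Account = 'FABRIKAM\jdoe'          # assumed account in that domain

# /pass without a value prompts for the password, so it never ends up in the shell history.
cmdkey "/add:$Target" "/user:$Account" /pass
if ($LASTEXITCODE -ne 0) { throw "cmdkey failed with exit code $LASTEXITCODE" }

# Confirm the credential was stored for exactly that target name.
cmdkey "/list:$Target"

# Windows now uses the stored credential for SMB and other integrated-auth connections to
# the target, so this should succeed without a prompt (assumed share name).
Test-Path "\\$Target\ERPData"

# Remove it again when the user no longer needs access:
# cmdkey "/delete:$Target"
```

Two caveats a practitioner should keep in mind. The target name must match what the application actually connects to (FQDN versus short name, and an IP address is a different target). And the stored secret is protected with DPAPI for that user only: anything running as that user can read it back, so this is a convenience for a trusted workstation, not a way to hide the remote password from the user or from malware running in their session.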


Cleaning out NetBIOS hostnames from your DFS namespaces

So you have been using DFS for a while and are happy, but you still get some complaints. Smaller companies usually hear that employees have problems accessing the DFS from home on their own computers. In larger companies private computers are usually not allowed anyway, but there the problem shows up with partner or acquired companies having trouble reaching the DFS. So what is up?

The common problem is that you are still using NetBIOS hostnames instead of FQDNs. Why does that matter, when it works great on my workstation? It works because the workstation is joined to the domain and appends that domain's DNS suffix when it resolves a short name; other computers do not. Suppose we have a company called Contoso with a domain called contoso.local (I know it is bad to use a .local domain name). You request the namespace \\contoso.local\dfs; the client asks the domain controllers in contoso.local which file servers are the root servers and gets a referral back. If that referral only contains NetBIOS names, the client has to resolve them through its own DNS suffix search list (unless configured differently through GPO) or through NetBIOS name resolution. A home PC or a partner's machine has neither contoso.local in its suffix list nor a route to Contoso's WINS or broadcast domain, so the referral points at names it cannot resolve.

I was at a customer's doing a brief DFS analysis, and these are the scripts I ran to check the domain-based DFS. The screenshots are from a non-production environment:
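The following is an added example, not the script from the original post. It lists every root target and folder target of a domain-based namespace and flags the ones whose server part is a NetBIOS name (no dot), which is exactly what a client outside the domain's DNS suffix cannot resolve. It needs the DFSN module (RSAT or Windows Server 2012 and later); the namespace path is an assumed value.

```powershell
# Added example, not the original post's script. Requires the DFSN PowerShell module.

function Test-IsNetBiosName {
    # Extracts the server part of a UNC target and reports whether it lacks a DNS suffix:
    # "\\fs01\share" -> $true, "\\fs01.contoso.local\share" -> $false
    param([Parameter(Mandatory)][string]$TargetPath)
    $server = $TargetPath -replace '^\\\\([^\\]+).*$', '$1'
    return ($server -notmatch '\.')
}

function Find-DfsnNetBiosTarget {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$NamespacePath)   # e.g. \\contoso.local\dfs (assumed)

    $findings = @()

    # Root targets: the namespace servers themselves. These come back in the root referral.
    foreach ($rt in Get-DfsnRootTarget -Path $NamespacePath) {
        $findings += [pscustomobject]@{
            Kind    = 'RootTarget'
            Path    = $NamespacePath
            Target  = $rt.TargetPath
            State   = $rt.State
            NetBIOS = Test-IsNetBiosName $rt.TargetPath
        }
    }

    # Folder targets: the file servers behind each link. This pattern covers one level of
    # folders; add deeper patterns if the namespace nests folders under folders.
    foreach ($folder in Get-DfsnFolder -Path "$NamespacePath\*") {
        foreach ($ft in Get-DfsnFolderTarget -Path $folder.Path) {
            $findings += [pscustomobject]@{
                Kind    = 'FolderTarget'
                Path    = $folder.Path
                Target  = $ft.TargetPath
                State   = $ft.State
                NetBIOS = Test-IsNetBiosName $ft.TargetPath
            }
        }
    }
    return $findings
}

$report = Find-DfsnNetBiosTarget -NamespacePath '\\contoso.local\dfs'
"{0} of {1} targets use a NetBIOS name" -f @($report | Where-Object NetBIOS).Count, $report.Count
$report | Where-Object NetBIOS | Format-Table Kind, Path, Target, State -AutoSize
```

Targets cannot be renamed in place. For a folder target, add the FQDN target with New-DfsnFolderTarget and remove the short one with Remove-DfsnFolderTarget once the clients have picked it up. For a root target the namespace server must first be told to hand out FQDN referrals (the DfsDnsConfig setting covered in the upgrade post) and then the root target is removed and re-added with its FQDN.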





Cleaning downloaded filenames of invalid characters

A friend is doing a project where he downloads files from the internet using PowerShell. Files on a Unix system can contain lots of characters you cannot use on a Windows system. What kind of characters? Backslashes \, slashes / and quite a few more. We could try to write the list of invalid characters by hand, but we would miss some, so let's get Windows to tell us.


Powershell .NET function call to list invalid filename characters

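The call the screenshot shows is [System.IO.Path]::GetInvalidFileNameChars(). As an added example (not the original post's snippet) here is that call put to work on downloaded names, together with the two things Windows rejects that the method does not report: the reserved device names and trailing dots or spaces. The sample names are constructed.

```powershell
# Added example, not the original post's code. Run it on Windows: on PowerShell 7 under
# Linux or macOS GetInvalidFileNameChars() only returns '/' and NUL.
function ConvertTo-SafeFileName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Replacement = '_'
    )
    # Windows' own list: \ / : * ? " < > | plus the ASCII control characters.
    $invalid = [System.IO.Path]::GetInvalidFileNameChars()

    # Replace rather than strip, so "..\..\boot.ini" cannot collapse back into a path.
    $safe = -join ($Name.ToCharArray() | ForEach-Object {
        if ($invalid -contains $_) { $Replacement } else { $_ }
    })

    # Windows silently drops trailing dots and spaces; do it ourselves so the name we
    # record matches the name that ends up on disk.
    $safe = $safe.TrimEnd([char[]]@('.', ' '))

    # CON, PRN, AUX, NUL, COM1-9 and LPT1-9 are reserved in every directory, with or
    # without an extension ("CON.txt" is still the console device).
    if ([System.IO.Path]::GetFileNameWithoutExtension($safe) -match '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$') {
        $safe = "_$safe"
    }

    if ([string]::IsNullOrWhiteSpace($safe)) { $safe = 'unnamed' }
    return $safe
}

# The list Windows gives us, with control characters shown as code points.
[System.IO.Path]::GetInvalidFileNameChars() |
    ForEach-Object { if ([int]$_ -lt 32) { 'U+{0:X4}' -f [int]$_ } else { $_ } }

# Constructed names a downloader might be handed, including a traversal attempt.
'report<Q1>.pdf', 'a/b\c:d*e?f"g|h.txt', 'CON.txt', 'notes.txt. ', '..\..\boot.ini' |
    ForEach-Object { '{0,-22} -> {1}' -f $_, (ConvertTo-SafeFileName $_) }
# report<Q1>.pdf         -> report_Q1_.pdf
# a/b\c:d*e?f"g|h.txt    -> a_b_c_d_e_f_g_h.txt
# CON.txt                -> _CON.txt
# notes.txt.             -> notes.txt
# ..\..\boot.ini         -> .._.._boot.ini
```

The function only produces a file name. The caller should still join it to the download folder with Join-Path and write there, never to a path taken from the remote side.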


Upgrading a DFS namespace from 2000 mode to 2008 mode

So you have just been asked to enable Access Based Enumeration (ABE) on the DFS namespace, but you cannot, because the namespace is in Windows 2000 Server mode. So how do we upgrade it? The boring answer is that you don't; Microsoft does not provide an in-place upgrade. Recreating it is quite simple anyway: export, delete, recreate in 2008 mode, import.

Back up your current DFS namespace

First let's make sure we have a copy of the current namespace, so we don't have to rebuild it by hand. The export is a simple XML file containing the entire configuration, both root servers and all links. Just replace \\<domain.fqdn>\<Namespace> with your DFS namespace information; the file name doesn't really matter. When it completes, look into the file and check what you got.

Remove the old namespace

This part is usually quite simple: start with one namespace server and remove them one after another. If you get stuck because a server is no longer alive, don't worry, just remove it by force. Once you delete the last namespace server, the namespace is gone.

Setting up the new environment

This is a good time to think about doing it right. For instance, were you using FQDNs for your namespace servers? I say enable FQDN referrals and go.

Now create a new namespace with the same name as before, this time in Windows Server 2008 mode. Since a namespace root is just a folder of reparse points, I see no point in moving the DFS share from the default %SystemRoot%\DFSRoots\NamespaceName. Just remember that Everyone should have read-only access to that share.

Then add the other namespace servers one after another.

Restore the namespace

So where are my hundreds of links? I can't remember them all. Importing is as easy as the export we did earlier. You didn't skip that step, right?

Now for the boring part: you really should test it to make sure it works. Remember that a domain-based namespace lives in Active Directory, with all the replication delays that implies.
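The four steps above, as one added example that is not the original post's set of commands. It uses dfsutil for the export and import (the XML format the post refers to) and the DFSN module (Windows Server 2012 or RSAT) for removing and recreating the namespace. Namespace, server names, share and file paths are assumed; run it as a DFS administrator from a box that can reach every namespace server over WinRM.

```powershell
# Added example, not the original post's commands. Assumed environment throughout.
$Namespace  = '\\contoso.local\dfs'
$ShareName  = 'dfs'
$NsServers  = @('fs01.contoso.local', 'fs02.contoso.local')   # namespace servers, as FQDN
# Every server that appears as a root or link target, short name -> FQDN, so the import
# creates FQDN targets instead of copying the old NetBIOS ones back in.
$FqdnMap    = @{ 'FS01' = 'fs01.contoso.local'; 'FS02' = 'fs02.contoso.local'; 'FS03' = 'fs03.contoso.local' }
$Backup     = 'C:\DfsBackup\dfs-namespace.xml'
$ImportFile = 'C:\DfsBackup\dfs-namespace-fqdn.xml'

# 1. Backup: root targets and every link end up in the XML.
New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null
dfsutil root export $Namespace $Backup
if ($LASTEXITCODE -ne 0) { throw "export failed ($LASTEXITCODE); do not continue without a backup" }
[xml]$check = Get-Content -LiteralPath $Backup      # throws if the file is not well-formed XML
Get-Content -LiteralPath $Backup | Select-Object -First 10   # eyeball it, as the post says

# Rewrite short server names to FQDNs in a copy, leaving the raw backup untouched.
# Assumes the short names appear as whole tokens in the file.
$xmlText = [System.IO.File]::ReadAllText($Backup)
foreach ($short in $FqdnMap.Keys) {
    $pattern = '(?i)(?<![\w.-])' + [regex]::Escape($short) + '(?![\w.-])'
    $xmlText = $xmlText -replace $pattern, $FqdnMap[$short]
}
[System.IO.File]::WriteAllText($ImportFile, $xmlText)

# 2. Remove the old 2000-mode namespace: delete every root target, the namespace goes with
#    the last one. For a namespace server that no longer exists, use
#    dfsutil root forcedremove \\deadserver\dfs instead.
foreach ($t in Get-DfsnRootTarget -Path $Namespace) {
    Remove-DfsnRootTarget -Path $Namespace -TargetPath $t.TargetPath -Confirm:$false
}

# 3. New environment. 2008 mode needs Windows Server 2008 domain functional level and
#    2008-or-later namespace servers. Each server is told to hand out FQDN referrals
#    (DfsDnsConfig) and gets the root share with Everyone read-only, nothing more.
foreach ($s in $NsServers) {
    Invoke-Command -ComputerName $s -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Dfs\Parameters' `
            -Name DfsDnsConfig -Value 1 -Type DWord
        Restart-Service Dfs
        $root = Join-Path $env:SystemRoot "DFSRoots\$using:ShareName"
        New-Item -ItemType Directory -Path $root -Force | Out-Null
        if (-not (Get-SmbShare -Name $using:ShareName -ErrorAction SilentlyContinue)) {
            New-SmbShare -Name $using:ShareName -Path $root -ReadAccess 'Everyone' | Out-Null
        }
    }
}
New-DfsnRoot -Path $Namespace -TargetPath "\\$($NsServers[0])\$ShareName" `
    -Type DomainV2 -EnableAccessBasedEnumeration $true | Out-Null
foreach ($s in $NsServers | Select-Object -Skip 1) {
    New-DfsnRootTarget -Path $Namespace -TargetPath "\\$s\$ShareName" | Out-Null
}

# 4. Restore the links from the rewritten export, then let dfsutil compare namespace and file.
dfsutil root import merge $ImportFile $Namespace
dfsutil root import verify $ImportFile $Namespace
```

Run the verify step again after AD replication has had time to catch up, and test from a client outside the domain's DNS suffix as well as from a domain member: the whole point of the FQDN setting only shows there.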


This entry has been on my waiting list for a long time, but since it was a good match for my answer to a question on TechNet social, I completed it.

Incorrectly ordered NTFS ACEs?

I got a question today about a strange permissions problem one of their users was having. Even stranger, when they checked the permissions on the folder they got the following:

The permissions on Sub_Directory are incorrectly ordered, which may cause some entries to be ineffective.

So what is this? Windows expects a DACL in canonical order: explicit deny entries first, then explicit allow entries, then the inherited entries in the same order. Access checks walk the list from the top and stop as soon as the requested access is fully granted, so an allow entry that sits in front of a deny entry can satisfy the check before the deny is ever looked at, which is why Explorer warns that some entries may be ineffective. Microsoft has a few articles about things like this.

But since this was a user's home directory, we decided to just reset all the permissions on the user's folder.
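Finding such folders is easier in bulk than through Explorer. Here is an added example (not code from the original post) that walks a tree and reports every object whose DACL is not in canonical order, using the same check .NET exposes as ObjectSecurity.AreAccessRulesCanonical, and then applies the post's remedy. The root path is an assumed value.

```powershell
# Added example, not the original post's code.
function Find-NonCanonicalAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    }

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName
        } catch {
            Write-Warning "Cannot read ACL on $($item.FullName): $($_.Exception.Message)"
            continue
        }
        # False whenever an Allow precedes a Deny, or an explicit ACE follows an inherited one.
        if (-not $acl.AreAccessRulesCanonical) {
            [pscustomobject]@{
                Path  = $item.FullName
                Order = ($acl.Access | ForEach-Object {
                    '{0}:{1}{2}' -f $_.IdentityReference, $_.AccessControlType,
                                    $(if ($_.IsInherited) { '(I)' } else { '' })
                }) -join ' | '
            }
        }
    }
}

$bad = Find-NonCanonicalAcl -Path 'D:\Home\jdoe' -Recurse     # assumed home directory
$bad | Format-Table -AutoSize -Wrap

# Repair. .NET refuses to touch such a DACL ("This access control list is not in canonical form
# and therefore cannot be modified"), so it has to be replaced rather than edited. icacls /reset
# swaps it for the entries inherited from the parent, which is what the post did for the home
# directory; every explicit ACE on the object is lost, which is why $bad is kept as a record.
foreach ($entry in $bad) {
    icacls "$($entry.Path)" /reset
}
```

If the explicit entries must survive, rebuild instead of resetting: create a fresh DirectorySecurity or FileSecurity object, add each explicit rule from $acl.Access with AddAccessRule (which inserts in canonical order), copy the owner and the inheritance-protection setting, and write it back with Set-Acl.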

Playing with NTFS permissions

If you need to see what the different parts mean, look at my earlier post about icacls rights.

What is needed for:

Allowing users to create folders but not see everything when Access Based Enumeration is enabled. Good for home folders.

Removing all rights for the Authenticated Users SID on the folder and on all files and folders below it.

Granting the creator full control of new folders.
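One icacls line per requirement above, as an added example rather than the original post's commands. The home folder root, domain and group are assumed values; the short forms are the ones from the icacls rights post.

```powershell
# Added example, not the original post's commands. Assumed home folder root and group.
$HomeRoot = 'D:\Home'
$Users    = 'CONTOSO\Domain Users'

# 1. Users may list the root, traverse it and create a folder in it, nothing more. No (OI)(CI)
#    means "this folder only", so nothing trickles into the personal folders. With ABE on the
#    share a user only sees the subfolders they can read, i.e. their own.
icacls $HomeRoot /grant "${Users}:(RD,AD,X,RA,REA,RC,S)"

# 2. Remove every explicit Allow and Deny for Authenticated Users on the root and everything
#    below it. Inherited copies are not touched by /remove; where they come from above the
#    root, break inheritance there first (icacls $HomeRoot /inheritance:d) and rerun.
icacls $HomeRoot /remove 'NT AUTHORITY\Authenticated Users' /T /C

# 3. Whoever creates a folder gets full control of it. CREATOR OWNER is a placeholder SID that
#    is swapped for the creator's SID on new objects; inherit-only keeps it from granting
#    anything on the root itself.
icacls $HomeRoot /grant 'CREATOR OWNER:(OI)(CI)(IO)F'

# Check the result.
icacls $HomeRoot
```

Step 1 deliberately omits Write data (WD) on the root: a user may add a folder but not drop files next to everyone else's home folders. Step 3 combined with step 1 is what makes the home folder self-provisioning.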

Icacls rights

These are the simple rights:

Short form   Long name                 Explorer checkboxes
N            No access                 None
F            Full access               Full control
M            Modify access             Modify, Read & execute, List folder contents, Read, Write
RX           Read and execute access   Read & execute, List folder contents, Read
R            Read-only access          Read
W            Write-only access         Write
D            Delete access             Hidden under Special permissions

These are the specific rights:

Short form   Long name                       Explorer checkboxes (Advanced view)
DE           Delete                          Delete
RC           Read control                    Read permissions
WDAC         Write DAC                       Change permissions
WO           Write owner                     Take ownership
S            Synchronize                     Not shown in Explorer
AS           Access system security          Not shown in Explorer (access to the SACL, not a DACL right)
MA           Maximum allowed                 Not shown in Explorer (a request flag, not a right to grant)
GR           Generic read                    List folder / Read data, Read attributes, Read extended attributes, Read permissions (and Synchronize)
GW           Generic write                   Create files / Write data, Create folders / Append data, Write attributes, Write extended attributes, Read permissions (and Synchronize)
GE           Generic execute                 Traverse folder / Execute file, Read attributes, Read permissions (and Synchronize)
GA           Generic all                     All checked (Full control)
RD           Read data / List directory      List folder / Read data
WD           Write data / Add file           Create files / Write data
AD           Append data / Add subdirectory  Create folders / Append data
REA          Read extended attributes        Read extended attributes
WEA          Write extended attributes       Write extended attributes
X            Execute / Traverse              Traverse folder / Execute file
DC           Delete child                    Delete subfolders and files
RA           Read attributes                 Read attributes
WA           Write attributes                Write attributes

The generic rights are what Explorer shows for them after mapping; the ACE itself keeps the generic bits, which is what tripped up FileSystemAccessRule in the post above.


Short form   Long name
OI           Object inherit: files below inherit this ACE
CI           Container inherit: subfolders below inherit this ACE
IO           Inherit only: the ACE does not apply to the folder it is set on
NP           Don't propagate inherit: inherit one level down only
I            Permission inherited from parent container

So when you set simple rights in Explorer it selects both OI and CI, which is "This folder, subfolders and files".


Remove unwilling B2D device in Backup Exec

So you are using Backup Exec 2012 and have a problem with a ghost B2D folder: you cannot seem to remove it. You get an error like:

Remove-BEDiskStorageDevice : Unable to delete the disk storage. The device (or Backup Exec server) cannot be deleted because existing jobs or selection lists remain.  You must select another target for these jobs or selection lists before you can delete the device or Backup Exec server.


Using %USERNAME% in a DFS link path

I was reading a question on TechNet social about using environment variables in DFS paths; in this case he wanted to use the %username% variable. I have also thought about how nice that could be, a little magic: all users would have the same UNC path for their home directory. Just think how nice \\domain.local\dfs\MyHome feels. Well, on with the blog: you can't. It doesn't work.