Sometimes I dont like you System.Security.AccessControl.AccessRule.FileSystemAccessRule

Im writing my own little module to help remove sidhistories on mailny fileservers. But im thinking about throwing in stuff about Sharepoint and local groups too. Many people forget to change the ACLs after using sidhistories, this means they are stuck with the sidhistory entries.

So what has that to do with FileSystemAccessRule. In my first incarnation I was manually modifying the SDDL. This worked but I felt that Powershell must be able to do this better.

So I gave it some thought. Then I tried to re implement it using Get-ACL which returns a System.Security.AccessControl.FileSystemSecurity. Perfect but there are some issues.

I have a perfect example here:

This went without a hitch.

So lets see how .NET interprets the only ACE in the ACL above:

Well that didnt really look like what I wanted. We gave it SDGXGWGR and I got -536805376.
SDGXGWGR should have given us: Delete, Generic Execute, Generic Write, Generic Read

Okey, but it perhaps is just a display glitch. Lets try to create an ACE using the data in the $ACL variable.

So now lets create a grant rule with the same permissions for the Builtin Administrators group.

So for now I will continue to parse my SDDL as strings in my Remove Sid History module.