I'm writing my own little module to help remove SID histories on many file servers, but I'm thinking about throwing in stuff about SharePoint and local groups too. Many people forget to change the ACLs after using SID history, which means they are stuck with the SID history entries.
So what does that have to do with FileSystemAccessRule? In my first incarnation I was manually modifying the SDDL. This worked, but I felt that PowerShell must be able to do this better.
So I gave it some thought. Then I tried to re-implement it using Get-Acl, which returns a System.Security.AccessControl.FileSystemSecurity. Perfect, but there are some issues.
I have a perfect example here:
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetSecurityDescriptorSddlForm('O:BAG:BAD:PAI(A;OICIIO;SDGXGWGR;;;AU)','All')
This went without a hitch. So let's see how .NET interprets the only ACE in the ACL above:
PS C:\Users\virot>$acl.access
FileSystemRights : -536805376
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
Well, that didn't really look like what I wanted. We gave it SDGXGWGR and I got -536805376. SDGXGWGR should have given us: Delete, Generic Execute, Generic Write, Generic Read.
Okay, but perhaps it is just a display glitch. Let's try to create an ACE using the data in the $acl variable.
So now let's create a grant rule with the same permissions for the Builtin Administrators group.
PS C:\Users\virot> [System.Security.AccessControl.FileSystemAccessRule]::new([System.Security.Principal.SecurityIdentifier]::new('BA'), $acl.access[0].FileSystemRights, $acl.access[0].AccessControlType)
Exception calling ".ctor" with "3" argument(s): "The value '-536805376' is not valid for this usage of the type FileSystemRights.
Parameter name: fileSystemRights"
At line:1 char:1
+ [System.Security.AccessControl.FileSystemAccessRule]::new([System.Sec ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ArgumentOutOfRangeException
So for now I will continue to parse my SDDL as strings in my Remove Sid History module.
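The number is not a display glitch: -536805376 is 0xE0010000 as an Int32, which is DELETE (0x00010000) plus the three generic-right bits GENERIC_READ (0x80000000), GENERIC_WRITE (0x40000000) and GENERIC_EXECUTE (0x20000000). FileSystemRights has no members for the generic bits, so the FileSystemAccessRule constructor rejects the value. An added example, not from the original post, that maps the generic bits to the file-specific rights Windows itself uses (the documented FILE_GENERIC_READ/WRITE/EXECUTE and FILE_ALL_ACCESS masks) so the ACE can be rebuilt for another principal; the function name Convert-GenericToFileSystemRights is my own:

```powershell
# Added example (not the original post's code). Translates GENERIC_* bits that SDDL
# GR/GW/GX/GA produce into FileSystemRights so a FileSystemAccessRule can be built.
function Convert-GenericToFileSystemRights {
    param([Parameter(Mandatory)][int]$RawRights)

    # Reinterpret the signed value as its unsigned bit pattern (-536805376 -> 0xE0010000).
    [uint32]$bits = [BitConverter]::ToUInt32([BitConverter]::GetBytes($RawRights), 0)

    # Generic right -> file-specific mapping (Windows file object GENERIC_MAPPING).
    $map = @{
        0x80000000 = 0x00120089   # GENERIC_READ    -> FILE_GENERIC_READ
        0x40000000 = 0x00120116   # GENERIC_WRITE   -> FILE_GENERIC_WRITE
        0x20000000 = 0x001200A0   # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
        0x10000000 = 0x001F01FF   # GENERIC_ALL     -> FILE_ALL_ACCESS
    }

    # Keep every non-generic bit (standard and specific rights such as DELETE) as-is.
    [uint32]$specific = $bits -band 0x0FFFFFFF
    foreach ($generic in $map.Keys) {
        if ($bits -band $generic) { $specific = $specific -bor $map[$generic] }
    }
    return [System.Security.AccessControl.FileSystemRights]$specific
}

# Same ACL as in the post: one ACE, SDGXGWGR for Authenticated Users.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetSecurityDescriptorSddlForm('O:BAG:BAD:PAI(A;OICIIO;SDGXGWGR;;;AU)', 'All')
$ace = $acl.Access[0]

# 0xE0010000 becomes 0x001301BF, which .NET displays as "Modify, Synchronize".
$rights = Convert-GenericToFileSystemRights ([int]$ace.FileSystemRights)
$rights

# Rebuild the ACE for Builtin Administrators, keeping the inheritance/propagation flags.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    [System.Security.Principal.SecurityIdentifier]::new('BA'),
    $rights,
    $ace.InheritanceFlags,
    $ace.PropagationFlags,
    $ace.AccessControlType)
$acl.AddAccessRule($rule)
$acl.GetSecurityDescriptorSddlForm('Access')
```

The resulting SDDL carries the expanded specific rights rather than GR/GW/GX, so the new ACE is equivalent in effect but will no longer round-trip to the original SDGXGWGR string.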