dsacls - Invalid DN Syntax in powershell

Question

I am trying to modify the servicePrincipalName permission within powershell script using the 'dsacls' command.

I am taking all the dynamic parameter as script arguments.

The script is not working when I form a command with the arguments variable I received. There is something I am missing with string manipulation.

 $perStr ='"' + $strDN + '"' + ' /G ' + $DomainNetBIOSName + '\' + $SQLUser + ':RPWP;"servicePrincipalName"'

  $ret = dsacls ${perStr}

The above gives an error:

Invalid DN Syntax

When I run with hardcoded values it runs fine.

Does this work? `dsacls $strDN /G ("{0}\{1}:RPWP;servicePrincipalName" -f $DomainNetBIOSName, $SQLUser)` — Bill_Stewart, Dec 04 '17 at 22:22

score 1 · Accepted Answer · answered Dec 04 '17 at 22:31

When I have a hard time constructing strings to use with external executables I tend to build the entire command and then use Invoke-Expression to run it. Something like this:

$perStr = '& dsacls --% "{0}" /G {1}\{2}:RPWP;"servicePrincipalName"' -f $strDN, $DomainNetBIOSName, $SQLUser
$ret = Invoke-Expression -Command $perStr

The --% will tell it to stop interpreting things beyond that point so it will take all arguments exactly as typed and pass them to the command. See if that works for you, and if not you may want to look at the content of $perStr to make sure that it looks right to you.

If this answer has resolved your issue please mark it as accepted to assist future users in locating it if they have a similar problem. — TheMadTechnician, Dec 04 '17 at 23:26

dsacls - Invalid DN Syntax in powershell

1 Answers1