I have a PowerShell script to set up a user's folders with NTFS, Sharing and DFS. All of it works, however I get this message when setting the NTFS rights.

Exception calling "SetAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot be modified." At C:\Users\Public\Documents\Scripts\Add-UserFolders.ps1:53 char:1

Code looks like this:

# NTFS Rights
$Acl = (Get-Item $UserFolder).GetAccessControl('Access')
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.SetAccessRule($Ar)
Set-Acl -path $UserFolder -AclObject $Acl

$Acl = (Get-Item $ScanFolder).GetAccessControl('Access')
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.SetAccessRule($Ar)
Set-Acl -path $ScanFolder -AclObject $Acl

My issue is that the first code block throws the error but the second code block does not, even though the format is the same. Running icacls Path\to\folder -verify shows no error and the ACL is not modified to add the user object.

DubyaG
  • Why not use `Get-Help -Name Get-Acl -Full` (vs Get-Item)? Why not use the purpose-built module for your use case: `Find-Module -Name '*NTFS*'`, which makes this use case easier. Specifically the NTFSSecurity module. – postanote Jan 30 '21 at 09:30

2 Answers

This error probably means the ACL is incorrectly ordered and to repair that, you can use my function Repair-DirectoryPermissions

Next I would advise using Get-Acl

Try:

# create the new access rule
# see: https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemaccessrule
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

$Acl = Get-Acl -LiteralPath $UserFolder
$Acl.SetAccessRule($rule)
$Acl | Set-Acl -LiteralPath $UserFolder

$Acl = Get-Acl -LiteralPath $ScanFolder
$Acl.SetAccessRule($rule)
$Acl | Set-Acl -LiteralPath $ScanFolder
Theo

Get-Acl was the correct way to go, but I did not use the scripts shown above. By running get-acl , I noticed that one object appeared in the wrong place. Looking into the object, I determined that it was not needed and deleted it from the acl and now everything works just fine.

A VERY good explanation of canonical order is here. Using that showed me where the problem was.

DubyaG
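The diagnosis both answers describe (inspect the ACL with Get-Acl and find the entry sitting in the wrong place) can be scripted. The following is an added example, not code from the question or either answer; it lists each ACE in its canonical-order group and flags entries that break the expected order, and it uses the ACL object's built-in AreAccessRulesCanonical property as the authoritative verdict. The folder path is a placeholder.

```powershell
function Test-DaclOrder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$LiteralPath
    )

    $acl = Get-Acl -LiteralPath $LiteralPath

    # Canonical DACL order as Windows expects it:
    #   0 = explicit Deny, 1 = explicit Allow, 2 = inherited Deny, 3 = inherited Allow
    # Inherited entries are additionally grouped by the ancestor they come from;
    # that finer ordering is not checked here, AreAccessRulesCanonical covers it.
    $highestSeen = -1
    $entries = foreach ($ace in $acl.Access) {
        $group = 2 * [int]$ace.IsInherited + [int]($ace.AccessControlType -eq 'Allow')
        # An entry is out of order if it belongs to an earlier group than one already seen.
        $outOfOrder = $group -lt $highestSeen
        if ($group -gt $highestSeen) { $highestSeen = $group }

        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.FileSystemRights
            IsInherited = $ace.IsInherited
            Group       = $group
            OutOfOrder  = $outOfOrder
        }
    }

    [pscustomobject]@{
        Path        = $LiteralPath
        IsCanonical = $acl.AreAccessRulesCanonical
        Entries     = @($entries)
    }
}

# Guard to run before SetAccessRule in a script like the one in the question.
# 'C:\Shares\Users\jdoe' is a placeholder path.
$report = Test-DaclOrder -LiteralPath 'C:\Shares\Users\jdoe'
if (-not $report.IsCanonical) {
    $report.Entries | Format-Table Identity, Type, Rights, IsInherited, Group, OutOfOrder -AutoSize
    throw "DACL on $($report.Path) is not canonical; review the entries flagged OutOfOrder before modifying it."
}
```

Entries flagged OutOfOrder are the ones to examine; whether to delete or re-add them is a decision about what access the folder should actually grant, which the report only makes visible.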