Super User Asked by Monstieur on February 12, 2021
I joined Windows 10 to Azure Active Directory and signed in with my Azure AD email address and password.
whoami returns AzureAD\<Full Name> and the NTFS permissions of the user profile folder also show the folder owner as AzureAD\<Full Name>. The user has a profile folder called Users\<Full Name>.
However I am unable to select this user at all in the Select a principal dialog when I want to grant permissions to other folders. What is the correct syntax for Azure AD users?
When using just Azure AD accounts, there are no user accounts at all in Local Users (unlike a Microsoft Account which is linked to a local user).
@Hrvoje Kusulja's answer has the right concept but has a bug as SetAccessRule doesn't return the ACL object that it was called on.
The fix is to assign the ACL to a variable so that after SetAccessRule is called we still have a reference to it to pass to Set-ACL.
$path = "C:\myfolder"
$permission = "[email protected]","FullControl","Allow"
$acl = (Get-Acl $path)
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule $permission))
$acl | Set-Acl $path
Answered by Chris Magnuson on February 12, 2021
There is a typo in Jesus's script.
Set-Acl : Cannot bind argument to parameter 'Path' because it is null.
At line:6 char:19
+ Set-Acl -path $Path -AclObject $Acl
+ ~~~~~
+ CategoryInfo : InvalidData: (:) [Set-Acl], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAclCommand
This is an updated script:
$dir = get-item -Path 'C:\users\jshelby\Desktop\testdir'
$acl = $dir.GetAccessControl('Access')
$username = 'domain\username'
$AccessRights = New-Object System.Security.AccessControl.FileSystemAccessRule($Username,'Modify','ContainerInherit,ObjectInherit','None','Allow')
$Acl.SetAccessRule($AccessRights)
Set-Acl -path $dir -AclObject $Acl
Also, I tried this first on PowerShell Core. $dir.GetAccessControl() does not seem to exist in PowerShell Core, only Windows PowerShell.
Answered by user1056722 on February 12, 2021
You can use this short PowerShell example which is tested on Windows 10, build 1809, which is Azure Active Directory registered. Please modify $path to your local folder, and for $permission you can use any Azure AD user, but the username must be in AzureAD\upn format (example [email protected]).
$path = "C:\myfolder"
$permission = "[email protected]","FullControl","Allow"
(Get-Acl $path).SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule $permission)) | Set-Acl $path
Answered by Hrvoje Kusulja on February 12, 2021
Newer versions show the actual domain name, but the same issue still exists. You can use PowerShell to set the permissions.
$dir = get-item -Path 'C:\users\jshelby\Desktop\testdir'
$acl = $dir.GetAccessControl('Access')
$username = 'domain\username'
$AccessRights = New-Object System.Security.AccessControl.FileSystemAccessRule($Username,'Modify','ContainerInherit,ObjectInherit','None','Allow')
$Acl.SetAccessRule($AccessRights)
Set-Acl -path $Path -AclObject $Acl
Answered by Jesus Shelby on February 12, 2021
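The following is an added example, not part of any answer above. It combines the points the answers raise (keep the ACL in a variable, use Get-Acl so it also runs on PowerShell Core, name the user as AzureAD\upn) and adds a SID lookup before the change and a read-back after it. Grant-FolderAccess is a hypothetical helper name, the UPN is a constructed placeholder, and it assumes the AzureAD\upn name resolves on the device as the answers describe.

```powershell
# Added example; Grant-FolderAccess is a hypothetical helper, not from the answers.
function Grant-FolderAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Azure AD principal in AzureAD\upn form, as described in the answers.
        [Parameter(Mandatory)] [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify'
    )

    # Resolve the name to a SID first. Translate() throws
    # IdentityNotMappedException when Windows cannot map the account,
    # so a mistyped UPN fails here and the ACL is never touched.
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Get-Acl works in both Windows PowerShell and PowerShell Core.
    $acl = Get-Acl -LiteralPath $Path

    # Inherit to subfolders and files; grant only the rights requested.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')

    # SetAccessRule returns nothing and replaces existing explicit Allow
    # entries for this SID, so $acl is kept in a variable for Set-Acl.
    $acl.SetAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Grant $Rights to $Identity")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    # Read the ACL back and return the explicit (non-inherited) entries
    # for this SID so the caller can confirm what is now on the folder.
    (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value }
}

# Constructed sample values: replace the UPN with an account known to the device.
Grant-FolderAccess -Path 'C:\myfolder' -Identity 'AzureAD\user@example.com' -Rights Modify
```

Running it with -WhatIf shows the intended change without writing the ACL; the default of Modify rather than FullControl keeps the grant from including the right to change permissions or take ownership.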