get/set privilege not effective

Topics: Developer Forum, User Forum
Aug 6, 2010 at 7:45 AM

Hello guys,

 i'm writing a securityscript that'll reset the access rights as the should be on a directory tree on wich some users have (sadly) to have full-access

 Psh is launched with adm privileges through the 2k8 rum panel under an accound that have dom adm and backup operator privileges.

 i'm testing on a "worst case scenario" test tree on wich i broke (on purpose) the acls to a state where nobody got access (no DACL at all).

 Even if i give to PSh :

 $priv=get-privilege

$priv.Enable("SeRestorePrivilege")

$priv.Enable("SeBackupPrivilege")

$priv.Enable("SeSecurityPrivilege")

$priv.Enable("SeTakeOwnershipPrivilege")

set-privilege $priv;

->

SeBackupPrivilege                        Enabled

SeRestorePrivilege                       Enabled

SeTakeOwnershipPrivilege            Enabled

SeSecurityPrivilege                       Enabled

 

get-acl and set-acl behaves like these rigths were not effective :

 

Set-Acl : Attempted to perform an unauthorized operation.

At line:1 char:8

+ Set-Acl <<<<  -AclObject $myacl C:\test_tree

    + CategoryInfo          : PermissionDenied: (C:\test_tree:String) [Set-Acl], UnauthorizedAccessException

    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand

 

hummmmmmm any idea ?

Does the original get-acl and set-acl cmdlets drops these privileges ?

This is clearly defeating the pupose of the backup/restore privileges...

 

i'm starting to get a little suspitious....

 

anyone can help or have ideas please ?

 

Thanks a lot