Problems with setting permissions

Nov 26, 2014 at 3:45 PM
OS is Windows 2012 R2. I just downloaded and installed NTFSSecurity and wanted to create home directories for domain users.
The procedure is the following:

create user home directory
disable inheritance
Disable-NTFSAccessInheritance -Path $UserHomeFolder
remove all permissions
Get-NTFSAccess -Path $UserHomeFolder | Remove-NTFSAccess
set permissions so that the user and SYSTEM have Full Control and Builtin\Administrators has list folder permissions
Add-NTFSAccess -Path $UserHomeFolder -AccessRights Fullcontrol -AccessType Allow "NT AUTHORITY\SYSTEM"
Add-NTFSAccess -Path $UserHomeFolder -AccessRights Fullcontrol -AccessType Allow $DomainUser
Add-NTFSAccess -Path $UserHomeFolder -AccessRights ReadAndExecute -AccessType Allow -AppliesTo ThisFolderAndSubfolders "Builtin\Administrators"
set the owner of the directory to the user himself
Set-NTFSOwner -Path $UserHomeFolder $DomainUser

The result is a folder which a domain admin can't access even if he is in the Builtin\Administrators group.
The Get-NTFSAccess result is:

Account                 Access Rights    Applies to                 Type   IsInherited   InheritedFrom
-------                 -------------    ----------                 ----   -----------   -------------
NT AUTHORITY\SYSTEM     FullControl      ThisFolderSubfoldersAn...  Allow  False
BUILTIN\Administrators  ReadAndExecute   SubfolersOnly              Allow  False
DOM\testuser            FullControl      ThisFolderSubfoldersAn...  Allow  False

Why is BUILTIN\Administrators Applies To SubfolersOnly when I specified -AppliesTo ThisFolderAndSubfolders?

Windows Explorer's Security tab shows that BUILTIN\Administrators has the "List folder contents" access and "Applies to" is "This Folder and Subfolders", but the administrator can't access the folder.
If I do Set-Owner <homefolder> "Builtin\Administrators", then nothing changes.
But I can edit permissions now. I go to the Security tab, Advanced, select Builtin\Administrators, Edit. "Applies to" is "This Folder and Subfolders"; I select something else, "This folder only" for example, and I change it right back to "This Folder and Subfolders". I click OK, OK, OK and I can access the folder with the same domain admin account which didn't have access earlier.
And the Get-NTFSAccess result is the same as before:

Account                 Access Rights    Applies to                 Type   IsInherited   InheritedFrom
-------                 -------------    ----------                 ----   -----------   -------------
NT AUTHORITY\SYSTEM     FullControl      ThisFolderSubfoldersAn...  Allow  False
BUILTIN\Administrators  ReadAndExec...   SubfolersOnly              Allow  False
DOM\testuser            FullControl      ThisFolderSubfoldersAn...  Allow  False

Either I am doing something wrong or there is a bug somewhere. Right now I have gone back to SetACL.
Nov 27, 2014 at 9:20 AM
After some more time I replaced "ReadAndExecute SubfolersOnly" with "-AccessRights ReadData,ExecuteFile,ReadAttributes,ReadExtendedAttributes,ReadPermissions -AccessType Allow -AppliesTo ThisFolderAndSubfolders", which gives the user the "List Directory Contents" permission, but it still only works after I manually go to the Security tab, change something and then change it back (so nothing really changes); after applying the changes made that way I can access the directory.
Coordinator
Dec 9, 2014 at 5:57 PM
The problem seems to be a missing right: Synchronize.

This code works:
$userHomeFolder = mkdir a877777
Disable-NTFSAccessInheritance -Path $UserHomeFolder
Get-NTFSAccess -Path $UserHomeFolder | Remove-NTFSAccess
Add-NTFSAccess -Path $UserHomeFolder -AccessRights Fullcontrol -AccessType Allow "NT AUTHORITY\SYSTEM"

$domainUser = 'a\a877777'
Add-NTFSAccess -Path $UserHomeFolder -AccessRights Fullcontrol -AccessType Allow $DomainUser
Add-NTFSAccess -Path $UserHomeFolder -AccessRights ReadAndExecute, Synchronize -AccessType Allow -AppliesTo ThisFolderAndSubfolders "Builtin\Administrators"
Set-NTFSOwner -Path $UserHomeFolder $DomainUser
However, I would consider this to be an issue with NTFSSecurity that I have to fix. The Synchronize right seems to be mandatory and has to be granted automatically in this situation.

Will work on this, thanks!

-Raimund
Marked as answer by raandree on 12/9/2014 at 10:57 AM
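The thread's provisioning procedure and the coordinator's fix, put into one reusable script with a verification step, as an added example that is not code from the thread or from the NTFSSecurity project. It assumes the NTFSSecurity module is installed, that Add-NTFSAccess and Set-NTFSOwner accept an -Account parameter, that the objects returned by Get-NTFSAccess expose Account, AccessRights, AccessControlType and IsInherited properties, and that the folder path and user name passed in are placeholders for a real home share and a real domain account.

```powershell
# Added example (not from the thread or the NTFSSecurity project).
# Assumes the NTFSSecurity module is installed; cmdlet parameter names and
# the property names used in Test-UserHomeFolderAcl are assumptions.
Import-Module NTFSSecurity

function New-UserHomeFolder {
    param(
        [Parameter(Mandatory)] [string] $Path,        # placeholder, e.g. D:\Homes\testuser
        [Parameter(Mandatory)] [string] $DomainUser   # placeholder, e.g. DOM\testuser
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # Cut inheritance so the parent share's ACEs do not flow into the home
    # folder, then clear the copied ACEs so only the explicit ones below remain.
    Disable-NTFSAccessInheritance -Path $Path
    Get-NTFSAccess -Path $Path | Remove-NTFSAccess

    Add-NTFSAccess -Path $Path -Account 'NT AUTHORITY\SYSTEM' -AccessRights FullControl -AccessType Allow
    Add-NTFSAccess -Path $Path -Account $DomainUser -AccessRights FullControl -AccessType Allow

    # Synchronize is the right the original procedure was missing. FullControl
    # already contains it; an explicit ReadAndExecute ACE does not, so it is
    # listed here by name, as in the coordinator's working code.
    Add-NTFSAccess -Path $Path -Account 'BUILTIN\Administrators' `
        -AccessRights ReadAndExecute, Synchronize -AccessType Allow -AppliesTo ThisFolderAndSubfolders

    Set-NTFSOwner -Path $Path -Account $DomainUser
}

function Test-UserHomeFolderAcl {
    # Returns 'OK' or a list of problems found in the folder's explicit ACL.
    param([Parameter(Mandatory)] [string] $Path)

    $synchronizeBit = 0x100000   # FILE_SYNCHRONIZE in the NTFS access mask

    $problems = foreach ($ace in Get-NTFSAccess -Path $Path) {
        if ($ace.IsInherited) {
            "$($ace.Account): inherited ACE still present, inheritance was not disabled"
        }
        # Only Allow ACEs need Synchronize; a Deny ACE without it is harmless.
        if ($ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.AccessRights -band $synchronizeBit) -eq 0)) {
            "$($ace.Account): Allow ACE without Synchronize ($($ace.AccessRights))"
        }
    }

    if ($problems) { $problems } else { 'OK' }
}

# Usage (placeholder values):
# New-UserHomeFolder -Path 'D:\Homes\testuser' -DomainUser 'DOM\testuser'
# Test-UserHomeFolderAcl -Path 'D:\Homes\testuser'
```

Run against a folder provisioned with the thread's original three Add-NTFSAccess lines, Test-UserHomeFolderAcl reports the BUILTIN\Administrators ACE as lacking Synchronize, which is the state shown in both Get-NTFSAccess outputs above; after the version with ReadAndExecute, Synchronize it returns 'OK'. The check works on the raw access mask (bit 0x100000) rather than on the displayed rights name, so it also catches ACEs built from individual rights such as ReadData,ExecuteFile,... that leave Synchronize out.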