ChristopherTodd-0983 asked MotoX80 commented

Set-Acl folder permissions failed Error Code 87

 $SAMname = "zPink.Panther"
 $FullUserInfo = Get-ADUser -Filter "UserPrincipalName -eq 'John.Doe@company.com'" -Properties SamAccountName,EmailAddress
 $FullUser = ($FullUserInfo).SamAccountName
 $ACLPathFull = "\\server\path\$SAMname"
 $Rights = [System.Security.AccessControl.FileSystemRights]::FullControl
 $Inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
 $Propogation = [System.Security.AccessControl.PropagationFlags]::None
 $Access = [System.Security.AccessControl.AccessControlType]::Allow
 $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$FullUser",$Rights,$Inherit,$Propogation,$Access)
 $ACL = Get-Acl $ACLPathFull
 Start-Sleep 2
 $ACL.AddAccessRule($AccessRule)
 Start-Sleep 2
 Set-Acl $ACLPathFull $ACL

Set-Acl will generate the following error (see attached or typed out version below)

Set-Acl : Method failed with unexpected error code 87.
At line:1 char:1
+ Set-Acl $ACLPathFull $ACL
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (\\server\path\zPink.Panther:String) [Set-Acl], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.SetAclCommand


Server 1 - Does not work and gives the above error
Powershell Version : 5.1.14393.4350
Server 2016 v1607


Server 2 - Does work with no issues
Version : 5.1.17763.1852
Server 2019 v1809


I am admin on both servers, they are both trying to change the folder permissions the same way
Any feedback would be greatly appreciated.
Or is it as simple as the above versions are the cause?

whoami /priv has the same output


1 Answer

MotoX80 answered MotoX80 commented

Instead of processing a network share, try using invoke-command and run that portion of the script on the target server itself against the local drive letter.

  $SAMname = "zPink.Panther"
  $FullUserInfo = Get-ADUser -Filter "UserPrincipalName -eq 'John.Doe@company.com'" -Properties SamAccountName,EmailAddress
  $FullUser = ($FullUserInfo).SamAccountName
  $ACLPathFull = "E:\Users\$SAMname"
  invoke-command -ComputerName server-name -ScriptBlock {
      $Rights = [System.Security.AccessControl.FileSystemRights]::FullControl
      $Inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
      $Propogation = [System.Security.AccessControl.PropagationFlags]::None
      $Access = [System.Security.AccessControl.AccessControlType]::Allow
      $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$using:FullUser",$Rights,$Inherit,$Propogation,$Access)
      $ACL = Get-Acl $using:ACLPathFull
      Start-Sleep 2
      $ACL.AddAccessRule($AccessRule)
      Start-Sleep 2
      # $using: is needed here as well; a bare $ACLPathFull is null in the remote session
      Set-Acl $using:ACLPathFull $ACL
  }

I went ahead and tried that for grins.
Received some invoke errors (some values are null). I edited the script to allow it to pass values through, but same result.

I tried on the local server and it sets it just fine
The other thing that still puzzles me is the fact I can run it from the 2019 server to UNC path no issue...

MotoX80 ChristopherTodd-0983 ·

If you RDP to the problem server and run Powershell locally, do you get the same error?

Have you looked at or run a verify on the permissions?

 icacls E:\Users\zPink.Panther /verify

Can icacls grant access?

 icacls E:\Users\zPink.Panther /grant "MyDomain\MyUser":(OI)(CI)(F)





Hello,

Thanks for the reply.

Running the verify to the UNC path does successfully process.
Running the grant generated an error - It does not appear to recognize (OI)(CI)(F)


The grant command does not work on the working server 2019 either
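
Added example, not code from either poster: if the icacls grant above was typed at a PowerShell prompt rather than cmd.exe (an assumption; the thread does not say which), PowerShell parses the unquoted `(OI)(CI)(F)` as expressions instead of passing it to icacls. The function below passes the grant as one string and then reads the DACL back to confirm the rule; `Grant-FolderFullControl` is a hypothetical name, and the path and account are the thread's placeholders.

```powershell
function Grant-FolderFullControl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account   # for example 'MyDomain\MyUser'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    # Resolve the account to a SID first, so a mistyped name fails here
    # instead of surfacing as an opaque error from the ACL write.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # Build the grant as ONE string so PowerShell does not evaluate (OI)(CI)(F).
    # (OI)(CI) = object + container inherit, (F) = full control.
    $grant = '{0}:(OI)(CI)(F)' -f $Account

    $output = & icacls.exe $Path /grant $grant 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed with exit code ${LASTEXITCODE}: $($output -join ' ')"
    }

    # Read back only the explicit (non-inherited) rules, keyed by SID,
    # and confirm the allow rule that was just requested is present.
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rules   = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])

    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full -and
        $_.InheritanceFlags -eq $inherit
    }
    if (-not $match) {
        throw "icacls reported success but no matching rule for $Account is on $Path"
    }
    $match
}

# Placeholder values taken from the thread.
Grant-FolderFullControl -Path 'E:\Users\zPink.Panther' -Account 'MyDomain\MyUser'
```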
