Hopsta Posted April 11, 2016

Hi,

Been pulling my hair out trying to script the setup of folder permissions for use with custom IIS App Pools. As the user is not a proper system user I'm struggling to get this working. Google isn't throwing up much so thought I'd try here.

Sample of script below

```powershell
$mypath = 'c:\inetpub\mysite\files'
$Acl = Get-Acl $mypath
Set-Acl $mypath $Acl
$Acl = Get-Acl $mypath
$user = New-Object System.Security.Principal.NTAccount("iis apppool\myapppool")
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("$user","Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $mypath $Acl
```

errors with

```
Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At line:7 char:1
+ $Acl.SetAccessRule($Ar)
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdentityNotMappedException
```

Mac Posted April 12, 2016

Where is this from?

```powershell
$user = New-Object System.Security.Principal.NTAccount("iis apppool\myapppool")
```

You can't set a user context as an IIS pool property? That's trying to set the $user as user 'iis apppool\myapppool'. Usually that would be a username of some sort. Like this:

```powershell
$user = New-Object System.Security.Principal.NTAccount("domainname","username")
```

Edited April 12, 2016 by Mac

Mac Posted April 12, 2016

So you're trying to modify the ACL of that folder, with that user. You won't be able to do it that way. You'll either need to work with the SID of the user (or simulate one for the app pool I imagine), or just cheat and use PowerShell to call icacls instead, far easier.

Edited April 12, 2016 by Mac

Mac Posted April 12, 2016

So...something like this:

```powershell
cmd /c icacls "$mypath" /grant ("IIS AppPool\myAppPool:(OI)(CI)M")
```

You may want to add:

/c to continue even after errors
/t for recursion down the structure

Mac Posted April 12, 2016

I bored myself.

Arch Posted April 12, 2016

Have you tried turning it off, and on again?

E-bmw Posted April 12, 2016

Normally works for me too.

Hopsta (Author) Posted April 12, 2016

Thanks Mac, the user is dynamic so needed to be parametrised as part of the run time. Finally worked it out this morning and also realised I was calling bits before they were declared, joys of late night scripting on the sofa :smashfreak: