I have this script file which is currently setting the 'Authenticated Users' permissions for an executable to 'ReadAndExecute' - it works fine on Windows 10, but it needs to work on Windows 7 - and it's not:
$file = (Resolve-Path 'c:\Dir\file.exe').Path;
$acl = (Get-Item $file).GetAccessControl('Access');
$acl.SetAccessRuleProtection($True, $True);
$ar = New-Object System.Security.AccessControl.FileSystemAccessRule('Authenticated Users', 'Write', 'None', 'None', 'Allow');
$acl.RemoveAccessRuleAll($ar);
$ar = New-Object System.Security.AccessControl.FileSystemAccessRule('Authenticated Users', 'Modify', 'None', 'None', 'Allow');
$acl.RemoveAccessRuleAll($ar);
$ar = New-Object System.Security.AccessControl.FileSystemAccessRule('Authenticated Users', 'ReadAndExecute', 'None', 'None', 'Allow');
$acl.SetAccessRule($ar);
Set-ACL -Path $file -AclObject $acl;
This runs, but it doesn't set the permissions for Authenticated Users. If I change the GetAccessControl call to not have the 'Access' parameter, on Win7 I get this error:
The security identifier is not allowed to be the owner of this object.
Is there any way to achieve what I'm trying to do?
Extra requirements:
- I cannot install another app on the machine, consider it a vanilla install of Win 7
- It has to run non-interactively - as it's part of an unattended install script
AclObj
- and all the stuff in the middle is just getting the Acl - the last line is where I call Set-ACL
- should I do it another way?