I have a PowerShell script to set up a user's folders with NTFS, Sharing and DFS. All of it works, however I get this message when setting the NTFS rights.
Exception calling "SetAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot be modified." At C:\Users\Public\Documents\Scripts\Add-UserFolders.ps1:53 char:1
Code looks like this:
# NTFS Rights
# Read the current DACL of the user folder, build an Allow ACE granting the user
# Modify (inherited by subfolders and files), add it, and write the DACL back.
$Acl = (Get-Item $UserFolder).GetAccessControl('Access')
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.SetAccessRule($Ar)   # line 53: throws "not in canonical form" for $UserFolder
Set-Acl -path $UserFolder -AclObject $Acl
# Same steps for the scan folder; this block succeeds.
$Acl = (Get-Item $ScanFolder).GetAccessControl('Access')
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.SetAccessRule($Ar)
Set-Acl -path $ScanFolder -AclObject $Acl
My issue is that the first code block throws the error but the second code block does not, even though the format is the same. Running icacls Path\to\folder -verify shows no error, and the ACL is not modified to add the user object.
Get-Acl was the correct way to go, but I did not use the scripts shown above. By running Get-Acl, I noticed that one object appeared in the wrong place. Looking into the object, I determined that it was not needed and deleted it from the ACL, and now everything works just fine.
A VERY good explanation of canonical order is here. Using that showed me where the problem was.
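One way to automate the check the answer describes, so the out-of-place ACE is reported instead of found by eye, added here as an example and not code from either poster. It walks the DACL in stored order, ranks each ACE by the order Windows expects (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and flags the first ACE that drops below the rank already seen; the function name Test-FolderAclCanonical and the sample path are assumptions.

```powershell
# Constructed example (not from the original post).
# Reports whether a folder's DACL is in canonical order and, if not, which ACE breaks it.
function Test-FolderAclCanonical {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path

    # Canonical NTFS order: explicit Deny (0) < explicit Allow (1)
    #                       < inherited Deny (2) < inherited Allow (3)
    $rankOf = {
        param($ace)
        $r = 0
        if ($ace.IsInherited) { $r += 2 }
        if ($ace.AccessControlType -eq 'Allow') { $r += 1 }
        return $r
    }

    $highest  = -1      # highest rank seen so far while walking the list
    $offender = $null   # first ACE whose rank is lower than one already seen
    $index    = 0
    foreach ($ace in $acl.Access) {
        $r = & $rankOf $ace
        if (($r -lt $highest) -and (-not $offender)) {
            $offender = [pscustomobject]@{
                Index     = $index
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
        if ($r -gt $highest) { $highest = $r }
        $index++
    }

    [pscustomobject]@{
        Path          = $Path
        IsCanonical   = $acl.AreAccessRulesCanonical   # .NET's own verdict on the DACL
        OutOfOrderAce = $offender                      # $null when the order is fine
    }
}

# Usage (assumed path): run before SetAccessRule to see why it would fail.
Test-FolderAclCanonical -Path 'D:\Users\jdoe' | Format-List
```

Because SetAccessRule refuses to touch a non-canonical DACL, the reported ACE still has to be removed or reordered outside this function (for example from the folder's Security tab), after which the original script runs unchanged.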