Get-ACL or Set-ACL as a backup operator: running PowerShell cmdlets to manage permissions (backup administrators) without full access rights

If you, as the administrator of a Windows file server, no longer have full access rights to certain directories, you can still manage the permissions with PowerShell in combination with the "Backup Operator" role.

This is possible because the local security policy gives the backup operators user rights at the operating system level, which can bypass the settings of the ACL.

Unfavorable: Regain full access rights by taking ownership of the files and directories.

As the local administrator of the server, you have the right to replace the owner of directories or files.

Use "Change" to select an administrator account. That account is then also authorized to manage the ACL again through the graphical interface.

DISADVANTAGE: This action discards the information about who originally created the file. However, this information is very important if you want to understand who is actually working in a directory and creating files.

Optimal: Set ACE as backup operator via PowerShell

Through the local user rights of the Windows operating system

  1. Back up files and directories
  2. Restore files and directories

an account gains operating-system-level permissions that allow it to manipulate the ACL without being listed in that ACL itself.

To do this, add the account you want to manage the permissions with to the group of backup operators, or assign these rights to the account directly via the local security policy.

(Get-ACL -Path "C:\Docs\").access | Format-Table -AutoSize

Without these rights, the following error message appears:

get-acl : Es wurde versucht, einen nicht autorisierten Vorgang auszuführen.
In Zeile:1 Zeichen:2
+ (get-acl \\srv-fs-01\home\uwe\testPrivUAADMIN).Access
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand

The backup operators can be controlled locally or via the domain.

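Set permissions via Set-ACL in PowerShell as backup operator

# Read the current ACL and add an allow rule for the admin account ("InheritOnly": the rule applies to child objects only)
$acl = Get-Acl -Path "C:\Docs"
$ace = New-Object Security.AccessControl.FileSystemAccessRule ("Domain\Ihr_Adminaccount", "FullControl", "ContainerInherit,ObjectInherit", "InheritOnly", "Allow")
$acl.AddAccessRule($ace)
# Write the modified ACL back; without this call the change exists only in memory
Set-Acl -Path "C:\Docs" -AclObject $acl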
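
The procedure above as one script, added here as an example and not part of the original post: it checks the current token for both user rights, adds the ACE, writes the ACL back, and confirms that the owner was not changed. The function names are hypothetical; the path and account in the usage line are the page's sample values.

```powershell
# Added example: Test-BackupRestoreRights and Add-AceKeepOwner are hypothetical names.
function Test-BackupRestoreRights {
    # whoami /priv lists the privileges in the current token. Run elevated:
    # under UAC a non-elevated token may not carry the backup/restore rights.
    $held = whoami /priv
    foreach ($name in 'SeBackupPrivilege', 'SeRestorePrivilege') {
        if (-not ($held | Select-String -SimpleMatch $name -Quiet)) {
            Write-Warning "$name is missing from this token"
            return $false
        }
    }
    return $true
}

function Add-AceKeepOwner {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    if (-not (Test-BackupRestoreRights)) { throw 'Backup/restore user rights required' }

    $acl = Get-Acl -Path $Path
    $ownerBefore = $acl.Owner
    # Resolve the account to a SID so the later comparison does not depend on name format
    $sid = ([Security.Principal.NTAccount]$Identity).Translate([Security.Principal.SecurityIdentifier])

    # Same rights and inheritance flags as the page's snippet
    $ace = New-Object Security.AccessControl.FileSystemAccessRule(
        $sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl

    # Re-read from disk and report: explicit ACE present, owner untouched
    $after = Get-Acl -Path $Path
    $explicit = $after.GetAccessRules($true, $false, [Security.Principal.SecurityIdentifier])
    [pscustomobject]@{
        Path           = $Path
        OwnerBefore    = $ownerBefore
        OwnerAfter     = $after.Owner
        OwnerPreserved = ($ownerBefore -eq $after.Owner)
        AcePresent     = [bool]($explicit | Where-Object { $_.IdentityReference.Value -eq $sid.Value })
    }
}

# Usage with the page's sample values:
# Add-AceKeepOwner -Path 'C:\Docs' -Identity 'Domain\Ihr_Adminaccount'
```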

Remotely set permissions as Backup Operator via PowerShell Invoke-Command

Run the PowerShell command with Invoke-Command. This transfers the command to the server and executes it there, locally on the server.

Invoke-Command -ComputerName srv-fs-01 -ScriptBlock {get-acl \\srv-fs-01\Share\Verzeichnis}

Permanent link to this post: https://help.migraven.com/get-acl-oder-set-acl-als-backup-operator-powershell-cmdlets-zur-verwaltung-von-berechtigungen-sicherungs-administratoren-ohne-vollzugriffsrechte-ausfuehren/
