Trouble writing to folder with admin rights

I have a folder on all of our computers that I occasionally dump log files or configs to. I create that folder with some PowerShell via BigFix, and apply ACLs to only allow Admin and SYSTEM access:

#Create directory if it does not already exist
$path = "C:\Wagner"
[System.IO.Directory]::CreateDirectory($path)

#Remove inheritance 
$acl = Get-Acl $path
$acl.SetAccessRuleProtection($true,$false)

#Allow SYSTEM access
$System = [System.Security.AccessControl.FileSystemAccessRule]::new(
  "SYSTEM",
  "FullControl",
  "ContainerInherit, ObjectInherit", # inheritanceFlags
  "InheritOnly", # propagationFlags
  "Allow"
)
$acl.SetAccessRule($System)

#Allow Admin access
$Admins = [System.Security.AccessControl.FileSystemAccessRule]::new(
  "BUILTIN\Administrators",
  "FullControl",
  "ContainerInherit, ObjectInherit", # inheritanceFlags
  "InheritOnly", # propagationFlags
  "Allow"
)
$acl.SetAccessRule($Admins)

#Remove access that may have been granted to users
$rules = $acl.access | Where-Object { 
    (-not $_.IsInherited) -and 
    $_.IdentityReference -like "AD\*" 
}
ForEach($rule in $rules) {
    $acl.RemoveAccessRule($rule) | Out-Null
}

$acl | Set-Acl $path

If I check the ACLs on an example computer, everything looks correct to me:

PS C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\CustomSite_Wagner\__Download> (Get-ACL C:\Wagner).Access

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

I can open the folder, enter the admin password, and check everything I need. However, I have an installation failing because it can’t write the log file to that folder.

[...]
createfile until _EOF_
"{parameter "desktopEXE"}" /quiet /norestart /log "c:\Wagner\tableauDesktopInstall.log" ACCEPTEULA=1 ACTIVATE_KEY="{parameter "tableauLicense"}" REMOVEINSTALLEDAPP=1
"{parameter "prepEXE"}" /quiet /norestart /log "c:\Wagner\tableauPrepInstall.log" ACCEPTEULA=1 ACTIVATE_KEY="{parameter "tableauLicense"}"
_EOF_
move __createfile tableauInstaller.bat
waithidden cmd.exe /C tableauInstaller.bat

The fixlet fails with error code -2147023274, which seems to be because the log location is inaccessible. Indeed, if I change the log location in the install command, it completes successfully.

I believe BigFix runs as SYSTEM, which should have full access to my C:\Wagner folder — what could be going wrong?

I set up a folder the same way, and I cannot access the folder even with my elevated Admin account. I believe the problem is in the PropagationFlags - with InheritOnly, I believe these permissions are set to be inherited only by child files & folders beneath the directory, but I don’t have access to the directory itself.

In each of the two places, if I change the “InheritOnly” to “None” (no special inheritance flags), these permissions are applied to the Wagner folder and inherited to child files and folders. I think that might be the behavior you need.

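As an added example, not code from the thread, here is the creation script rewritten with PropagationFlags None as the answer suggests, together with two checks a practitioner would want before deploying it: one that lists any explicit ACE still marked InheritOnly (such an ACE grants nothing on the folder itself, which is exactly the failure in the question), and one that probes the folder with a real file write as the current principal. A small helper also decodes the question's exit code: -2147023274 is HRESULT 0x80070656, whose low 16 bits are Win32 error 1622 (ERROR_INSTALL_LOG_FAILURE, "error opening installation log file"), which is consistent with the diagnosis. The path defaults to the thread's C:\Wagner; the function names are my own, and the cleanup loop removes every explicit ACE other than SYSTEM and Administrators rather than filtering on one domain prefix.

```powershell
# Added example, not code from the thread. Rebuilds the folder ACL with
# PropagationFlags = None (the fix from the answer) and adds two checks.
# $Path defaults to the thread's C:\Wagner; function names are my own.

$AllowedIdentities = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

function New-RestrictedLogFolder {
    param([string]$Path = 'C:\Wagner')

    $null = [System.IO.Directory]::CreateDirectory($Path)
    $acl = Get-Acl -LiteralPath $Path

    # Break inheritance from the parent and do NOT keep the inherited ACEs
    $acl.SetAccessRuleProtection($true, $false)

    # ContainerInherit + ObjectInherit: child files and folders receive the ACE.
    # PropagationFlags None: the ACE also applies to this folder itself.
    # InheritOnly (the original script) makes the ACE apply to children only,
    # leaving the folder itself with no grant for SYSTEM or Administrators.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    foreach ($identity in $AllowedIdentities) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $identity, 'FullControl', $inherit, $propagate, 'Allow')
        $acl.SetAccessRule($rule)
    }

    # Remove every other explicit ACE (not limited to one domain prefix).
    # @() snapshots the collection so removing entries does not disturb the loop.
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited -and $ace.IdentityReference.Value -notin $AllowedIdentities) {
            $null = $acl.RemoveAccessRule($ace)
        }
    }

    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-InheritOnlyAce {
    # Returns the explicit ACEs that are InheritOnly, i.e. ACEs that grant
    # nothing on the folder itself. An empty result is what you want.
    param([string]$Path = 'C:\Wagner')
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        ($_.PropagationFlags -band $inheritOnly) -eq $inheritOnly
    }
}

function Test-FolderWritable {
    # Probes with a real file write as the CURRENT principal. Run it from an
    # elevated shell to approximate the BigFix client (which runs actions as
    # SYSTEM); from a non-elevated shell it is expected to return $false.
    param([string]$Path = 'C:\Wagner')
    $probe = Join-Path $Path ("write-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function ConvertTo-Win32ErrorCode {
    # The fixlet's exit code -2147023274 is HRESULT 0x80070656; the low 16 bits
    # are Win32 error 1622 (ERROR_INSTALL_LOG_FAILURE: cannot open the install log).
    param([Parameter(Mandatory)][int]$HResult)
    return ($HResult -band 0xFFFF)
}

# Usage (from an elevated PowerShell):
New-RestrictedLogFolder
Get-InheritOnlyAce                      # expect no output after the fix
Test-FolderWritable                     # expect True
ConvertTo-Win32ErrorCode -2147023274    # 1622
```

Run the original script from the question against a scratch path first and Get-InheritOnlyAce will list both ACEs; after New-RestrictedLogFolder it returns nothing and the write probe succeeds, which is the same behaviour the poster confirmed after switching InheritOnly to None.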

This looks to be it — I’m able to write logs to my folder again. Thanks!
