PowerShell – How to configure permissions for a cluster share using PowerShell on 2008

powershell, windows-cluster, windows-server-2008-r2

I have a cluster resource of type "file share" but when I try to configure the "security" parameter I get the following error (excerpt):

Set-ClusterParameter : Parameter 'security' does not exist on the cluster object

Using cluster.exe I get a better result, namely the usual nothing when the command worked. But when I check in Failover Cluster Manager the permissions have not changed. In Server 2003 the cluster.exe method worked.

Any ideas?

Update:

Entire command and error.

PS C:\> $resource=get-clusterresource testshare
PS C:\> $resource

Name                          State                         Group                         ResourceType
----                          -----                         -----                         ------------
testshare                     Offline                       Test                          File Share


PS C:\> $resource|set-clusterparameter security "domain\account,grant,f"
Set-ClusterParameter : Parameter 'security' does not exist on the cluster object 'testshare'. If you are trying to upda
te an existing parameter, please make sure the parameter name is specified correctly. You can check for the current par
ameters by passing the .NET object received from the appropriate Get-Cluster* cmdlet to "| Get-ClusterParameter". If yo
u are trying to update a common property on the cluster object, you should set the property directly on the .NET object
 received by the appropriate Get-Cluster* cmdlet. You can check for the current common properties by passing the .NET o
bject received from the appropriate Get-Cluster* cmdlet to "| fl *". If you are trying to create a new unknown paramete
r, please use -Create with this Set-ClusterParameter cmdlet.
At line:1 char:31
+ $resource|set-clusterparameter <<<<  security "domain\account,grant,f"
    + CategoryInfo          : NotSpecified: (:) [Set-ClusterParameter], ClusterCmdletException
    + FullyQualifiedErrorId : Set-ClusterParameter,Microsoft.FailoverClusters.PowerShell.SetClusterParameterCommand

Best Answer

I found an easy-to-use and obvious answer. It's so simple one might not believe it's a Microsoft solution.

$permissions is an array of permissions containing an account (domain\user), a permission (fullcontrol) and a type (allow).

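# example values (placeholders): account, permission, type, and the name of the cluster file share resource
$permissions = "domain\user", "fullcontrol", "allow"
$clustershare = "testshare"

# create access rule based on permissions
$rule = new-object system.security.accesscontrol.filesystemaccessrule $permissions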

# get an acl, remove access rules, add our rule
$acl = get-acl "c:\" # need to get acl from root of drive to avoid inheritance
$acl.access | foreach-object {$acl.removeaccessrule($_)}
$acl.setaccessrule($rule)

# get security descriptor from acl and convert to binary security descriptor
$sddl = $acl.sddl
$sdhelper = [wmiclass]"win32_securitydescriptorhelper"
$binarysd = ($sdhelper.sddltobinarysd($sddl)).binarysd

# get cluster resources from registry
$resources = get-childitem "hklm:\cluster\resources"

# ...with paths that powershell will understand
$resources = $resources | foreach-object {$_.pspath}

# find clustershare resource path
$resource = $resources | where-object {(get-itemproperty $_ name).name -eq $clustershare}

# derive path to resource parameters
$parameters = "$resource\parameters"

# configure security descriptor
set-itemproperty $parameters "security descriptor" $binarysd

It really is that simple.

Only problem is, this only works for one node and has to be repeated on every node. It does survive failovers (and the permissions set on a node will reappear when the share fails back to the node). Plus it only works for "fullcontrol", not for "read" or other permissions. Don't know why.

I won't accept this as an answer because it really isn't. But it appears to be the closest to a solution to this problem, which in Windows Server 2003 simply didn't exist (cluster.exe could set share permissions) and which Microsoft don't seem to address ANYWHERE.
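
A read-back check for the registry value the script above writes, as an added example that is not part of the original answer: it parses the stored "Security Descriptor" and lists each ACE with its raw access mask, so the result can be compared node by node. The function name Get-ClusterShareAcl is hypothetical and "testshare" is the resource name from the question.

```powershell
# Added example (not from the original answer). Get-ClusterShareAcl is a hypothetical
# helper name; 'testshare' is the resource name shown in the question.
function Get-ClusterShareAcl {
    param([string]$ShareName = "testshare")

    # Find the resource key under the cluster hive by its Name value,
    # the same lookup the answer's script performs.
    $key = Get-ChildItem "HKLM:\Cluster\Resources" | Where-Object {
        (Get-ItemProperty $_.PSPath -Name Name -ErrorAction SilentlyContinue).Name -eq $ShareName
    }
    if (-not $key) { throw "Resource '$ShareName' not found on $env:COMPUTERNAME" }

    # Read back the binary security descriptor from the Parameters subkey.
    $params = Get-ItemProperty "$($key.PSPath)\Parameters"
    [byte[]]$binarySd = $params."Security Descriptor"
    if (-not $binarySd) { throw "No 'Security Descriptor' value on '$ShareName'" }

    # Parse the descriptor; a missing DACL is reported instead of enumerated.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $binarySd, 0
    if ($null -eq $sd.DiscretionaryAcl) { throw "Descriptor on '$ShareName' has no DACL" }

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Resolve the SID to a name where possible; keep the SID otherwise.
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }

        New-Object PSObject -Property @{
            Node    = $env:COMPUTERNAME
            Share   = $ShareName
            Account = $who
            Type    = $ace.AceQualifier
            Mask    = "0x{0:X8}" -f $ace.AccessMask
            Rights  = [Enum]::ToObject([System.Security.AccessControl.FileSystemRights], $ace.AccessMask)
        }
    }
}

Get-ClusterShareAcl -ShareName "testshare" |
    Format-Table Node, Share, Account, Type, Mask, Rights -AutoSize
```

Run it on each node after applying the change and compare the rows; an unexpected account or a mask that differs between nodes shows where the registry edit was missed or applied differently.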