Windows ACLs with AWS Storage Gateway

Question

We are currently using AWS Storage Gateway to get an on-prem SMB mount from an S3 bucket. We have the Storage Gateway running as an on-prem VM and AD-joind and access the SMB share from Windows 10 devices. The problem we are currently facing, is setting the Windows ACLs via Powershell. I'm mounting the SMB share on my local Windows client, and then try to Windows ACLs via Powershell, but it seems nearly impossible to get things working. I can successfully set permissions via Powershell on a folder (or file), but as soon as I want to inherit permissions or reset ACLs from subfolders(and the files in the subfolders), it doesn't work.

My question: Is there anybody with experience/knowledge of setting Windows ACLs programmatically to an SMB mount of the on-prem AWS Storage Gateway? There were already to many hours of work running into nearly nothing...

Thanks and regards!

My question: Is there anybody with experience/knowledge of setting Windows ACLs programmatically to an SMB mount of the on-prem AWS Storage Gateway? There were already to many hours of work running into nearly nothing...

Thanks and regards!

Surya · Answer

Hello,

As you may already aware, to set new Windows access rules using PowerShell, you would need to get the ACL for specified folder/file using [Get-Acl](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2) and then use [Set-Acl](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2).

There doesn't seem to be a native PowerShell command to manage Inheritance and Propagation. You would want to use preserveInheritance and isProtected  .NET class [parameters](https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.objectsecurity.setaccessruleprotection?view=net-6.0) to manage permissions with the inheritance. here is an [example](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-7.2#example-4-disable-inheritance-and-preserve-inherited-access-rules). Further, you can use these .NET methods [1](https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.inheritanceflags?view=net-6.0) and [2](https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.propagationflags?view=net-6.0) to manage the Container, Object Inheritance and propagation. For example, `$inheritpermissions = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit"`.

To reset the ACLs, you can add your user to [admin](https://docs.aws.amazon.com/storagegateway/latest/APIReference/API_CreateSMBFileShare.html#StorageGateway-CreateSMBFileShare-request-AdminUserList) user list on the SMB file share. Then, with that user, you can take ownership of the file/folder using [SetOwner](https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.objectsecurity.setowner?view=net-7.0) and then change the permissions. You may also look into using [takeown](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown) command.

Windows ACLs with AWS Storage Gateway

Relevant content