Powershell or CLI – set filesystem and share ACL for computer (not user) AD object

  acl, filesystems, powershell, windows

Back story: I am scripting Windows Failover Cluster setups using fileshare quorum and am having difficulty figuring out how to grant the cluster computer name object (CNO) modify permissions to both the filesystem, and the share itself. While I can run this without error:

Winrs -r:$WitnessFileServer "icacls $WitnessSharePath /grant $DNSDomain$ClusterName$:(M)"

Winrs -r:$WitnessFileServer "Powershell IF (!(Get-SMBShare -Name ""$WitnessShareName"" -ea 0)) {New-SMBShare -Name ""$WitnessShareName"" -Path ""$WitnessSharePath"" -CachingMode None -ReadAccess ""Everyone"" -ChangeAccess ""$DNSDomain$ClusterName$""}"

What happens is that the computername shows up in the ACLs as if it were a domain USER. I need the CNO to have modify rights in both the share perms and the filesystem perms in order for the cluster to be able to use the witness fileshare as its quorum.

Is this possible? I have been web searching and I’m finding lots of info on CLI methods to edit user/group perms for both shares and filesystems but am coming up really empty on computer objects. I realize this is very much an edge case here. 8^)

OS: Domain-attached Windows Server 2019, all current patches.

Source: Windows Questions

LEAVE A COMMENT