Configuring IIS 8.5 via PowerShell: how to remove inherited folder authorization


I'm deploying an FTP Server with TLS on IIS 8.5 (Windows Server 2012 R2) with some success but now I'm stuck at this situation.

I can assign FTP Authorizations to the root FTP folder via PowerShell using the following method (which is reflected inside C:\Windows\System32\inetsrv\config\applicationHost.config in exactly the same way as when the GUI (IIS Management Console) does it). The PowerShell step for this is:

$CsvFtpGroups = $FTPGROUPS -join ','
$Param = @{
    Filter   = "/system.ftpServer/security/authorization"
    Value    = @{
        accessType  = "Allow"
        roles       = "$($CsvFtpGroups)"
        permissions = "Read"
    }
    PSPath   = 'IIS:\'
    Location = $FTPSiteName
}
Add-WebConfiguration @Param

and XML result in applicationHost.config is this:

<location path="FTPServer">
    <system.ftpServer>
        <security>
            <authorization>
                <add accessType="Allow" roles="GROUP1,GROUP2" permissions="Read" />
            </authorization>
        </security>
    </system.ftpServer>
</location>

Now the issue:

I want to remove inheritance of the previous rule for all subfolders because I need them to have specific authorisations which will be configured next.

When I use IIS Mgmt Console and manually remove this inherited authorisation from all subfolders I get this inside applicationHost.config:

<location path="FTPServer/Folder1">
    <system.ftpServer>
        <security>
            <authorization>
                <remove users="" roles="GROUP1,GROUP2" permissions="Read" />
            </authorization>
        </security>
    </system.ftpServer>
</location>

And I can't add anything similar via PowerShell.

I've already tried this to no avail:

Remove-WebConfigurationProperty -PsPath "IIS:\" -Location "$($FTPSiteName)/$($FTPSubFolder1)" -Filter "system.ftpServer/security/authorization" -Name "." -AtElement @{users="";roles="$($roles)";permissions="Read"}

And also tried 'Adding' a 'remove' statement:

Add-WebConfigurationProperty -PsPath 'MACHINE/WEBROOT/APPHOST' -location "FTPServer/Folder1" -Filter "system.ftpServer/security/authorization/remove" -name "." -value @{users="";roles="GROUP1,GROUP2";permissions="Read"}

And finally also tried with:

Set-ItemProperty -Path "FTPServer/Folder1" -Name "system.ftpServer.security.authorization.remove" -Value @{users="";roles="GROUP1,GROUP2";permissions="Read"}

None of these worked. What can I try next?


There are 2 answers

Answer by Bruce Zhang (best answer)

I will provide you with several examples; you can modify some parts according to your needs.

This statement can add a new authorization to a subfile.

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'FTPServer/Folder1' -filter "system.ftpServer/security/authorization" -name "." -value @{accessType='Allow';roles='GROUP3';permissions='Read,Write'}

This statement can remove the authorization rules of the sub-file inherited from the root folder.

Remove-WebConfigurationProperty  -pspath 'MACHINE/WEBROOT/APPHOST' -location 'FTPServer/Folder1' -filter "system.ftpServer/security/authorization" -name "." -AtElement @{users='';roles='GROUP1,GROUP2';permissions='1'}

Answer by rofz

Thanks everyone and @Bruce Zhang. I ended up using 'Clear-WebConfiguration' (twice due to an already reported bug) to clear inheritance, and then adding custom authorization to the sub-folders afterwards.

But I can confirm that Bruce's suggestion:

Remove-WebConfigurationProperty  -pspath 'MACHINE/WEBROOT/APPHOST' -location 'FTPServer/Folder1' -filter "system.ftpServer/security/authorization" -name "." -AtElement @{users='';roles='GROUP1,GROUP2';permissions='1'}

works perfectly!

Thanks again.
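
The remove-then-add sequence from Bruce Zhang's answer, applied to several subfolders and followed by a read-back check, as an added example that is not part of the original thread. The folder names, GROUP3/GROUP4 rules and the read-back step are assumptions; the check assumes Get-WebConfiguration returns the rule collection in effect for the given location.

```powershell
# Added example: site name, folder names and groups below are constructed placeholders.
Import-Module WebAdministration

$ApHost         = 'MACHINE/WEBROOT/APPHOST'
$Filter         = 'system.ftpServer/security/authorization'
$FtpSiteName    = 'FTPServer'
$InheritedRoles = 'GROUP1,GROUP2'   # roles string exactly as written on the root rule

# Constructed per-folder rules: folder name -> the only rule that folder should end up with
$FolderRules = @{
    'Folder1' = @{ accessType = 'Allow'; roles = 'GROUP3'; permissions = 'Read,Write' }
    'Folder2' = @{ accessType = 'Allow'; roles = 'GROUP4'; permissions = 'Read' }
}

foreach ($Folder in $FolderRules.Keys) {
    $Location = "$FtpSiteName/$Folder"

    # 1. Drop the rule inherited from the site root (permissions = '1' as in the answer above)
    Remove-WebConfigurationProperty -PSPath $ApHost -Location $Location -Filter $Filter -Name '.' `
        -AtElement @{ users = ''; roles = $InheritedRoles; permissions = '1' }

    # 2. Add the folder-specific rule
    Add-WebConfigurationProperty -PSPath $ApHost -Location $Location -Filter $Filter -Name '.' `
        -Value $FolderRules[$Folder]

    # 3. Read the rule collection back for this location and print it for review
    $Rules = @(Get-WebConfiguration -PSPath $ApHost -Location $Location -Filter "$Filter/add")
    $Rules | Select-Object @{ n = 'Location'; e = { $Location } }, accessType, users, roles, permissions

    # 4. Flag any folder where the root roles are still granted access
    $Leftover = $Rules | Where-Object { $_.roles -eq $InheritedRoles }
    if ($Leftover) {
        Write-Warning "$Location still carries the inherited rule for $InheritedRoles"
    }
}
```

Run it from an elevated session; a warning from step 4 means the subfolder is still readable by the root groups and the remove did not take effect.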