ICACLS add Local Group in powershell


Hi, I'm doing some automated folder permissions across servers. I've created a group with the same name on remote machines and I'm trying to grant the group access to a folder, but icacls seems to not like local groups; it can't add them to the folder...

For example, it adds domain\user, domain\group and builtin\administrators fine,

but when I try localmachine\localgroup it chokes... Any ideas?

I am doing this through PowerShell but I don't think that should be an issue. I'd get the SID, but I'm guessing it's tricky because I'm executing on the remote machine via invoke-command.

Any ideas?

Thanks!

1

There are 1 answers

2
AudioBubble On

Try omitting the localmachine\ from localmachine\localgroup. You shouldn't need to specify the local computer name when you're deploying the icacls command through PowerShell Remoting (specifically Invoke-Command). You might notice in the icacls help that it does not require the computer name as a prefix.

Examples:

        icacls c:\windows\* /save AclFile /T
        - Will save the ACLs for all files under c:\windows
          and its subdirectories to AclFile.

        icacls c:\windows\ /restore AclFile
        - Will restore the Acls for every file within
          AclFile that exists in c:\windows and its subdirectories.

        icacls file /grant Administrator:(D,WDAC)
        - Will grant the user Administrator Delete and Write DAC
          permissions to file.

        icacls file /grant *S-1-1-0:(D,WDAC)
        - Will grant the user defined by sid S-1-1-0 Delete and
          Write DAC permissions to file.
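
An added example, not part of the original question or answer: it resolves the local group to its SID on each remote machine (a local group's SID differs per machine) and grants access with the `*SID` form shown in the icacls help above. The server names, group name, folder path and the Modify permission with inheritance are assumptions chosen for illustration.

```powershell
# Assumed values (not from the original post): adjust to your environment.
$servers   = 'SERVER01', 'SERVER02'
$groupName = 'AppFolderUsers'
$folder    = 'D:\AppData'

$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    param($GroupName, $Folder)

    # $env:COMPUTERNAME is evaluated on the remote machine, so the lookup is
    # scoped to that machine's own local group, not a same-named group elsewhere.
    $account = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $GroupName)
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    catch {
        # The group does not exist on this machine: report it and grant nothing.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Sid = $null; ExitCode = $null
            Detail   = "Cannot resolve local group '$GroupName': $($_.Exception.Message)"
        }
    }

    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Sid = $sid; ExitCode = $null
            Detail   = "Folder '$Folder' not found"
        }
    }

    # "*<SID>" tells icacls the principal is a SID, so no name lookup happens.
    # (OI)(CI)M = Modify, inherited by files and subfolders (assumed permission).
    $output = & icacls.exe $Folder /grant "*${sid}:(OI)(CI)M" 2>&1

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Sid      = $sid
        ExitCode = $LASTEXITCODE          # 0 means icacls reported success
        Detail   = ($output -join ' ')
    }
} -ArgumentList $groupName, $folder

# Review every machine; anything without ExitCode 0 needs attention.
$results | Select-Object Computer, Sid, ExitCode, Detail | Format-Table -AutoSize -Wrap
```

Recording the SID per machine also gives an audit trail of exactly which principal was granted access on each server.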