[Community] Revoke-Permission fails if the identity has multiple ACEs

Issue #221 closed
bozho_ created an issue

Get-Permission on line ~86 in Revoke-Permission.ps1 returns an array if an identity has multiple ACEs.

In that case, $ruleToRemove will be an array and calls to $keySecurity.RemoveAccessRule or $currentAcl.RemoveAccessRule will fail.
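The failure mode reported above, as an added example that is not part of the issue report and is not Carbon's code: it builds an in-memory ACL where one identity holds two ACEs, then removes them one rule at a time. It assumes Windows, the well-known BUILTIN\Users SID, a hypothetical helper named `Get-IdentityRule`, and `RemoveAccessRuleSpecific` as the removal call.

```powershell
# Added example. Works on an in-memory security descriptor only, so no file
# or folder on disk is modified. Requires Windows.
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users
$acl   = New-Object System.Security.AccessControl.DirectorySecurity

# Constructed sample ACEs: different rights and different inheritance flags,
# so AddAccessRule keeps them as two separate entries for the same identity.
$thisFolderOnly = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $users, 'ReadAndExecute', 'None', 'None', 'Allow'
$childrenOnly = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $users, 'Modify', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow'
$acl.AddAccessRule($thisFolderOnly)
$acl.AddAccessRule($childrenOnly)

# Hypothetical helper: returns every explicit or inherited rule for one SID.
function Get-IdentityRule
{
    param(
        [System.Security.AccessControl.DirectorySecurity] $Acl,
        [System.Security.Principal.SecurityIdentifier] $Sid
    )

    $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $Sid.Value }
}

# With two matches the pipeline hands back an array, not a single rule.
# Passing that array straight to a method that takes one FileSystemAccessRule
# is the call that fails.
$rulesToRemove = Get-IdentityRule -Acl $acl -Sid $users
Write-Output ("Rules found for identity: {0}" -f @($rulesToRemove).Count)

# Wrapping in @() makes the loop behave the same for zero, one, or many rules.
foreach ($rule in @($rulesToRemove))
{
    $acl.RemoveAccessRuleSpecific($rule)
}

Write-Output ("Rules left for identity: {0}" -f @(Get-IdentityRule -Acl $acl -Sid $users).Count)
```

A revoke operation that stops at the first error can leave one of the two ACEs in place, so checking the remaining rule count after removal is a useful assertion in a regression test.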

Comments (6)

  1. Aaron Jensen repo owner

    I'd like to write a test case to ensure this stays fixed and that the fix works. Do you know how someone would have multiple ACEs?

  2. bozho_ reporter

    If I remember correctly, we had a scenario where the Users group had both a set of inherited permissions on a folder and a non-inherited set of permissions.

    We hit the bug because a part of our DSC config disables inheritance on a folder, removes all permissions for the Users group and assigns a specific set of permissions for a different group.

    Disabling the inheritance would result in the Users group having two ACEs on that folder. I can look up the exact scenario on Monday.

  3. Aaron Jensen repo owner

    No worries. I found a way to mimic that behavior without needing to strictly reproduce it. Pester mocks for the win!
