Log/IIS/ULS folder perms

Topics: Feature Requests, Feedback
Aug 21, 2014 at 6:58 PM
Edited Aug 21, 2014 at 6:59 PM
AutoSPInstaller is a great tool -- thank you for creating it for us.

We ran into a bug, or more of an oversight, I think. In our environment, we apply server hardening processes which lock things down significantly, and this caused our Application event log to fill with errors about the log locations not being accessible. We configured E:\Logs\IIS, E:\Logs\ULS and E:\Logs\Usage and got access denied errors on all of them.

The fix was to grant perms to the service account(s) -- I lumped them into a group so I could just grant perms to the group. In the AutoSPInstallerFunctionsCustom.ps1 file, I created a new method named SetFolderPerms, as follows:
function SetFolderPerms([string]$folder)
{
    # Grab the domain and user/group
    $domain = $env:USERDOMAIN
    $group = "rSvc-SharePointSvrFarm"

    # Now set the perms
    Write-Host -ForegroundColor White " - Configuring perms on $folder and subfolders..."
    Try
    {
        # Set FullControl rights. You can set Read, Write or any desired combination.
        $colRights = [System.Security.AccessControl.FileSystemRights]::FullControl

        # Set inheritance so both files and folders within the folder inherit the change. (No need for propagation.)
        $inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        $propagation = [System.Security.AccessControl.PropagationFlags]::None
        
        # This is an allow ACE, not a deny.
        $aceType = [System.Security.AccessControl.AccessControlType]::Allow
        
        # Create the ACE.
        $group = New-Object System.Security.Principal.NTAccount("$domain\$group")
        $groupAce = New-Object System.Security.AccessControl.FileSystemAccessRule($group, $colRights, $inheritance, $propagation, $aceType)

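        # Grab the ACL, update it and commit.
        # -ErrorAction Stop turns cmdlet errors into exceptions so the Catch block below sees them.
        $acl = Get-Acl $folder -ErrorAction Stop
        $acl.AddAccessRule($groupAce)
        Set-Acl $folder $acl -ErrorAction Stop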
        Write-Host -ForegroundColor Green " - Folder perms have been hypertatted"
    }
    Catch
    {
        Write-Host -ForegroundColor Yellow " - Exceptions were detected configuring the perms (they may already be set)"
        Write-Host -ForegroundColor Yellow " - $_"
    }
}
I just had to make one quick edit to AutoSPInstallerFunctions.ps1 in the CompressFolder method. I made it the very last line, so it executes regardless of whether the folder is compressed. It's as follows:
SetFolderPerms $folder
All three logging folders -- ULS, Usage and IIS -- should now get written correctly by your service accounts, even if server hardening has been performed.
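
A least-privilege variant of the function above, as an added example that is not part of the original post or of AutoSPInstaller: it grants Modify instead of FullControl, fails if the group name does not resolve, and skips folders that already carry an equivalent explicit ACE. The function name Grant-LogFolderAccess is hypothetical, and that Modify is sufficient for the service accounts to write their logs is an assumption; the group name and folder paths are the ones given in the post.

```powershell
# Added example (not from the original post). Grant-LogFolderAccess is a hypothetical name.
function Grant-LogFolderAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity,
        # Assumption: Modify is enough for the service accounts to create and write log files.
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )

    # Resolve the name to a SID first; Translate() throws if the group does not exist,
    # so a typo cannot end up as an unresolved entry in the ACL.
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    $acl = Get-Acl -Path $Path -ErrorAction Stop

    # Look only at explicit (non-inherited) ACEs, keyed by SID.
    $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $wanted = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($ace in $explicit) {
        $sameSid  = $ace.IdentityReference.Value -eq $sid.Value
        $isAllow  = $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
        $covers   = ([int]$ace.FileSystemRights -band [int]$Rights) -eq [int]$Rights
        $inherits = ([int]$ace.InheritanceFlags -band [int]$wanted) -eq [int]$wanted
        if ($sameSid -and $isAllow -and $covers -and $inherits) {
            return 'AlreadyGranted'   # nothing to change, ACL left untouched
        }
    }

    # Same inheritance and propagation settings as the function in the post.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $Rights, $wanted,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl -ErrorAction Stop
    return 'Granted'
}

# Folders and group name as given in the post.
foreach ($folder in 'E:\Logs\IIS', 'E:\Logs\ULS', 'E:\Logs\Usage') {
    if (Test-Path -LiteralPath $folder) {
        $result = Grant-LogFolderAccess -Path $folder -Identity "$env:USERDOMAIN\rSvc-SharePointSvrFarm"
        Write-Host " - ${folder}: $result"
    }
}
```

Because the function throws instead of swallowing errors, a failed grant stops the run where it happens rather than surfacing later as access-denied entries in the Application event log.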