Question
Tuesday, June 16, 2015 3:57 PM
I am attempting to use the script outlined in this article: https://technet.microsoft.com/en-us/library/ff730951.aspx
$colRights = [System.Security.AccessControl.FileSystemRights]::FullControl
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("wingroup\kenmyer")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
($objUser, $colRights, "ContainerInherit,ObjectInherit", $PropagationFlag, $objType)
$objACL = Get-ACL "C:\Scripts\Test.ps1"
$objACL.AddAccessRule($objACE)
Set-ACL "C:\Scripts\Test.ps1" $objACL
However, when I use the ContainerInherit,ObjectInherit flags with the Set-ACL command, I only get the permission for "Subfolders and files". If I use "None", I only get "This folder".
I have not been able to figure out how to get "This folder, subfolders and files" using the InheritanceFlags.
No matter what I do I cannot get the command to follow what I can do manually through the Windows Explorer UI.
Please advise as to how to accomplish this using PowerShell.
Thanks.
All replies (2)
Tuesday, June 16, 2015 5:39 PM ✅Answered
To force propagation to all files and subfolders use this version:
$ace=New-Object System.Security.AccessControl.FileSystemAccessRule ('omega\testuser', 'FullControl','ContainerInherit,ObjectInherit', 'NoPropagateInherit', 'Allow')
\(ツ)_/
Tuesday, June 16, 2015 5:29 PM
Two things.
1) Files do not have propagation flags so the code cannot set that on the file you have specified.
2) We want to propagate so this is what we would do.
$ace=New-Object System.Security.AccessControl.FileSystemAccessRule('omega\testuser','FullControl','ContainerInherit,ObjectInherit','None','Allow')
$acl = Get-ACL C:\Scripts
$acl.AddAccessRule($ace)
Set-ACL C:\Scripts $acl
Avoid adding "obj" to everything. It is pointless and hasn't been used for 20 years except by those who don't understand what it means.
As you can see we can use strings instead of types. It is more compact and reduces the clutter in your code.
\(ツ)_/
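Added example, not part of the thread or of the linked article: it applies each InheritanceFlags/PropagationFlags pair that appears in the posts above to its own scratch folder, reads the ACE back, and reports in plain words which objects it covers. The identity (BUILTIN\Users), the ReadAndExecute right, the scratch folder under `$env:TEMP` and the helper name `Get-AppliesTo` are assumptions chosen for the demonstration.

```powershell
# Added example, not from the thread; identity, right and folder are assumptions.
$IF  = [System.Security.AccessControl.InheritanceFlags]
$PF  = [System.Security.AccessControl.PropagationFlags]
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users

# Translate an ACE's flag pair into the objects it applies to.
function Get-AppliesTo {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $ci = [bool]([int]$Rule.InheritanceFlags -band [int]$IF::ContainerInherit)
    $oi = [bool]([int]$Rule.InheritanceFlags -band [int]$IF::ObjectInherit)
    $io = [bool]([int]$Rule.PropagationFlags -band [int]$PF::InheritOnly)
    $np = [bool]([int]$Rule.PropagationFlags -band [int]$PF::NoPropagateInherit)
    $targets = @()
    if (-not $io) { $targets += 'this folder' }   # InheritOnly skips the folder itself
    if ($ci)      { $targets += 'subfolders' }
    if ($oi)      { $targets += 'files' }
    if (-not $targets) { return 'nothing' }
    $scope = $targets -join ', '
    # NoPropagateInherit stops inheritance after the first level of children.
    if ($np -and ($ci -or $oi)) { $scope += ' (direct children only)' }
    $scope
}
$cases = @(
    @{ Label = 'question'; Inherit = 'ContainerInherit,ObjectInherit'; Propagate = 'InheritOnly' },
    @{ Label = 'reply 1';  Inherit = 'ContainerInherit,ObjectInherit'; Propagate = 'NoPropagateInherit' },
    @{ Label = 'reply 2';  Inherit = 'ContainerInherit,ObjectInherit'; Propagate = 'None' },
    @{ Label = 'no flags'; Inherit = 'None';                           Propagate = 'None' }
)

$root = (New-Item -ItemType Directory -Path (Join-Path $env:TEMP "acl-demo-$([guid]::NewGuid())")).FullName
try {
    $n = 0
    foreach ($c in $cases) {
        # One fresh folder per case so the ACEs cannot merge with each other.
        $dir = (New-Item -ItemType Directory -Path (Join-Path $root "case$n")).FullName; $n++
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
                   $sid, 'ReadAndExecute', $c.Inherit, $c.Propagate, 'Allow'
        $acl = Get-Acl $dir
        $acl.AddAccessRule($ace)
        Set-Acl $dir $acl
        # Read back the explicit (non-inherited) ACEs that actually landed on the folder.
        (Get-Acl $dir).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
            ForEach-Object { '{0,-9} {1,-31} {2,-19} -> {3}' -f $c.Label, $_.InheritanceFlags,
                             $_.PropagationFlags, (Get-AppliesTo $_) }
    }
} finally {
    Remove-Item $root -Recurse -Force   # clean up the demo folders
}
```

Run it in Windows PowerShell as a user who can create folders under `$env:TEMP`; the same read-back pipeline works against a real folder when auditing which ACEs reach its children.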